Create Interactive Tour

Analysis Report nW47Os1nLL

Overview

General Information

Sample Name:	nW47Os1nLL (renamed file extension from none to exe)
Analysis ID:	402510
MD5:	4ac7b7a9992cfd83912dc912105d615c
SHA1:	a5a6c2c780b2879a75eee64107129057caddbdbc
SHA256:	8c6fd14084820ec528749300222097d21197659535aaa50cdcc75831f73546c1
Tags:	IranianhackersNetworm
Infos:
Most interesting Screenshot:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Creates a DirectInput object (often for capturing keystrokes)

Detected potential crypto function

Found potential string decryption / allocating functions

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Classification

Startup

System is w10x64

nW47Os1nLL.exe (PID: 6872 cmdline: 'C:\Users\user\Desktop\nW47Os1nLL.exe' MD5: 4AC7B7A9992CFD83912DC912105D615C)

conhost.exe (PID: 6900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
nW47Os1nLL.exe	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000000.640786324.00000000011D8000.00000008.00020000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: nW47Os1nLL.exe PID: 6872	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.nW47Os1nLL.exe.1110000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.0.nW47Os1nLL.exe.1110000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: nW47Os1nLL.exe	Virustotal: Detection: 49%			Perma Link
Source: nW47Os1nLL.exe	ReversingLabs: Detection: 55%

Source: C:\Users\user\Desktop\nW47Os1nLL.exe

Code function: 0_2_01113E42 CryptEncrypt,GetLastError,

0_2_01113E42

Source: nW47Os1nLL.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: nW47Os1nLL.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: D:\31-App\app\Slave\Slave\Win32\Release\Client\Slave.pdb source: nW47Os1nLL.exe

Source: nW47Os1nLL.exe, 00000000.00000002.642718411.0000000000EEA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: Yara match	File source: nW47Os1nLL.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.640786324.00000000011D8000.00000008.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nW47Os1nLL.exe PID: 6872, type: MEMORY
Source: Yara match	File source: 0.2.nW47Os1nLL.exe.1110000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.nW47Os1nLL.exe.1110000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\nW47Os1nLL.exe	Code function: 0_2_011A1177	0_2_011A1177
Source: C:\Users\user\Desktop\nW47Os1nLL.exe	Code function: 0_2_011801E1	0_2_011801E1
Source: C:\Users\user\Desktop\nW47Os1nLL.exe	Code function: 0_2_011808AA	0_2_011808AA
Source: C:\Users\user\Desktop\nW47Os1nLL.exe	Code function: 0_2_0119E249	0_2_0119E249
Source: C:\Users\user\Desktop\nW47Os1nLL.exe	Code function: 0_2_011A1297	0_2_011A1297
Source: C:\Users\user\Desktop\nW47Os1nLL.exe	Code function: 0_2_011952FC	0_2_011952FC
Source: C:\Users\user\Desktop\nW47Os1nLL.exe	Code function: 0_2_0118A510	0_2_0118A510
Source: C:\Users\user\Desktop\nW47Os1nLL.exe	Code function: 0_2_01180413	0_2_01180413
Source: C:\Users\user\Desktop\nW47Os1nLL.exe	Code function: 0_2_011164EC	0_2_011164EC
Source: C:\Users\user\Desktop\nW47Os1nLL.exe	Code function: 0_2_01180645	0_2_01180645

Source: C:\Users\user\Desktop\nW47Os1nLL.exe

Code function: String function: 0115F0B0 appears 35 times

Source: nW47Os1nLL.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: classification engine

Classification label: mal52.evad.winEXE@2/2@0/0

Source: C:\Users\user\Desktop\nW47Os1nLL.exe

Code function: 0_2_01117750 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,AbortSystemShutdownW,AdjustTokenPrivileges,

0_2_01117750

Source: C:\Users\user\Desktop\nW47Os1nLL.exe

File created: C:\Users\user\Desktop\log.txt

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6900:120:WilError_01

Source: nW47Os1nLL.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\nW47Os1nLL.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: nW47Os1nLL.exe	Virustotal: Detection: 49%
Source: nW47Os1nLL.exe	ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Users\user\Desktop\nW47Os1nLL.exe 'C:\Users\user\Desktop\nW47Os1nLL.exe'
Source: C:\Users\user\Desktop\nW47Os1nLL.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: nW47Os1nLL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: nW47Os1nLL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: nW47Os1nLL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: nW47Os1nLL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: nW47Os1nLL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: nW47Os1nLL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: nW47Os1nLL.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: nW47Os1nLL.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\31-App\app\Slave\Slave\Win32\Release\Client\Slave.pdb source: nW47Os1nLL.exe

Source: nW47Os1nLL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: nW47Os1nLL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: nW47Os1nLL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: nW47Os1nLL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: nW47Os1nLL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\nW47Os1nLL.exe

Code function: 0_2_0115EC46 push ecx; ret

0_2_0115EC59

Source: nW47Os1nLL.exe, 00000000.00000002.642718411.0000000000EEA000.00000004.00000020.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Show sources

Source: C:\Users\user\Desktop\nW47Os1nLL.exe

Code function: 0_2_011164EC IsDebuggerPresent,GetCurrentProcess,CheckRemoteDebuggerPresent,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,RaiseException,SetUnhandledExceptionFilter,

0_2_011164EC

Source: C:\Users\user\Desktop\nW47Os1nLL.exe

Code function: 0_2_01192104 IsDebuggerPresent,OutputDebugStringW,

0_2_01192104

Source: C:\Users\user\Desktop\nW47Os1nLL.exe	Code function: 0_2_011843DF mov eax, dword ptr fs:[00000030h]	0_2_011843DF
Source: C:\Users\user\Desktop\nW47Os1nLL.exe	Code function: 0_2_01196E70 mov eax, dword ptr fs:[00000030h]	0_2_01196E70
Source: C:\Users\user\Desktop\nW47Os1nLL.exe	Code function: 0_2_01196DE8 mov eax, dword ptr fs:[00000030h]	0_2_01196DE8
Source: C:\Users\user\Desktop\nW47Os1nLL.exe	Code function: 0_2_011164EC mov eax, dword ptr fs:[00000030h]	0_2_011164EC
Source: C:\Users\user\Desktop\nW47Os1nLL.exe	Code function: 0_2_011164EC mov eax, dword ptr fs:[00000030h]	0_2_011164EC
Source: C:\Users\user\Desktop\nW47Os1nLL.exe	Code function: 0_2_011164EC mov eax, dword ptr fs:[00000030h]	0_2_011164EC
Source: C:\Users\user\Desktop\nW47Os1nLL.exe	Code function: 0_2_01196E2C mov eax, dword ptr fs:[00000030h]	0_2_01196E2C
Source: C:\Users\user\Desktop\nW47Os1nLL.exe	Code function: 0_2_01196EA1 mov eax, dword ptr fs:[00000030h]	0_2_01196EA1

Source: C:\Users\user\Desktop\nW47Os1nLL.exe	Code function: 0_2_011164EC IsDebuggerPresent,GetCurrentProcess,CheckRemoteDebuggerPresent,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,RaiseException,SetUnhandledExceptionFilter,	0_2_011164EC
Source: C:\Users\user\Desktop\nW47Os1nLL.exe	Code function: 0_2_0118270A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0118270A
Source: C:\Users\user\Desktop\nW47Os1nLL.exe	Code function: 0_2_0115E7F5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0115E7F5

Source: C:\Users\user\Desktop\nW47Os1nLL.exe	Code function: GetLocaleInfoW,	0_2_011901B3
Source: C:\Users\user\Desktop\nW47Os1nLL.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0119D1A9
Source: C:\Users\user\Desktop\nW47Os1nLL.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_0119C848
Source: C:\Users\user\Desktop\nW47Os1nLL.exe	Code function: EnumSystemLocalesW,	0_2_0119CB35
Source: C:\Users\user\Desktop\nW47Os1nLL.exe	Code function: EnumSystemLocalesW,	0_2_0118FB46
Source: C:\Users\user\Desktop\nW47Os1nLL.exe	Code function: EnumSystemLocalesW,	0_2_0119CBD0
Source: C:\Users\user\Desktop\nW47Os1nLL.exe	Code function: EnumSystemLocalesW,	0_2_0119CAEA
Source: C:\Users\user\Desktop\nW47Os1nLL.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0119CFD4

Source: C:\Users\user\Desktop\nW47Os1nLL.exe

Code function: 0_2_0115F2E4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0115F2E4

Source: C:\Users\user\Desktop\nW47Os1nLL.exe

Code function: 0_2_011949CF _free,_free,_free,GetTimeZoneInformation,_free,

0_2_011949CF

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Access Token Manipulation1	Masquerading1	Input Capture1	System Time Discovery2	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Process Injection1	Access Token Manipulation1	LSASS Memory	Security Software Discovery111	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection1	Security Account Manager	System Information Discovery12	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information2	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
nW47Os1nLL.exe	49%	Virustotal		Browse
nW47Os1nLL.exe	9%	Metadefender		Browse
nW47Os1nLL.exe	55%	ReversingLabs	Win32.Trojan.Remexec

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	402510
Start date:	03.05.2021
Start time:	08:42:16
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	nW47Os1nLL (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal52.evad.winEXE@2/2@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 97.2%) Quality average: 82% Quality standard deviation: 24.5%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Stop behavior analysis, all processes terminated

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\Desktop\log.txt Download File
Process:	C:\Users\user\Desktop\nW47Os1nLL.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	49
Entropy (8bit):	3.9738194768925954
Encrypted:	false
SSDEEP:	3:k9mJsr/HXWcIvVMA:Js7H0vVN
MD5:	7823A62D280AC0B11A1498FAA869AE8B
SHA1:	E8EDBF90FF70F4B8E657C14E23BC92A850C0C003
SHA-256:	2674459257AD10DF345524D83F5893A72A463661B839866A642228E50BFFBA86
SHA-512:	AFB28FCEC7C4A3DCC704063C6F503C5019F50C97F554480565053E8CF65755328877C88CA8F292B003C05B021B5259677E901E35E767A67646872FAC7CE60880
Malicious:	false
Reputation:	low
Preview:	wrong parameters :..exepath -s serverip -p port..

\Device\ConDrv Download File
Process:	C:\Users\user\Desktop\nW47Os1nLL.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	39
Entropy (8bit):	4.260423540630527
Encrypted:	false
SSDEEP:	3:oNt+WfWLCoUAAy:oNwvbAy
MD5:	02607830F1851A1C01A326A08895E221
SHA1:	A85AF8A5B7875B5DA61351AEBB29832C2CCF481F
SHA-256:	A7734AF6F6B44552FD56EBC185017E7CC7469EA7FA5992D269C772E6AA8DBD98
SHA-512:	4E78D1631A0DEC7946F32749A9C78A5404095AC40EA487FFCCFB9E9C53BAA860D773F0E3BB48322969D4B8B587382FC905DE2514F414297A5AA6FA02D93365A8
Malicious:	false
Reputation:	low
Preview:	C:\Users\user\Desktop\nW47Os1nLL.exe..

Static File Info

General
File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	6.702106427385733
TrID:	Win32 Executable (generic) a (10002005/4) 99.55% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	nW47Os1nLL.exe
File size:	990208
MD5:	4ac7b7a9992cfd83912dc912105d615c
SHA1:	a5a6c2c780b2879a75eee64107129057caddbdbc
SHA256:	8c6fd14084820ec528749300222097d21197659535aaa50cdcc75831f73546c1
SHA512:	2c62c982ae3e96ead28c31ee33215cced7ea2e5b9a6722130f1f5c4a9297e629e6f8ccde80d2b2e6b890992073a0ba04f051ff33b96ec635a8b8e3e8316025f8
SSDEEP:	24576:DtG98luwfruEtsMnjjp2tZdusyDhotpI74EX1WG8v2mNHP:o93qsMnjjItZdryWC74El1kP
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........B..FB..FB..F...GQ..F...G...F...GU..F...GH..F...GQ..F...GZ..F...G...F...GO..FB..F...F...Gd..F..*FC..F...GC..FRichB..F.......

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x44ec3c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60867E3F [Mon Apr 26 08:47:59 2021 UTC]
TLS Callbacks:	0x450ff0
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	77d80035665581931c6a2b33cd1449a3

Entrypoint Preview

Instruction
call 00007FD1D0C82C35h
jmp 00007FD1D0C823B9h
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007FD1D0C81A64h
jmp 00007FD1D0C82520h
mov ecx, dword ptr [ebp-14h]
xor ecx, ebp
call 00007FD1D0C81A53h
jmp 00007FD1D0C8250Fh
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [004C8098h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [004C8098h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [004C8098h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc679c	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xeb000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xec000	0xa020	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb2340	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xb2480	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb23b0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9f000	0x384	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9d4fc	0x9d600	False	0.533553725675	data	6.67935975429	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x9f000	0x28b40	0x28c00	False	0.371075776457	data	4.83397398719	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc8000	0x2276c	0x21200	False	0.224012382075	DOS executable (block device driver)	5.21965586623	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xeb000	0x1e0	0x200	False	0.53125	data	4.71767883295	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xec000	0xa020	0xa200	False	0.593388310185	data	6.53494861663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0xeb060	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
NETAPI32.dll	NetApiBufferFree, NetFileClose, NetFileEnum
KERNEL32.dll	SetEvent, CloseHandle, GetProcAddress, LocalFree, VerSetConditionMask, WideCharToMultiByte, VerifyVersionInfoW, FormatMessageA, CreateEventA, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, GetLastError, SetConsoleCtrlHandler, GetCurrentProcess, GetModuleHandleW, LoadLibraryW, HeapFree, RemoveDirectoryW, HeapAlloc, GetProcessHeap, ReadFile, GetStdHandle, WriteFile, CreateProcessW, WaitForMultipleObjects, WaitForSingleObject, PostQueuedCompletionStatus, TerminateThread, TlsAlloc, QueueUserAPC, TlsFree, ReleaseSemaphore, WaitForMultipleObjectsEx, WaitForSingleObjectEx, CreateSemaphoreA, SetWaitableTimer, TlsSetValue, SetLastError, InitializeCriticalSectionAndSpinCount, GetQueuedCompletionStatus, CreateEventW, Sleep, SleepEx, TlsGetValue, FormatMessageW, QueryInformationJobObject, GetBinaryTypeW, VirtualProtect, VirtualFree, VirtualAlloc, GetEnvironmentVariableW, GetWriteWatch, ResetWriteWatch, K32GetProcessImageFileNameW, GlobalGetAtomNameW, OpenProcess, GetCurrentThread, RaiseException, GetThreadContext, HeapQueryInformation, ReadProcessMemory, GetCurrentProcessId, IsDebuggerPresent, CheckRemoteDebuggerPresent, SetUnhandledExceptionFilter, CreateDirectoryW, FindFirstFileW, FindNextFileW, FindClose, SetFileAttributesW, DeleteFileW, OutputDebugStringW, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, GetACP, IsValidCodePage, FindFirstFileExW, HeapReAlloc, SetStdHandle, GetExitCodeProcess, ReadConsoleW, GetTimeZoneInformation, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileSizeEx, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, HeapSize, GetThreadTimes, FreeLibrary, CreateIoCompletionPort, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetCommandLineA, GetDriveTypeW, ExitThread, ExitProcess, WriteConsoleW, GetModuleHandleExW, GetFileType, RtlUnwind, UnregisterWait, UnregisterWaitEx, QueryDepthSList, InterlockedFlushSList, InterlockedPushEntrySList, InterlockedPopEntrySList, DuplicateHandle, GetVersionExW, LoadLibraryExW, GetModuleFileNameW, MultiByteToWideChar, GetStringTypeW, QueryPerformanceCounter, QueryPerformanceFrequency, SwitchToThread, GetCurrentThreadId, TryEnterCriticalSection, EncodePointer, DecodePointer, GetSystemTimeAsFileTime, GetTickCount, CompareStringW, LCMapStringW, GetLocaleInfoW, GetCPInfo, ResetEvent, UnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, GetStartupInfoW, InitializeSListHead, OpenEventA, ResumeThread, GetLogicalProcessorInformation, GetModuleHandleA, CreateWaitableTimerA, GetCurrentDirectoryW, CreateFileW, GetFileAttributesW, GetFileAttributesExW, GetFullPathNameW, SetEndOfFile, SetFilePointerEx, DeviceIoControl, AreFileApisANSI, CreateFileA, GetFileSize, SetFilePointer, MapViewOfFileEx, UnmapViewOfFile, CreateFileMappingA, CreateTimerQueue, SignalObjectAndWait, CreateThread, SetThreadPriority, GetThreadPriority, CreateTimerQueueTimer, ChangeTimerQueueTimer, DeleteTimerQueueTimer, GetNumaHighestNodeNumber, GetProcessAffinityMask, SetThreadAffinityMask, RegisterWaitForSingleObject, FreeLibraryAndExitThread
USER32.dll	ShutdownBlockReasonDestroy, PostQuitMessage, LoadCursorW, LoadIconW, TranslateMessage, AdjustWindowRect, ShutdownBlockReasonCreate, DispatchMessageW, ShowWindow, RegisterClassExW, SendMessageW, CreateWindowExW, DefWindowProcW, GetMessageW, EndPaint, BeginPaint, UpdateWindow
ADVAPI32.dll	AdjustTokenPrivileges, AbortSystemShutdownW, OpenProcessToken, LookupPrivilegeValueW
ole32.dll	CoCreateGuid
WS2_32.dll	WSAStartup, ioctlsocket, freeaddrinfo, setsockopt, WSAGetLastError, htonl, getsockopt, WSARecv, connect, getsockname, getaddrinfo, WSASetLastError, listen, select, WSASend, closesocket, WSAIoctl, bind, accept, __WSAFDIsSet, WSACleanup, WSASocketW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

• nW47Os1nLL.exe
• conhost.exe

Click to jump to process

Memory Usage

• nW47Os1nLL.exe
• conhost.exe

Click to jump to process

Behavior

• nW47Os1nLL.exe
• conhost.exe

Click to jump to process

System Behavior

Analysis Process: nW47Os1nLL.exe PID: 6872 Parent PID: 5960

Function Logs

General

Start time:	08:43:01
Start date:	03/05/2021
Path:	C:\Users\user\Desktop\nW47Os1nLL.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\nW47Os1nLL.exe'
Imagebase:	0x1110000
File size:	990208 bytes
MD5 hash:	4AC7B7A9992CFD83912DC912105D615C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000000.640786324.00000000011D8000.00000008.00020000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

File Activities

Section Activities

Registry Activities

Show Windows behavior

Mutex Activities

Show Windows behavior

Process Activities

Thread Activities

Memory Activities

System Activities

Show Windows behavior

LPC Port Activities

Analysis Process: conhost.exe PID: 6900 Parent PID: 6872

Function Logs

General

Start time:	08:43:01
Start date:	03/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

Section Activities

Registry Activities

Show Windows behavior

Mutex Activities

Process Activities

Show Windows behavior

Thread Activities

Memory Activities

System Activities

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

LPC Port Activities

Chronological Activities

Disassembly

Code Analysis

Analysis Process: nW47Os1nLL.exe PID: 6872 Parent PID: 5960 nW47Os1nLL.exeCOMMON

Executed Functions

Function 011843DF, Relevance: 4.5, APIs: 3, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011843DF(int _a4) {
				void* _t7;
				void* _t14;

				_t7 = E01196E70(_t14); // executed
				if(_t7 != 1 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E01184421(_t14, _a4);
				ExitProcess(_a4);
			}

0x011843e4
0x011843ec
0x01184408
0x01184408
0x01184411
0x0118441a

APIs

GetCurrentProcess.KERNEL32(?,?,011843DE,?,00000000,?,?), ref: 01184401
TerminateProcess.KERNEL32(00000000,?,011843DE,?,00000000,?,?), ref: 01184408
ExitProcess.KERNEL32 ref: 0118441A

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 37e035318ded57d979d9afddb3488657de262ca78a07c87fe7f187e52aec0916
Instruction ID: 0b29a0ae8045b03cdabf43ea7b9b92f9a978ee6d2fc1403a7696439c796d2480
Opcode Fuzzy Hash: 37e035318ded57d979d9afddb3488657de262ca78a07c87fe7f187e52aec0916
Instruction Fuzzy Hash: 42E0EC3101015AAFDF2ABF68D94CA5D3F6AFB40245B548424F91586925CF39EDA3CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01196E70, Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01196E70(void* __ecx) {
				char _v8;
				intOrPtr _t7;
				char _t13;

				_t13 = 0;
				_v8 = 0;
				_t7 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
				_t16 =  *((intOrPtr*)(_t7 + 8));
				if( *((intOrPtr*)(_t7 + 8)) < 0) {
					L2:
					_t13 = 1;
				} else {
					E0118FE8D(_t16,  &_v8); // executed
					if(_v8 != 1) {
						goto L2;
					}
				}
				return _t13;
			}

0x01196e7d
0x01196e7f
0x01196e82
0x01196e85
0x01196e88
0x01196e99
0x01196e9b
0x01196e8a
0x01196e8e
0x01196e97
0x00000000
0x00000000
0x01196e97
0x01196ea0

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd06f88d71269cbcc1598fbff3f02fb1c4ed781fa5115e78a3f0b6744d8b4b45
Instruction ID: 6fb87bbb5e83cca5002c796a9d23928af99358ef94e842e409562342a439c4ea
Opcode Fuzzy Hash: dd06f88d71269cbcc1598fbff3f02fb1c4ed781fa5115e78a3f0b6744d8b4b45
Instruction Fuzzy Hash: FAE0E672911238EBCB29EBDCC544949F7ECEB45E54F154456B511D3551C375DE00CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0118FD43, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0118FD43(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t13;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0x11fa1a8 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0x11b7018 + _t22 * 4);
						_t13 = LoadLibraryExW(_t23, 0, 0x800); // executed
						_t32 = _t13;
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E0118FA68(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E0118FA68(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

0x0118fd4c
0x0118fdf6
0x0118fd54
0x0118fd56
0x0118fd5d
0x0118fd5f
0x0118fd65
0x0118fd72
0x0118fd81
0x0118fd87
0x0118fd8b
0x0118fddd
0x0118fddd
0x0118fde2
0x0118fde6
0x0118fde9
0x0118fde9
0x0118fdef
0x0118fdf1
0x0118fe06
0x0118fe01
0x0118fe05
0x0118fe05
0x0118fdf3
0x0118fdf3
0x00000000
0x0118fdf3
0x0118fd8d
0x0118fd96
0x0118fdcd
0x0118fdcd
0x0118fdcf
0x0118fdd1
0x00000000
0x00000000
0x0118fdd9
0x00000000
0x0118fdd9
0x0118fda0
0x0118fda5
0x0118fdaa
0x00000000
0x00000000
0x0118fdb4
0x0118fdb9
0x0118fdbe
0x00000000
0x00000000
0x0118fdc3
0x0118fdc9
0x00000000
0x0118fdc9
0x0118fd6a
0x00000000
0x00000000
0x00000000
0x0118fd70
0x0118fdff
0x00000000

Strings

ext-ms-, xrefs: 0118FDAE
api-ms-, xrefs: 0118FD9A

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: a4e21459bd472e21fd8797a6d803ec0d987edc1537e5d01fa9588daccaaed62a
Instruction ID: 5ec55c8a30cc1de6f558abb7fd2bfd1581123677f7f6fdab6a9e2d2ce785195a
Opcode Fuzzy Hash: a4e21459bd472e21fd8797a6d803ec0d987edc1537e5d01fa9588daccaaed62a
Instruction Fuzzy Hash: 4321AB71A01223ABDB3D6E28DC44B5E3B58AF41760B168225EB35A72C5E730E902CED1

Uniqueness

Uniqueness Score: -1.00%

Function 01193269, Relevance: 4.7, APIs: 3, Instructions: 177
fileCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E01193269(signed int _a4, void* _a8, signed int _a12) {
				void* _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				long _v40;
				char _v44;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t58;
				signed int _t66;
				signed int _t69;
				intOrPtr _t70;
				signed int _t73;
				signed int _t74;
				signed int _t76;
				signed int _t82;
				signed int _t85;
				signed int _t92;
				void* _t93;
				signed int _t95;
				signed int _t97;
				signed int _t101;
				intOrPtr _t102;
				signed int _t103;
				signed int _t104;
				signed int _t108;
				signed int _t110;
				void* _t112;

				_t95 = _a12;
				_t58 = _a8;
				_v8 = _t58;
				_v20 = _t95;
				_t108 = _a4;
				if(_t95 == 0) {
					L37:
					__eflags = 0;
					return 0;
				}
				_t116 = _t58;
				if(_t58 != 0) {
					_t101 = _t108 >> 6;
					_t104 = (_t108 & 0x0000003f) * 0x38;
					_v12 = _t101;
					_t102 =  *((intOrPtr*)(0x11fa288 + _t101 * 4));
					_v16 = _t104;
					_t92 =  *((intOrPtr*)(_t102 + _t104 + 0x29));
					__eflags = _t92 - 2;
					if(_t92 == 2) {
						L6:
						__eflags =  !_t95 & 0x00000001;
						if(__eflags == 0) {
							goto L2;
						}
						L7:
						__eflags =  *(_t102 + _t104 + 0x28) & 0x00000020;
						if(__eflags != 0) {
							E011964AD(_t108, 0, 0, 2); // executed
							_t112 = _t112 + 0x10;
						}
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_t69 = E01192E10(_t102, __eflags, _t108);
						__eflags = _t69;
						if(_t69 == 0) {
							_t97 = _v12;
							_t103 = _v16;
							_t70 =  *((intOrPtr*)(0x11fa288 + _t97 * 4));
							__eflags =  *((char*)(_t70 + _t103 + 0x28));
							if( *((char*)(_t70 + _t103 + 0x28)) >= 0) {
								_t93 = _v8;
								asm("stosd");
								asm("stosd");
								asm("stosd");
								_t73 = WriteFile( *(_t70 + _t103 + 0x18), _t93, _v20,  &_v40, 0);
								__eflags = _t73;
								if(_t73 == 0) {
									_v44 = GetLastError();
								}
								goto L26;
							}
							_t93 = _v8;
							_t82 = _t92;
							__eflags = _t82;
							if(_t82 == 0) {
								E01192E81(_t93,  &_v32, _t108,  &_v44, _t108, _t93, _v20); // executed
								goto L15;
							}
							_t85 = _t82 - 1;
							__eflags = _t85;
							if(_t85 == 0) {
								_t84 = E01193045(_t93,  &_v32, _t108,  &_v44, _t108, _t93, _v20);
								goto L15;
							}
							__eflags = _t85 != 1;
							if(_t85 != 1) {
								goto L28;
							}
							_t84 = E01192F5C(_t93,  &_v32, _t108,  &_v44, _t108, _t93, _v20);
							goto L15;
						} else {
							__eflags = _t92;
							if(__eflags == 0) {
								_t93 = _v8;
								_t84 = E011929FE(_t93,  &_v32, _t108, __eflags,  &_v44, _t108, _t93, _v20);
								L15:
								L13:
								L26:
								asm("movsd");
								asm("movsd");
								asm("movsd");
								L27:
								_t97 = _v12;
								_t103 = _v16;
								L28:
								_t74 = _v28;
								__eflags = _t74;
								if(_t74 != 0) {
									return _t74 - _v24;
								}
								_t76 = _v32;
								__eflags = _t76;
								if(_t76 == 0) {
									__eflags =  *( *((intOrPtr*)(0x11fa288 + _t97 * 4)) + _t103 + 0x28) & 0x00000040;
									if(__eflags == 0) {
										L35:
										 *((intOrPtr*)(E01186176(__eflags))) = 0x1c;
										_t66 = E01186163(__eflags);
										 *_t66 =  *_t66 & 0x00000000;
										L3:
										return _t66 | 0xffffffff;
									}
									__eflags =  *_t93 - 0x1a;
									if(__eflags == 0) {
										goto L37;
									}
									goto L35;
								}
								_t110 = 5;
								__eflags = _t76 - _t110;
								if(__eflags != 0) {
									_t66 = E01186140(_t76);
								} else {
									 *((intOrPtr*)(E01186176(__eflags))) = 9;
									_t66 = E01186163(__eflags);
									 *_t66 = _t110;
								}
								goto L3;
							}
							__eflags = _t92 - 1 - 1;
							_t93 = _v8;
							if(_t92 - 1 > 1) {
								goto L27;
							}
							E01192DA8( &_v44, _t93, _v20);
							goto L13;
						}
					}
					__eflags = _t92 - 1;
					if(_t92 != 1) {
						goto L7;
					}
					goto L6;
				}
				L2:
				 *(E01186163(_t116)) =  *_t64 & 0x00000000;
				 *((intOrPtr*)(E01186176( *_t64))) = 0x16;
				_t66 = E011828B6();
				goto L3;
			}

0x01193271
0x01193274
0x01193277
0x0119327a
0x0119327f
0x01193285
0x01193444
0x01193444
0x00000000
0x01193444
0x0119328b
0x0119328d
0x011932b3
0x011932b9
0x011932bc
0x011932bf
0x011932c6
0x011932c9
0x011932cd
0x011932d0
0x011932d7
0x011932db
0x011932dd
0x00000000
0x00000000
0x011932df
0x011932df
0x011932e4
0x011932ed
0x011932f2
0x011932f2
0x011932fa
0x011932fc
0x011932fd
0x011932fe
0x01193304
0x01193306
0x01193347
0x0119334a
0x0119334d
0x01193354
0x01193359
0x011933a7
0x011933ac
0x011933af
0x011933b0
0x011933ba
0x011933c0
0x011933c2
0x011933ca
0x011933ca
0x00000000
0x011933cd
0x0119335e
0x01193361
0x01193361
0x01193364
0x01193399
0x00000000
0x01193399
0x01193366
0x01193366
0x01193369
0x01193389
0x00000000
0x01193389
0x0119336b
0x0119336e
0x00000000
0x00000000
0x01193379
0x00000000
0x01193308
0x01193308
0x0119330a
0x01193334
0x0119333d
0x01193342
0x0119332a
0x011933d0
0x011933d3
0x011933d4
0x011933d5
0x011933d6
0x011933d6
0x011933d9
0x011933dc
0x011933dc
0x011933df
0x011933e1
0x00000000
0x0119343f
0x011933e3
0x011933e6
0x011933e8
0x0119341b
0x01193420
0x01193427
0x0119342c
0x01193432
0x01193437
0x011932a7
0x00000000
0x011932a7
0x01193422
0x01193425
0x00000000
0x00000000
0x00000000
0x01193425
0x011933ec
0x011933ed
0x011933ef
0x01193409
0x011933f1
0x011933f6
0x011933fc
0x01193401
0x01193401
0x00000000
0x011933ef
0x0119330e
0x01193311
0x01193314
0x00000000
0x00000000
0x01193322
0x00000000
0x01193327
0x01193306
0x011932d2
0x011932d5
0x00000000
0x00000000
0x00000000
0x011932d5
0x0119328f
0x01193294
0x0119329c
0x011932a2
0x00000000

APIs

Part of subcall function 011929FE: GetConsoleCP.KERNEL32(00000000,00000000,00000000), ref: 01192A46

WriteFile.KERNEL32(?,00000000,?,?,00000000,0000000C,00000000,00000000,?,?,?,00000000,?,?,?,00000000), ref: 011933BA
GetLastError.KERNEL32(?,?,?,00000000,?,?,?,00000000), ref: 011933C4
__dosmaperr.LIBCMT ref: 01193409

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ConsoleErrorFileLastWrite__dosmaperr
String ID:
API String ID: 251514795-0
Opcode ID: 56d62fbadc2d196e6e6c48180d30df4ead34d37f6cd04b30c9492eaa0843e2a9
Instruction ID: 81493847551c1818da4364b110d9b96258f4870c4612d2c91aebd3fc901fb85e
Opcode Fuzzy Hash: 56d62fbadc2d196e6e6c48180d30df4ead34d37f6cd04b30c9492eaa0843e2a9
Instruction Fuzzy Hash: 5251F075A2410AAFEF1DABB8C884BEEBBB9FF05354F054055E530A7282D7349A41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01193564, Relevance: 4.6, APIs: 3, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01193564(void* __eflags, signed int _a4) {
				intOrPtr _t13;
				int _t15;
				void* _t21;
				signed int _t33;
				long _t35;

				_t33 = _a4;
				if(E011979DC(_t33) != 0xffffffff) {
					_t13 =  *0x11fa288; // 0xefcf10
					if(_t33 != 1 || ( *(_t13 + 0x98) & 0x00000001) == 0) {
						if(_t33 != 2 || ( *(_t13 + 0x60) & 0x00000001) == 0) {
							goto L7;
						} else {
							goto L6;
						}
					} else {
						L6:
						_t21 = E011979DC(2);
						if(E011979DC(1) == _t21) {
							goto L1;
						}
						L7:
						_t15 = FindCloseChangeNotification(E011979DC(_t33)); // executed
						if(_t15 != 0) {
							goto L1;
						}
						_t35 = GetLastError();
						L9:
						E0119794B(_t33);
						 *((char*)( *((intOrPtr*)(0x11fa288 + (_t33 >> 6) * 4)) + 0x28 + (_t33 & 0x0000003f) * 0x38)) = 0;
						if(_t35 == 0) {
							return 0;
						}
						return E01186140(_t35) | 0xffffffff;
					}
				}
				L1:
				_t35 = 0;
				goto L9;
			}

0x0119356b
0x01193578
0x0119357e
0x01193586
0x01193594
0x00000000
0x00000000
0x00000000
0x00000000
0x0119359c
0x0119359c
0x0119359e
0x011935b0
0x00000000
0x00000000
0x011935b2
0x011935ba
0x011935c2
0x00000000
0x00000000
0x011935ca
0x011935cc
0x011935cd
0x011935e5
0x011935ec
0x00000000
0x011935fa
0x00000000
0x011935f5
0x01193586
0x0119357a
0x0119357a
0x00000000

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,01193492,?,011D5850,0000000C,01193544,?,?,?), ref: 011935BA
GetLastError.KERNEL32(?,01193492,?,011D5850,0000000C,01193544,?,?,?), ref: 011935C4
__dosmaperr.LIBCMT ref: 011935EF

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: b493794206e49e6ebe47906a2c9cf8c4f8e961e31c1ee97c37cad17ea7d91486
Instruction ID: a8b6704200f7b062496a82daaaa1c0f2312b75246fc620864eabf9acf3e08167
Opcode Fuzzy Hash: b493794206e49e6ebe47906a2c9cf8c4f8e961e31c1ee97c37cad17ea7d91486
Instruction Fuzzy Hash: 5D012F326201201AEF3D6238684477E7B459F8B638F550259F93A871D2DB20C4C18691

Uniqueness

Uniqueness Score: -1.00%

Function 01196416, Relevance: 4.5, APIs: 3, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E01196416(void* __ecx, void* __eflags, signed int _a4, union _LARGE_INTEGER _a8, union _LARGE_INTEGER* _a12, intOrPtr _a16) {
				signed int _v8;
				void* _v12;
				void* _t15;
				int _t16;
				signed int _t19;
				intOrPtr _t28;
				signed int _t32;
				signed int _t33;
				signed int _t36;
				signed int _t39;

				_t36 = _a4;
				_push(_t32);
				_t15 = E011979DC(_t36);
				_t33 = _t32 | 0xffffffff;
				_t41 = _t15 - _t33;
				if(_t15 != _t33) {
					_push(_a16);
					_t16 = SetFilePointerEx(_t15, _a8, _a12,  &_v12); // executed
					__eflags = _t16;
					if(_t16 != 0) {
						__eflags = (_v12 & _v8) - _t33;
						if((_v12 & _v8) == _t33) {
							goto L2;
						} else {
							_t19 = _v12;
							_t39 = (_t36 & 0x0000003f) * 0x38;
							_t28 =  *((intOrPtr*)(0x11fa288 + (_t36 >> 6) * 4));
							_t11 = _t28 + _t39 + 0x28;
							 *_t11 =  *(_t28 + _t39 + 0x28) & 0x000000fd;
							__eflags =  *_t11;
						}
					} else {
						E01186140(GetLastError());
						goto L2;
					}
				} else {
					 *((intOrPtr*)(E01186176(_t41))) = 9;
					L2:
					_t19 = _t33;
				}
				return _t19;
			}

0x0119641e
0x01196421
0x01196423
0x01196428
0x0119642c
0x0119642e
0x01196441
0x0119644f
0x01196455
0x01196457
0x01196470
0x01196472
0x00000000
0x01196474
0x01196474
0x0119647f
0x01196482
0x01196489
0x01196489
0x01196489
0x01196489
0x01196459
0x01196460
0x00000000
0x01196465
0x01196430
0x01196435
0x0119643b
0x0119643b
0x0119643d
0x01196491

APIs

SetFilePointerEx.KERNELBASE(00000000,0000000C,00000002,00000000,00000000,0000000C,00000000,?,?,?,011964C3,00000000,0000000C,00000002,00000000), ref: 0119644F
GetLastError.KERNEL32(?,011964C3,00000000,0000000C,00000002,00000000,?,011932F2,00000000,00000000,00000000,00000002,0000000C,00000000,00000000), ref: 01196459
__dosmaperr.LIBCMT ref: 01196460

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 5e20d0ba7ba321aac31b257586ae52118ec0b1df44881f8f78e0b72e46903db3
Instruction ID: 1d6f51c4284c7cf24b10a1acabebf593c2b910fb5749bfd84614c57b55a5e1ea
Opcode Fuzzy Hash: 5e20d0ba7ba321aac31b257586ae52118ec0b1df44881f8f78e0b72e46903db3
Instruction Fuzzy Hash: 7701D432610515AFCF1D9FA9DC45DAE3B2AEFC5221B644219F8219B281EB70D942CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01192E81, Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E01192E81(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, intOrPtr _a16) {
				signed int _v8;
				char _v9;
				void _v5128;
				long _v5132;
				intOrPtr _v5136;
				signed int _t28;
				int _t40;
				long _t42;
				char _t43;
				intOrPtr* _t46;
				intOrPtr* _t51;
				intOrPtr _t55;
				void* _t59;
				char* _t62;
				long _t63;
				signed int _t64;

				E0115F450();
				_t28 =  *0x11d8098; // 0xa9f5dfda
				_v8 = _t28 ^ _t64;
				_t48 = _a8;
				_t46 = _a4;
				_t51 = _a12;
				_t55 = _a16 + _t51;
				_v5132 =  *((intOrPtr*)( *((intOrPtr*)(0x11fa288 + (_a8 >> 6) * 4)) + 0x18 + (_t48 & 0x0000003f) * 0x38));
				asm("stosd");
				_v5136 = _t55;
				asm("stosd");
				asm("stosd");
				if(_t51 < _t55) {
					_t59 = _v5132;
					do {
						_t62 =  &_v5128;
						while(_t51 < _t55) {
							_t43 =  *_t51;
							_t51 = _t51 + 1;
							if(_t43 == 0xa) {
								 *((intOrPtr*)(_t46 + 8)) =  *((intOrPtr*)(_t46 + 8)) + 1;
								 *_t62 = 0xd;
								_t62 = _t62 + 1;
							}
							 *_t62 = _t43;
							_t62 = _t62 + 1;
							if(_t62 <  &_v9) {
								continue;
							}
							break;
						}
						_a12 = _t51;
						_t63 = _t62 -  &_v5128;
						_t40 = WriteFile(_t59,  &_v5128, _t63,  &_v5132, 0); // executed
						if(_t40 == 0) {
							 *_t46 = GetLastError();
						} else {
							_t42 = _v5132;
							 *((intOrPtr*)(_t46 + 4)) =  *((intOrPtr*)(_t46 + 4)) + _t42;
							if(_t42 >= _t63) {
								goto L9;
							}
						}
						goto L12;
						L9:
						_t51 = _a12;
						_t55 = _v5136;
					} while (_t51 < _t55);
				}
				L12:
				return E0115E184(_v8 ^ _t64);
			}

0x01192e8b
0x01192e90
0x01192e97
0x01192e9a
0x01192eac
0x01192ebe
0x01192ec1
0x01192ec3
0x01192ecb
0x01192ecc
0x01192ed2
0x01192ed3
0x01192ed6
0x01192ed8
0x01192ede
0x01192ede
0x01192ee4
0x01192ee8
0x01192eea
0x01192eed
0x01192eef
0x01192ef2
0x01192ef5
0x01192ef5
0x01192ef6
0x01192ef8
0x01192efe
0x00000000
0x00000000
0x00000000
0x01192efe
0x01192f06
0x01192f09
0x01192f1d
0x01192f25
0x01192f49
0x01192f27
0x01192f27
0x01192f2d
0x01192f32
0x00000000
0x00000000
0x01192f32
0x00000000
0x01192f34
0x01192f34
0x01192f37
0x01192f3d
0x01192f41
0x01192f4b
0x01192f5b

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,00000000,?,0119339E,?,00000000,00000000,?,0000000C,00000000), ref: 01192F1D
GetLastError.KERNEL32(?,0119339E,?,00000000,00000000,?,0000000C,00000000,00000000,?,?,?,00000000,?,?,?), ref: 01192F43

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: d6b0c9ea6ad3be2d03ca225ec74edf98bc64515629f7d513b6ec24d4133f8e74
Instruction ID: d9e64cf1dc39793cca45941efdf79e606903c44f6e697305e2568a9da3777c85
Opcode Fuzzy Hash: d6b0c9ea6ad3be2d03ca225ec74edf98bc64515629f7d513b6ec24d4133f8e74
Instruction Fuzzy Hash: 16219135A00219ABCF1DCF29DC909E9B7B9EB49315F1440A9EA1AD7211D730DE868B61

Uniqueness

Uniqueness Score: -1.00%

Function 0111C7AF, Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0111C7AF(void* __ebx, intOrPtr* __ecx, intOrPtr* __edx, void* __edi, void* __eflags) {
				intOrPtr _t54;
				intOrPtr _t56;
				intOrPtr _t57;
				intOrPtr _t59;
				void* _t64;
				intOrPtr _t66;
				intOrPtr _t74;
				void* _t77;
				intOrPtr _t78;
				void* _t81;
				intOrPtr _t83;
				intOrPtr _t84;
				intOrPtr* _t85;
				intOrPtr* _t86;
				intOrPtr _t87;
				intOrPtr _t89;
				intOrPtr* _t98;
				intOrPtr _t99;
				signed int _t100;
				intOrPtr* _t102;
				void* _t104;
				intOrPtr _t108;
				intOrPtr _t110;

				_t98 = __edx;
				_t85 = __ecx;
				_push(0x24);
				E0115ECE8(0x11a5f46, __ebx, __edi);
				 *((intOrPtr*)(_t104 - 0x20)) = _t98;
				_t102 = _t85;
				 *((intOrPtr*)(_t104 - 0x1c)) = _t102;
				_t86 = _t98;
				_t99 = _t86 + 1;
				do {
					_t54 =  *_t86;
					_t86 = _t86 + 1;
				} while (_t54 != 0);
				_t87 = _t86 - _t99;
				 *((intOrPtr*)(_t104 - 0x18)) = _t87;
				_t56 =  *((intOrPtr*)( *_t102 + 4));
				_t83 =  *((intOrPtr*)(_t56 + _t102 + 0x20));
				_t57 =  *((intOrPtr*)(_t56 + _t102 + 0x24));
				_t108 = _t57;
				if(_t108 < 0) {
					L9:
					asm("xorps xmm0, xmm0");
					asm("movlpd [ebp-0x30], xmm0");
					_t57 =  *((intOrPtr*)(_t104 - 0x2c));
					_t84 =  *((intOrPtr*)(_t104 - 0x30));
				} else {
					if(_t108 > 0) {
						L8:
						_t84 = _t83 - _t87;
						asm("sbb eax, esi");
					} else {
						if(_t83 <= 0) {
							goto L9;
						} else {
							_t110 = _t57;
							if(_t110 < 0) {
								goto L9;
							} else {
								if(_t110 > 0) {
									goto L8;
								} else {
									_t111 = _t83 - _t87;
									if(_t83 <= _t87) {
										goto L9;
									} else {
										goto L8;
									}
								}
							}
						}
					}
				}
				_push(_t102);
				 *((intOrPtr*)(_t104 - 0x14)) = _t57;
				E0111ADA4(_t84, _t104 - 0x30, _t99, _t102, _t111);
				 *((intOrPtr*)(_t104 - 4)) = 0;
				if( *((char*)(_t104 - 0x2c)) != 0) {
					 *((char*)(_t104 - 4)) = 1;
					_t89 =  *_t102;
					_t59 =  *((intOrPtr*)(_t89 + 4));
					__eflags = ( *(_t59 + _t102 + 0x14) & 0x000001c0) - 0x40;
					if(( *(_t59 + _t102 + 0x14) & 0x000001c0) == 0x40) {
						L20:
						_t64 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t89 + 4)) + _t102 + 0x38)))) + 0x24))( *((intOrPtr*)(_t104 - 0x20)),  *((intOrPtr*)(_t104 - 0x18)), 0);
						__eflags = _t64 -  *((intOrPtr*)(_t104 - 0x18));
						if(_t64 !=  *((intOrPtr*)(_t104 - 0x18))) {
							goto L27;
						} else {
							__eflags = _t99;
							if(_t99 != 0) {
								goto L27;
							} else {
								_t74 =  *((intOrPtr*)(_t104 - 0x14));
								while(1) {
									__eflags = _t74;
									if(__eflags < 0) {
										break;
									}
									if(__eflags > 0) {
										L26:
										_t77 = E0111C693( *((intOrPtr*)( *((intOrPtr*)( *_t102 + 4)) + _t102 + 0x38)),  *( *((intOrPtr*)( *_t102 + 4)) + _t102 + 0x40) & 0x000000ff);
										__eflags = _t77 - 0xffffffff;
										if(_t77 != 0xffffffff) {
											_t74 =  *((intOrPtr*)(_t104 - 0x14));
											_t84 = _t84 + 0xffffffff;
											asm("adc eax, 0xffffffff");
											 *((intOrPtr*)(_t104 - 0x14)) = _t74;
											continue;
										} else {
											goto L27;
										}
									} else {
										__eflags = _t84;
										if(_t84 <= 0) {
											break;
										} else {
											goto L26;
										}
									}
									goto L30;
								}
								_t100 = 0;
							}
						}
					} else {
						_t78 =  *((intOrPtr*)(_t104 - 0x14));
						while(1) {
							__eflags = _t78;
							if(__eflags < 0) {
								break;
							}
							if(__eflags > 0) {
								L17:
								_t81 = E0111C693( *((intOrPtr*)( *((intOrPtr*)( *_t102 + 4)) + _t102 + 0x38)),  *( *((intOrPtr*)( *_t102 + 4)) + _t102 + 0x40) & 0x000000ff);
								__eflags = _t81 - 0xffffffff;
								if(_t81 == 0xffffffff) {
									L27:
									_t100 = 4;
								} else {
									_t78 =  *((intOrPtr*)(_t104 - 0x14));
									_t84 = _t84 + 0xffffffff;
									asm("adc eax, 0xffffffff");
									 *((intOrPtr*)(_t104 - 0x14)) = _t78;
									continue;
								}
							} else {
								__eflags = _t84;
								if(_t84 <= 0) {
									break;
								} else {
									goto L17;
								}
							}
							goto L30;
						}
						_t89 =  *_t102;
						goto L20;
					}
					L30:
					_t66 =  *((intOrPtr*)( *_t102 + 4));
					 *((intOrPtr*)(_t66 + _t102 + 0x20)) = 0;
					 *((intOrPtr*)(_t66 + _t102 + 0x24)) = 0;
					 *((intOrPtr*)(_t104 - 4)) = 0;
				} else {
					_t100 = 4;
				}
				E0111B30A( *((intOrPtr*)( *_t102 + 4)) + _t102,  *( *((intOrPtr*)( *_t102 + 4)) + _t102 + 0xc) | _t100, 0);
				E0111AD54(_t84, _t102,  *( *((intOrPtr*)( *_t102 + 4)) + _t102 + 0xc) | _t100);
				return E0115EC46(_t102);
			}

0x0111c7af
0x0111c7af
0x0111c7af
0x0111c7b6
0x0111c7bb
0x0111c7be
0x0111c7c0
0x0111c7c3
0x0111c7c7
0x0111c7ca
0x0111c7ca
0x0111c7cc
0x0111c7cd
0x0111c7d3
0x0111c7d5
0x0111c7d8
0x0111c7db
0x0111c7df
0x0111c7e3
0x0111c7e5
0x0111c7fd
0x0111c7fd
0x0111c800
0x0111c805
0x0111c808
0x0111c7e7
0x0111c7e7
0x0111c7f7
0x0111c7f7
0x0111c7f9
0x0111c7e9
0x0111c7eb
0x00000000
0x0111c7ed
0x0111c7ed
0x0111c7ef
0x00000000
0x0111c7f1
0x0111c7f1
0x00000000
0x0111c7f3
0x0111c7f3
0x0111c7f5
0x00000000
0x00000000
0x00000000
0x00000000
0x0111c7f5
0x0111c7f1
0x0111c7ef
0x0111c7eb
0x0111c7e7
0x0111c80b
0x0111c80f
0x0111c812
0x0111c817
0x0111c81e
0x0111c828
0x0111c82c
0x0111c82e
0x0111c83a
0x0111c83d
0x0111c875
0x0111c885
0x0111c888
0x0111c88b
0x00000000
0x0111c88d
0x0111c88d
0x0111c88f
0x00000000
0x0111c891
0x0111c891
0x0111c894
0x0111c894
0x0111c896
0x00000000
0x00000000
0x0111c898
0x0111c89e
0x0111c8ad
0x0111c8b2
0x0111c8b5
0x0111c8bc
0x0111c8bf
0x0111c8c2
0x0111c8c5
0x00000000
0x00000000
0x00000000
0x00000000
0x0111c89a
0x0111c89a
0x0111c89c
0x00000000
0x00000000
0x00000000
0x00000000
0x0111c89c
0x00000000
0x0111c898
0x0111c8ca
0x0111c8ca
0x0111c88f
0x0111c83f
0x0111c83f
0x0111c842
0x0111c842
0x0111c844
0x00000000
0x00000000
0x0111c846
0x0111c84c
0x0111c85b
0x0111c860
0x0111c863
0x0111c8b7
0x0111c8b9
0x0111c865
0x0111c865
0x0111c868
0x0111c86b
0x0111c86e
0x00000000
0x0111c86e
0x0111c848
0x0111c848
0x0111c84a
0x00000000
0x00000000
0x00000000
0x00000000
0x0111c84a
0x00000000
0x0111c846
0x0111c873
0x00000000
0x0111c873
0x0111c8cc
0x0111c8ce
0x0111c8d1
0x0111c8d5
0x0111c900
0x0111c820
0x0111c822
0x0111c822
0x0111c911
0x0111c919
0x0111c925

APIs

__EH_prolog3_catch.LIBCMT ref: 0111C7B6

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog3_catch
String ID:
API String ID: 3886170330-0
Opcode ID: 48efe63e1f93e067db6c47820a68df9d24cc336bc2bc4006b34e4e1af0c05809
Instruction ID: bd8b19942f2ff4768a577f9f50fb687de0076a386907ddec1ee0a7b038b21fb4
Opcode Fuzzy Hash: 48efe63e1f93e067db6c47820a68df9d24cc336bc2bc4006b34e4e1af0c05809
Instruction Fuzzy Hash: 4841A131A446069FCB29CF6CC9C0AACFBF1BF48724B244269E921AB795D770D941CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 01186F1B, Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E01186F1B(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v16;
				char _v20;
				signed int _t23;
				void* _t27;
				void* _t28;
				intOrPtr _t29;
				void* _t39;
				signed int _t41;
				signed int _t45;
				void* _t51;
				void* _t76;
				signed int _t81;

				_t23 =  *0x11d8098; // 0xa9f5dfda
				_v8 = _t23 ^ _t81;
				_t73 = _a8;
				if(( *(_a8 + 0xc) >> 0x0000000c & 0x00000001) == 0) {
					_t27 = E01191BF6(_t73);
					_t51 = 0x11d82b0;
					if(_t27 == 0xffffffff || E01191BF6(_t73) == 0xfffffffe) {
						_t28 = _t51;
					} else {
						_t45 = E01191BF6(_t73);
						_t28 =  *((intOrPtr*)(0x11fa288 + (_t45 >> 6) * 4)) + (E01191BF6(_t73) & 0x0000003f) * 0x38;
					}
					_t9 = _t28 + 0x29; // 0xa0a0a00
					_t29 =  *_t9;
					if(_t29 == 2 || _t29 == 1) {
						L18:
						E01186EEB(_a4, _t73);
					} else {
						if(E01191BF6(_t73) != 0xffffffff && E01191BF6(_t73) != 0xfffffffe) {
							_t41 = E01191BF6(_t73);
							_t51 =  *((intOrPtr*)(0x11fa288 + (_t41 >> 6) * 4)) + (E01191BF6(_t73) & 0x0000003f) * 0x38;
						}
						if( *((char*)(_t51 + 0x28)) >= 0) {
							goto L18;
						} else {
							if(E01190C69( &_v20,  &_v16, 5, _a4) != 0) {
								L17:
							} else {
								_t76 = 0;
								if(_v20 > 0) {
									while(1) {
										_t39 = E01182917( *((char*)(_t81 + _t76 - 0xc)), _t73); // executed
										if(_t39 == 0xffffffff) {
											goto L17;
										}
										_t76 = _t76 + 1;
										if(_t76 < _v20) {
											continue;
										} else {
											goto L16;
										}
										goto L19;
									}
									goto L17;
								}
							}
						}
					}
					L19:
				} else {
					E01186EEB(_a4, _t73);
				}
				return E0115E184(_v8 ^ _t81);
			}

0x01186f23
0x01186f2a
0x01186f2e
0x01186f3a
0x01186f4f
0x01186f54
0x01186f5d
0x01186f8f
0x01186f6b
0x01186f6c
0x01186f8b
0x01186f8b
0x01186f91
0x01186f91
0x01186f96
0x0118702a
0x0118702e
0x01186fa4
0x01186fae
0x01186fbd
0x01186fdc
0x01186fdc
0x01186fe2
0x00000000
0x01186fe4
0x01186ffb
0x01187023
0x01186ffd
0x01186ffd
0x01187002
0x01187004
0x0118700b
0x01187015
0x00000000
0x00000000
0x01187017
0x0118701b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0118701b
0x00000000
0x01187004
0x01187002
0x01186ffb
0x01186fe2
0x01187035
0x01186f3c
0x01186f40
0x01186f46
0x01187043

APIs

__cftof.LIBCMT ref: 01186FF1

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __cftof
String ID:
API String ID: 1622813385-0
Opcode ID: 56b31c16886fb220aadfa6ba2a98194368d53e541d4489b264666a51299f8159
Instruction ID: 31447743960c1354bd35ca4f02ae193477fa60b2738fdb6188dcd55eea3a7b8a
Opcode Fuzzy Hash: 56b31c16886fb220aadfa6ba2a98194368d53e541d4489b264666a51299f8159
Instruction Fuzzy Hash: BC3159325040166ADB2DBB3C9C4087F77799F56A74764821AFD359A2D0FF31D483CA51

Uniqueness

Uniqueness Score: -1.00%

Function 0118DABB, Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0118DB6E

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1343ecb7f937db7d081a8f531f55bf5420087db9566dd5aab5d5bbeee9164961
Instruction ID: c416a1da7c45059143d2e571349930698f523ea1ee3c5ea55a05ea598dc9676f
Opcode Fuzzy Hash: 1343ecb7f937db7d081a8f531f55bf5420087db9566dd5aab5d5bbeee9164961
Instruction Fuzzy Hash: 47314D76A007159F8B18EFADD48085DBBB1FF8A3207268565D529EB3A4D330AC45CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0118FE0A, Relevance: 1.6, APIs: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0118FE0A(signed int _a4, CHAR* _a8, intOrPtr _a12, intOrPtr _a16) {
				struct HINSTANCE__* _t11;
				_Unknown_base(*)()* _t14;
				signed int* _t20;
				signed int _t22;
				signed int _t28;
				signed int _t29;
				signed int _t30;
				signed int _t31;
				_Unknown_base(*)()* _t36;

				_t20 = 0x11fa1f8 + _a4 * 4;
				_t28 =  *0x11d8098; // 0xa9f5dfda
				_t31 = _t30 | 0xffffffff;
				_t29 = _t28 ^  *_t20;
				_t22 = _t28 & 0x0000001f;
				asm("ror edx, cl");
				if(_t29 != _t31) {
					if(_t29 == 0) {
						_t11 = E0118FD43(_t22, _a12, _a16); // executed
						if(_t11 == 0) {
							L7:
							_push(0x20);
							asm("ror edi, cl");
							 *_t20 = _t31 ^  *0x11d8098;
							_t14 = 0;
							L8:
							return _t14;
						}
						_t36 = GetProcAddress(_t11, _a8);
						if(_t36 == 0) {
							goto L7;
						}
						 *_t20 = E0118426F(_t36);
						_t14 = _t36;
						goto L8;
					}
					return _t29;
				}
				return 0;
			}

0x0118fe14
0x0118fe1e
0x0118fe24
0x0118fe29
0x0118fe2b
0x0118fe2e
0x0118fe32
0x0118fe3a
0x0118fe47
0x0118fe50
0x0118fe6f
0x0118fe74
0x0118fe7c
0x0118fe84
0x0118fe86
0x0118fe88
0x00000000
0x0118fe88
0x0118fe5c
0x0118fe60
0x00000000
0x00000000
0x0118fe69
0x0118fe6b
0x00000000
0x0118fe6b
0x00000000
0x0118fe3c
0x00000000

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38a86a46ca3e9cc09af509a54afd96f436a7e5311a02ee9ab00f3c57d57af47d
Instruction ID: d0c7acc8f1527c5f960b8572fcc36ed87e049bc99fde92d0a3007098512a74d5
Opcode Fuzzy Hash: 38a86a46ca3e9cc09af509a54afd96f436a7e5311a02ee9ab00f3c57d57af47d
Instruction Fuzzy Hash: 0C01F9336111235B9F2EBD7DEC4095A3796ABC4A20716C130FA14CB189DB30D4838B90

Uniqueness

Uniqueness Score: -1.00%

Function 01182D9D, Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E01182D9D(void* __ecx, intOrPtr _a4) {
				signed char _t10;
				signed int _t16;
				signed int _t24;
				signed int _t25;
				intOrPtr _t27;

				_t27 = _a4;
				_t30 = _t27;
				if(_t27 == 0) {
					 *((intOrPtr*)(E01186176(_t30))) = 0x16;
					return E011828B6() | 0xffffffff;
				}
				_push(_t24);
				_t25 = _t24 | 0xffffffff;
				_t10 =  *(_t27 + 0xc) >> 0xd;
				__eflags = _t10 & 0x00000001;
				if((_t10 & 0x00000001) != 0) {
					_t25 = E01182C92(_t27);
					E011906DA(_t27);
					_t16 = E011934D7(E01191BF6(_t27)); // executed
					__eflags = _t16;
					if(_t16 >= 0) {
						__eflags =  *(_t27 + 0x1c);
						if( *(_t27 + 0x1c) != 0) {
							E0118FAFF( *(_t27 + 0x1c));
							_t7 = _t27 + 0x1c;
							 *_t7 =  *(_t27 + 0x1c) & 0x00000000;
							__eflags =  *_t7;
						}
					} else {
						_t25 = _t25 | 0xffffffff;
					}
				}
				E01193669(_t27);
				return _t25;
			}

0x01182da3
0x01182da6
0x01182da8
0x01182daf
0x00000000
0x01182dba
0x01182dc2
0x01182dc3
0x01182dc7
0x01182dca
0x01182dcc
0x01182dd5
0x01182dd7
0x01182de3
0x01182deb
0x01182ded
0x01182df4
0x01182df8
0x01182dfd
0x01182e02
0x01182e02
0x01182e02
0x01182e06
0x01182def
0x01182def
0x01182def
0x01182ded
0x01182e08
0x00000000

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ef0b53efb16d2ff8c584fd411319f08a878ac1c6a53f3e10fa9c1dd8d52cab5
Instruction ID: 1d4cfeceb236c1d1d1a9a7387d8d2646c8e857d47fe8a4c4d6c23ae12066fa49
Opcode Fuzzy Hash: 7ef0b53efb16d2ff8c584fd411319f08a878ac1c6a53f3e10fa9c1dd8d52cab5
Instruction Fuzzy Hash: CBF0F9326006212BDB2F3A79DC00AAA3A98AF62378F118315E975971D0DB74D502CDD5

Uniqueness

Uniqueness Score: -1.00%

Function 0118FAA2, Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E0118FAA2(void* __ecx, signed int _a4, signed int _a8) {
				void* _t8;
				void* _t12;
				signed int _t13;
				void* _t15;
				signed int _t18;
				long _t19;

				_t15 = __ecx;
				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x11fa59c, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E0118F70F();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E01186176(__eflags))) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E0118CF1F(_t15, __eflags, _t19);
						_pop(_t15);
						__eflags = _t12;
						if(__eflags == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x0118faa2
0x0118faa8
0x0118faad
0x0118fabb
0x0118fabb
0x0118fac1
0x0118fac3
0x0118fac3
0x0118fada
0x0118fae3
0x0118faeb
0x00000000
0x00000000
0x0118facb
0x0118facd
0x0118faef
0x0118faf4
0x0118fafa
0x00000000
0x0118fafa
0x0118fad0
0x0118fad5
0x0118fad6
0x0118fad8
0x00000000
0x00000000
0x0118fad8
0x00000000
0x0118fada
0x0118fab3
0x0118fab9
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,01191166,00000001,00000364,00000006,000000FF,?,?,?,0118617B,01181C10), ref: 0118FAE3

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7295ce914d5e4574cb214302a377323e5b1147dca9f4492e5b29b8a88107204e
Instruction ID: 75ed8412fcc066531419365d97c781ae3abf42755eb6dd5e3fc22d4677801def
Opcode Fuzzy Hash: 7295ce914d5e4574cb214302a377323e5b1147dca9f4492e5b29b8a88107204e
Instruction Fuzzy Hash: DDF0B4312045276BAB2DBE26D804B5BBB58DF817B0B15C022E908DA184DB20D8028EE1

Uniqueness

Uniqueness Score: -1.00%

Function 01190910, Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E01190910(void* __ecx, long _a4) {
				void* _t4;
				void* _t6;
				void* _t7;
				long _t8;

				_t7 = __ecx;
				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E01186176(__eflags))) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x11fa59c, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E0118F70F();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E0118CF1F(_t7, __eflags, _t8);
					_pop(_t7);
					__eflags = _t6;
					if(__eflags == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x01190910
0x01190916
0x0119091c
0x0119094e
0x01190953
0x01190959
0x00000000
0x01190959
0x01190920
0x01190922
0x01190922
0x01190939
0x01190942
0x0119094a
0x00000000
0x00000000
0x0119092a
0x0119092c
0x00000000
0x00000000
0x0119092f
0x01190934
0x01190935
0x01190937
0x00000000
0x00000000
0x01190937
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,01191CA4,00001000,?,?,?,?,0117F057), ref: 01190942

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 83478f70079c3e735f9e96c627fb6bac78882d5378ea146afb12badfa6144b08
Instruction ID: 6f1d8b28b7bdcc2728692bdf4758647bd2445eaee220696bff13851543cb3988
Opcode Fuzzy Hash: 83478f70079c3e735f9e96c627fb6bac78882d5378ea146afb12badfa6144b08
Instruction Fuzzy Hash: 0CE065312046269AFF3E3A6D5D04B5A7A9D9F4A6B0F164121FD3D96190FB60C8408AE1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 011164EC, Relevance: 28.3, APIs: 6, Strings: 10, Instructions: 281
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E011164EC(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v13;
				void* __ebp;
				signed int _t52;
				void* _t54;
				intOrPtr _t56;
				intOrPtr* _t57;
				void* _t58;
				intOrPtr _t60;
				intOrPtr* _t61;
				signed char _t63;
				int _t64;
				signed int _t67;
				signed int _t68;
				signed int _t70;
				void* _t76;
				unsigned char _t79;
				_Unknown_base(*)()* _t83;
				intOrPtr _t86;
				signed char _t92;
				void* _t94;
				void* _t98;
				void* _t102;
				signed char _t118;
				signed char _t119;
				signed char _t121;
				signed int _t122;
				signed char _t123;
				signed char _t125;
				signed char _t126;
				signed char _t127;
				void* _t128;
				void* _t130;
				signed int _t133;
				signed char _t134;
				void* _t148;
				void* _t149;
				signed char _t150;
				void* _t151;
				signed char _t152;
				signed int _t162;
				signed int _t165;
				void* _t168;
				void* _t197;
				void* _t200;
				void* _t201;
				signed int _t205;
				signed int _t209;
				signed int _t218;
				signed int _t232;

				_t201 = __esi;
				_t197 = __edi;
				_t52 =  *0x11d8098; // 0xa9f5dfda
				_v8 = _t52 ^ _t218;
				_t118 = 0;
				_push(0);
				_t128 = 6;
				_t54 = E011113E1(0, _t128, 0, __edi, __esi);
				_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				if(_t54 == 0) {
					_t57 = _t56 + 0xc;
					__eflags = _t57;
				} else {
					_t57 = _t56 + 0x40;
				}
				_t221 =  *_t57 - 2;
				_push(_t201);
				_push(_t197);
				if( *_t57 <= 2) {
					_v12 = _t118;
				} else {
					E0111CC91(0x11f93d0, E0111C7AF(_t118, 0x11f93d0, "HeapFlags", 0x11f93d0, _t221));
					_v12 = 1;
				}
				_push(_t118);
				_t130 = 6;
				_t58 = E011113E1(_t118, _t130, 0, 0x11f93d0, _t201);
				_t60 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				if(_t58 == 0) {
					_t61 = _t60 + 0x10;
					__eflags = _t61;
				} else {
					_t61 = _t60 + 0x44;
				}
				_t223 =  *_t61 - _t118;
				if( *_t61 <= _t118) {
					_t133 = 1;
					__eflags = 1;
				} else {
					E0111CC91(0x11f93d0, E0111C7AF(_t118, 0x11f93d0, "HeapForceFlags", 0x11f93d0, _t223));
					_t133 = 1;
					_t118 = 1;
				}
				_t119 = _t118 | _v12;
				_t63 =  *((intOrPtr*)( *[fs:0x30] + 2));
				_v13 = _t63;
				_t224 = _t63 - _t133;
				if(_t63 == _t133) {
					E0111CC91(0x11f93d0, E0111C7AF(_t119, 0x11f93d0, "IsDebuggerPresentPEB", 0x11f93d0, _t224));
					_t63 = _v13;
					_t133 = 1;
				}
				_t121 =  ==  ? _t133 : _t119 & 0x000000ff;
				_t64 = IsDebuggerPresent();
				_t134 = _t133 & 0xffffff00 | _t64 != 0x00000000;
				_v13 = _t134;
				_t228 = _t64;
				if(_t64 != 0) {
					E0111CC91(0x11f93d0, E0111C7AF(_t121, 0x11f93d0, "IsDebuggerPresentAPI", 0x11f93d0, _t228));
					_t134 = _v13;
				}
				_v12 = _v12 & 0x00000000;
				_t122 = _t121 | _t134;
				__imp__CheckRemoteDebuggerPresent(GetCurrentProcess(),  &_v12);
				_t67 = _v12;
				_v13 = _t67 != 0;
				_t230 = _t67;
				if(_t67 != 0) {
					E0111CC91(0x11f93d0, E0111C7AF(_t122, 0x11f93d0, "CheckRemoteDebuggerPresentAPI", 0x11f93d0, _t230));
				}
				_t68 = E011406E7();
				_t205 = E011406E7() | 0 | (_t68 | _v13 & 0x000000ff | _t122 & 0x000000ff) != 0x00000000;
				_t70 = E01140771(_t122, 0x11f93d0, _t205, _t68 | _v13 & 0x000000ff | _t122 & 0x000000ff);
				_t232 = _t205;
				_t209 = E01140823(_t122, 0 | _t232 != 0x00000000, _v13 & 0x000000ff | _t122 & 0x000000ff, 0x11f93d0, _t232) | 0 | (_t70 | 0 | _t232 != 0x00000000) != 0x00000000;
				_t211 = E01140994(_t122, 0x11f93d0, _t209) | _t209 != 0x00000000;
				E01140BDB(_t122, 0x11f93d0, E01140A62(_t122, 0x11f93d0, E01140994(_t122, 0x11f93d0, _t209) | _t209 != 0x00000000) | 0 | _t211 != 0x00000000);
				_t148 = 0x18;
				if(E01112491(_t148) == 0) {
					_t123 = 0;
					__eflags = 0;
				} else {
					_t168 = 0x18;
					_t102 =  *((intOrPtr*)(E011124C9(_t168)))();
					_t123 = _t122 & 0xffffff00 | _t102 != 0x00000000;
					_t239 = _t102;
					if(_t102 != 0) {
						E0111CC91(0x11f93d0, E0111C7AF(_t123, 0x11f93d0, "IsAnyDebuggerPresent", 0x11f93d0, _t239));
					}
				}
				_t76 = 1;
				_t149 = 0x19;
				_t125 =  !=  ? _t76 : _t123 & 0x000000ff;
				if(E01112491(_t149) == 0) {
					_t150 = 0;
					__eflags = 0;
				} else {
					_t165 = 0x19;
					_t98 =  *((intOrPtr*)(E011124C9(_t165)))();
					_t150 = _t165 & 0xffffff00 | _t98 != 0x00000000;
					_v13 = _t150;
					_t243 = _t98;
					if(_t98 != 0) {
						E0111CC91(0x11f93d0, E0111C7AF(_t125, 0x11f93d0, "IsKernelDebuggerPresent", 0x11f93d0, _t243));
						_t150 = _v13;
					}
				}
				_t126 = _t125 | _t150;
				_t151 = 0x1a;
				if(E01112491(_t151) == 0) {
					_t152 = 0;
					__eflags = 0;
				} else {
					_t162 = 0x1a;
					_t94 =  *((intOrPtr*)(E011124C9(_t162)))();
					_t152 = _t162 & 0xffffff00 | _t94 != 0x00000000;
					_v13 = _t152;
					_t246 = _t94;
					if(_t94 != 0) {
						E0111CC91(0x11f93d0, E0111C7AF(_t126, 0x11f93d0, "IsUserDebuggerPresent", 0x11f93d0, _t246));
						_t152 = _v13;
					}
				}
				_t79 =  *0x7ffe02d4;
				_t127 = _t126 | _t152;
				if((1 & _t79) != 0) {
					L32:
					E0111CC91(0x11f93d0, E0111C7AF(_t127, 0x11f93d0, "SharedUserDataKernelDebugger", 0x11f93d0, _t248));
					_pop(1);
					_t127 = 1;
					goto L33;
				} else {
					_t92 =  !(_t79 >> 1);
					_t248 = 1 & _t92;
					if((1 & _t92) != 0) {
						L33:
						_t83 = SetUnhandledExceptionFilter(0x1140cdc);
						RaiseException(0xc000008e, 0, 0, 0);
						SetUnhandledExceptionFilter(_t83);
						_t86 =  *0x11dd464; // 0x1
						_pop(_t200);
						_v13 = 0 | _t86 != 0x00000000;
						_t251 = _t86;
						if(_t86 != 0) {
							E0111CC91(0x11f93d0, E0111C7AF(_t127, 0x11f93d0, "UnhandledExcepFilterTest", _t200, _t251));
						}
						return E0115E184(_v8 ^ _t218);
					}
					goto L32;
				}
			}

0x011164ec
0x011164ec
0x011164f2
0x011164f9
0x011164fd
0x01116501
0x01116504
0x01116505
0x01116513
0x01116516
0x0111651d
0x0111651d
0x01116518
0x01116518
0x01116518
0x01116520
0x01116523
0x01116524
0x0111652a
0x01116547
0x0111652c
0x01116539
0x01116542
0x01116542
0x0111654a
0x0111654f
0x01116550
0x0111655e
0x01116561
0x01116568
0x01116568
0x01116563
0x01116563
0x01116563
0x0111656b
0x0111656d
0x0111658b
0x0111658b
0x0111656f
0x0111657c
0x01116584
0x01116585
0x01116585
0x01116592
0x01116595
0x01116598
0x0111659b
0x0111659d
0x011165ac
0x011165b1
0x011165b7
0x011165b7
0x011165bd
0x011165c0
0x011165c8
0x011165cb
0x011165ce
0x011165d0
0x011165df
0x011165e5
0x011165e5
0x011165e8
0x011165f0
0x011165f9
0x011165ff
0x01116604
0x01116608
0x0111660a
0x01116619
0x0111661e
0x0111661f
0x0111663f
0x01116641
0x01116648
0x0111665f
0x0111666f
0x01116681
0x01116693
0x0111669b
0x011166c5
0x011166c5
0x0111669d
0x0111669f
0x011166a5
0x011166a9
0x011166ac
0x011166ae
0x011166bd
0x011166c2
0x011166ae
0x011166c9
0x011166d1
0x011166d2
0x011166dc
0x0111670c
0x0111670c
0x011166de
0x011166e0
0x011166e6
0x011166ea
0x011166ed
0x011166f0
0x011166f2
0x01116701
0x01116707
0x01116707
0x011166f2
0x0111670e
0x01116712
0x0111671a
0x0111674a
0x0111674a
0x0111671c
0x0111671e
0x01116724
0x01116728
0x0111672b
0x0111672e
0x01116730
0x0111673f
0x01116745
0x01116745
0x01116730
0x0111674c
0x01116751
0x01116758
0x01116762
0x0111676f
0x01116776
0x01116777
0x00000000
0x0111675a
0x0111675c
0x0111675e
0x01116760
0x0111677a
0x01116785
0x01116793
0x0111679a
0x0111679c
0x011167a3
0x011167a7
0x011167ab
0x011167ad
0x011167bf
0x011167c5
0x011167d8
0x011167d8
0x00000000
0x01116760

APIs

Part of subcall function 011113E1: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003), ref: 01111447
Part of subcall function 011113E1: VerSetConditionMask.KERNEL32(00000000), ref: 0111144B
Part of subcall function 011113E1: VerSetConditionMask.KERNEL32(00000000), ref: 0111144F
Part of subcall function 011113E1: VerifyVersionInfoW.KERNEL32 ref: 01111476

IsDebuggerPresent.KERNEL32 ref: 011165C0
GetCurrentProcess.KERNEL32(00000000), ref: 011165F2
CheckRemoteDebuggerPresent.KERNEL32(00000000), ref: 011165F9

Part of subcall function 01140771: GetCurrentProcess.KERNEL32(?,011F93D0,00000000,?), ref: 011407B4

Part of subcall function 01140823: __EH_prolog3_GS.LIBCMT ref: 0114082A
Part of subcall function 01140823: QueryInformationJobObject.KERNEL32(00000000,00000003,00000000,0000100C,00000000), ref: 0114085E
Part of subcall function 01140823: GetCurrentProcessId.KERNEL32 ref: 01140889

Part of subcall function 01140994: VirtualAlloc.KERNEL32(00000000,00004000,00003000,00000004,011F93D0,00000000,?), ref: 011409BC

Part of subcall function 01140A62: VirtualAlloc.KERNEL32(00000000,00004000,00003000,00000004,011F93D0,00000000,?,01116676,?), ref: 01140A8E

Part of subcall function 01140BDB: VirtualAlloc.KERNEL32(00000000,00004000,00003000,00000004,011F93D0,00000000,?), ref: 01140C03

SetUnhandledExceptionFilter.KERNEL32(01140CDC,?), ref: 01116785
RaiseException.KERNEL32(C000008E,00000000,00000000,00000000), ref: 01116793
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0111679A

Part of subcall function 0111C7AF: __EH_prolog3_catch.LIBCMT ref: 0111C7B6

Strings

SharedUserDataKernelDebugger, xrefs: 01116762
IsDebuggerPresentAPI, xrefs: 011165D2
IsAnyDebuggerPresent, xrefs: 011166B0
HeapForceFlags, xrefs: 0111656F
IsUserDebuggerPresent, xrefs: 01116732
CheckRemoteDebuggerPresentAPI, xrefs: 0111660C
UnhandledExcepFilterTest, xrefs: 011167AF
IsDebuggerPresentPEB, xrefs: 0111659F
IsKernelDebuggerPresent, xrefs: 011166F4
HeapFlags, xrefs: 0111652C

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocConditionCurrentExceptionMaskProcessVirtual$DebuggerFilterPresentUnhandled$CheckH_prolog3_H_prolog3_catchInfoInformationObjectQueryRaiseRemoteVerifyVersion
String ID: CheckRemoteDebuggerPresentAPI$HeapFlags$HeapForceFlags$IsAnyDebuggerPresent$IsDebuggerPresentAPI$IsDebuggerPresentPEB$IsKernelDebuggerPresent$IsUserDebuggerPresent$SharedUserDataKernelDebugger$UnhandledExcepFilterTest
API String ID: 2429320787-900315610
Opcode ID: a36583dda19af447e7fa2e142417b2418994ca445c9fd71c9829c7b57d2992d4
Instruction ID: 200e481fe0baf341d7aae6f04f4e88634ab27cb2802fce238a2aba459225b37d
Opcode Fuzzy Hash: a36583dda19af447e7fa2e142417b2418994ca445c9fd71c9829c7b57d2992d4
Instruction Fuzzy Hash: 3D716832B417036BDB2C76B854A07FEE7994FA1518B18447EE841EB28CEFB5CC01C290

Uniqueness

Uniqueness Score: -1.00%

Function 01117750, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E01117750(void* __edi) {
				signed int _v8;
				int _v12;
				struct _TOKEN_PRIVILEGES _v24;
				void* _v28;
				signed int _t12;
				signed int _t33;

				_t12 =  *0x11d8098; // 0xa9f5dfda
				_v8 = _t12 ^ _t33;
				if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v28) != 0) {
					LookupPrivilegeValueW(0, L"SeShutdownPrivilege",  &(_v24.Privileges));
					_v24.PrivilegeCount = 1;
					_v12 = 2;
					AdjustTokenPrivileges(_v28, 0,  &_v24, 0, 0, 0);
					if(GetLastError() != 0 || AbortSystemShutdownW(0) == 0) {
						goto L4;
					} else {
						_v12 = 0;
						AdjustTokenPrivileges(_v28, 0,  &_v24, 0, 0, 0);
					}
				}
				return E0115E184(_v8 ^ _t33);
			}

0x01117756
0x0111775d
0x01117776
0x01117784
0x01117790
0x0111779c
0x011177a3
0x011177b1
0x00000000
0x011177be
0x011177c4
0x011177cc
0x011177d4
0x011177b1
0x011177e5

APIs

GetCurrentProcess.KERNEL32(00000028,?,00CF0000,?,?,01117741), ref: 01117767
OpenProcessToken.ADVAPI32(00000000,?,?,01117741), ref: 0111776E
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,01117741), ref: 01117784
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 011177A3
GetLastError.KERNEL32 ref: 011177A9
AbortSystemShutdownW.ADVAPI32(00000000), ref: 011177B4
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 011177CC

Strings

SeShutdownPrivilege, xrefs: 0111777E

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Token$AdjustPrivilegesProcess$AbortCurrentErrorLastLookupOpenPrivilegeShutdownSystemValue
String ID: SeShutdownPrivilege
API String ID: 313000951-3733053543
Opcode ID: daa90ac12201642204d5b3ef7c37c599086dd2ca119a171eaacfc09518dc894f
Instruction ID: 644716b23a795013c831a03a72e5572ace678af09922c39cf0ff331fe62aeddb
Opcode Fuzzy Hash: daa90ac12201642204d5b3ef7c37c599086dd2ca119a171eaacfc09518dc894f
Instruction Fuzzy Hash: 61113C75A0014AABDB289BA5DD4DEBFBFBDEB89B01F40002CF512E1144DB308545CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0119C848, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 251
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0119C848(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4, signed short* _a8, intOrPtr _a12) {
				intOrPtr* _v8;
				signed int _v12;
				intOrPtr _v40;
				signed int _v52;
				char _v252;
				short _v292;
				void* __ebp;
				void* _t33;
				short* _t34;
				intOrPtr* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed short _t39;
				signed short* _t42;
				intOrPtr _t45;
				void* _t47;
				signed int _t50;
				void* _t52;
				signed int _t56;
				void* _t69;
				void* _t73;
				void* _t74;
				void* _t78;
				intOrPtr* _t85;
				short* _t87;
				intOrPtr* _t92;
				intOrPtr* _t96;
				signed int _t114;
				void* _t115;
				intOrPtr* _t117;
				intOrPtr _t120;
				signed int* _t121;
				intOrPtr* _t124;
				signed short _t126;
				int _t128;
				void* _t132;
				signed int _t133;

				_push(__ecx);
				_push(__ecx);
				_t85 = _a4;
				_push(__esi);
				_push(__edi);
				_t33 = E01190FC4(__ecx, __edx);
				_t114 = 0;
				_v12 = 0;
				_t3 = _t33 + 0x50; // 0x50
				_t124 = _t3;
				_t4 = _t124 + 0x250; // 0x2a0
				_t34 = _t4;
				 *((intOrPtr*)(_t124 + 8)) = 0;
				 *_t34 = 0;
				_t6 = _t124 + 4; // 0x54
				_t117 = _t6;
				_v8 = _t34;
				_t92 = _t85;
				_t35 = _t85 + 0x80;
				 *_t124 = _t85;
				 *_t117 = _t35;
				if( *_t35 != 0) {
					E0119C7DB(0x11b8730, 0x16, _t117);
					_t92 =  *_t124;
					_t132 = _t132 + 0xc;
					_t114 = 0;
				}
				_push(_t124);
				if( *_t92 == _t114) {
					E0119C14C(_t92);
					goto L12;
				} else {
					if( *((intOrPtr*)( *_t117)) == _t114) {
						E0119C26C();
					} else {
						E0119C1D3(_t92);
					}
					if( *((intOrPtr*)(_t124 + 8)) == 0) {
						_t78 = E0119C7DB(0x11b8420, 0x40, _t124);
						_t132 = _t132 + 0xc;
						if(_t78 != 0) {
							_push(_t124);
							if( *((intOrPtr*)( *_t117)) == 0) {
								E0119C26C();
							} else {
								E0119C1D3(0);
							}
							L12:
						}
					}
				}
				if( *((intOrPtr*)(_t124 + 8)) == 0) {
					L37:
					_t37 = 0;
					goto L38;
				} else {
					_t38 = _t85 + 0x100;
					if( *_t85 != 0 ||  *_t38 != 0) {
						_t39 = E0119C698(_t38, _t124);
					} else {
						_t39 = GetACP();
					}
					_t126 = _t39;
					if(_t126 == 0 || _t126 == 0xfde8 || IsValidCodePage(_t126 & 0x0000ffff) == 0) {
						goto L37;
					} else {
						_t42 = _a8;
						if(_t42 != 0) {
							 *_t42 = _t126;
						}
						_t120 = _a12;
						if(_t120 == 0) {
							L36:
							_t37 = 1;
							L38:
							return _t37;
						} else {
							_t96 = _v8;
							_t15 = _t120 + 0x120; // 0xd0
							_t87 = _t15;
							 *_t87 = 0;
							_t16 = _t96 + 2; // 0x2
							_t115 = _t16;
							do {
								_t45 =  *_t96;
								_t96 = _t96 + 2;
							} while (_t45 != _v12);
							_t18 = (_t96 - _t115 >> 1) + 1; // -1
							_t47 = E0118F97C(_t87, 0x55, _v8);
							_t133 = _t132 + 0x10;
							if(_t47 != 0) {
								L39:
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								E011828E3();
								asm("int3");
								_t131 = _t133;
								_t50 =  *0x11d8098; // 0xa9f5dfda
								_v52 = _t50 ^ _t133;
								_push(_t87);
								_push(_t126);
								_push(_t120);
								_t52 = E01190FC4(_t98, _t115);
								_t88 = _t52;
								_t121 =  *(E01190FC4(_t98, _t115) + 0x34c);
								_t128 = E0119CF83(_v40);
								asm("sbb ecx, ecx");
								_t56 = GetLocaleInfoW(_t128, ( ~( *(_t52 + 0x64)) & 0xfffff005) + 0x1002,  &_v292, 0x78);
								if(_t56 != 0) {
									if(E01197511(_t121, _t128,  *((intOrPtr*)(_t88 + 0x54)),  &_v252) == 0 && E0119D0B5(_t128) != 0) {
										 *_t121 =  *_t121 | 0x00000004;
										_t121[2] = _t128;
										_t121[1] = _t128;
									}
								} else {
									 *_t121 =  *_t121 & _t56;
								}
								return E0115E184(_v12 ^ _t131);
							} else {
								if(E011901B3(_t87, 0x1001, _t120, 0x40) == 0) {
									goto L37;
								} else {
									_t20 = _t120 + 0x80; // 0x30
									_t87 = _t20;
									_t21 = _t120 + 0x120; // 0xd0
									if(E011901B3(_t21, 0x1002, _t87, 0x40) == 0) {
										goto L37;
									} else {
										_push(0x5f);
										_t69 = E011A3D8B(_t98);
										_t98 = _t87;
										if(_t69 != 0) {
											L31:
											_t22 = _t120 + 0x120; // 0xd0
											if(E011901B3(_t22, 7, _t87, 0x40) == 0) {
												goto L37;
											} else {
												goto L32;
											}
										} else {
											_push(0x2e);
											_t74 = E011A3D8B(_t98);
											_t98 = _t87;
											if(_t74 == 0) {
												L32:
												_t120 = _t120 + 0x100;
												if(_t126 != 0xfde9) {
													E01191E44(_t98, _t126, _t120, 0x10, 0xa);
													goto L36;
												} else {
													_push(5);
													_t73 = E0118F97C(_t120, 0x10, L"utf8");
													_t133 = _t133 + 0x10;
													if(_t73 != 0) {
														goto L39;
													} else {
														goto L36;
													}
												}
											} else {
												goto L31;
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x0119c84d
0x0119c84e
0x0119c850
0x0119c853
0x0119c854
0x0119c855
0x0119c85c
0x0119c85e
0x0119c861
0x0119c861
0x0119c864
0x0119c864
0x0119c86a
0x0119c86d
0x0119c870
0x0119c870
0x0119c873
0x0119c876
0x0119c878
0x0119c87e
0x0119c880
0x0119c885
0x0119c88f
0x0119c894
0x0119c896
0x0119c899
0x0119c899
0x0119c89b
0x0119c89f
0x0119c8e8
0x00000000
0x0119c8a1
0x0119c8a6
0x0119c8af
0x0119c8a8
0x0119c8a8
0x0119c8a8
0x0119c8ba
0x0119c8c4
0x0119c8c9
0x0119c8ce
0x0119c8d4
0x0119c8d8
0x0119c8e1
0x0119c8da
0x0119c8da
0x0119c8da
0x0119c8ed
0x0119c8ed
0x0119c8ce
0x0119c8ba
0x0119c8f3
0x0119ca2f
0x0119ca2f
0x00000000
0x0119c8f9
0x0119c8f9
0x0119c902
0x0119c913
0x0119c909
0x0119c909
0x0119c909
0x0119c91a
0x0119c91e
0x00000000
0x0119c942
0x0119c942
0x0119c947
0x0119c949
0x0119c949
0x0119c94b
0x0119c950
0x0119ca2a
0x0119ca2c
0x0119ca31
0x0119ca35
0x0119c956
0x0119c956
0x0119c959
0x0119c959
0x0119c961
0x0119c964
0x0119c964
0x0119c967
0x0119c967
0x0119c96a
0x0119c96d
0x0119c977
0x0119c981
0x0119c986
0x0119c98b
0x0119ca36
0x0119ca38
0x0119ca39
0x0119ca3a
0x0119ca3b
0x0119ca3c
0x0119ca3d
0x0119ca42
0x0119ca46
0x0119ca4e
0x0119ca55
0x0119ca58
0x0119ca59
0x0119ca5d
0x0119ca5e
0x0119ca63
0x0119ca6b
0x0119ca7a
0x0119ca86
0x0119ca97
0x0119ca9f
0x0119cab9
0x0119cac6
0x0119cac9
0x0119cacc
0x0119cacc
0x0119caa1
0x0119caa1
0x0119caa3
0x0119cae7
0x0119c991
0x0119c9a1
0x00000000
0x0119c9a7
0x0119c9a9
0x0119c9a9
0x0119c9b5
0x0119c9c3
0x00000000
0x0119c9c5
0x0119c9c5
0x0119c9c8
0x0119c9ce
0x0119c9d1
0x0119c9e1
0x0119c9e6
0x0119c9f4
0x00000000
0x00000000
0x00000000
0x00000000
0x0119c9d3
0x0119c9d3
0x0119c9d6
0x0119c9dc
0x0119c9df
0x0119c9f6
0x0119c9f6
0x0119ca02
0x0119ca22
0x00000000
0x0119ca04
0x0119ca04
0x0119ca0e
0x0119ca13
0x0119ca18
0x00000000
0x0119ca1a
0x00000000
0x0119ca1a
0x0119ca18
0x00000000
0x00000000
0x00000000
0x0119c9df
0x0119c9d1
0x0119c9c3
0x0119c9a1
0x0119c98b
0x0119c950
0x0119c91e

APIs

Part of subcall function 01190FC4: GetLastError.KERNEL32(?,?,?,0117EFA3,?,?,?,?,0117F06E,00000000), ref: 01190FC9
Part of subcall function 01190FC4: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,?,0117F06E,00000000), ref: 01191067

GetACP.KERNEL32(?,?,?,?,?,?,0118E77F,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 0119C909
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0118E77F,?,?,?,00000055,?,-00000050,?,?), ref: 0119C934
_wcschr.LIBVCRUNTIME ref: 0119C9C8
_wcschr.LIBVCRUNTIME ref: 0119C9D6
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0119CA97

Strings

utf8, xrefs: 0119CA06

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: utf8
API String ID: 4147378913-905460609
Opcode ID: bb9582749b0a3f4662def3a917feb95ec057d64af69b0cf6af5965dd25ea5f3a
Instruction ID: 9206c437ec46f2b6760839be8bcff6cea3ef57378307acdbcb8d5ad986d158eb
Opcode Fuzzy Hash: bb9582749b0a3f4662def3a917feb95ec057d64af69b0cf6af5965dd25ea5f3a
Instruction Fuzzy Hash: 6B711A71A00713AAEF2DEB39CC41BAB77A8EF58754F044029E5A5DB180FB74E94187E1

Uniqueness

Uniqueness Score: -1.00%

Function 0119E249, Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1340
COMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E0119E249(void* __ebx, void* __edi, void* __esi, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr* _a16, signed int _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v464;
				void _v468;
				signed int _v472;
				signed int _v932;
				signed int _v936;
				signed int _v1392;
				signed int _v1396;
				signed int _v1400;
				char _v1860;
				signed int _v1864;
				signed int _v1868;
				signed int _v1872;
				signed int _v1876;
				signed int _v1880;
				signed int _v1884;
				signed int _v1888;
				signed int _v1892;
				signed int _v1896;
				signed int _v1900;
				signed int _v1904;
				signed int _v1908;
				signed int _v1912;
				intOrPtr _v1916;
				signed int _v1920;
				intOrPtr* _v1924;
				signed int _v1928;
				char _v1936;
				signed int _v1944;
				char _v2404;
				signed int _v2408;
				signed int _v2436;
				signed int _t719;
				intOrPtr _t729;
				signed int _t733;
				signed int _t734;
				signed int _t745;
				signed int _t750;
				signed int _t751;
				signed int _t757;
				intOrPtr _t764;
				void* _t765;
				unsigned int* _t767;
				signed int _t776;
				signed int _t781;
				signed int _t782;
				signed int _t783;
				signed int _t786;
				signed int _t787;
				signed int _t788;
				signed int _t790;
				signed int _t791;
				signed int _t792;
				signed int _t793;
				signed int _t798;
				signed int _t799;
				signed int _t805;
				signed int _t806;
				signed int _t809;
				signed int _t814;
				signed int _t822;
				signed int* _t825;
				signed int _t829;
				signed int _t840;
				signed int _t841;
				signed int _t842;
				signed int _t843;
				char* _t844;
				signed int _t847;
				signed int _t853;
				signed int _t855;
				signed int _t859;
				signed int _t862;
				signed int _t871;
				signed int _t874;
				signed int _t876;
				signed int _t879;
				signed int _t880;
				signed int _t883;
				signed int _t896;
				signed int _t897;
				signed int _t898;
				signed int _t899;
				char* _t900;
				signed int _t903;
				signed int* _t906;
				signed int _t909;
				signed int _t911;
				signed int _t915;
				signed int _t918;
				signed int _t926;
				signed int _t929;
				signed int _t933;
				intOrPtr _t937;
				void* _t938;
				unsigned int* _t940;
				unsigned int _t950;
				signed int _t951;
				signed int _t955;
				signed int _t956;
				void* _t957;
				signed int _t970;
				signed int _t972;
				unsigned int _t977;
				signed int _t978;
				signed int _t982;
				signed int _t983;
				void* _t984;
				signed int _t989;
				signed int _t993;
				signed int _t995;
				void* _t1002;
				signed int _t1003;
				signed int _t1005;
				signed int _t1008;
				void* _t1012;
				signed int _t1013;
				signed int _t1015;
				signed int _t1017;
				signed int _t1019;
				signed int _t1020;
				signed int _t1021;
				signed int _t1022;
				intOrPtr* _t1035;
				signed int _t1040;
				signed int _t1047;
				signed int _t1048;
				signed int _t1051;
				signed int _t1052;
				signed int _t1054;
				signed int _t1055;
				signed int _t1056;
				signed int _t1060;
				signed int _t1064;
				signed int _t1065;
				signed int _t1066;
				signed int _t1068;
				signed int _t1069;
				signed int _t1070;
				signed int _t1071;
				signed int _t1072;
				signed int _t1073;
				signed int _t1074;
				signed int _t1076;
				signed int _t1077;
				signed int _t1078;
				signed int _t1079;
				signed int _t1080;
				void* _t1081;
				signed int _t1082;
				signed int _t1087;
				signed int _t1088;
				signed int _t1093;
				void* _t1094;
				signed int _t1098;
				signed int _t1101;
				signed int _t1106;
				signed int _t1109;
				signed int _t1110;
				signed int _t1111;
				unsigned int _t1112;
				char _t1121;
				signed int _t1123;
				signed int _t1124;
				signed int _t1125;
				signed int _t1126;
				signed int _t1127;
				signed int _t1128;
				signed int _t1130;
				signed int _t1132;
				signed int _t1133;
				signed int _t1134;
				signed int _t1135;
				signed int _t1136;
				signed int _t1138;
				unsigned int _t1140;
				signed int _t1145;
				intOrPtr* _t1147;
				signed int _t1149;
				intOrPtr* _t1151;
				void* _t1152;
				intOrPtr _t1153;
				void* _t1157;
				signed int _t1158;
				unsigned int _t1160;
				signed int _t1161;
				signed int _t1162;
				void* _t1163;
				signed int _t1164;
				signed int _t1165;
				signed int _t1166;
				signed int _t1169;
				signed int _t1170;
				signed int _t1171;
				signed int _t1172;
				signed int _t1175;
				signed int _t1176;
				signed int _t1177;
				signed int _t1178;
				signed int _t1180;
				signed int _t1183;
				signed int _t1184;
				signed int _t1187;
				void* _t1188;
				signed int _t1189;
				signed int _t1192;
				signed int _t1193;
				signed int _t1194;
				unsigned int* _t1195;
				signed int _t1196;
				signed int _t1199;
				signed int _t1200;
				signed int _t1201;
				signed int _t1202;
				signed int _t1204;
				signed int _t1205;
				signed int _t1206;
				signed int _t1207;
				signed int _t1208;
				signed int _t1210;
				signed int _t1211;
				signed int _t1212;
				signed int _t1213;
				signed int _t1214;
				unsigned int* _t1215;
				signed int _t1216;
				signed int _t1220;
				signed int _t1222;
				signed int _t1224;
				signed int _t1226;
				signed int _t1228;
				signed int _t1233;
				signed int* _t1234;
				signed int* _t1237;
				signed int _t1240;
				signed int _t1247;

				_t1188 = __esi;
				_t1152 = __edi;
				_t1002 = __ebx;
				_t1228 = _t1233;
				_t1234 = _t1233 - 0x964;
				_t719 =  *0x11d8098; // 0xa9f5dfda
				_v8 = _t719 ^ _t1228;
				_v1924 = _a16;
				_v1904 = _a20;
				E011A1DEE(__eflags,  &_v1944);
				if((_v1944 & 0x0000001f) != 0x1f) {
					E011A1E56(__eflags,  &_v1944);
					_v1936 = 1;
				} else {
					_v1936 = 0;
				}
				_push(_t1002);
				_t1003 = _a4;
				_push(_t1188);
				_t1189 = _a8;
				_push(_t1152);
				_t1153 = 0x20;
				_t1240 = _t1189;
				if(_t1240 > 0 || _t1240 >= 0 && _t1003 >= 0) {
					_t729 = _t1153;
				} else {
					_t729 = 0x2d;
				}
				_t1035 = _v1924;
				_t1109 = _v1904;
				 *_t1035 = _t729;
				 *((intOrPtr*)(_t1035 + 8)) = _t1109;
				if((_t1189 & 0x7ff00000) != 0) {
					L12:
					_t733 = E01191270( &_a4);
					__eflags = _t733;
					if(_t733 != 0) {
						 *(_v1924 + 4) = 1;
					}
					_t734 = _t733 - 1;
					__eflags = _t734;
					if(_t734 == 0) {
						_push("1#INF");
						goto L311;
					} else {
						_t750 = _t734 - 1;
						__eflags = _t750;
						if(_t750 == 0) {
							_push("1#QNAN");
							goto L311;
						} else {
							_t751 = _t750 - 1;
							__eflags = _t751;
							if(_t751 == 0) {
								_push("1#SNAN");
								goto L311;
							} else {
								__eflags = _t751 == 1;
								if(_t751 == 1) {
									_push("1#IND");
									L311:
									_push(_a24);
									_t1039 = _v1904;
									_push(_v1904);
									goto L312;
								} else {
									_v1928 = _v1928 & 0x00000000;
									_a8 = _t1189 & 0x7fffffff;
									_a4 = _t1003;
									_t1247 = _a4;
									asm("fst qword [ebp-0x778]");
									_t1192 = _v1912;
									_v1920 = _a12 + 1;
									_t1047 = _t1192 >> 0x14;
									_t757 = _t1047 & 0x000007ff;
									__eflags = _t757;
									if(_t757 != 0) {
										_t757 = 0;
										_t1110 = 0x100000;
										_t1005 = 0;
										__eflags = 0;
									} else {
										_t1110 = 0;
										_t1005 = 1;
									}
									_t1193 = _t1192 & 0x000fffff;
									_v1888 = _v1916 + _t757;
									asm("adc esi, edx");
									_t1048 = _t1047 & 0x000007ff;
									_v1868 = _t1048 + _t1005;
									E011A1EB0(_t1048, _t1247);
									_push(_t1048);
									_push(_t1048);
									 *_t1234 = _t1247;
									E011A1FC0(_t1048, _v1916 + _t757);
									_t1051 = E011A3550(_t1110);
									_v1900 = _t1051;
									_t1157 = 0x20;
									__eflags = _t1051 - 0x7fffffff;
									if(_t1051 == 0x7fffffff) {
										L23:
										__eflags = 0;
										_v1900 = 0;
									} else {
										__eflags = _t1051 - 0x80000000;
										if(_t1051 == 0x80000000) {
											goto L23;
										}
									}
									_t1111 = _v1868;
									__eflags = _t1193;
									_v468 = _v1888;
									_v464 = _t1193;
									_v936 = _v936 & 0x00000000;
									_t1008 = (0 | _t1193 != 0x00000000) + 1;
									_v472 = _t1008;
									__eflags = _t1111 - 0x433;
									if(_t1111 < 0x433) {
										__eflags = _t1111 - 0x35;
										if(_t1111 == 0x35) {
											L111:
											_t764 =  *((intOrPtr*)(_t1228 + _t1008 * 4 - 0x1d4));
											_t202 =  &_v1912;
											 *_t202 = _v1912 & 0x00000000;
											__eflags =  *_t202;
											asm("bsr eax, eax");
											if( *_t202 == 0) {
												_t765 = 0;
												__eflags = 0;
											} else {
												_t765 = _t764 + 1;
											}
											_t1194 = _t1008;
											_t1158 = _t1157 - _t765;
											__eflags = _t1158;
											_v1888 = _t1194;
											_t1052 = _t1194;
											_t767 =  &(( &_v472)[_t1194]);
											_v1884 = _t767;
											_t1195 = _t767;
											while(1) {
												__eflags = _t1052 - _t1008;
												if(_t1052 >= _t1008) {
													_t213 =  &_v1872;
													 *_t213 = _v1872 & 0x00000000;
													__eflags =  *_t213;
												} else {
													_v1872 =  *(_t1228 + _t1052 * 4 - 0x1d0);
												}
												_t215 = _t1052 - 1; // -1
												__eflags = _t215 - _t1008;
												if(_t215 >= _t1008) {
													_t1112 = 0;
													__eflags = 0;
												} else {
													_t1112 =  *_t1195;
												}
												_t1195 = _t1195 - 4;
												 *(_t1228 + _t1052 * 4 - 0x1d0) = _t1112 >> 0x0000001f | _v1872 + _v1872;
												_t1052 = _t1052 - 1;
												__eflags = _t1052 - 0xffffffff;
												if(_t1052 == 0xffffffff) {
													break;
												}
												_t1008 = _v472;
											}
											_t1196 = _v1888;
											__eflags = _t1158 - 1;
											if(_t1158 >= 1) {
												_v472 = _t1196;
											} else {
												_v472 = _t1196 + 1;
											}
											_t1160 = 0x434 >> 5;
											E0117B230(0x434 >> 5,  &_v1396, 0, 0x434);
											__eflags = 1;
											 *(_t1228 + 0xbad63d) = 1 << (0x00000434 - _v1868 & 0x0000001f);
										} else {
											_v1396 = _v1396 & 0x00000000;
											_v1392 = 0x100000;
											_v1400 = 2;
											__eflags = _t1193;
											if(_t1193 != 0) {
												_t1081 = 0;
												__eflags = 0;
												while(1) {
													_t937 =  *((intOrPtr*)(_t1228 + _t1081 - 0x570));
													__eflags = _t937 -  *((intOrPtr*)(_t1228 + _t1081 - 0x1d0));
													if(_t937 !=  *((intOrPtr*)(_t1228 + _t1081 - 0x1d0))) {
														goto L111;
													}
													_t1081 = _t1081 + 4;
													__eflags = _t1081 - 8;
													if(_t1081 != 8) {
														continue;
													} else {
														_t172 =  &_v1912;
														 *_t172 = _v1912 & 0x00000000;
														__eflags =  *_t172;
														asm("bsr eax, esi");
														if( *_t172 == 0) {
															_t938 = 0;
															__eflags = 0;
														} else {
															_t938 = _t937 + 1;
														}
														_t1214 = _t1008;
														_t1178 = _t1157 - _t938;
														__eflags = _t1178;
														_v1888 = _t1214;
														_t1082 = _t1214;
														_t940 =  &(( &_v472)[_t1214]);
														_v1884 = _t940;
														_t1215 = _t940;
														while(1) {
															__eflags = _t1082 - _t1008;
															if(_t1082 >= _t1008) {
																_t183 =  &_v1872;
																 *_t183 = _v1872 & 0x00000000;
																__eflags =  *_t183;
															} else {
																_v1872 =  *(_t1228 + _t1082 * 4 - 0x1d0);
															}
															_t185 = _t1082 - 1; // -1
															__eflags = _t185 - _t1008;
															if(_t185 >= _t1008) {
																_t1140 = 0;
																__eflags = 0;
															} else {
																_t1140 =  *_t1215;
															}
															_t1215 = _t1215 - 4;
															 *(_t1228 + _t1082 * 4 - 0x1d0) = _t1140 >> 0x0000001e | _v1872 << 0x00000002;
															_t1082 = _t1082 - 1;
															__eflags = _t1082 - 0xffffffff;
															if(_t1082 == 0xffffffff) {
																break;
															}
															_t1008 = _v472;
														}
														_t1216 = _v1888;
														__eflags = _t1178 - 2;
														if(_t1178 >= 2) {
															_v472 = _t1216;
														} else {
															_v472 = _t1216 + 1;
														}
														_t1160 = 0x435 >> 5;
														E0117B230(0x435 >> 5,  &_v1396, 0, 0x435);
														 *(_t1228 + 0xbad63d) = 1 << (0x00000435 - _v1868 & 0x0000001f);
													}
													goto L127;
												}
											}
											goto L111;
										}
										L127:
										_t776 = _t1160 + 1;
										_t1012 = 0x1cc;
										_v1400 = _t776;
										_v936 = _t776;
										__eflags = _t776 << 2;
										E011825C7( &_v932, 0x1cc,  &_v1396, _t776 << 2);
										_t1237 =  &(_t1234[7]);
									} else {
										_v1396 = _v1396 & 0x00000000;
										_v1392 = 0x100000;
										_v1400 = 2;
										__eflags = _t1193;
										if(_t1193 == 0) {
											L60:
											_t950 = _t1111 - 0x432;
											_t951 = _t950 & 0x0000001f;
											_t1220 = _t950 >> 5;
											_v1868 = _t951;
											_v1876 = _t1220;
											_v1888 = _t1157 - _t951;
											_t955 = E011A3AE0(1, _t1157 - _t951, 0) - 1;
											_t117 =  &_v1912;
											 *_t117 = _v1912 & 0x00000000;
											__eflags =  *_t117;
											_v1908 = _t955;
											_t956 =  !_t955;
											_v1884 = _t956;
											asm("bsr eax, ecx");
											if( *_t117 == 0) {
												_t957 = 0;
												__eflags = 0;
											} else {
												_t957 = _t956 + 1;
											}
											_t1145 = _t1008 + _t1220;
											_t1180 = _t1157 - _t957;
											_v1880 = _t1180;
											_v1892 = _t1145;
											__eflags = _t1145 - 0x73;
											if(_t1145 != 0x73) {
												L66:
												_t1087 = 0;
												__eflags = 0;
											} else {
												__eflags = _v1868 - _t1180;
												if(_v1868 <= _t1180) {
													goto L66;
												} else {
													_t1087 = 1;
												}
											}
											__eflags = _t1145 - 0x73;
											if(_t1145 > 0x73) {
												L88:
												__eflags = 0;
												_t1012 = 0x1cc;
												_v1400 = 0;
												_v472 = 0;
												E011825C7( &_v468, 0x1cc,  &_v1396, 0);
												_t1234 =  &(_t1234[4]);
											} else {
												__eflags = _t1087;
												if(_t1087 != 0) {
													goto L88;
												} else {
													__eflags = _t1145 - 0x72;
													if(_t1145 >= 0x72) {
														_t1145 = 0x72;
														_v1892 = _t1145;
													}
													_t1088 = _t1145;
													_v1896 = _t1088;
													__eflags = _t1145 - 0xffffffff;
													if(_t1145 != 0xffffffff) {
														_t1183 = _v1876;
														_t1222 = _t1145 - _t1183;
														__eflags = _t1222;
														_t1147 =  &_v468 + _t1222 * 4;
														while(1) {
															__eflags = _t1088 - _t1183;
															if(_t1088 < _t1183) {
																break;
															}
															__eflags = _t1222 - _t1008;
															if(_t1222 >= _t1008) {
																_t970 = 0;
																__eflags = 0;
															} else {
																_t970 =  *_t1147;
															}
															_v1872 = _t970;
															__eflags = _t1222 - 1 - _t1008;
															if(_t1222 - 1 >= _t1008) {
																_t972 = 0;
																__eflags = 0;
															} else {
																_t972 =  *(_t1147 - 4);
															}
															_t1147 = _t1147 - 4;
															_t1093 = _v1896;
															 *(_t1228 + _t1093 * 4 - 0x1d0) = (_t972 & _v1884) >> _v1888 | (_v1872 & _v1908) << _v1868;
															_t1088 = _t1093 - 1;
															_t1222 = _t1222 - 1;
															_v1896 = _t1088;
															__eflags = _t1088 - 0xffffffff;
															if(_t1088 != 0xffffffff) {
																_t1008 = _v472;
																continue;
															}
															break;
														}
														_t1180 = _v1880;
														_t1145 = _v1892;
														_t1220 = _v1876;
													}
													__eflags = _t1220;
													if(_t1220 != 0) {
														__eflags = 0;
														memset( &_v468, 0, _t1220 << 2);
														_t1234 =  &(_t1234[3]);
														_t1180 = _v1880;
													}
													_t1012 = 0x1cc;
													__eflags = _v1868 - _t1180;
													if(_v1868 <= _t1180) {
														_v472 = _t1145;
													} else {
														_v472 = _t1145 + 1;
													}
												}
											}
											_v1392 = _v1392 & 0x00000000;
											_v1396 = 2;
											_v1400 = 1;
											_v936 = 1;
											_push(4);
										} else {
											_t1094 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *((intOrPtr*)(_t1228 + _t1094 - 0x570)) -  *((intOrPtr*)(_t1228 + _t1094 - 0x1d0));
												if( *((intOrPtr*)(_t1228 + _t1094 - 0x570)) !=  *((intOrPtr*)(_t1228 + _t1094 - 0x1d0))) {
													goto L60;
												}
												_t1094 = _t1094 + 4;
												__eflags = _t1094 - 8;
												if(_t1094 != 8) {
													continue;
												} else {
													_t977 = _t1111 - 0x431;
													_t978 = _t977 & 0x0000001f;
													_t1224 = _t977 >> 5;
													_v1868 = _t978;
													_v1872 = _t1224;
													_v1908 = _t1157 - _t978;
													_t982 = E011A3AE0(1, _t1157 - _t978, 0) - 1;
													_t61 =  &_v1912;
													 *_t61 = _v1912 & 0x00000000;
													__eflags =  *_t61;
													_v1884 = _t982;
													_t983 =  !_t982;
													_v1888 = _t983;
													asm("bsr eax, ecx");
													if( *_t61 == 0) {
														_t984 = 0;
														__eflags = 0;
													} else {
														_t984 = _t983 + 1;
													}
													_t1149 = _t1008 + _t1224;
													_t1184 = _t1157 - _t984;
													_v1880 = _t1184;
													_v1896 = _t1149;
													__eflags = _t1149 - 0x73;
													if(_t1149 != 0x73) {
														L35:
														_t1098 = 0;
														__eflags = 0;
													} else {
														__eflags = _v1868 - _t1184;
														if(_v1868 <= _t1184) {
															goto L35;
														} else {
															_t1098 = 1;
														}
													}
													__eflags = _t1149 - 0x73;
													if(_t1149 > 0x73) {
														L57:
														__eflags = 0;
														_t1012 = 0x1cc;
														_v1400 = 0;
														_v472 = 0;
														E011825C7( &_v468, 0x1cc,  &_v1396, 0);
														_t1234 =  &(_t1234[4]);
													} else {
														__eflags = _t1098;
														if(_t1098 != 0) {
															goto L57;
														} else {
															__eflags = _t1149 - 0x72;
															if(_t1149 >= 0x72) {
																_t1149 = 0x72;
																_v1896 = _t1149;
															}
															_t1101 = _t1149;
															_v1892 = _t1101;
															__eflags = _t1149 - 0xffffffff;
															if(_t1149 != 0xffffffff) {
																_t1187 = _v1872;
																_t1226 = _t1149 - _t1187;
																__eflags = _t1226;
																_t1151 =  &_v468 + _t1226 * 4;
																while(1) {
																	__eflags = _t1101 - _t1187;
																	if(_t1101 < _t1187) {
																		break;
																	}
																	__eflags = _t1226 - _t1008;
																	if(_t1226 >= _t1008) {
																		_t993 = 0;
																		__eflags = 0;
																	} else {
																		_t993 =  *_t1151;
																	}
																	_v1876 = _t993;
																	__eflags = _t1226 - 1 - _t1008;
																	if(_t1226 - 1 >= _t1008) {
																		_t995 = 0;
																		__eflags = 0;
																	} else {
																		_t995 =  *(_t1151 - 4);
																	}
																	_t1151 = _t1151 - 4;
																	_t1106 = _v1892;
																	 *(_t1228 + _t1106 * 4 - 0x1d0) = (_t995 & _v1888) >> _v1908 | (_v1876 & _v1884) << _v1868;
																	_t1101 = _t1106 - 1;
																	_t1226 = _t1226 - 1;
																	_v1892 = _t1101;
																	__eflags = _t1101 - 0xffffffff;
																	if(_t1101 != 0xffffffff) {
																		_t1008 = _v472;
																		continue;
																	}
																	break;
																}
																_t1149 = _v1896;
																_t1184 = _v1880;
																_t1224 = _v1872;
															}
															__eflags = _t1224;
															if(_t1224 != 0) {
																__eflags = 0;
																memset( &_v468, 0, _t1224 << 2);
																_t1234 =  &(_t1234[3]);
																_t1184 = _v1880;
															}
															_t1012 = 0x1cc;
															__eflags = _v1868 - _t1184;
															if(_v1868 <= _t1184) {
																_v472 = _t1149;
															} else {
																_v472 = _t1149 + 1;
															}
														}
													}
													_v1392 = _v1392 & 0x00000000;
													_t989 = 4;
													__eflags = 1;
													_v1396 = _t989;
													_v1400 = 1;
													_v936 = 1;
													_push(_t989);
												}
												goto L59;
											}
											goto L60;
										}
										L59:
										_push( &_v1396);
										_push(_t1012);
										_push( &_v932);
										E011825C7();
										_t1237 =  &(_t1234[4]);
									}
									_t781 = _v1900;
									_t1054 = 0xa;
									_v1888 = _t1054;
									__eflags = _t781;
									if(_t781 < 0) {
										_t782 =  ~_t781;
										_t783 = _t782 / _t1054;
										_v1892 = _t783;
										_t1055 = _t782 % _t1054;
										_v1912 = _t1055;
										__eflags = _t783;
										if(_t783 == 0) {
											L250:
											__eflags = _t1055;
											if(_t1055 != 0) {
												_t822 =  *(0x11b6b8c + _t1055 * 4);
												_v1912 = _t822;
												__eflags = _t822;
												if(_t822 == 0) {
													L261:
													__eflags = 0;
													_push(0);
													_v472 = 0;
													_v2408 = 0;
													goto L262;
												} else {
													__eflags = _t822 - 1;
													if(_t822 != 1) {
														_t1066 = _v472;
														__eflags = _t1066;
														if(_t1066 != 0) {
															_t1166 = 0;
															_t1202 = 0;
															__eflags = 0;
															do {
																_t1124 = _t822 *  *(_t1228 + _t1202 * 4 - 0x1d0) >> 0x20;
																 *(_t1228 + _t1202 * 4 - 0x1d0) = _t822 *  *(_t1228 + _t1202 * 4 - 0x1d0) + _t1166;
																_t822 = _v1912;
																asm("adc edx, 0x0");
																_t1202 = _t1202 + 1;
																_t1166 = _t1124;
																__eflags = _t1202 - _t1066;
															} while (_t1202 != _t1066);
															__eflags = _t1166;
															if(_t1166 != 0) {
																_t829 = _v472;
																__eflags = _t829 - 0x73;
																if(_t829 >= 0x73) {
																	goto L261;
																} else {
																	 *(_t1228 + _t829 * 4 - 0x1d0) = _t1166;
																	_v472 = _v472 + 1;
																}
															}
														}
													}
												}
											}
										} else {
											do {
												__eflags = _t783 - 0x26;
												if(_t783 > 0x26) {
													_t783 = 0x26;
												}
												_t1067 =  *(0x11ba15e + _t783 * 4) & 0x000000ff;
												_v1868 = _t783;
												_v1400 = ( *(0x11ba15e + _t783 * 4) & 0x000000ff) + ( *(0x11ba15f + _t783 * 4) & 0x000000ff);
												E0117B230(_t1067 << 2,  &_v1396, 0, _t1067 << 2);
												_t840 = E0117ACA0( &(( &_v1396)[_t1067]), 0x11b61f0 + ( *(0x11ba15c + _v1868 * 4) & 0x0000ffff) * 4, ( *(0x11ba15f + _t783 * 4) & 0x000000ff) << 2);
												_t1169 = _v1400;
												_t1237 =  &(_t1237[6]);
												__eflags = _t1169 - 1;
												if(_t1169 > 1) {
													__eflags = _v472 - 1;
													if(_v472 > 1) {
														__eflags = _t1169 - _v472;
														_t1125 =  &_v1396;
														_t499 = _t1169 - _v472 > 0;
														__eflags = _t499;
														_t841 = _t840 & 0xffffff00 | _t499;
														if(_t499 >= 0) {
															_t1125 =  &_v468;
														}
														_v1876 = _t1125;
														_t1068 =  &_v468;
														__eflags = _t841;
														if(_t841 == 0) {
															_t1068 =  &_v1396;
														}
														_v1908 = _t1068;
														__eflags = _t841;
														if(_t841 == 0) {
															_t1069 = _v472;
															_v1896 = _t1069;
														} else {
															_t1069 = _t1169;
															_v1896 = _t1169;
														}
														__eflags = _t841;
														if(_t841 != 0) {
															_t1169 = _v472;
														}
														_t842 = 0;
														_t1204 = 0;
														_v1864 = 0;
														__eflags = _t1069;
														if(_t1069 == 0) {
															L244:
															_v472 = _t842;
															_t843 = _t842 << 2;
															__eflags = _t843;
															_push(_t843);
															_t844 =  &_v1860;
															goto L245;
														} else {
															do {
																__eflags =  *(_t1125 + _t1204 * 4);
																if( *(_t1125 + _t1204 * 4) != 0) {
																	_t1128 = 0;
																	_t1070 = _t1204;
																	_v1880 = _v1880 & 0;
																	_v1872 = 0;
																	__eflags = _t1169;
																	if(_t1169 == 0) {
																		L241:
																		__eflags = _t1070 - 0x73;
																		if(_t1070 == 0x73) {
																			goto L259;
																		} else {
																			_t1069 = _v1896;
																			_t1125 = _v1876;
																			goto L243;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1070 - 0x73;
																			if(_t1070 == 0x73) {
																				goto L236;
																			}
																			__eflags = _t1070 - _t842;
																			if(_t1070 == _t842) {
																				 *(_t1228 + _t1070 * 4 - 0x740) =  *(_t1228 + _t1070 * 4 - 0x740) & 0x00000000;
																				_t862 = _v1880 + 1 + _t1204;
																				__eflags = _t862;
																				_v1864 = _t862;
																			}
																			_t855 =  *(_v1908 + _v1880 * 4);
																			_t1130 = _v1876;
																			_t1128 = _t855 *  *(_t1130 + _t1204 * 4) >> 0x20;
																			asm("adc edx, 0x0");
																			 *(_t1228 + _t1070 * 4 - 0x740) =  *(_t1228 + _t1070 * 4 - 0x740) + _t855 *  *(_t1130 + _t1204 * 4) + _v1872;
																			asm("adc edx, 0x0");
																			_t859 = _v1880 + 1;
																			_t1070 = _t1070 + 1;
																			_v1880 = _t859;
																			__eflags = _t859 - _t1169;
																			_v1872 = _t1128;
																			_t842 = _v1864;
																			if(_t859 != _t1169) {
																				continue;
																			} else {
																				goto L236;
																			}
																			while(1) {
																				L236:
																				__eflags = _t1128;
																				if(_t1128 == 0) {
																					goto L241;
																				}
																				__eflags = _t1070 - 0x73;
																				if(_t1070 == 0x73) {
																					goto L259;
																				} else {
																					__eflags = _t1070 - _t842;
																					if(_t1070 == _t842) {
																						_t555 = _t1228 + _t1070 * 4 - 0x740;
																						 *_t555 =  *(_t1228 + _t1070 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t555;
																						_t561 = _t1070 + 1; // 0x1
																						_v1864 = _t561;
																					}
																					_t853 = _t1128;
																					_t1128 = 0;
																					 *(_t1228 + _t1070 * 4 - 0x740) =  *(_t1228 + _t1070 * 4 - 0x740) + _t853;
																					_t842 = _v1864;
																					asm("adc edx, edx");
																					_t1070 = _t1070 + 1;
																					continue;
																				}
																				goto L247;
																			}
																			goto L241;
																		}
																		goto L236;
																	}
																} else {
																	__eflags = _t1204 - _t842;
																	if(_t1204 == _t842) {
																		 *(_t1228 + _t1204 * 4 - 0x740) =  *(_t1228 + _t1204 * 4 - 0x740) & 0x00000000;
																		_t518 = _t1204 + 1; // 0x1
																		_t842 = _t518;
																		_v1864 = _t842;
																	}
																	goto L243;
																}
																goto L247;
																L243:
																_t1204 = _t1204 + 1;
																__eflags = _t1204 - _t1069;
															} while (_t1204 != _t1069);
															goto L244;
														}
													} else {
														_t1205 = _v468;
														_v1928 = _t1205;
														_v472 = _t1169;
														E011825C7( &_v468, _t1012,  &_v1396, _t1169 << 2);
														_t1237 =  &(_t1237[4]);
														__eflags = _t1205;
														if(_t1205 == 0) {
															goto L203;
														} else {
															__eflags = _t1205 - 1;
															if(_t1205 == 1) {
																goto L246;
															} else {
																__eflags = _v472;
																if(_v472 == 0) {
																	goto L246;
																} else {
																	_t1071 = 0;
																	_t1170 = _v1928;
																	_t1206 = 0;
																	__eflags = 0;
																	_t1020 = _v472;
																	do {
																		_t871 = _t1170;
																		_t1126 = _t871 *  *(_t1228 + _t1206 * 4 - 0x1d0) >> 0x20;
																		 *(_t1228 + _t1206 * 4 - 0x1d0) = _t871 *  *(_t1228 + _t1206 * 4 - 0x1d0) + _t1071;
																		asm("adc edx, 0x0");
																		_t1206 = _t1206 + 1;
																		_t1071 = _t1126;
																		__eflags = _t1206 - _t1020;
																	} while (_t1206 != _t1020);
																	goto L208;
																}
															}
														}
													}
												} else {
													_t1171 = _v1396;
													__eflags = _t1171;
													if(_t1171 != 0) {
														__eflags = _t1171 - 1;
														if(_t1171 == 1) {
															goto L246;
														} else {
															__eflags = _v472;
															if(_v472 == 0) {
																goto L246;
															} else {
																_t1072 = 0;
																_t1207 = 0;
																__eflags = 0;
																_t1019 = _v472;
																do {
																	_t876 = _t1171;
																	_t1127 = _t876 *  *(_t1228 + _t1207 * 4 - 0x1d0) >> 0x20;
																	 *(_t1228 + _t1207 * 4 - 0x1d0) = _t876 *  *(_t1228 + _t1207 * 4 - 0x1d0) + _t1072;
																	asm("adc edx, 0x0");
																	_t1207 = _t1207 + 1;
																	_t1072 = _t1127;
																	__eflags = _t1207 - _t1019;
																} while (_t1207 != _t1019);
																L208:
																_t1012 = 0x1cc;
																__eflags = _t1071;
																if(_t1071 == 0) {
																	goto L246;
																} else {
																	_t874 = _v472;
																	__eflags = _t874 - 0x73;
																	if(_t874 >= 0x73) {
																		L259:
																		_v2408 = 0;
																		_v472 = 0;
																		E011825C7( &_v468, _t1012,  &_v2404, 0);
																		_t1237 =  &(_t1237[4]);
																		_t847 = 0;
																	} else {
																		 *(_t1228 + _t874 * 4 - 0x1d0) = _t1071;
																		_v472 = _v472 + 1;
																		goto L246;
																	}
																}
															}
														}
													} else {
														L203:
														_v2408 = 0;
														_v472 = 0;
														_push(0);
														_t844 =  &_v2404;
														L245:
														_push(_t844);
														_push(_t1012);
														_push( &_v468);
														E011825C7();
														_t1237 =  &(_t1237[4]);
														L246:
														_t847 = 1;
													}
												}
												L247:
												__eflags = _t847;
												if(_t847 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_v472 = _v472 & 0x00000000;
													_push(0);
													L262:
													_push( &_v2404);
													_t825 =  &_v468;
													goto L263;
												} else {
													goto L248;
												}
												goto L264;
												L248:
												_t783 = _v1892 - _v1868;
												__eflags = _t783;
												_v1892 = _t783;
											} while (_t783 != 0);
											_t1055 = _v1912;
											goto L250;
										}
									} else {
										_t879 = _t781 / _t1054;
										_v1908 = _t879;
										_t1073 = _t781 % _t1054;
										_v1928 = _t1073;
										__eflags = _t879;
										if(_t879 == 0) {
											L184:
											__eflags = _t1073;
											if(_t1073 != 0) {
												_t880 =  *(0x11b6b8c + _t1073 * 4);
												_v1928 = _t880;
												__eflags = _t880;
												if(_t880 != 0) {
													__eflags = _t880 - 1;
													if(_t880 != 1) {
														_t1074 = _v936;
														__eflags = _t1074;
														if(_t1074 != 0) {
															_t1172 = 0;
															_t1208 = 0;
															__eflags = 0;
															do {
																_t1132 = _t880 *  *(_t1228 + _t1208 * 4 - 0x3a0) >> 0x20;
																 *(_t1228 + _t1208 * 4 - 0x3a0) = _t880 *  *(_t1228 + _t1208 * 4 - 0x3a0) + _t1172;
																_t880 = _v1928;
																asm("adc edx, 0x0");
																_t1208 = _t1208 + 1;
																_t1172 = _t1132;
																__eflags = _t1208 - _t1074;
															} while (_t1208 != _t1074);
															__eflags = _t1172;
															if(_t1172 != 0) {
																_t883 = _v936;
																__eflags = _t883 - 0x73;
																if(_t883 >= 0x73) {
																	goto L186;
																} else {
																	 *(_t1228 + _t883 * 4 - 0x3a0) = _t1172;
																	_v936 = _v936 + 1;
																}
															}
														}
													}
												} else {
													L186:
													_v2408 = 0;
													_v936 = 0;
													_push(0);
													goto L190;
												}
											}
										} else {
											do {
												__eflags = _t879 - 0x26;
												if(_t879 > 0x26) {
													_t879 = 0x26;
												}
												_t1075 =  *(0x11ba15e + _t879 * 4) & 0x000000ff;
												_v1876 = _t879;
												_v1400 = ( *(0x11ba15e + _t879 * 4) & 0x000000ff) + ( *(0x11ba15f + _t879 * 4) & 0x000000ff);
												E0117B230(_t1075 << 2,  &_v1396, 0, _t1075 << 2);
												_t896 = E0117ACA0( &(( &_v1396)[_t1075]), 0x11b61f0 + ( *(0x11ba15c + _v1876 * 4) & 0x0000ffff) * 4, ( *(0x11ba15f + _t879 * 4) & 0x000000ff) << 2);
												_t1175 = _v1400;
												_t1237 =  &(_t1237[6]);
												__eflags = _t1175 - 1;
												if(_t1175 > 1) {
													__eflags = _v936 - 1;
													if(_v936 > 1) {
														__eflags = _t1175 - _v936;
														_t1133 =  &_v1396;
														_t312 = _t1175 - _v936 > 0;
														__eflags = _t312;
														_t897 = _t896 & 0xffffff00 | _t312;
														if(_t312 >= 0) {
															_t1133 =  &_v932;
														}
														_v1868 = _t1133;
														_t1076 =  &_v932;
														__eflags = _t897;
														if(_t897 == 0) {
															_t1076 =  &_v1396;
														}
														_v1872 = _t1076;
														__eflags = _t897;
														if(_t897 == 0) {
															_t1077 = _v936;
															_v1892 = _t1077;
														} else {
															_t1077 = _t1175;
															_v1892 = _t1175;
														}
														__eflags = _t897;
														if(_t897 != 0) {
															_t1175 = _v936;
														}
														_t898 = 0;
														_t1210 = 0;
														_v1864 = 0;
														__eflags = _t1077;
														if(_t1077 == 0) {
															L177:
															_v936 = _t898;
															_t899 = _t898 << 2;
															__eflags = _t899;
															goto L178;
														} else {
															do {
																__eflags =  *(_t1133 + _t1210 * 4);
																if( *(_t1133 + _t1210 * 4) != 0) {
																	_t1136 = 0;
																	_t1078 = _t1210;
																	_v1880 = _v1880 & 0;
																	_v1896 = 0;
																	__eflags = _t1175;
																	if(_t1175 == 0) {
																		L174:
																		__eflags = _t1078 - 0x73;
																		if(_t1078 == 0x73) {
																			goto L187;
																		} else {
																			_t1077 = _v1892;
																			_t1133 = _v1868;
																			goto L176;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1078 - 0x73;
																			if(_t1078 == 0x73) {
																				goto L169;
																			}
																			__eflags = _t1078 - _t898;
																			if(_t1078 == _t898) {
																				 *(_t1228 + _t1078 * 4 - 0x740) =  *(_t1228 + _t1078 * 4 - 0x740) & 0x00000000;
																				_t918 = _v1880 + 1 + _t1210;
																				__eflags = _t918;
																				_v1864 = _t918;
																			}
																			_t911 =  *(_v1872 + _v1880 * 4);
																			_t1138 = _v1868;
																			_t1136 = _t911 *  *(_t1138 + _t1210 * 4) >> 0x20;
																			asm("adc edx, 0x0");
																			 *(_t1228 + _t1078 * 4 - 0x740) =  *(_t1228 + _t1078 * 4 - 0x740) + _t911 *  *(_t1138 + _t1210 * 4) + _v1896;
																			asm("adc edx, 0x0");
																			_t915 = _v1880 + 1;
																			_t1078 = _t1078 + 1;
																			_v1880 = _t915;
																			__eflags = _t915 - _t1175;
																			_v1896 = _t1136;
																			_t898 = _v1864;
																			if(_t915 != _t1175) {
																				continue;
																			} else {
																				goto L169;
																			}
																			while(1) {
																				L169:
																				__eflags = _t1136;
																				if(_t1136 == 0) {
																					goto L174;
																				}
																				__eflags = _t1078 - 0x73;
																				if(_t1078 == 0x73) {
																					L187:
																					__eflags = 0;
																					_v2408 = 0;
																					_v936 = 0;
																					_push(0);
																					_t906 =  &_v2404;
																					goto L188;
																				} else {
																					__eflags = _t1078 - _t898;
																					if(_t1078 == _t898) {
																						_t368 = _t1228 + _t1078 * 4 - 0x740;
																						 *_t368 =  *(_t1228 + _t1078 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t368;
																						_t374 = _t1078 + 1; // 0x1
																						_v1864 = _t374;
																					}
																					_t909 = _t1136;
																					_t1136 = 0;
																					 *(_t1228 + _t1078 * 4 - 0x740) =  *(_t1228 + _t1078 * 4 - 0x740) + _t909;
																					_t898 = _v1864;
																					asm("adc edx, edx");
																					_t1078 = _t1078 + 1;
																					continue;
																				}
																				goto L181;
																			}
																			goto L174;
																		}
																		goto L169;
																	}
																} else {
																	__eflags = _t1210 - _t898;
																	if(_t1210 == _t898) {
																		 *(_t1228 + _t1210 * 4 - 0x740) =  *(_t1228 + _t1210 * 4 - 0x740) & 0x00000000;
																		_t331 = _t1210 + 1; // 0x1
																		_t898 = _t331;
																		_v1864 = _t898;
																	}
																	goto L176;
																}
																goto L181;
																L176:
																_t1210 = _t1210 + 1;
																__eflags = _t1210 - _t1077;
															} while (_t1210 != _t1077);
															goto L177;
														}
													} else {
														_t1211 = _v932;
														_v1884 = _t1211;
														_v936 = _t1175;
														E011825C7( &_v932, _t1012,  &_v1396, _t1175 << 2);
														_t1237 =  &(_t1237[4]);
														__eflags = _t1211;
														if(_t1211 != 0) {
															__eflags = _t1211 - 1;
															if(_t1211 == 1) {
																goto L180;
															} else {
																__eflags = _v936;
																if(_v936 == 0) {
																	goto L180;
																} else {
																	_t1079 = 0;
																	_t1176 = _v1884;
																	_t1212 = 0;
																	__eflags = 0;
																	_t1022 = _v936;
																	do {
																		_t926 = _t1176;
																		_t1134 = _t926 *  *(_t1228 + _t1212 * 4 - 0x3a0) >> 0x20;
																		 *(_t1228 + _t1212 * 4 - 0x3a0) = _t926 *  *(_t1228 + _t1212 * 4 - 0x3a0) + _t1079;
																		asm("adc edx, 0x0");
																		_t1212 = _t1212 + 1;
																		_t1079 = _t1134;
																		__eflags = _t1212 - _t1022;
																	} while (_t1212 != _t1022);
																	goto L148;
																}
															}
														} else {
															_v1400 = 0;
															_v936 = 0;
															_push(0);
															_t900 =  &_v1396;
															goto L179;
														}
													}
												} else {
													_t1177 = _v1396;
													__eflags = _t1177;
													if(_t1177 != 0) {
														__eflags = _t1177 - 1;
														if(_t1177 == 1) {
															goto L180;
														} else {
															__eflags = _v936;
															if(_v936 == 0) {
																goto L180;
															} else {
																_t1080 = 0;
																_t1213 = 0;
																__eflags = 0;
																_t1021 = _v936;
																do {
																	_t933 = _t1177;
																	_t1135 = _t933 *  *(_t1228 + _t1213 * 4 - 0x3a0) >> 0x20;
																	 *(_t1228 + _t1213 * 4 - 0x3a0) = _t933 *  *(_t1228 + _t1213 * 4 - 0x3a0) + _t1080;
																	asm("adc edx, 0x0");
																	_t1213 = _t1213 + 1;
																	_t1080 = _t1135;
																	__eflags = _t1213 - _t1021;
																} while (_t1213 != _t1021);
																L148:
																_t1012 = 0x1cc;
																__eflags = _t1079;
																if(_t1079 == 0) {
																	goto L180;
																} else {
																	_t929 = _v936;
																	__eflags = _t929 - 0x73;
																	if(_t929 < 0x73) {
																		 *(_t1228 + _t929 * 4 - 0x3a0) = _t1079;
																		_v936 = _v936 + 1;
																		goto L180;
																	} else {
																		_v1400 = 0;
																		_v936 = 0;
																		_push(0);
																		_t906 =  &_v1396;
																		L188:
																		_push(_t906);
																		_push(_t1012);
																		_push( &_v932);
																		E011825C7();
																		_t1237 =  &(_t1237[4]);
																		_t903 = 0;
																	}
																}
															}
														}
													} else {
														_t899 = 0;
														_v1864 = 0;
														_v936 = 0;
														L178:
														_push(_t899);
														_t900 =  &_v1860;
														L179:
														_push(_t900);
														_push(_t1012);
														_push( &_v932);
														E011825C7();
														_t1237 =  &(_t1237[4]);
														L180:
														_t903 = 1;
													}
												}
												L181:
												__eflags = _t903;
												if(_t903 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_t403 =  &_v936;
													 *_t403 = _v936 & 0x00000000;
													__eflags =  *_t403;
													_push(0);
													L190:
													_push( &_v2404);
													_t825 =  &_v932;
													L263:
													_push(_t1012);
													_push(_t825);
													E011825C7();
													_t1237 =  &(_t1237[4]);
												} else {
													goto L182;
												}
												goto L264;
												L182:
												_t879 = _v1908 - _v1876;
												__eflags = _t879;
												_v1908 = _t879;
											} while (_t879 != 0);
											_t1073 = _v1928;
											goto L184;
										}
									}
									L264:
									_t1161 = _v1904;
									_t1199 = _t1161;
									_t1056 = _v472;
									_v1876 = _t1199;
									__eflags = _t1056;
									if(_t1056 != 0) {
										_t1201 = 0;
										_t1165 = 0;
										__eflags = 0;
										_t1017 = 0xa;
										do {
											_t814 =  *(_t1228 + _t1165 * 4 - 0x1d0);
											_t1123 = _t814 * _t1017 >> 0x20;
											 *(_t1228 + _t1165 * 4 - 0x1d0) = _t814 * _t1017 + _t1201;
											asm("adc edx, 0x0");
											_t1165 = _t1165 + 1;
											_t1201 = _t1123;
											__eflags = _t1165 - _t1056;
										} while (_t1165 != _t1056);
										_v1912 = _t1201;
										__eflags = _t1201;
										_t1199 = _v1876;
										if(_t1201 != 0) {
											_t1065 = _v472;
											__eflags = _t1065 - 0x73;
											if(_t1065 >= 0x73) {
												__eflags = 0;
												_v2408 = 0;
												_v472 = 0;
												E011825C7( &_v468, 0x1cc,  &_v2404, 0);
												_t1237 =  &(_t1237[4]);
											} else {
												 *(_t1228 + _t1065 * 4 - 0x1d0) = _t1123;
												_v472 = _v472 + 1;
											}
										}
										_t1161 = _t1199;
									}
									_t786 = E0118A510( &_v472,  &_v936);
									__eflags = _t786 - 0xa;
									if(_t786 != 0xa) {
										__eflags = _t786;
										if(_t786 != 0) {
											_t787 = _t786 + 0x30;
											__eflags = _t787;
											_t1199 = _t1161 + 1;
											 *_t1161 = _t787;
											goto L283;
										} else {
											_t788 = _v1900 - 1;
										}
									} else {
										_v1900 = _v1900 + 1;
										_t1199 = _t1161 + 1;
										_t805 = _v936;
										 *_t1161 = 0x31;
										_v1876 = _t1199;
										__eflags = _t805;
										if(_t805 != 0) {
											_t1164 = 0;
											_t1200 = _t805;
											_t1064 = 0;
											__eflags = 0;
											_t1015 = 0xa;
											do {
												_t806 =  *(_t1228 + _t1064 * 4 - 0x3a0);
												 *(_t1228 + _t1064 * 4 - 0x3a0) = _t806 * _t1015 + _t1164;
												asm("adc edx, 0x0");
												_t1064 = _t1064 + 1;
												_t1164 = _t806 * _t1015 >> 0x20;
												__eflags = _t1064 - _t1200;
											} while (_t1064 != _t1200);
											_t1199 = _v1876;
											__eflags = _t1164;
											if(_t1164 != 0) {
												_t809 = _v936;
												__eflags = _t809 - 0x73;
												if(_t809 >= 0x73) {
													_v2408 = 0;
													_v936 = 0;
													E011825C7( &_v932, 0x1cc,  &_v2404, 0);
													_t1237 =  &(_t1237[4]);
												} else {
													 *(_t1228 + _t809 * 4 - 0x3a0) = _t1164;
													_v936 = _v936 + 1;
												}
											}
										}
										L283:
										_t788 = _v1900;
									}
									 *(_v1924 + 4) = _t788;
									_t1039 = _v1920;
									__eflags = _t788;
									if(_t788 >= 0) {
										__eflags = _t1039 - 0x7fffffff;
										if(_t1039 <= 0x7fffffff) {
											_t1039 = _t1039 + _t788;
											__eflags = _t1039;
										}
									}
									_t790 = _a24 - 1;
									__eflags = _t790 - _t1039;
									if(_t790 >= _t1039) {
										_t790 = _t1039;
									}
									_t791 = _t790 + _v1904;
									_v1920 = _t791;
									__eflags = _t1199 - _t791;
									if(__eflags != 0) {
										while(1) {
											_t792 = _v472;
											__eflags = _t792;
											if(__eflags == 0) {
												goto L304;
											}
											_t1162 = 0;
											_t1013 = _t792;
											_t1060 = 0;
											__eflags = 0;
											do {
												_t793 =  *(_t1228 + _t1060 * 4 - 0x1d0);
												 *(_t1228 + _t1060 * 4 - 0x1d0) = _t793 * 0x3b9aca00 + _t1162;
												asm("adc edx, 0x0");
												_t1060 = _t1060 + 1;
												_t1162 = _t793 * 0x3b9aca00 >> 0x20;
												__eflags = _t1060 - _t1013;
											} while (_t1060 != _t1013);
											__eflags = _t1162;
											if(_t1162 != 0) {
												_t799 = _v472;
												__eflags = _t799 - 0x73;
												if(_t799 >= 0x73) {
													__eflags = 0;
													_v2408 = 0;
													_v472 = 0;
													E011825C7( &_v468, 0x1cc,  &_v2404, 0);
													_t1237 =  &(_t1237[4]);
												} else {
													 *(_t1228 + _t799 * 4 - 0x1d0) = _t1162;
													_v472 = _v472 + 1;
												}
											}
											_t798 = E0118A510( &_v472,  &_v936);
											_t1163 = 8;
											_t1039 = _v1920 - _t1199;
											__eflags = _t1039;
											do {
												_t703 = _t798 % _v1888;
												_t798 = _t798 / _v1888;
												_t1121 = _t703 + 0x30;
												__eflags = _t1039 - _t1163;
												if(_t1039 >= _t1163) {
													 *((char*)(_t1163 + _t1199)) = _t1121;
												}
												_t1163 = _t1163 - 1;
												__eflags = _t1163 - 0xffffffff;
											} while (_t1163 != 0xffffffff);
											__eflags = _t1039 - 9;
											if(_t1039 > 9) {
												_t1039 = 9;
											}
											_t1199 = _t1199 + _t1039;
											__eflags = _t1199 - _v1920;
											if(__eflags != 0) {
												continue;
											}
											goto L304;
										}
									}
									L304:
									 *_t1199 = 0;
									goto L305;
								}
							}
						}
					}
				} else {
					_t1039 = _t1189 & 0x000fffff;
					if((_t1003 | _t1189 & 0x000fffff) != 0) {
						goto L12;
					} else {
						_push("0");
						_push(_a24);
						 *(_v1924 + 4) =  *(_v1924 + 4) & 0x00000000;
						_push(_t1109);
						L312:
						if(E0118F987() != 0) {
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E011828E3();
							asm("int3");
							_push(_t1228);
							_t1040 = _v2436;
							__eflags = _t1040 - 0xfffffffe;
							if(__eflags != 0) {
								__eflags = _t1040;
								if(__eflags < 0) {
									L321:
									 *((intOrPtr*)(E01186176(__eflags))) = 9;
									E011828B6();
									goto L322;
								} else {
									__eflags = _t1040 -  *0x11fa488; // 0x40
									if(__eflags >= 0) {
										goto L321;
									} else {
										_t745 =  *( *((intOrPtr*)(0x11fa288 + (_t1040 >> 6) * 4)) + 0x28 + (_t1040 & 0x0000003f) * 0x38) & 0x40;
										__eflags = _t745;
										return _t745;
									}
								}
							} else {
								 *((intOrPtr*)(E01186176(__eflags))) = 9;
								L322:
								__eflags = 0;
								return 0;
							}
						} else {
							L305:
							_t1245 = _v1936;
							if(_v1936 != 0) {
								E011A1E0B(_t1039, _t1245,  &_v1944);
							}
							return E0115E184(_v8 ^ _t1228);
						}
					}
				}
			}

0x0119e249
0x0119e249
0x0119e249
0x0119e24c
0x0119e24e
0x0119e254
0x0119e25b
0x0119e261
0x0119e26a
0x0119e277
0x0119e288
0x0119e29a
0x0119e2a0
0x0119e28a
0x0119e28a
0x0119e28a
0x0119e2a7
0x0119e2a8
0x0119e2ab
0x0119e2ac
0x0119e2af
0x0119e2b2
0x0119e2b3
0x0119e2b5
0x0119e2c2
0x0119e2bd
0x0119e2bf
0x0119e2bf
0x0119e2c4
0x0119e2ca
0x0119e2d0
0x0119e2d4
0x0119e2e1
0x0119e309
0x0119e30d
0x0119e313
0x0119e315
0x0119e31d
0x0119e31d
0x0119e324
0x0119e324
0x0119e327
0x0119f57f
0x00000000
0x0119e32d
0x0119e32d
0x0119e32d
0x0119e330
0x0119f562
0x00000000
0x0119e336
0x0119e336
0x0119e336
0x0119e339
0x0119f55b
0x00000000
0x0119e33f
0x0119e33f
0x0119e342
0x0119f554
0x0119f567
0x0119f567
0x0119f56a
0x0119f570
0x00000000
0x0119e348
0x0119e351
0x0119e359
0x0119e35c
0x0119e35f
0x0119e362
0x0119e368
0x0119e370
0x0119e376
0x0119e380
0x0119e380
0x0119e383
0x0119e38c
0x0119e38e
0x0119e393
0x0119e393
0x0119e385
0x0119e387
0x0119e389
0x0119e389
0x0119e39b
0x0119e3a3
0x0119e3a9
0x0119e3ab
0x0119e3b4
0x0119e3ba
0x0119e3bf
0x0119e3c0
0x0119e3c1
0x0119e3c4
0x0119e3d0
0x0119e3d2
0x0119e3da
0x0119e3db
0x0119e3e1
0x0119e3eb
0x0119e3eb
0x0119e3ed
0x0119e3e3
0x0119e3e3
0x0119e3e9
0x00000000
0x00000000
0x0119e3e9
0x0119e3f3
0x0119e401
0x0119e403
0x0119e40c
0x0119e412
0x0119e419
0x0119e41a
0x0119e420
0x0119e426
0x0119e804
0x0119e807
0x0119e91f
0x0119e91f
0x0119e926
0x0119e926
0x0119e926
0x0119e92d
0x0119e930
0x0119e935
0x0119e935
0x0119e932
0x0119e932
0x0119e932
0x0119e937
0x0119e939
0x0119e939
0x0119e941
0x0119e947
0x0119e949
0x0119e94c
0x0119e952
0x0119e954
0x0119e954
0x0119e956
0x0119e967
0x0119e967
0x0119e967
0x0119e958
0x0119e95f
0x0119e95f
0x0119e96e
0x0119e971
0x0119e973
0x0119e979
0x0119e979
0x0119e975
0x0119e975
0x0119e975
0x0119e981
0x0119e98b
0x0119e992
0x0119e993
0x0119e996
0x00000000
0x00000000
0x0119e998
0x0119e998
0x0119e9a0
0x0119e9a6
0x0119e9a9
0x0119e9b6
0x0119e9ab
0x0119e9ae
0x0119e9ae
0x0119e9cf
0x0119e9db
0x0119e9e8
0x0119e9ea
0x0119e80d
0x0119e80d
0x0119e814
0x0119e81e
0x0119e828
0x0119e82a
0x0119e830
0x0119e830
0x0119e832
0x0119e832
0x0119e839
0x0119e840
0x00000000
0x00000000
0x0119e846
0x0119e849
0x0119e84c
0x00000000
0x0119e84e
0x0119e84e
0x0119e84e
0x0119e84e
0x0119e855
0x0119e858
0x0119e85d
0x0119e85d
0x0119e85a
0x0119e85a
0x0119e85a
0x0119e85f
0x0119e861
0x0119e861
0x0119e869
0x0119e86f
0x0119e871
0x0119e874
0x0119e87a
0x0119e87c
0x0119e87c
0x0119e87e
0x0119e88f
0x0119e88f
0x0119e88f
0x0119e880
0x0119e887
0x0119e887
0x0119e896
0x0119e899
0x0119e89b
0x0119e8a1
0x0119e8a1
0x0119e89d
0x0119e89d
0x0119e89d
0x0119e8a9
0x0119e8b4
0x0119e8bb
0x0119e8bc
0x0119e8bf
0x00000000
0x00000000
0x0119e8c1
0x0119e8c1
0x0119e8c9
0x0119e8cf
0x0119e8d2
0x0119e8df
0x0119e8d4
0x0119e8d7
0x0119e8d7
0x0119e8f8
0x0119e904
0x0119e913
0x0119e913
0x00000000
0x0119e84c
0x0119e832
0x00000000
0x0119e82a
0x0119e9f1
0x0119e9f1
0x0119e9f4
0x0119e9f9
0x0119e9ff
0x0119ea05
0x0119ea18
0x0119ea1d
0x0119e42c
0x0119e42c
0x0119e433
0x0119e43d
0x0119e447
0x0119e449
0x0119e643
0x0119e643
0x0119e64f
0x0119e652
0x0119e657
0x0119e65f
0x0119e666
0x0119e678
0x0119e679
0x0119e679
0x0119e679
0x0119e680
0x0119e686
0x0119e688
0x0119e68e
0x0119e691
0x0119e696
0x0119e696
0x0119e693
0x0119e693
0x0119e693
0x0119e698
0x0119e69b
0x0119e69d
0x0119e6a3
0x0119e6a9
0x0119e6ac
0x0119e6ba
0x0119e6ba
0x0119e6ba
0x0119e6ae
0x0119e6ae
0x0119e6b4
0x00000000
0x0119e6b6
0x0119e6b6
0x0119e6b6
0x0119e6b4
0x0119e6bc
0x0119e6bf
0x0119e7b2
0x0119e7b2
0x0119e7b4
0x0119e7ba
0x0119e7c0
0x0119e7d5
0x0119e7da
0x0119e6c5
0x0119e6c5
0x0119e6c7
0x00000000
0x0119e6cd
0x0119e6cd
0x0119e6d0
0x0119e6d4
0x0119e6d5
0x0119e6d5
0x0119e6db
0x0119e6dd
0x0119e6e3
0x0119e6e6
0x0119e6ec
0x0119e6f4
0x0119e6f4
0x0119e6fc
0x0119e6ff
0x0119e6ff
0x0119e701
0x00000000
0x00000000
0x0119e703
0x0119e705
0x0119e70b
0x0119e70b
0x0119e707
0x0119e707
0x0119e707
0x0119e70d
0x0119e716
0x0119e718
0x0119e71f
0x0119e71f
0x0119e71a
0x0119e71a
0x0119e71a
0x0119e727
0x0119e746
0x0119e74e
0x0119e755
0x0119e756
0x0119e757
0x0119e75d
0x0119e760
0x0119e762
0x00000000
0x0119e762
0x00000000
0x0119e760
0x0119e76a
0x0119e770
0x0119e776
0x0119e776
0x0119e77c
0x0119e77e
0x0119e788
0x0119e78a
0x0119e78a
0x0119e78c
0x0119e78c
0x0119e792
0x0119e797
0x0119e79d
0x0119e7aa
0x0119e79f
0x0119e7a2
0x0119e7a2
0x0119e79d
0x0119e6c7
0x0119e7dd
0x0119e7e7
0x0119e7f1
0x0119e7f7
0x0119e7fd
0x0119e44f
0x0119e44f
0x0119e44f
0x0119e451
0x0119e458
0x0119e45f
0x00000000
0x00000000
0x0119e465
0x0119e468
0x0119e46b
0x00000000
0x0119e46d
0x0119e46d
0x0119e479
0x0119e47c
0x0119e481
0x0119e489
0x0119e490
0x0119e4a2
0x0119e4a3
0x0119e4a3
0x0119e4a3
0x0119e4aa
0x0119e4b0
0x0119e4b2
0x0119e4b8
0x0119e4bb
0x0119e4c0
0x0119e4c0
0x0119e4bd
0x0119e4bd
0x0119e4bd
0x0119e4c2
0x0119e4c5
0x0119e4c7
0x0119e4cd
0x0119e4d3
0x0119e4d6
0x0119e4e4
0x0119e4e4
0x0119e4e4
0x0119e4d8
0x0119e4d8
0x0119e4de
0x00000000
0x0119e4e0
0x0119e4e0
0x0119e4e0
0x0119e4de
0x0119e4e6
0x0119e4e9
0x0119e5dc
0x0119e5dc
0x0119e5de
0x0119e5e4
0x0119e5ea
0x0119e5ff
0x0119e604
0x0119e4ef
0x0119e4ef
0x0119e4f1
0x00000000
0x0119e4f7
0x0119e4f7
0x0119e4fa
0x0119e4fe
0x0119e4ff
0x0119e4ff
0x0119e505
0x0119e507
0x0119e50d
0x0119e510
0x0119e516
0x0119e51e
0x0119e51e
0x0119e526
0x0119e529
0x0119e529
0x0119e52b
0x00000000
0x00000000
0x0119e52d
0x0119e52f
0x0119e535
0x0119e535
0x0119e531
0x0119e531
0x0119e531
0x0119e537
0x0119e540
0x0119e542
0x0119e549
0x0119e549
0x0119e544
0x0119e544
0x0119e544
0x0119e551
0x0119e570
0x0119e578
0x0119e57f
0x0119e580
0x0119e581
0x0119e587
0x0119e58a
0x0119e58c
0x00000000
0x0119e58c
0x00000000
0x0119e58a
0x0119e594
0x0119e59a
0x0119e5a0
0x0119e5a0
0x0119e5a6
0x0119e5a8
0x0119e5b2
0x0119e5b4
0x0119e5b4
0x0119e5b6
0x0119e5b6
0x0119e5bc
0x0119e5c1
0x0119e5c7
0x0119e5d4
0x0119e5c9
0x0119e5cc
0x0119e5cc
0x0119e5c7
0x0119e4f1
0x0119e607
0x0119e612
0x0119e613
0x0119e614
0x0119e61a
0x0119e620
0x0119e626
0x0119e626
0x00000000
0x0119e46b
0x00000000
0x0119e451
0x0119e627
0x0119e62d
0x0119e634
0x0119e635
0x0119e636
0x0119e63b
0x0119e63b
0x0119ea20
0x0119ea2a
0x0119ea2b
0x0119ea31
0x0119ea33
0x0119ee8d
0x0119ee8f
0x0119ee91
0x0119ee97
0x0119ee99
0x0119ee9f
0x0119eea1
0x0119f1e8
0x0119f1e8
0x0119f1ea
0x0119f1f0
0x0119f1f7
0x0119f1fd
0x0119f1ff
0x0119f29d
0x0119f29d
0x0119f29f
0x0119f2a0
0x0119f2a6
0x00000000
0x0119f205
0x0119f205
0x0119f208
0x0119f20e
0x0119f214
0x0119f216
0x0119f21c
0x0119f21e
0x0119f21e
0x0119f220
0x0119f220
0x0119f229
0x0119f230
0x0119f236
0x0119f239
0x0119f23a
0x0119f23c
0x0119f23c
0x0119f240
0x0119f242
0x0119f244
0x0119f24a
0x0119f24d
0x00000000
0x0119f24f
0x0119f24f
0x0119f256
0x0119f256
0x0119f24d
0x0119f242
0x0119f216
0x0119f208
0x0119f1ff
0x0119eea7
0x0119eea7
0x0119eea7
0x0119eeaa
0x0119eeae
0x0119eeae
0x0119eeaf
0x0119eec1
0x0119eece
0x0119eedd
0x0119ef07
0x0119ef0c
0x0119ef12
0x0119ef15
0x0119ef18
0x0119efae
0x0119efb5
0x0119f03b
0x0119f041
0x0119f047
0x0119f047
0x0119f047
0x0119f04a
0x0119f04c
0x0119f04c
0x0119f052
0x0119f058
0x0119f05e
0x0119f060
0x0119f062
0x0119f062
0x0119f068
0x0119f06e
0x0119f070
0x0119f07c
0x0119f082
0x0119f072
0x0119f072
0x0119f074
0x0119f074
0x0119f088
0x0119f08a
0x0119f08c
0x0119f08c
0x0119f092
0x0119f094
0x0119f096
0x0119f09c
0x0119f09e
0x0119f19f
0x0119f19f
0x0119f1a5
0x0119f1a5
0x0119f1a8
0x0119f1a9
0x00000000
0x0119f0a4
0x0119f0a4
0x0119f0a4
0x0119f0a8
0x0119f0c8
0x0119f0ca
0x0119f0cc
0x0119f0d2
0x0119f0d8
0x0119f0da
0x0119f181
0x0119f181
0x0119f184
0x00000000
0x0119f18a
0x0119f18a
0x0119f190
0x00000000
0x0119f190
0x0119f0e0
0x0119f0e0
0x0119f0e0
0x0119f0e3
0x00000000
0x00000000
0x0119f0e5
0x0119f0e7
0x0119f0ef
0x0119f0f8
0x0119f0f8
0x0119f0fa
0x0119f0fa
0x0119f10c
0x0119f10f
0x0119f115
0x0119f11e
0x0119f121
0x0119f12e
0x0119f131
0x0119f132
0x0119f133
0x0119f139
0x0119f13b
0x0119f141
0x0119f147
0x00000000
0x00000000
0x00000000
0x00000000
0x0119f149
0x0119f149
0x0119f149
0x0119f14b
0x00000000
0x00000000
0x0119f14d
0x0119f150
0x00000000
0x0119f156
0x0119f156
0x0119f158
0x0119f15a
0x0119f15a
0x0119f15a
0x0119f162
0x0119f165
0x0119f165
0x0119f16b
0x0119f16d
0x0119f16f
0x0119f176
0x0119f17c
0x0119f17e
0x00000000
0x0119f17e
0x00000000
0x0119f150
0x00000000
0x0119f149
0x00000000
0x0119f0e0
0x0119f0aa
0x0119f0aa
0x0119f0ac
0x0119f0b2
0x0119f0ba
0x0119f0ba
0x0119f0bd
0x0119f0bd
0x00000000
0x0119f0ac
0x00000000
0x0119f196
0x0119f196
0x0119f197
0x0119f197
0x00000000
0x0119f0a4
0x0119efbb
0x0119efbb
0x0119efcd
0x0119efda
0x0119efe2
0x0119efe7
0x0119efea
0x0119efec
0x00000000
0x0119eff2
0x0119eff2
0x0119eff5
0x00000000
0x0119effb
0x0119effb
0x0119f002
0x00000000
0x0119f008
0x0119f00e
0x0119f010
0x0119f016
0x0119f016
0x0119f018
0x0119f01a
0x0119f01a
0x0119f01c
0x0119f025
0x0119f02c
0x0119f02f
0x0119f030
0x0119f032
0x0119f032
0x00000000
0x0119f036
0x0119f002
0x0119eff5
0x0119efec
0x0119ef1e
0x0119ef1e
0x0119ef24
0x0119ef26
0x0119ef42
0x0119ef45
0x00000000
0x0119ef4b
0x0119ef4b
0x0119ef52
0x00000000
0x0119ef58
0x0119ef5e
0x0119ef60
0x0119ef60
0x0119ef62
0x0119ef64
0x0119ef64
0x0119ef66
0x0119ef6f
0x0119ef76
0x0119ef79
0x0119ef7a
0x0119ef7c
0x0119ef7c
0x0119ef80
0x0119ef80
0x0119ef85
0x0119ef87
0x00000000
0x0119ef8d
0x0119ef8d
0x0119ef93
0x0119ef96
0x0119f25e
0x0119f261
0x0119f267
0x0119f27c
0x0119f281
0x0119f284
0x0119ef9c
0x0119ef9c
0x0119efa3
0x00000000
0x0119efa3
0x0119ef96
0x0119ef87
0x0119ef52
0x0119ef28
0x0119ef28
0x0119ef2a
0x0119ef30
0x0119ef36
0x0119ef37
0x0119f1af
0x0119f1af
0x0119f1b6
0x0119f1b7
0x0119f1b8
0x0119f1bd
0x0119f1c0
0x0119f1c0
0x0119f1c0
0x0119ef26
0x0119f1c2
0x0119f1c2
0x0119f1c4
0x0119f28b
0x0119f292
0x0119f299
0x0119f2ac
0x0119f2b2
0x0119f2b3
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0119f1ca
0x0119f1d0
0x0119f1d0
0x0119f1d6
0x0119f1d6
0x0119f1e2
0x00000000
0x0119f1e2
0x0119ea39
0x0119ea39
0x0119ea3b
0x0119ea41
0x0119ea43
0x0119ea49
0x0119ea4b
0x0119edb3
0x0119edb3
0x0119edb5
0x0119edbb
0x0119edc2
0x0119edc8
0x0119edca
0x0119ee29
0x0119ee2c
0x0119ee32
0x0119ee38
0x0119ee3a
0x0119ee40
0x0119ee42
0x0119ee42
0x0119ee44
0x0119ee44
0x0119ee4d
0x0119ee54
0x0119ee5a
0x0119ee5d
0x0119ee5e
0x0119ee60
0x0119ee60
0x0119ee64
0x0119ee66
0x0119ee6c
0x0119ee72
0x0119ee75
0x00000000
0x0119ee7b
0x0119ee7b
0x0119ee82
0x0119ee82
0x0119ee75
0x0119ee66
0x0119ee3a
0x0119edcc
0x0119edcc
0x0119edce
0x0119edd4
0x0119edda
0x00000000
0x0119edda
0x0119edca
0x0119ea51
0x0119ea51
0x0119ea51
0x0119ea54
0x0119ea58
0x0119ea58
0x0119ea59
0x0119ea6b
0x0119ea78
0x0119ea87
0x0119eab1
0x0119eab6
0x0119eabc
0x0119eabf
0x0119eac2
0x0119eb36
0x0119eb3d
0x0119ec0a
0x0119ec10
0x0119ec16
0x0119ec16
0x0119ec16
0x0119ec19
0x0119ec1b
0x0119ec1b
0x0119ec21
0x0119ec27
0x0119ec2d
0x0119ec2f
0x0119ec31
0x0119ec31
0x0119ec37
0x0119ec3d
0x0119ec3f
0x0119ec4b
0x0119ec51
0x0119ec41
0x0119ec41
0x0119ec43
0x0119ec43
0x0119ec57
0x0119ec59
0x0119ec5b
0x0119ec5b
0x0119ec61
0x0119ec63
0x0119ec65
0x0119ec6b
0x0119ec6d
0x0119ed6e
0x0119ed6e
0x0119ed74
0x0119ed74
0x00000000
0x0119ec73
0x0119ec73
0x0119ec73
0x0119ec77
0x0119ec97
0x0119ec99
0x0119ec9b
0x0119eca1
0x0119eca7
0x0119eca9
0x0119ed50
0x0119ed50
0x0119ed53
0x00000000
0x0119ed59
0x0119ed59
0x0119ed5f
0x00000000
0x0119ed5f
0x0119ecaf
0x0119ecaf
0x0119ecaf
0x0119ecb2
0x00000000
0x00000000
0x0119ecb4
0x0119ecb6
0x0119ecbe
0x0119ecc7
0x0119ecc7
0x0119ecc9
0x0119ecc9
0x0119ecdb
0x0119ecde
0x0119ece4
0x0119eced
0x0119ecf0
0x0119ecfd
0x0119ed00
0x0119ed01
0x0119ed02
0x0119ed08
0x0119ed0a
0x0119ed10
0x0119ed16
0x00000000
0x00000000
0x00000000
0x00000000
0x0119ed18
0x0119ed18
0x0119ed18
0x0119ed1a
0x00000000
0x00000000
0x0119ed1c
0x0119ed1f
0x0119eddd
0x0119eddd
0x0119eddf
0x0119ede5
0x0119edeb
0x0119edec
0x00000000
0x0119ed25
0x0119ed25
0x0119ed27
0x0119ed29
0x0119ed29
0x0119ed29
0x0119ed31
0x0119ed34
0x0119ed34
0x0119ed3a
0x0119ed3c
0x0119ed3e
0x0119ed45
0x0119ed4b
0x0119ed4d
0x00000000
0x0119ed4d
0x00000000
0x0119ed1f
0x00000000
0x0119ed18
0x00000000
0x0119ecaf
0x0119ec79
0x0119ec79
0x0119ec7b
0x0119ec81
0x0119ec89
0x0119ec89
0x0119ec8c
0x0119ec8c
0x00000000
0x0119ec7b
0x00000000
0x0119ed65
0x0119ed65
0x0119ed66
0x0119ed66
0x00000000
0x0119ec73
0x0119eb43
0x0119eb43
0x0119eb55
0x0119eb62
0x0119eb6a
0x0119eb6f
0x0119eb72
0x0119eb74
0x0119eb90
0x0119eb93
0x00000000
0x0119eb99
0x0119eb99
0x0119eba0
0x00000000
0x0119eba6
0x0119ebac
0x0119ebae
0x0119ebb4
0x0119ebb4
0x0119ebb6
0x0119ebb8
0x0119ebb8
0x0119ebba
0x0119ebc3
0x0119ebca
0x0119ebcd
0x0119ebce
0x0119ebd0
0x0119ebd0
0x00000000
0x0119ebb8
0x0119eba0
0x0119eb76
0x0119eb78
0x0119eb7e
0x0119eb84
0x0119eb85
0x00000000
0x0119eb85
0x0119eb74
0x0119eac4
0x0119eac4
0x0119eaca
0x0119eacc
0x0119eae1
0x0119eae4
0x00000000
0x0119eaea
0x0119eaea
0x0119eaf1
0x00000000
0x0119eaf7
0x0119eafd
0x0119eaff
0x0119eaff
0x0119eb01
0x0119eb03
0x0119eb03
0x0119eb05
0x0119eb0e
0x0119eb15
0x0119eb18
0x0119eb19
0x0119eb1b
0x0119eb1b
0x0119ebd4
0x0119ebd4
0x0119ebd9
0x0119ebdb
0x00000000
0x0119ebe1
0x0119ebe1
0x0119ebe7
0x0119ebea
0x0119eb24
0x0119eb2b
0x00000000
0x0119ebf0
0x0119ebf2
0x0119ebf8
0x0119ebfe
0x0119ebff
0x0119edf2
0x0119edf2
0x0119edf9
0x0119edfa
0x0119edfb
0x0119ee00
0x0119ee03
0x0119ee03
0x0119ebea
0x0119ebdb
0x0119eaf1
0x0119eace
0x0119eace
0x0119ead0
0x0119ead6
0x0119ed77
0x0119ed77
0x0119ed78
0x0119ed7e
0x0119ed7e
0x0119ed85
0x0119ed86
0x0119ed87
0x0119ed8c
0x0119ed8f
0x0119ed8f
0x0119ed8f
0x0119eacc
0x0119ed91
0x0119ed91
0x0119ed93
0x0119ee07
0x0119ee0e
0x0119ee0e
0x0119ee0e
0x0119ee15
0x0119ee17
0x0119ee1d
0x0119ee1e
0x0119f2b9
0x0119f2b9
0x0119f2ba
0x0119f2bb
0x0119f2c0
0x00000000
0x00000000
0x00000000
0x00000000
0x0119ed95
0x0119ed9b
0x0119ed9b
0x0119eda1
0x0119eda1
0x0119edad
0x00000000
0x0119edad
0x0119ea4b
0x0119f2c3
0x0119f2c3
0x0119f2c9
0x0119f2cb
0x0119f2d1
0x0119f2d7
0x0119f2d9
0x0119f2dd
0x0119f2df
0x0119f2df
0x0119f2e1
0x0119f2e2
0x0119f2e2
0x0119f2e9
0x0119f2ed
0x0119f2f4
0x0119f2f7
0x0119f2f8
0x0119f2fa
0x0119f2fa
0x0119f2fe
0x0119f304
0x0119f306
0x0119f311
0x0119f313
0x0119f319
0x0119f31c
0x0119f32f
0x0119f332
0x0119f338
0x0119f34d
0x0119f352
0x0119f31e
0x0119f320
0x0119f327
0x0119f327
0x0119f31c
0x0119f355
0x0119f355
0x0119f365
0x0119f36c
0x0119f36f
0x0119f40b
0x0119f40d
0x0119f418
0x0119f418
0x0119f41a
0x0119f41d
0x00000000
0x0119f40f
0x0119f415
0x0119f415
0x0119f375
0x0119f375
0x0119f37b
0x0119f37e
0x0119f384
0x0119f387
0x0119f38d
0x0119f38f
0x0119f397
0x0119f399
0x0119f39b
0x0119f39b
0x0119f39d
0x0119f39e
0x0119f39e
0x0119f3a9
0x0119f3b0
0x0119f3b3
0x0119f3b4
0x0119f3b6
0x0119f3b6
0x0119f3ba
0x0119f3c5
0x0119f3c7
0x0119f3c9
0x0119f3cf
0x0119f3d2
0x0119f3e6
0x0119f3ec
0x0119f401
0x0119f406
0x0119f3d4
0x0119f3d4
0x0119f3db
0x0119f3db
0x0119f3d2
0x0119f3c7
0x0119f41f
0x0119f41f
0x0119f41f
0x0119f42b
0x0119f42e
0x0119f434
0x0119f436
0x0119f438
0x0119f43e
0x0119f440
0x0119f440
0x0119f440
0x0119f43e
0x0119f445
0x0119f446
0x0119f448
0x0119f44a
0x0119f44a
0x0119f44c
0x0119f452
0x0119f458
0x0119f45a
0x0119f460
0x0119f460
0x0119f466
0x0119f468
0x00000000
0x00000000
0x0119f46e
0x0119f470
0x0119f472
0x0119f472
0x0119f474
0x0119f474
0x0119f484
0x0119f48b
0x0119f48e
0x0119f48f
0x0119f491
0x0119f491
0x0119f49a
0x0119f49c
0x0119f49e
0x0119f4a4
0x0119f4a7
0x0119f4b8
0x0119f4bb
0x0119f4c1
0x0119f4d6
0x0119f4db
0x0119f4a9
0x0119f4a9
0x0119f4b0
0x0119f4b0
0x0119f4a7
0x0119f4ec
0x0119f4fb
0x0119f4fc
0x0119f4fc
0x0119f4fe
0x0119f500
0x0119f500
0x0119f506
0x0119f509
0x0119f50b
0x0119f50d
0x0119f50d
0x0119f510
0x0119f511
0x0119f511
0x0119f516
0x0119f519
0x0119f51d
0x0119f51d
0x0119f51e
0x0119f520
0x0119f526
0x00000000
0x00000000
0x00000000
0x0119f526
0x0119f460
0x0119f52c
0x0119f52c
0x00000000
0x0119f52c
0x0119e342
0x0119e339
0x0119e330
0x0119e2e3
0x0119e2e7
0x0119e2ef
0x00000000
0x0119e2f1
0x0119e2f7
0x0119e2fc
0x0119e2ff
0x0119e303
0x0119f571
0x0119f57b
0x0119f588
0x0119f589
0x0119f58a
0x0119f58b
0x0119f58c
0x0119f58d
0x0119f592
0x0119f595
0x0119f598
0x0119f59b
0x0119f59e
0x0119f5ad
0x0119f5af
0x0119f5d5
0x0119f5da
0x0119f5e0
0x00000000
0x0119f5b1
0x0119f5b1
0x0119f5b7
0x00000000
0x0119f5b9
0x0119f5d0
0x0119f5d0
0x0119f5d4
0x0119f5d4
0x0119f5b7
0x0119f5a0
0x0119f5a5
0x0119f5e5
0x0119f5e5
0x0119f5e8
0x0119f5e8
0x0119f57d
0x0119f52f
0x0119f52f
0x0119f539
0x0119f542
0x0119f547
0x0119f553
0x0119f553
0x0119f57b
0x0119e2ef

APIs

__floor_pentium4.LIBCMT ref: 0119E3C4

Strings

1#INF, xrefs: 0119F57F
1#QNAN, xrefs: 0119F562
1#IND, xrefs: 0119F554
1#SNAN, xrefs: 0119F55B

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: ab17829714d065b7dee1a54522a8750551456b9a05317fb25761df5271bb22d6
Instruction ID: bfc1de623f70a06c627104a54d67c7c82a6dee2fa66db160db3876aa1cb515e6
Opcode Fuzzy Hash: ab17829714d065b7dee1a54522a8750551456b9a05317fb25761df5271bb22d6
Instruction Fuzzy Hash: 71C26B71E056299FDF29CE28DD407EABBB5EB48304F1541EAD91DE7240E734AE818F81

Uniqueness

Uniqueness Score: -1.00%

Function 0119CFD4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0119CFD4(void* __ecx, signed int _a4, intOrPtr _a8) {
				short _v8;
				short _t17;
				signed int _t18;
				signed int _t23;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t36;
				intOrPtr* _t37;

				_push(__ecx);
				_t23 = _a4;
				if(_t23 == 0) {
					L21:
					if(GetLocaleInfoW( *(_a8 + 8), 0x20001004,  &_v8, 2) != 0) {
						_t17 = _v8;
						if(_t17 == 0) {
							_t17 = GetACP();
						}
						L25:
						return _t17;
					}
					L22:
					_t17 = 0;
					goto L25;
				}
				_t18 = 0;
				if( *_t23 == 0) {
					goto L21;
				}
				_t36 = L"ACP";
				_t25 = _t23;
				while(1) {
					_t30 =  *_t25;
					if(_t30 !=  *_t36) {
						break;
					}
					if(_t30 == 0) {
						L7:
						_t26 = _t18;
						L9:
						if(_t26 == 0) {
							goto L21;
						}
						_t37 = L"OCP";
						_t27 = _t23;
						while(1) {
							_t31 =  *_t27;
							if(_t31 !=  *_t37) {
								break;
							}
							if(_t31 == 0) {
								L17:
								if(_t18 != 0) {
									_t17 = E01185FD6(_t23, _t23);
									goto L25;
								}
								if(GetLocaleInfoW( *(_a8 + 8), 0x2000000b,  &_v8, 2) == 0) {
									goto L22;
								}
								_t17 = _v8;
								goto L25;
							}
							_t32 =  *((intOrPtr*)(_t27 + 2));
							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
								break;
							}
							_t27 = _t27 + 4;
							_t37 = _t37 + 4;
							if(_t32 != 0) {
								continue;
							}
							goto L17;
						}
						asm("sbb eax, eax");
						_t18 = _t18 | 0x00000001;
						goto L17;
					}
					_t33 =  *((intOrPtr*)(_t25 + 2));
					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
						break;
					}
					_t25 = _t25 + 4;
					_t36 = _t36 + 4;
					if(_t33 != 0) {
						continue;
					}
					goto L7;
				}
				asm("sbb edx, edx");
				_t26 = _t25 | 0x00000001;
				goto L9;
			}

0x0119cfd9
0x0119cfda
0x0119cfe1
0x0119d085
0x0119d09e
0x0119d0a4
0x0119d0a9
0x0119d0ab
0x0119d0ab
0x0119d0b1
0x0119d0b4
0x0119d0b4
0x0119d0a0
0x0119d0a0
0x00000000
0x0119d0a0
0x0119cfe7
0x0119cfec
0x00000000
0x00000000
0x0119cff2
0x0119cff7
0x0119cff9
0x0119cff9
0x0119cfff
0x00000000
0x00000000
0x0119d004
0x0119d01b
0x0119d01b
0x0119d024
0x0119d026
0x00000000
0x00000000
0x0119d028
0x0119d02d
0x0119d02f
0x0119d02f
0x0119d035
0x00000000
0x00000000
0x0119d03a
0x0119d058
0x0119d05a
0x0119d07d
0x00000000
0x0119d082
0x0119d075
0x00000000
0x00000000
0x0119d077
0x00000000
0x0119d077
0x0119d03c
0x0119d044
0x00000000
0x00000000
0x0119d046
0x0119d049
0x0119d04f
0x00000000
0x00000000
0x00000000
0x0119d051
0x0119d053
0x0119d055
0x00000000
0x0119d055
0x0119d006
0x0119d00e
0x00000000
0x00000000
0x0119d010
0x0119d013
0x0119d019
0x00000000
0x00000000
0x00000000
0x0119d019
0x0119d01f
0x0119d021
0x00000000

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,0119D2F2,00000002,00000000,?,?,?,0119D2F2,?,00000000), ref: 0119D06D
GetLocaleInfoW.KERNEL32(?,20001004,0119D2F2,00000002,00000000,?,?,?,0119D2F2,?,00000000), ref: 0119D096
GetACP.KERNEL32(?,?,0119D2F2,?,00000000), ref: 0119D0AB

Strings

OCP, xrefs: 0119D028
ACP, xrefs: 0119CFF2

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 06d653cb9814f27ed26da7528925de30b3c01e285195a995e82347f55d97d113
Instruction ID: a407547542d977275ed0a7f7f156d5bd2ec1dd2a0fa59cd5e28144b4b3d62026
Opcode Fuzzy Hash: 06d653cb9814f27ed26da7528925de30b3c01e285195a995e82347f55d97d113
Instruction Fuzzy Hash: 7621C832600105AAEF3D9F99E905B9777A6FF44BD0B8E8424EE29D7105E732D943C351

Uniqueness

Uniqueness Score: -1.00%

Function 011949CF, Relevance: 7.9, APIs: 5, Instructions: 373
timeCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E011949CF(void* __ebx, void* __edi, signed int __esi, void* __eflags, signed int _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				char _v20;
				signed int _v24;
				char _v52;
				char _v60;
				char _v64;
				signed int _v100;
				char _v272;
				intOrPtr _v276;
				char _v280;
				char _v356;
				char _v360;
				signed int _t61;
				signed int _t68;
				signed int _t70;
				signed int _t74;
				signed int _t81;
				signed int _t85;
				signed int _t87;
				long _t89;
				signed int* _t92;
				signed int _t93;
				signed int _t96;
				signed int _t99;
				signed int _t103;
				signed int _t106;
				void* _t110;
				signed int _t113;
				void* _t114;
				void* _t116;
				void* _t117;
				char* _t123;
				signed int* _t125;
				signed int _t126;
				intOrPtr _t129;
				void* _t131;
				signed int _t132;
				signed int _t134;
				void* _t137;
				intOrPtr _t138;
				void* _t140;
				void* _t145;
				char _t148;
				signed int _t151;
				signed int _t155;
				signed int _t158;
				signed int _t159;
				intOrPtr* _t165;
				intOrPtr _t166;
				signed int _t167;
				intOrPtr* _t168;
				void* _t169;
				void* _t170;
				signed int _t171;
				signed int _t173;
				signed int _t176;
				intOrPtr* _t177;
				signed int _t181;
				signed int _t182;
				void* _t189;
				signed int _t190;
				void* _t191;
				signed int _t192;

				_t176 = __esi;
				_t170 = __edi;
				_t61 = E01194365();
				_v8 = _v8 & 0x00000000;
				_t134 = _t61;
				_v12 = _v12 & 0x00000000;
				_v16 = _t134;
				if(E011943C3( &_v8) != 0 || E0119436B( &_v12) != 0) {
					L45:
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E011828E3();
					asm("int3");
					_t189 = _t191;
					_t192 = _t191 - 0x10;
					_push(_t134);
					_t177 = E01194365();
					_v52 = 0;
					_v60 = 0;
					_v64 = 0;
					_t68 = E011943C3( &_v52);
					_t140 = _t176;
					__eflags = _t68;
					if(_t68 != 0) {
						L65:
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						E011828E3();
						asm("int3");
						_push(_t189);
						_t190 = _t192;
						_t70 =  *0x11d8098; // 0xa9f5dfda
						_v100 = _t70 ^ _t190;
						 *0x11d844c =  *0x11d844c | 0xffffffff;
						 *0x11d8440 =  *0x11d8440 | 0xffffffff;
						_push(0);
						_push(_t177);
						_push(_t170);
						_t171 = 0;
						 *0x11fa4c0 = 0;
						_t74 = E011856C2(0x11b800c, _t140, _t166, 0, _t177, __eflags,  &_v360,  &_v356, 0x100, 0x11b800c);
						__eflags = _t74;
						if(_t74 != 0) {
							__eflags = _t74 - 0x22;
							if(_t74 == 0x22) {
								_t182 = E01190910(_t140, _v276);
								_pop(_t145);
								__eflags = _t182;
								if(__eflags != 0) {
									_t81 = E011856C2(0x11b800c, _t145, _t166, 0, _t182, __eflags,  &_v280, _t182, _v276, 0x11b800c);
									__eflags = _t81;
									if(_t81 == 0) {
										E0118FAFF(0);
										_t171 = _t182;
									} else {
										_push(_t182);
										goto L72;
									}
								} else {
									_push(0);
									L72:
									E0118FAFF();
								}
							}
						} else {
							_t171 =  &_v272;
						}
						asm("sbb esi, esi");
						_t181 =  ~(_t171 -  &_v272) & _t171;
						__eflags = _t171;
						if(_t171 == 0) {
							L80:
							L46();
						} else {
							__eflags =  *_t171;
							if(__eflags == 0) {
								goto L80;
							} else {
								_push(_t171);
								E011949CF(0x11b800c, _t171, _t181, __eflags);
							}
						}
						E0118FAFF(_t181);
						__eflags = _v16 ^ _t190;
						return E0115E184(_v16 ^ _t190);
					} else {
						_t85 = E0119436B( &_v20);
						_pop(_t140);
						__eflags = _t85;
						if(_t85 != 0) {
							goto L65;
						} else {
							_t87 = E01194397( &_v24);
							_pop(_t140);
							__eflags = _t87;
							if(_t87 != 0) {
								goto L65;
							} else {
								E0118FAFF( *0x11fa4b8);
								 *0x11fa4b8 = 0;
								 *_t192 = 0x11fa4c8;
								_t89 = GetTimeZoneInformation(??);
								__eflags = _t89 - 0xffffffff;
								if(_t89 != 0xffffffff) {
									_t167 =  *0x11fa4c8 * 0x3c;
									_t148 = 1;
									_push(_t170);
									_t173 =  *0x11fa51c; // 0x0
									 *0x11fa4c0 = 1;
									_v12 = _t167;
									__eflags =  *0x11fa50e; // 0x0
									if(__eflags != 0) {
										_t106 = _t173 * 0x3c + _t167;
										__eflags = _t106;
										_v12 = _t106;
									}
									__eflags =  *0x11fa562; // 0x0
									if(__eflags == 0) {
										L55:
										_t93 = 0;
										_t148 = 0;
									} else {
										_t103 =  *0x11fa570; // 0x0
										__eflags = _t103;
										if(_t103 == 0) {
											goto L55;
										} else {
											_t93 = (_t103 - _t173) * 0x3c;
										}
									}
									_v20 = _t148;
									_v24 = _t93;
									_t174 = E0118680D(_t167);
									_t96 = E01196F79(_t94, 0, 0x11fa4cc, 0xffffffff,  *_t177, 0x3f, 0,  &_v16);
									__eflags = _t96;
									if(_t96 == 0) {
										L59:
										 *((char*)( *_t177)) = 0;
									} else {
										__eflags = _v16;
										if(_v16 != 0) {
											goto L59;
										} else {
											 *((char*)( *_t177 + 0x3f)) = 0;
										}
									}
									_t99 = E01196F79(_t174, 0, 0x11fa520, 0xffffffff,  *((intOrPtr*)(_t177 + 4)), 0x3f, 0,  &_v16);
									__eflags = _t99;
									if(_t99 == 0) {
										L63:
										 *((char*)( *((intOrPtr*)(_t177 + 4)))) = 0;
									} else {
										__eflags = _v16;
										if(_v16 != 0) {
											goto L63;
										} else {
											 *((char*)( *((intOrPtr*)(_t177 + 4)) + 0x3f)) = 0;
										}
									}
								}
								 *(E0119435F()) = _v12;
								 *((intOrPtr*)(E01194353())) = _v20;
								_t92 = E01194359();
								 *_t92 = _v24;
								return _t92;
							}
						}
					}
				} else {
					_t168 =  *0x11fa4b8; // 0x0
					_t176 = _a4;
					if(_t168 == 0) {
						L12:
						E0118FAFF(_t168);
						_t151 = _t176;
						_t12 = _t151 + 1; // 0x1
						_t169 = _t12;
						do {
							_t110 =  *_t151;
							_t151 = _t151 + 1;
						} while (_t110 != 0);
						_t13 = _t151 - _t169 + 1; // 0x2
						 *0x11fa4b8 = E01190910(_t151 - _t169, _t13);
						_t113 = E0118FAFF(0);
						_t166 =  *0x11fa4b8; // 0x0
						if(_t166 == 0) {
							goto L44;
						} else {
							_t155 = _t176;
							_push(_t170);
							_t14 = _t155 + 1; // 0x1
							_t170 = _t14;
							do {
								_t114 =  *_t155;
								_t155 = _t155 + 1;
							} while (_t114 != 0);
							_t15 = _t155 - _t170 + 1; // 0x2
							_t116 = E0118F987(_t166, _t15, _t176);
							_t191 = _t191 + 0xc;
							if(_t116 == 0) {
								_t170 = 3;
								_push(_t170);
								_t117 = E01192471( *_t134, 0x40, _t176);
								_t191 = _t191 + 0x10;
								if(_t117 == 0) {
									while( *_t176 != 0) {
										_t176 = _t176 + 1;
										_t170 = _t170 - 1;
										if(_t170 != 0) {
											continue;
										}
										break;
									}
									_t134 =  *_t176;
									_pop(_t170);
									if(_t134 == 0x2d) {
										_t176 = _t176 + 1;
									}
									_t158 = E01185FF9(_t156, _t176) * 0xe10;
									_v8 = _t158;
									while(1) {
										_t166 =  *_t176;
										if(_t166 != 0x2b && _t166 - 0x30 > 9) {
											break;
										}
										_t176 = _t176 + 1;
									}
									__eflags = _t166 - 0x3a;
									if(_t166 == 0x3a) {
										_t176 = _t176 + 1;
										_t158 = _v8 + E01185FF9(_t158, _t176) * 0x3c;
										_t129 =  *_t176;
										_v8 = _t158;
										__eflags = _t129 - 0x30;
										if(_t129 >= 0x30) {
											_t166 = _t129;
											while(1) {
												_t129 = _t166;
												__eflags = _t166 - 0x39;
												if(_t166 > 0x39) {
													goto L32;
												}
												_t176 = _t176 + 1;
												_t129 =  *_t176;
												_t166 = _t129;
												__eflags = _t129 - 0x30;
												if(_t129 >= 0x30) {
													continue;
												}
												goto L32;
											}
										}
										L32:
										__eflags = _t129 - 0x3a;
										if(_t129 == 0x3a) {
											_t176 = _t176 + 1;
											_t158 = _v8 + E01185FF9(_t158, _t176);
											_v8 = _t158;
											while(1) {
												_t131 =  *_t176;
												__eflags = _t131 - 0x30;
												if(_t131 < 0x30) {
													goto L37;
												}
												__eflags = _t131 - 0x39;
												if(_t131 <= 0x39) {
													_t176 = _t176 + 1;
													__eflags = _t176;
													continue;
												}
												goto L37;
											}
										}
									}
									L37:
									__eflags = _t134 - 0x2d;
									if(_t134 == 0x2d) {
										_v8 =  ~_t158;
									}
									_t159 =  *_t176;
									__eflags = _t159;
									_v12 = 0 | _t159 != 0x00000000;
									_t123 =  *((intOrPtr*)(_v16 + 4));
									__eflags = _t159;
									if(_t159 == 0) {
										 *_t123 = 0;
										L43:
										 *(E0119435F()) = _v8;
										_t125 = E01194353();
										 *_t125 = _v12;
										return _t125;
									}
									_push(3);
									_t126 = E01192471(_t123, 0x40, _t176);
									_t191 = _t191 + 0x10;
									__eflags = _t126;
									if(_t126 == 0) {
										goto L43;
									}
								}
							}
							goto L45;
						}
					} else {
						_t165 = _t168;
						_t132 = _t176;
						while(1) {
							_t137 =  *_t132;
							if(_t137 !=  *_t165) {
								break;
							}
							if(_t137 == 0) {
								L8:
								_t113 = 0;
							} else {
								_t138 =  *((intOrPtr*)(_t132 + 1));
								if(_t138 !=  *((intOrPtr*)(_t165 + 1))) {
									break;
								} else {
									_t132 = _t132 + 2;
									_t165 = _t165 + 2;
									if(_t138 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
							L10:
							if(_t113 == 0) {
								L44:
								return _t113;
							} else {
								_t134 = _v16;
								goto L12;
							}
							goto L82;
						}
						asm("sbb eax, eax");
						_t113 = _t132 | 0x00000001;
						__eflags = _t113;
						goto L10;
					}
				}
				L82:
			}

0x011949cf
0x011949cf
0x011949d9
0x011949de
0x011949e2
0x011949e4
0x011949ec
0x011949f7
0x01194b9d
0x01194b9f
0x01194ba0
0x01194ba1
0x01194ba2
0x01194ba3
0x01194ba4
0x01194ba9
0x01194bad
0x01194baf
0x01194bb2
0x01194bb9
0x01194bc0
0x01194bc4
0x01194bc7
0x01194bca
0x01194bcf
0x01194bd0
0x01194bd2
0x01194cfa
0x01194cfa
0x01194cfb
0x01194cfc
0x01194cfd
0x01194cfe
0x01194cff
0x01194d04
0x01194d07
0x01194d08
0x01194d10
0x01194d17
0x01194d1a
0x01194d27
0x01194d2e
0x01194d2f
0x01194d30
0x01194d36
0x01194d45
0x01194d4c
0x01194d54
0x01194d56
0x01194d60
0x01194d63
0x01194d70
0x01194d72
0x01194d73
0x01194d75
0x01194d8e
0x01194d96
0x01194d98
0x01194d9e
0x01194da3
0x01194d9a
0x01194d9a
0x00000000
0x01194d9a
0x01194d77
0x01194d77
0x01194d78
0x01194d78
0x01194d78
0x01194da5
0x01194d58
0x01194d58
0x01194d58
0x01194db2
0x01194db4
0x01194db6
0x01194db8
0x01194dc8
0x01194dc8
0x01194dba
0x01194dba
0x01194dbd
0x00000000
0x01194dbf
0x01194dbf
0x01194dc0
0x01194dc5
0x01194dbd
0x01194dce
0x01194dd9
0x01194de2
0x01194bd8
0x01194bdc
0x01194be1
0x01194be2
0x01194be4
0x00000000
0x01194bea
0x01194bee
0x01194bf3
0x01194bf4
0x01194bf6
0x00000000
0x01194bfc
0x01194c02
0x01194c07
0x01194c0d
0x01194c14
0x01194c1a
0x01194c1d
0x01194c23
0x01194c2c
0x01194c2d
0x01194c2e
0x01194c34
0x01194c3a
0x01194c3d
0x01194c44
0x01194c49
0x01194c49
0x01194c4b
0x01194c4b
0x01194c4e
0x01194c55
0x01194c67
0x01194c67
0x01194c69
0x01194c57
0x01194c57
0x01194c5c
0x01194c5e
0x00000000
0x01194c60
0x01194c62
0x01194c62
0x01194c5e
0x01194c6b
0x01194c6e
0x01194c76
0x01194c8a
0x01194c92
0x01194c94
0x01194ca2
0x01194ca4
0x01194c96
0x01194c96
0x01194c99
0x00000000
0x01194c9b
0x01194c9d
0x01194c9d
0x01194c99
0x01194cb9
0x01194cc2
0x01194cc4
0x01194cd3
0x01194cd6
0x01194cc6
0x01194cc6
0x01194cc9
0x00000000
0x01194ccb
0x01194cce
0x01194cce
0x01194cc9
0x01194cc4
0x01194ce0
0x01194cea
0x01194cef
0x01194cf4
0x01194cf9
0x01194cf9
0x01194bf6
0x01194be4
0x01194a0f
0x01194a0f
0x01194a15
0x01194a1a
0x01194a50
0x01194a51
0x01194a57
0x01194a59
0x01194a59
0x01194a5c
0x01194a5c
0x01194a5e
0x01194a5f
0x01194a65
0x01194a70
0x01194a75
0x01194a7a
0x01194a84
0x00000000
0x01194a8a
0x01194a8a
0x01194a8c
0x01194a8d
0x01194a8d
0x01194a90
0x01194a90
0x01194a92
0x01194a93
0x01194a9a
0x01194a9f
0x01194aa4
0x01194aa9
0x01194ab1
0x01194ab2
0x01194ab8
0x01194abd
0x01194ac2
0x01194ac8
0x01194acd
0x01194ace
0x01194ad1
0x00000000
0x00000000
0x00000000
0x01194ad1
0x01194ad3
0x01194ad5
0x01194ad9
0x01194adb
0x01194adb
0x01194ae3
0x01194ae9
0x01194aec
0x01194aec
0x01194af1
0x00000000
0x00000000
0x01194afa
0x01194afa
0x01194afd
0x01194b00
0x01194b02
0x01194b10
0x01194b12
0x01194b14
0x01194b17
0x01194b19
0x01194b1b
0x01194b1d
0x01194b1d
0x01194b1f
0x01194b22
0x00000000
0x00000000
0x01194b24
0x01194b25
0x01194b27
0x01194b29
0x01194b2b
0x00000000
0x00000000
0x00000000
0x01194b2b
0x01194b1d
0x01194b2d
0x01194b2d
0x01194b2f
0x01194b31
0x01194b3c
0x01194b3e
0x01194b48
0x01194b48
0x01194b4a
0x01194b4c
0x00000000
0x00000000
0x01194b43
0x01194b45
0x01194b47
0x01194b47
0x00000000
0x01194b47
0x00000000
0x01194b45
0x01194b48
0x01194b2f
0x01194b4e
0x01194b4e
0x01194b51
0x01194b55
0x01194b55
0x01194b58
0x01194b5c
0x01194b61
0x01194b67
0x01194b6a
0x01194b6c
0x01194b82
0x01194b85
0x01194b8d
0x01194b92
0x01194b97
0x00000000
0x01194b97
0x01194b6e
0x01194b74
0x01194b79
0x01194b7c
0x01194b7e
0x00000000
0x01194b80
0x01194b7e
0x01194ac2
0x00000000
0x01194aa9
0x01194a1c
0x01194a1c
0x01194a1e
0x01194a20
0x01194a20
0x01194a24
0x00000000
0x00000000
0x01194a28
0x01194a3c
0x01194a3c
0x01194a2a
0x01194a2a
0x01194a30
0x00000000
0x01194a32
0x01194a32
0x01194a35
0x01194a3a
0x00000000
0x00000000
0x00000000
0x00000000
0x01194a3a
0x01194a30
0x01194a45
0x01194a47
0x01194b9c
0x01194b9c
0x01194a4d
0x01194a4d
0x00000000
0x01194a4d
0x00000000
0x01194a47
0x01194a40
0x01194a42
0x01194a42
0x00000000
0x01194a42
0x01194a1a
0x00000000

APIs

_free.LIBCMT ref: 01194A51
_free.LIBCMT ref: 01194A75
_free.LIBCMT ref: 01194C02
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,011B800C), ref: 01194C14
_free.LIBCMT ref: 01194DCE

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free$InformationTimeZone
String ID:
API String ID: 597776487-0
Opcode ID: 427a46efda7387c24e70c1396d3baa9b1f46db9f7e2cf3584e5a9c618d3c6866
Instruction ID: 13a556b58cdef3c302b5512cfe051a1ae3530abfcb7e773bd6f5c70d414266f5
Opcode Fuzzy Hash: 427a46efda7387c24e70c1396d3baa9b1f46db9f7e2cf3584e5a9c618d3c6866
Instruction Fuzzy Hash: 28C18A359042069FDF2DAF7CDA40BAEBBF9EF41218F184069D4B697681E7348A43CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0119D1A9, Relevance: 7.7, APIs: 5, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E0119D1A9(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, signed int _a4, short* _a8, short* _a12) {
				signed int _v8;
				int _v12;
				int _v16;
				char _v20;
				signed int* _v24;
				short* _v28;
				void* __ebp;
				signed int _t39;
				void* _t45;
				signed int* _t46;
				signed int _t47;
				short* _t48;
				int _t49;
				short* _t55;
				short* _t56;
				short* _t57;
				int _t65;
				int _t67;
				short* _t71;
				intOrPtr _t74;
				void* _t76;
				short* _t77;
				intOrPtr _t84;
				short* _t88;
				short* _t91;
				short** _t102;
				short* _t103;
				signed int _t105;
				signed short _t108;
				signed int _t109;
				void* _t110;

				_t39 =  *0x11d8098; // 0xa9f5dfda
				_v8 = _t39 ^ _t109;
				_t88 = _a12;
				_t105 = _a4;
				_v28 = _a8;
				_v24 = E01190FC4(__ecx, __edx) + 0x50;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t45 = E01190FC4(__ecx, __edx);
				_t99 = 0;
				 *((intOrPtr*)(_t45 + 0x34c)) =  &_v20;
				_t91 = _t105 + 0x80;
				_t46 = _v24;
				 *_t46 = _t105;
				_t102 =  &(_t46[1]);
				 *_t102 = _t91;
				if(_t91 != 0 &&  *_t91 != 0) {
					_t84 =  *0x11b8844; // 0x17
					E0119D148(_t91, 0, 0x11b8730, _t84 - 1, _t102);
					_t46 = _v24;
					_t110 = _t110 + 0xc;
					_t99 = 0;
				}
				_v20 = _t99;
				_t47 =  *_t46;
				if(_t47 == 0 ||  *_t47 == _t99) {
					_t48 =  *_t102;
					__eflags = _t48;
					if(_t48 == 0) {
						L19:
						_v20 = 0x104;
						_t49 = GetUserDefaultLCID();
						_v12 = _t49;
						_v16 = _t49;
						goto L20;
					}
					__eflags =  *_t48 - _t99;
					if(__eflags == 0) {
						goto L19;
					}
					E0119CAEA(_t91, _t99, __eflags,  &_v20);
					_pop(_t91);
					goto L20;
				} else {
					_t71 =  *_t102;
					if(_t71 == 0) {
						L8:
						E0119CBD0(_t91, _t99, __eflags,  &_v20);
						L9:
						_pop(_t91);
						if(_v20 != 0) {
							_t103 = 0;
							__eflags = 0;
							L25:
							asm("sbb esi, esi");
							_t108 = E0119CFD4(_t91,  ~_t105 & _t105 + 0x00000100,  &_v20);
							__eflags = _t108;
							if(_t108 == 0) {
								L22:
								L23:
								return E0115E184(_v8 ^ _t109);
							}
							_t55 = IsValidCodePage(_t108 & 0x0000ffff);
							__eflags = _t55;
							if(_t55 == 0) {
								goto L22;
							}
							_t56 = IsValidLocale(_v16, 1);
							__eflags = _t56;
							if(_t56 == 0) {
								goto L22;
							}
							_t57 = _v28;
							__eflags = _t57;
							if(_t57 != 0) {
								 *_t57 = _t108;
							}
							E011902F6(_v16,  &(_v24[0x94]), 0x55, _t103);
							__eflags = _t88;
							if(_t88 == 0) {
								L34:
								goto L23;
							}
							_t33 =  &(_t88[0x90]); // 0xd0
							E011902F6(_v16, _t33, 0x55, _t103);
							_t65 = GetLocaleInfoW(_v16, 0x1001, _t88, 0x40);
							__eflags = _t65;
							if(_t65 == 0) {
								goto L22;
							}
							_t36 =  &(_t88[0x40]); // 0x30
							_t67 = GetLocaleInfoW(_v12, 0x1002, _t36, 0x40);
							__eflags = _t67;
							if(_t67 == 0) {
								goto L22;
							}
							_t38 =  &(_t88[0x80]); // 0xb0
							E01191E44(_t38, _t108, _t38, 0x10, 0xa);
							goto L34;
						}
						_t74 =  *0x11b872c; // 0x41
						_t76 = E0119D148(_t91, _t99, 0x11b8420, _t74 - 1, _v24);
						_t110 = _t110 + 0xc;
						if(_t76 == 0) {
							L20:
							_t103 = 0;
							__eflags = 0;
							L21:
							if(_v20 != 0) {
								goto L25;
							}
							goto L22;
						}
						_t77 =  *_t102;
						_t103 = 0;
						if(_t77 == 0) {
							L14:
							E0119CBD0(_t91, _t99, __eflags,  &_v20);
							L15:
							_pop(_t91);
							goto L21;
						}
						_t123 =  *_t77;
						if( *_t77 == 0) {
							goto L14;
						}
						E0119CB35(_t91, _t99, _t123,  &_v20);
						goto L15;
					}
					_t119 =  *_t71 - _t99;
					if( *_t71 == _t99) {
						goto L8;
					}
					E0119CB35(_t91, _t99, _t119,  &_v20);
					goto L9;
				}
			}

0x0119d1b1
0x0119d1b8
0x0119d1bf
0x0119d1c3
0x0119d1c7
0x0119d1d5
0x0119d1da
0x0119d1db
0x0119d1dc
0x0119d1dd
0x0119d1e5
0x0119d1e7
0x0119d1ed
0x0119d1f3
0x0119d1f6
0x0119d1f8
0x0119d1fb
0x0119d1ff
0x0119d206
0x0119d213
0x0119d218
0x0119d21b
0x0119d21e
0x0119d21e
0x0119d220
0x0119d223
0x0119d227
0x0119d297
0x0119d299
0x0119d29b
0x0119d2ae
0x0119d2ae
0x0119d2b5
0x0119d2bb
0x0119d2be
0x00000000
0x0119d2be
0x0119d29d
0x0119d2a0
0x00000000
0x00000000
0x0119d2a6
0x0119d2ab
0x00000000
0x0119d22e
0x0119d22e
0x0119d232
0x0119d244
0x0119d248
0x0119d24d
0x0119d251
0x0119d252
0x0119d2da
0x0119d2da
0x0119d2dc
0x0119d2e8
0x0119d2f2
0x0119d2f6
0x0119d2f8
0x0119d2c9
0x0119d2cb
0x0119d2d9
0x0119d2d9
0x0119d2fe
0x0119d304
0x0119d306
0x00000000
0x00000000
0x0119d30d
0x0119d313
0x0119d315
0x00000000
0x00000000
0x0119d317
0x0119d31a
0x0119d31c
0x0119d31e
0x0119d31e
0x0119d32f
0x0119d334
0x0119d336
0x0119d396
0x00000000
0x0119d398
0x0119d33b
0x0119d345
0x0119d355
0x0119d35b
0x0119d35d
0x00000000
0x00000000
0x0119d365
0x0119d374
0x0119d37a
0x0119d37c
0x00000000
0x00000000
0x0119d386
0x0119d38e
0x00000000
0x0119d393
0x0119d258
0x0119d267
0x0119d26c
0x0119d271
0x0119d2c1
0x0119d2c1
0x0119d2c1
0x0119d2c3
0x0119d2c7
0x00000000
0x00000000
0x00000000
0x0119d2c7
0x0119d273
0x0119d275
0x0119d279
0x0119d28b
0x0119d28f
0x0119d294
0x0119d294
0x00000000
0x0119d294
0x0119d27b
0x0119d27e
0x00000000
0x00000000
0x0119d284
0x00000000
0x0119d284
0x0119d234
0x0119d237
0x00000000
0x00000000
0x0119d23d
0x00000000
0x0119d23d

APIs

Part of subcall function 01190FC4: GetLastError.KERNEL32(?,?,?,0117EFA3,?,?,?,?,0117F06E,00000000), ref: 01190FC9
Part of subcall function 01190FC4: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,?,0117F06E,00000000), ref: 01191067

Part of subcall function 01190FC4: _free.LIBCMT ref: 01191026
Part of subcall function 01190FC4: _free.LIBCMT ref: 0119105C

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0119D2B5
IsValidCodePage.KERNEL32(00000000), ref: 0119D2FE
IsValidLocale.KERNEL32(?,00000001), ref: 0119D30D
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0119D355
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0119D374

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID:
API String ID: 949163717-0
Opcode ID: 751c8895f8e4fd6a38bc26e0318f757bfd09d1511f0f8fcc4f1b0532a79783a0
Instruction ID: b8d471cacbec15d8580dea5a42dce36ddaf715268ad7c4060ec1b5514da1a118
Opcode Fuzzy Hash: 751c8895f8e4fd6a38bc26e0318f757bfd09d1511f0f8fcc4f1b0532a79783a0
Instruction Fuzzy Hash: BB517471E00206ABEF18DFE9EC44AAE7BB8BF59750F0444A9EA25E7140D770D944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0118270A, Relevance: 4.6, APIs: 3, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0118270A(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				signed int _t40;
				char* _t47;
				char* _t49;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr _t67;
				int _t68;
				intOrPtr _t70;
				signed int _t72;
				signed int _t74;

				_t70 = __esi;
				_t67 = __edi;
				_t66 = __edx;
				_t61 = __ebx;
				_t72 = _t74;
				_t40 =  *0x11d8098; // 0xa9f5dfda
				_t41 = _t40 ^ _t72;
				_v8 = _t40 ^ _t72;
				_push(__edi);
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E0115F09C(_t41);
					_pop(_t62);
				}
				E0117B230(_t67,  &_v804, 0, 0x50);
				E0117B230(_t67,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t62;
				_v556 = _t66;
				_v560 = _t61;
				_v564 = _t70;
				_v568 = _t67;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t68 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				if(UnhandledExceptionFilter( &_v812) == 0 && _t68 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					E0115F09C(_t57);
				}
				return E0115E184(_v8 ^ _t72);
			}

0x0118270a
0x0118270a
0x0118270a
0x0118270a
0x0118270d
0x01182715
0x0118271a
0x0118271c
0x01182723
0x01182724
0x01182726
0x01182729
0x0118272e
0x0118272e
0x0118273a
0x0118274d
0x0118275b
0x01182761
0x01182767
0x0118276d
0x01182773
0x01182779
0x0118277f
0x01182785
0x0118278b
0x01182791
0x01182798
0x0118279f
0x011827a6
0x011827ad
0x011827b4
0x011827bb
0x011827bc
0x011827c5
0x011827cb
0x011827ce
0x011827d4
0x011827e1
0x011827ea
0x011827f3
0x011827fc
0x0118280a
0x0118280c
0x01182821
0x0118282d
0x01182830
0x01182835
0x01182842

APIs

IsDebuggerPresent.KERNEL32 ref: 01182802
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0118280C
UnhandledExceptionFilter.KERNEL32(?), ref: 01182819

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: d6281af12833d1a9f047dec4d0811dc04ae4335c267618496944edcf3eee9896
Instruction ID: fb3ad1b72792458dfefe9e9f5c028527e34d3f69ef515dfa8b2bff5d2a3f87e4
Opcode Fuzzy Hash: d6281af12833d1a9f047dec4d0811dc04ae4335c267618496944edcf3eee9896
Instruction Fuzzy Hash: B131C57491122D9BCB25EF68D9887CDBBB8BF18310F5041EAE41CA7250E7709B85CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0118A510, Relevance: 3.4, APIs: 2, Instructions: 450
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E0118A510(signed int* _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr* _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int* _v80;
				char _v540;
				signed int _v544;
				signed int _t190;
				signed int _t191;
				intOrPtr _t192;
				signed int _t195;
				signed int _t197;
				signed int _t199;
				signed int _t200;
				signed int _t204;
				signed int _t210;
				intOrPtr _t216;
				void* _t219;
				signed int _t221;
				signed int _t232;
				void* _t236;
				signed int _t239;
				signed int* _t245;
				signed int _t247;
				signed int* _t248;
				signed int* _t250;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t255;
				signed int _t259;
				unsigned int _t260;
				signed int _t262;
				signed int* _t266;
				signed int _t267;
				signed int _t268;
				intOrPtr _t270;
				void* _t274;
				signed char _t280;
				signed int* _t283;
				signed int _t287;
				signed int* _t288;
				intOrPtr* _t295;
				signed int _t297;
				signed int _t298;
				signed int* _t301;
				signed int _t302;
				signed int _t304;
				intOrPtr* _t305;
				signed int _t309;
				signed int _t310;
				signed int _t315;
				signed int _t320;
				signed int _t321;
				signed int _t323;
				void* _t324;
				signed int _t325;
				signed int _t328;
				signed int _t332;
				signed int* _t334;
				signed int _t338;
				signed int _t340;
				signed int _t341;
				signed int _t343;
				void* _t344;
				signed int _t349;
				signed int _t356;
				signed int* _t357;

				_t245 = _a4;
				_t338 =  *_t245;
				if(_t338 == 0) {
					L75:
					__eflags = 0;
					return 0;
				} else {
					_t295 = _a8;
					_t190 =  *_t295;
					_v56 = _t190;
					if(_t190 == 0) {
						goto L75;
					} else {
						_t320 = _t190 - 1;
						_t259 = _t338 - 1;
						_v12 = _t259;
						if(_t320 != 0) {
							__eflags = _t320 - _t259;
							if(_t320 > _t259) {
								goto L75;
							} else {
								_t191 = _t259;
								_t297 = _t259 - _t320;
								__eflags = _t259 - _t297;
								if(_t259 < _t297) {
									L20:
									_t297 = _t297 + 1;
									__eflags = _t297;
								} else {
									_t283 =  &(_t245[_t259 + 1]);
									_t356 = _a8 + _t320 * 4 + 4;
									__eflags = _t356;
									while(1) {
										__eflags =  *_t356 -  *_t283;
										if(__eflags != 0) {
											break;
										}
										_t191 = _t191 - 1;
										_t356 = _t356 - 4;
										_t283 = _t283 - 4;
										__eflags = _t191 - _t297;
										if(_t191 >= _t297) {
											continue;
										} else {
											goto L20;
										}
										goto L21;
									}
									if(__eflags < 0) {
										goto L20;
									}
								}
								L21:
								__eflags = _t297;
								if(__eflags == 0) {
									goto L75;
								} else {
									_t192 = _a8;
									_t247 = _v56;
									_t340 =  *(_t192 + _t247 * 4);
									_t55 = _t247 * 4; // 0xfffeb1a6
									_t260 =  *(_t192 + _t55 - 4);
									asm("bsr eax, esi");
									_v52 = _t340;
									_v36 = _t260;
									if(__eflags == 0) {
										_t321 = 0x20;
									} else {
										_t321 = 0x1f - _t192;
									}
									_v16 = _t321;
									_v48 = 0x20 - _t321;
									__eflags = _t321;
									if(_t321 != 0) {
										_t280 = _t321;
										_v36 = _v36 << _t280;
										_v52 = _t340 << _t280 | _t260 >> _v48;
										__eflags = _t247 - 2;
										if(_t247 > 2) {
											_t68 = _t247 * 4; // 0xe850ffff
											_t70 =  &_v36;
											 *_t70 = _v36 |  *(_a8 + _t68 - 8) >> _v48;
											__eflags =  *_t70;
										}
									}
									_t341 = 0;
									_v32 = 0;
									_t298 = _t297 + 0xffffffff;
									__eflags = _t298;
									_v28 = _t298;
									if(_t298 >= 0) {
										_t197 = _t298 + _t247;
										_t250 = _a4;
										_v60 = _t197;
										_v64 = _t250 + 4 + _t298 * 4;
										_t266 = _t250 - 4 + _t197 * 4;
										_v80 = _t266;
										do {
											__eflags = _t197 - _v12;
											if(_t197 > _v12) {
												_t198 = 0;
												__eflags = 0;
											} else {
												_t198 = _t266[2];
											}
											_t302 = _t266[1];
											_t267 =  *_t266;
											_v76 = _t198;
											_v40 = 0;
											_v8 = _t198;
											_v24 = _t267;
											__eflags = _t321;
											if(_t321 != 0) {
												_t309 = _v8;
												_t328 = _t267 >> _v48;
												_t221 = E011A3AE0(_t302, _v16, _t309);
												_t267 = _v16;
												_t198 = _t309;
												_t302 = _t328 | _t221;
												_t341 = _v24 << _t267;
												__eflags = _v60 - 3;
												_v8 = _t309;
												_v24 = _t341;
												if(_v60 >= 3) {
													_t267 = _v48;
													_t341 = _t341 |  *(_t250 + (_v56 + _v28) * 4 - 8) >> _t267;
													__eflags = _t341;
													_t198 = _v8;
													_v24 = _t341;
												}
											}
											_push(_t250);
											_t199 = E0115ED60(_t302, _t198, _v52, 0);
											_v40 = _t250;
											_t252 = _t199;
											_t343 = _t341 ^ _t341;
											_t200 = _t302;
											_v8 = _t252;
											_v20 = _t200;
											_t323 = _t267;
											_v72 = _t252;
											_v68 = _t200;
											_v40 = _t343;
											__eflags = _t200;
											if(_t200 != 0) {
												L38:
												_t253 = _t252 + 1;
												asm("adc eax, 0xffffffff");
												_t323 = _t323 + E0115EE30(_t253, _t200, _v52, 0);
												asm("adc esi, edx");
												_t252 = _t253 | 0xffffffff;
												_t200 = 0;
												__eflags = 0;
												_v40 = _t343;
												_v8 = _t252;
												_v72 = _t252;
												_v20 = 0;
												_v68 = 0;
											} else {
												__eflags = _t252 - 0xffffffff;
												if(_t252 > 0xffffffff) {
													goto L38;
												}
											}
											__eflags = _t343;
											if(__eflags <= 0) {
												if(__eflags < 0) {
													goto L42;
												} else {
													__eflags = _t323 - 0xffffffff;
													if(_t323 <= 0xffffffff) {
														while(1) {
															L42:
															_v8 = _v24;
															_t219 = E0115EE30(_v36, 0, _t252, _t200);
															__eflags = _t302 - _t323;
															if(__eflags < 0) {
																break;
															}
															if(__eflags > 0) {
																L45:
																_t200 = _v20;
																_t252 = _t252 + 0xffffffff;
																_v72 = _t252;
																asm("adc eax, 0xffffffff");
																_t323 = _t323 + _v52;
																__eflags = _t323;
																_v20 = _t200;
																asm("adc dword [ebp-0x24], 0x0");
																_v68 = _t200;
																if(_t323 == 0) {
																	__eflags = _t323 - 0xffffffff;
																	if(_t323 <= 0xffffffff) {
																		continue;
																	} else {
																	}
																}
															} else {
																__eflags = _t219 - _v8;
																if(_t219 <= _v8) {
																	break;
																} else {
																	goto L45;
																}
															}
															L49:
															_v8 = _t252;
															goto L50;
														}
														_t200 = _v20;
														goto L49;
													}
												}
											}
											L50:
											__eflags = _t200;
											if(_t200 != 0) {
												L52:
												_t268 = _v56;
												_t324 = 0;
												_t344 = 0;
												__eflags = _t268;
												if(_t268 != 0) {
													_t255 = _v64;
													_t210 = _a8 + 4;
													__eflags = _t210;
													_v40 = _t210;
													_v24 = _t268;
													do {
														_v12 =  *_t210;
														_t216 =  *_t255;
														_t274 = _t324 + _v72 * _v12;
														asm("adc esi, edx");
														_t324 = _t344;
														_t344 = 0;
														__eflags = _t216 - _t274;
														if(_t216 < _t274) {
															_t324 = _t324 + 1;
															asm("adc esi, esi");
														}
														 *_t255 = _t216 - _t274;
														_t255 = _t255 + 4;
														_t210 = _v40 + 4;
														_t153 =  &_v24;
														 *_t153 = _v24 - 1;
														__eflags =  *_t153;
														_v40 = _t210;
													} while ( *_t153 != 0);
													_t252 = _v8;
													_t268 = _v56;
												}
												__eflags = 0 - _t344;
												if(__eflags <= 0) {
													if(__eflags < 0) {
														L61:
														__eflags = _t268;
														if(_t268 != 0) {
															_t254 = 0;
															_t305 = _v64;
															_t349 = _a8 + 4;
															__eflags = _t349;
															_t325 = _t268;
															do {
																_t270 =  *_t305;
																_t161 = _t349 + 4; // 0xf8835959
																_t349 = _t161;
																_t305 = _t305 + 4;
																asm("adc eax, eax");
																 *((intOrPtr*)(_t305 - 4)) = _t270 +  *((intOrPtr*)(_t349 - 4)) + _t254;
																asm("adc eax, 0x0");
																_t254 = 0;
																_t325 = _t325 - 1;
																__eflags = _t325;
															} while (_t325 != 0);
															_t252 = _v8;
														}
														_t252 = _t252 + 0xffffffff;
														asm("adc dword [ebp-0x10], 0xffffffff");
													} else {
														__eflags = _v76 - _t324;
														if(_v76 < _t324) {
															goto L61;
														}
													}
												}
												_t204 = _v60 - 1;
												__eflags = _t204;
												_v12 = _t204;
											} else {
												__eflags = _t252;
												if(_t252 != 0) {
													goto L52;
												}
											}
											_t341 = _v32;
											_t250 = _a4;
											asm("adc esi, 0x0");
											_v64 = _v64 - 4;
											_t304 = _v28 - 1;
											_t321 = _v16;
											_t266 = _v80 - 4;
											_v32 = 0 + _t252;
											_t197 = _v60 - 1;
											_v28 = _t304;
											_v60 = _t197;
											_v80 = _t266;
											__eflags = _t304;
										} while (_t304 >= 0);
									}
									_t248 = _a4;
									_t262 = _v12 + 1;
									_t195 = _t262;
									__eflags = _t195 -  *_t248;
									if(_t195 <  *_t248) {
										_t301 =  &(( &(_t248[1]))[_t195]);
										do {
											 *_t301 = 0;
											_t301 =  &(_t301[1]);
											_t195 = _t195 + 1;
											__eflags = _t195 -  *_t248;
										} while (_t195 <  *_t248);
									}
									 *_t248 = _t262;
									__eflags = _t262;
									if(_t262 != 0) {
										while(1) {
											__eflags = _t248[_t262];
											if(_t248[_t262] != 0) {
												goto L74;
											}
											_t262 = _t262 + 0xffffffff;
											__eflags = _t262;
											 *_t248 = _t262;
											if(_t262 != 0) {
												continue;
											}
											goto L74;
										}
									}
									L74:
									return _v32;
								}
							}
						} else {
							_t7 = _t295 + 4; // 0x96850f0a
							_t310 =  *_t7;
							_v12 = _t310;
							if(_t310 != 1) {
								__eflags = _t259;
								if(_t259 != 0) {
									_t332 = 0;
									_v16 = 0;
									_v40 = 0;
									_v28 = 0;
									__eflags = _t259 - 0xffffffff;
									if(_t259 != 0xffffffff) {
										_t287 = _t259 + 1;
										__eflags = _t287;
										_t288 =  &(_t245[_t287]);
										_v32 = _t288;
										do {
											_t236 = E0115ED60( *_t288, _t332, _t310, 0);
											_v28 = _t245;
											_t245 = _t245;
											_v68 = _t310;
											_t332 = _t288;
											_v16 = 0 + _t236;
											_t310 = _v12;
											asm("adc ecx, 0x0");
											_v40 = _v16;
											_t288 = _v32 - 4;
											_v32 = _t288;
											_t338 = _t338 - 1;
											__eflags = _t338;
										} while (_t338 != 0);
										_t245 = _a4;
									}
									_v544 = 0;
									_t357 =  &(_t245[1]);
									 *_t245 = 0;
									E011825C7(_t357, 0x1cc,  &_v540, 0);
									_t232 = _v28;
									__eflags = 0 - _t232;
									 *_t357 = _t332;
									_t245[2] = _t232;
									asm("sbb ecx, ecx");
									__eflags =  ~0x00000000;
									 *_t245 = 0xbadbae;
									return _v16;
								} else {
									_t334 =  &(_t245[1]);
									_v544 = _t259;
									 *_t245 = _t259;
									E011825C7(_t334, 0x1cc,  &_v540, _t259);
									_t239 = _t245[1];
									_t315 = _t239 % _v12;
									__eflags = 0 - _t315;
									 *_t334 = _t315;
									asm("sbb ecx, ecx");
									__eflags = 0;
									 *_t245 =  ~0x00000000;
									return _t239 / _v12;
								}
							} else {
								_v544 = _t320;
								 *_t245 = _t320;
								E011825C7( &(_t245[1]), 0x1cc,  &_v540, _t320);
								return _t245[1];
							}
						}
					}
				}
			}

0x0118a51c
0x0118a521
0x0118a525
0x0118a99d
0x0118a9a1
0x0118a9a7
0x0118a52b
0x0118a52b
0x0118a52e
0x0118a530
0x0118a535
0x00000000
0x0118a53b
0x0118a53b
0x0118a53e
0x0118a541
0x0118a546
0x0118a677
0x0118a679
0x00000000
0x0118a67f
0x0118a681
0x0118a683
0x0118a685
0x0118a687
0x0118a6ab
0x0118a6ab
0x0118a6ab
0x0118a689
0x0118a690
0x0118a693
0x0118a693
0x0118a696
0x0118a698
0x0118a69a
0x00000000
0x00000000
0x0118a69c
0x0118a69d
0x0118a6a0
0x0118a6a3
0x0118a6a5
0x00000000
0x0118a6a7
0x00000000
0x0118a6a7
0x00000000
0x0118a6a5
0x0118a6a9
0x00000000
0x00000000
0x0118a6a9
0x0118a6ac
0x0118a6ac
0x0118a6ae
0x00000000
0x0118a6b4
0x0118a6b4
0x0118a6b7
0x0118a6ba
0x0118a6bd
0x0118a6bd
0x0118a6c1
0x0118a6c4
0x0118a6c7
0x0118a6ca
0x0118a6d5
0x0118a6cc
0x0118a6d1
0x0118a6d1
0x0118a6df
0x0118a6e4
0x0118a6e7
0x0118a6e9
0x0118a6f2
0x0118a6f4
0x0118a6fb
0x0118a6fe
0x0118a701
0x0118a709
0x0118a70f
0x0118a70f
0x0118a70f
0x0118a70f
0x0118a701
0x0118a712
0x0118a714
0x0118a71b
0x0118a71b
0x0118a71e
0x0118a721
0x0118a727
0x0118a72a
0x0118a72d
0x0118a736
0x0118a73c
0x0118a73f
0x0118a742
0x0118a742
0x0118a745
0x0118a74c
0x0118a74c
0x0118a747
0x0118a747
0x0118a747
0x0118a74e
0x0118a751
0x0118a753
0x0118a756
0x0118a75d
0x0118a760
0x0118a763
0x0118a765
0x0118a770
0x0118a773
0x0118a778
0x0118a77d
0x0118a784
0x0118a789
0x0118a78b
0x0118a78d
0x0118a791
0x0118a794
0x0118a797
0x0118a79f
0x0118a7a8
0x0118a7a8
0x0118a7aa
0x0118a7ad
0x0118a7ad
0x0118a797
0x0118a7b0
0x0118a7b8
0x0118a7bd
0x0118a7c2
0x0118a7c4
0x0118a7c6
0x0118a7c8
0x0118a7cb
0x0118a7ce
0x0118a7d0
0x0118a7d3
0x0118a7d6
0x0118a7d9
0x0118a7db
0x0118a7e2
0x0118a7e7
0x0118a7ea
0x0118a7f4
0x0118a7f6
0x0118a7f8
0x0118a7fb
0x0118a7fb
0x0118a7fd
0x0118a800
0x0118a803
0x0118a806
0x0118a809
0x0118a7dd
0x0118a7dd
0x0118a7e0
0x00000000
0x00000000
0x0118a7e0
0x0118a80c
0x0118a80e
0x0118a810
0x00000000
0x0118a812
0x0118a812
0x0118a815
0x0118a817
0x0118a817
0x0118a825
0x0118a828
0x0118a82d
0x0118a82f
0x00000000
0x00000000
0x0118a831
0x0118a838
0x0118a838
0x0118a83b
0x0118a83e
0x0118a841
0x0118a844
0x0118a844
0x0118a847
0x0118a84a
0x0118a84e
0x0118a851
0x0118a853
0x0118a856
0x00000000
0x00000000
0x0118a858
0x0118a856
0x0118a833
0x0118a833
0x0118a836
0x00000000
0x00000000
0x00000000
0x00000000
0x0118a836
0x0118a85d
0x0118a85d
0x00000000
0x0118a85d
0x0118a85a
0x00000000
0x0118a85a
0x0118a815
0x0118a810
0x0118a860
0x0118a860
0x0118a862
0x0118a86c
0x0118a86c
0x0118a86f
0x0118a871
0x0118a873
0x0118a875
0x0118a87a
0x0118a87d
0x0118a87d
0x0118a880
0x0118a883
0x0118a886
0x0118a888
0x0118a89d
0x0118a89f
0x0118a8a1
0x0118a8a3
0x0118a8a5
0x0118a8a7
0x0118a8a9
0x0118a8ab
0x0118a8ae
0x0118a8ae
0x0118a8b2
0x0118a8b4
0x0118a8ba
0x0118a8bd
0x0118a8bd
0x0118a8bd
0x0118a8c1
0x0118a8c1
0x0118a8c6
0x0118a8c9
0x0118a8c9
0x0118a8ce
0x0118a8d0
0x0118a8d2
0x0118a8d9
0x0118a8d9
0x0118a8db
0x0118a8e0
0x0118a8e2
0x0118a8e5
0x0118a8e5
0x0118a8e8
0x0118a8f0
0x0118a8f0
0x0118a8f2
0x0118a8f2
0x0118a8f7
0x0118a8fd
0x0118a901
0x0118a904
0x0118a907
0x0118a909
0x0118a909
0x0118a909
0x0118a90e
0x0118a90e
0x0118a911
0x0118a914
0x0118a8d4
0x0118a8d4
0x0118a8d7
0x00000000
0x00000000
0x0118a8d7
0x0118a8d2
0x0118a91b
0x0118a91b
0x0118a91c
0x0118a864
0x0118a864
0x0118a866
0x00000000
0x00000000
0x0118a866
0x0118a91f
0x0118a92c
0x0118a92f
0x0118a932
0x0118a936
0x0118a937
0x0118a93a
0x0118a93d
0x0118a943
0x0118a944
0x0118a947
0x0118a94a
0x0118a94d
0x0118a94d
0x0118a742
0x0118a958
0x0118a95b
0x0118a95c
0x0118a95e
0x0118a960
0x0118a965
0x0118a970
0x0118a970
0x0118a976
0x0118a979
0x0118a97a
0x0118a97a
0x0118a970
0x0118a97e
0x0118a980
0x0118a982
0x0118a984
0x0118a984
0x0118a988
0x00000000
0x00000000
0x0118a98a
0x0118a98a
0x0118a98d
0x0118a98f
0x00000000
0x00000000
0x00000000
0x0118a98f
0x0118a984
0x0118a991
0x0118a99c
0x0118a99c
0x0118a6ae
0x0118a54c
0x0118a54c
0x0118a54c
0x0118a54f
0x0118a555
0x0118a586
0x0118a588
0x0118a5ca
0x0118a5cc
0x0118a5d3
0x0118a5da
0x0118a5dd
0x0118a5e0
0x0118a5e2
0x0118a5e2
0x0118a5e3
0x0118a5e6
0x0118a5f0
0x0118a5fa
0x0118a5ff
0x0118a602
0x0118a604
0x0118a607
0x0118a610
0x0118a613
0x0118a616
0x0118a619
0x0118a61f
0x0118a622
0x0118a625
0x0118a625
0x0118a625
0x0118a62a
0x0118a62a
0x0118a635
0x0118a640
0x0118a643
0x0118a64f
0x0118a654
0x0118a65f
0x0118a661
0x0118a663
0x0118a669
0x0118a66e
0x0118a670
0x0118a676
0x0118a58a
0x0118a595
0x0118a598
0x0118a5a4
0x0118a5a6
0x0118a5ad
0x0118a5af
0x0118a5b7
0x0118a5b9
0x0118a5bb
0x0118a5c0
0x0118a5c3
0x0118a5c9
0x0118a5c9
0x0118a557
0x0118a565
0x0118a571
0x0118a573
0x0118a585
0x0118a585
0x0118a555
0x0118a546
0x0118a535

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33d7601aeba3ea71792a145ebdf2ff9fb0119d3bacdde8c629637b5a349bc4f5
Instruction ID: 259995496e843169226c70291156d1caa50aebff47afbfb3f750e48feccffc34
Opcode Fuzzy Hash: 33d7601aeba3ea71792a145ebdf2ff9fb0119d3bacdde8c629637b5a349bc4f5
Instruction Fuzzy Hash: FFF17171E012199FDF18DFA8D8806ADFBB1FF89314F25826AD915A7345E731AA01CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01113E42, Relevance: 3.2, APIs: 2, Instructions: 158
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E01113E42(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr* _a4, char _a8, intOrPtr _a12) {
				char _v8;
				char _v16;
				signed int _v20;
				char _v6420;
				signed int _v6424;
				intOrPtr _v6428;
				char _v6432;
				char _v6436;
				char _v6440;
				char _v6444;
				char _v6448;
				intOrPtr _v6452;
				intOrPtr _v6456;
				intOrPtr _v6460;
				intOrPtr* _v6464;
				signed int _t61;
				signed int _t62;
				char _t74;
				char _t95;
				char _t105;
				intOrPtr _t112;
				intOrPtr _t113;
				intOrPtr _t122;
				char _t125;
				intOrPtr* _t127;
				signed int _t129;
				void* _t130;
				void* _t131;
				void* _t132;

				_push(0xffffffff);
				_push(0x11a4fa1);
				_push( *[fs:0x0]);
				E0115F450();
				_t61 =  *0x11d8098; // 0xa9f5dfda
				_t62 = _t61 ^ _t129;
				_v20 = _t62;
				_push(_t62);
				 *[fs:0x0] =  &_v16;
				_v6452 = __ecx;
				_t127 = _a4;
				_t95 = 0;
				_v6464 = _t127;
				_v6448 = 0;
				_v8 = 1;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				 *_t127 = 0;
				 *((intOrPtr*)(_t127 + 4)) = 0;
				 *((intOrPtr*)(_t127 + 8)) = 0;
				_v6448 = 1;
				E0117B230(_t127,  &_v6420, 0, 0x1900);
				_t131 = _t130 + 0xc;
				_t67 = _a8;
				_t122 = _a12 - _a8;
				_v6436 = 0;
				_v6444 = 0;
				_v6460 = _t122;
				if(_t122 != 0) {
					while(1) {
						_t17 = _t95 + 0xc80; // 0xc80
						_t105 = _t17;
						_v6440 = _t105;
						if(_t105 >= _t122) {
							_v6440 = _t122 - _t95;
							E0117B390( &_v6420, _t67 + _t95, _t122 - _t95 + _t67 + _t95 - _t67 + _t95);
							_t74 = _v6440;
							_t95 = _t122;
							_v6444 = 1;
						} else {
							E0117B390( &_v6420, _t67 + _t95, 0xc80);
							_t95 = _v6440;
							_t74 = 0xc80;
						}
						_t132 = _t131 + 0xc;
						_v6436 = _t74;
						_push(0x1900);
						_push( &_v6436);
						_push( &_v6420);
						_push(0);
						_push(_v6444);
						_push(0);
						_push( *((intOrPtr*)(_v6452 + 0xc)));
						if( *0x11fa630() == 0) {
							break;
						}
						asm("stosd");
						_t112 =  &_v6420 + _v6436;
						_v6456 = _t112;
						asm("stosd");
						asm("stosd");
						_t81 = 0;
						_v6424 = _v6424 & 0;
						_t125 = 0;
						_t113 = _t112 -  &_v6420;
						_v6432 = 0;
						_v6428 = 0;
						_v6440 = _t113;
						if(_t113 != 0) {
							E011150C3(_t95,  &_v6432,  &_v6420, _t113);
							_t125 = _v6432;
							E0117B390(_t125,  &_v6420, _v6440);
							_t132 = _t132 + 0xc;
							_t81 = _t125 -  &_v6420 + _v6456;
							_v6428 = _t125 -  &_v6420 + _v6456;
						}
						_v8 = 2;
						_push(_v6464);
						E01114DA1(_t127,  *((intOrPtr*)(_t127 + 4)), _t125, _t81);
						E0117B230(_t125,  &_v6420, 0, 0xc80);
						_t131 = _t132 + 0xc;
						_v8 = 1;
						E01114242( &_v6432);
						_t122 = _v6460;
						if(_t95 < _t122) {
							_t67 = _a8;
							continue;
						}
						goto L10;
					}
					GetLastError();
				}
				L10:
				E01114242( &_a8);
				 *[fs:0x0] = _v16;
				return E0115E184(_v20 ^ _t129);
			}

0x01113e45
0x01113e47
0x01113e52
0x01113e58
0x01113e5d
0x01113e62
0x01113e64
0x01113e6a
0x01113e6e
0x01113e74
0x01113e7a
0x01113e7d
0x01113e7f
0x01113e85
0x01113e92
0x01113e95
0x01113e96
0x01113e97
0x01113e98
0x01113e9a
0x01113e9d
0x01113eab
0x01113eb3
0x01113ebb
0x01113ebe
0x01113ec1
0x01113ec3
0x01113ec9
0x01113ecf
0x01113ed5
0x01113edb
0x01113edb
0x01113edb
0x01113ee1
0x01113ee9
0x01113f10
0x01113f27
0x01113f2c
0x01113f32
0x01113f34
0x01113eeb
0x01113efa
0x01113eff
0x01113f05
0x01113f05
0x01113f3e
0x01113f41
0x01113f4d
0x01113f52
0x01113f59
0x01113f60
0x01113f62
0x01113f68
0x01113f6a
0x01113f75
0x00000000
0x00000000
0x01113f83
0x01113f8a
0x01113f96
0x01113f9c
0x01113f9d
0x01113f9e
0x01113fa0
0x01113fa6
0x01113fa8
0x01113faa
0x01113fb0
0x01113fb6
0x01113fbc
0x01113fc5
0x01113fd0
0x01113fde
0x01113fed
0x01113ff0
0x01113ff6
0x01113ff6
0x01113ffc
0x01114002
0x0111400d
0x01114020
0x01114025
0x01114028
0x01114032
0x01114037
0x0111403f
0x01114041
0x00000000
0x01114041
0x00000000
0x0111403f
0x01114049
0x01114049
0x0111404f
0x01114052
0x0111405c
0x01114072

APIs

CryptEncrypt.ADVAPI32(?,00000000,?,00000000,?,?,00001900,?,?,?), ref: 01113F6D
GetLastError.KERNEL32 ref: 01114049

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CryptEncryptErrorLast
String ID:
API String ID: 1781102852-0
Opcode ID: db5793da7d4352db758e3c11365ee8826b79c04a916c1a4b47e41b83758c001d
Instruction ID: e5078a9bea18ed6c53678e87ddcdf57caa3169b513a6f68b05525cf7a5da67cc
Opcode Fuzzy Hash: db5793da7d4352db758e3c11365ee8826b79c04a916c1a4b47e41b83758c001d
Instruction Fuzzy Hash: 7F514B71902219AFDB28DF68CCA0AEEF7B4FB48350F1845ADE519A7240D730AF848F54

Uniqueness

Uniqueness Score: -1.00%

Function 01192104, Relevance: 3.1, APIs: 2, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E01192104(void* __ecx, void* __edi, WCHAR* _a4, signed int _a8) {
				void* __ebx;
				void* __esi;
				int _t8;
				signed int _t11;
				void* _t14;
				signed int _t16;
				signed int _t18;
				signed char _t19;
				void* _t21;
				void* _t22;
				WCHAR* _t24;

				_t22 = __edi;
				_t21 = __ecx;
				_pop(_t26);
				_push(_t18);
				_t8 = IsDebuggerPresent();
				_t24 = _a4;
				_t19 = _t18 & 0xffffff00 | _t8 != 0x00000000;
				if(_t8 == 0) {
					L6:
					__eflags = E01196E2C(_t21) - 2;
					if(__eflags != 0) {
						L12:
						_t11 = (_t19 & 0x000000ff) + 3;
						__eflags = _t11;
					} else {
						__eflags = E0119045E(__eflags);
						if(__eflags == 0) {
							goto L12;
						} else {
							__eflags = E0119055A(_t19, _t22, _t24, __eflags);
							if(__eflags != 0) {
								_t14 = E011904C7(__eflags);
								_push(_a8);
								_push(_a4);
								_push(_t24);
								_push(_t14);
							} else {
								_t16 = _a8 | 0x00200000;
								__eflags = _t16;
								_push(_t16);
								_push(_a4);
								_push(_t24);
								_push(0);
							}
							_t11 = E011903C3(_t19, _t22);
						}
					}
				} else {
					if(_t24 != 0) {
						OutputDebugStringW(_t24);
					}
					if(E01196EA1(_t21) == 1) {
						goto L6;
					} else {
						_t11 = 4;
					}
				}
				return _t11;
			}

0x01192104
0x01192104
0x01192109
0x0119208b
0x0119208d
0x01192093
0x01192098
0x0119209d
0x011920b9
0x011920be
0x011920c1
0x011920fa
0x011920fd
0x011920fd
0x011920c3
0x011920c8
0x011920ca
0x00000000
0x011920cc
0x011920d1
0x011920d3
0x011920eb
0x011920f0
0x011920f3
0x011920f6
0x011920f7
0x011920d5
0x011920d8
0x011920d8
0x011920dd
0x011920de
0x011920e1
0x011920e2
0x011920e2
0x011920e4
0x011920e4
0x011920ca
0x0119209f
0x011920a1
0x011920a4
0x011920a4
0x011920b2
0x00000000
0x011920b4
0x011920b6
0x011920b6
0x011920b2
0x01192103

APIs

IsDebuggerPresent.KERNEL32(?,00000000,?,01181ED5,?,Microsoft Visual C++ Runtime Library,00012012,?,00000240,00000000,00000000,01115225,?,?,00000000,00000480), ref: 0119208D
OutputDebugStringW.KERNEL32(?,?,01181ED5,?,Microsoft Visual C++ Runtime Library,00012012,?,00000240,00000000,00000000,01115225,?,?,00000000,00000480,00000000), ref: 011920A4

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DebugDebuggerOutputPresentString
String ID:
API String ID: 4086329628-0
Opcode ID: 8288ae0db410504cc099e6f6ad69943cea7e88f65ce313fab3710f45ae46546b
Instruction ID: f2cdcca86263da5bda0936c51f94c512b34b35fb0d0adf0ca46d490c2040bdef
Opcode Fuzzy Hash: 8288ae0db410504cc099e6f6ad69943cea7e88f65ce313fab3710f45ae46546b
Instruction Fuzzy Hash: 7D018F3114522ABBEF3D6A559C05FBE3B5EEF05665F080011FE3586140CB32D491D6B2

Uniqueness

Uniqueness Score: -1.00%

Function 011952FC, Relevance: 1.8, APIs: 1, Instructions: 274
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E011952FC(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
				signed int _t172;
				signed int _t175;
				signed int _t178;
				signed int* _t179;
				signed char _t193;
				signed int _t196;
				signed int _t200;
				signed int _t203;
				void* _t204;
				void* _t207;
				signed int _t210;
				void* _t211;
				signed int _t226;
				unsigned int* _t241;
				signed char _t243;
				signed int* _t251;
				unsigned int* _t257;
				signed int* _t258;
				signed char _t260;
				long _t263;
				signed int* _t266;

				 *(_a4 + 4) = 0;
				_t263 = 0xc000000d;
				 *(_a4 + 8) = 0;
				 *(_a4 + 0xc) = 0;
				_t243 = _a12;
				if((_t243 & 0x00000010) != 0) {
					_t263 = 0xc000008f;
					 *(_a4 + 4) =  *(_a4 + 4) | 1;
				}
				if((_t243 & 0x00000002) != 0) {
					_t263 = 0xc0000093;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
				}
				if((_t243 & 0x00000001) != 0) {
					_t263 = 0xc0000091;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
				}
				if((_t243 & 0x00000004) != 0) {
					_t263 = 0xc000008e;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
				}
				if((_t243 & 0x00000008) != 0) {
					_t263 = 0xc0000090;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
				}
				_t266 = _a8;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 << 4) ^  *(_a4 + 8)) & 0x00000010;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 +  *_t266) ^  *(_a4 + 8)) & 0x00000008;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 1) ^  *(_a4 + 8)) & 0x00000004;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 3) ^  *(_a4 + 8)) & 0x00000002;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 5) ^  *(_a4 + 8)) & 1;
				_t260 = E01195932(_a4);
				if((_t260 & 0x00000001) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
				}
				if((_t260 & 0x00000004) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
				}
				if((_t260 & 0x00000008) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
				}
				if((_t260 & 0x00000010) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
				}
				if((_t260 & 0x00000020) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
				}
				_t172 =  *_t266 & 0x00000c00;
				if(_t172 == 0) {
					 *_a4 =  *_a4 & 0xfffffffc;
				} else {
					if(_t172 == 0x400) {
						_t258 = _a4;
						_t226 =  *_t258 & 0xfffffffd | 1;
						L26:
						 *_t258 = _t226;
						L29:
						_t175 =  *_t266 & 0x00000300;
						if(_t175 == 0) {
							_t251 = _a4;
							_t178 =  *_t251 & 0xffffffeb | 0x00000008;
							L35:
							 *_t251 = _t178;
							L36:
							_t179 = _a4;
							_t255 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
							if(_a28 == 0) {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
								 *((long long*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t255 = _a4;
								_t241 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
								 *(_a4 + 0x50) =  *_t241;
							} else {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t241 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
								 *(_a4 + 0x50) =  *_t241;
							}
							E0119589E(_t255);
							RaiseException(_t263, 0, 1,  &_a4);
							_t257 = _a4;
							_t193 = _t257[2];
							if((_t193 & 0x00000010) != 0) {
								 *_t266 =  *_t266 & 0xfffffffe;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000008) != 0) {
								 *_t266 =  *_t266 & 0xfffffffb;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000004) != 0) {
								 *_t266 =  *_t266 & 0xfffffff7;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000002) != 0) {
								 *_t266 =  *_t266 & 0xffffffef;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000001) != 0) {
								 *_t266 =  *_t266 & 0xffffffdf;
							}
							_t196 =  *_t257 & 0x00000003;
							if(_t196 == 0) {
								 *_t266 =  *_t266 & 0xfffff3ff;
							} else {
								_t207 = _t196 - 1;
								if(_t207 == 0) {
									_t210 =  *_t266 & 0xfffff7ff | 0x00000400;
									L55:
									 *_t266 = _t210;
									L58:
									_t200 =  *_t257 >> 0x00000002 & 0x00000007;
									if(_t200 == 0) {
										_t203 =  *_t266 & 0xfffff3ff | 0x00000300;
										L64:
										 *_t266 = _t203;
										L65:
										if(_a28 == 0) {
											 *_t241 = _t257[0x14];
										} else {
											 *_t241 = _t257[0x14];
										}
										return _t203;
									}
									_t204 = _t200 - 1;
									if(_t204 == 0) {
										_t203 =  *_t266 & 0xfffff3ff | 0x00000200;
										goto L64;
									}
									_t203 = _t204 - 1;
									if(_t203 == 0) {
										 *_t266 =  *_t266 & 0xfffff3ff;
									}
									goto L65;
								}
								_t211 = _t207 - 1;
								if(_t211 == 0) {
									_t210 =  *_t266 & 0xfffffbff | 0x00000800;
									goto L55;
								}
								if(_t211 == 1) {
									 *_t266 =  *_t266 | 0x00000c00;
								}
							}
							goto L58;
						}
						if(_t175 == 0x200) {
							_t251 = _a4;
							_t178 =  *_t251 & 0xffffffe7 | 0x00000004;
							goto L35;
						}
						if(_t175 == 0x300) {
							 *_a4 =  *_a4 & 0xffffffe3;
						}
						goto L36;
					}
					if(_t172 == 0x800) {
						_t258 = _a4;
						_t226 =  *_t258 & 0xfffffffe | 0x00000002;
						goto L26;
					}
					if(_t172 == 0xc00) {
						 *_a4 =  *_a4 | 0x00000003;
					}
				}
			}

0x0119530a
0x01195311
0x01195316
0x0119531c
0x0119531f
0x01195325
0x0119532a
0x0119532f
0x0119532f
0x01195335
0x0119533a
0x0119533f
0x0119533f
0x01195346
0x0119534b
0x01195350
0x01195350
0x01195357
0x0119535c
0x01195361
0x01195361
0x01195368
0x0119536d
0x01195372
0x01195372
0x0119537a
0x0119538a
0x0119539c
0x011953ae
0x011953c1
0x011953d3
0x011953db
0x011953e0
0x011953e5
0x011953e5
0x011953ec
0x011953f1
0x011953f1
0x011953f8
0x011953fd
0x011953fd
0x01195404
0x01195409
0x01195409
0x01195410
0x01195415
0x01195415
0x0119541f
0x01195421
0x0119545b
0x01195423
0x01195428
0x0119544c
0x01195454
0x01195448
0x01195448
0x0119545e
0x01195465
0x01195467
0x01195489
0x01195491
0x01195494
0x01195494
0x01195496
0x01195496
0x011954a1
0x011954a7
0x011954ac
0x011954b3
0x011954ed
0x011954f8
0x011954fe
0x01195501
0x01195504
0x01195510
0x01195518
0x011954b5
0x011954b8
0x011954c4
0x011954ca
0x011954d0
0x011954d3
0x011954dc
0x011954dc
0x0119551b
0x01195529
0x0119552f
0x01195532
0x01195537
0x01195539
0x0119553c
0x0119553c
0x01195541
0x01195543
0x01195546
0x01195546
0x0119554b
0x0119554d
0x01195550
0x01195550
0x01195555
0x01195557
0x0119555a
0x0119555a
0x0119555f
0x01195561
0x01195561
0x0119556e
0x01195571
0x011955a8
0x01195573
0x01195573
0x01195576
0x011955a1
0x01195596
0x01195596
0x011955aa
0x011955b2
0x011955b5
0x011955d4
0x011955d9
0x011955d9
0x011955db
0x011955e0
0x011955ec
0x011955e2
0x011955e5
0x011955e5
0x011955f1
0x011955f1
0x011955b7
0x011955ba
0x011955c9
0x00000000
0x011955c9
0x011955bc
0x011955bf
0x011955c1
0x011955c1
0x00000000
0x011955bf
0x01195578
0x0119557b
0x01195591
0x00000000
0x01195591
0x01195580
0x01195582
0x01195582
0x01195580
0x00000000
0x01195571
0x0119546e
0x0119547c
0x01195484
0x00000000
0x01195484
0x01195472
0x01195477
0x01195477
0x00000000
0x01195472
0x0119542f
0x0119543d
0x01195445
0x00000000
0x01195445
0x01195433
0x01195438
0x01195438
0x01195433

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,011952F7,?,?,00000008,?,?,011A1643,00000000), ref: 01195529

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 7d386efcf3a7f4df62aa17f9637e994763120f0b46c8d09c4ff023303c1e21c7
Instruction ID: 1c8e2a8a18e364c49ed5e4de89996d0c14fa5ae3adbb98be0e04c3774a7905c2
Opcode Fuzzy Hash: 7d386efcf3a7f4df62aa17f9637e994763120f0b46c8d09c4ff023303c1e21c7
Instruction Fuzzy Hash: 4AB14E31210604CFEB5ACF2CC486A547FE2FF45365F258659E9A9DF2A2C335E952CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0119CB35, Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0119CB35(void* __ecx, void* __edx, void* __eflags, signed int* _a4) {
				void* __ebp;
				intOrPtr _t26;
				intOrPtr _t29;
				signed int _t32;
				signed char _t33;
				signed char _t34;
				intOrPtr* _t38;
				intOrPtr* _t41;
				signed int _t47;
				void* _t50;
				void* _t51;
				signed int* _t52;
				void* _t53;
				signed int _t62;

				_t53 = E01190FC4(__ecx, __edx);
				_t47 = 2;
				_t38 =  *((intOrPtr*)(_t53 + 0x50));
				_t50 = _t38 + 2;
				do {
					_t26 =  *_t38;
					_t38 = _t38 + _t47;
				} while (_t26 != 0);
				_t41 =  *((intOrPtr*)(_t53 + 0x54));
				 *(_t53 + 0x60) = 0 | _t38 - _t50 >> 0x00000001 == 0x00000003;
				_t51 = _t41 + 2;
				do {
					_t29 =  *_t41;
					_t41 = _t41 + _t47;
				} while (_t29 != 0);
				_t52 = _a4;
				 *(_t53 + 0x64) = 0 | _t41 - _t51 >> 0x00000001 == 0x00000003;
				_t52[1] = 0;
				if( *(_t53 + 0x60) == 0) {
					_t47 = E0119CC2F( *((intOrPtr*)(_t53 + 0x50)));
				}
				 *(_t53 + 0x5c) = _t47;
				_t32 = EnumSystemLocalesW(0x119cc5b, 1);
				_t62 =  *_t52 & 0x00000007;
				asm("bt ecx, 0x9");
				_t33 = _t32 & 0xffffff00 | _t62 > 0x00000000;
				asm("bt ecx, 0x8");
				_t34 = _t33 & 0xffffff00 | _t62 > 0x00000000;
				if((_t34 & (_t47 & 0xffffff00 | _t62 != 0x00000000) & _t33) == 0) {
					 *_t52 = 0;
					return _t34;
				}
				return _t34;
			}

0x0119cb42
0x0119cb48
0x0119cb49
0x0119cb4c
0x0119cb4f
0x0119cb4f
0x0119cb52
0x0119cb54
0x0119cb62
0x0119cb68
0x0119cb6b
0x0119cb6e
0x0119cb6e
0x0119cb71
0x0119cb73
0x0119cb7c
0x0119cb87
0x0119cb8a
0x0119cb90
0x0119cb9b
0x0119cb9b
0x0119cba4
0x0119cba7
0x0119cbaf
0x0119cbb5
0x0119cbb9
0x0119cbbe
0x0119cbc2
0x0119cbc7
0x0119cbc9
0x00000000
0x0119cbc9
0x0119cbcf

APIs

Part of subcall function 01190FC4: GetLastError.KERNEL32(?,?,?,0117EFA3,?,?,?,?,0117F06E,00000000), ref: 01190FC9
Part of subcall function 01190FC4: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,?,0117F06E,00000000), ref: 01191067

EnumSystemLocalesW.KERNEL32(0119CC5B,00000001,00000000,?,-00000050,?,0119D289,00000000,?,?,?,00000055,?), ref: 0119CBA7

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 0f4bede889ce636fda7356c754e1b579a15b84a8d896f0de1a7b365cda0e8caf
Instruction ID: 549f0096cf814ece2a68a2aa48a05d0878d50ad8ec4e79a29aa4d4885a1b7c8b
Opcode Fuzzy Hash: 0f4bede889ce636fda7356c754e1b579a15b84a8d896f0de1a7b365cda0e8caf
Instruction Fuzzy Hash: 4C11C6366047059FDF1C9F39C8916BABB91FF84768B14442DE99787A40D371B543D780

Uniqueness

Uniqueness Score: -1.00%

Function 0119CBD0, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0119CBD0(void* __ecx, void* __edx, void* __eflags, signed char* _a4) {
				void* __ebp;
				intOrPtr _t11;
				signed char* _t15;
				intOrPtr* _t19;
				intOrPtr _t24;
				void* _t25;
				void* _t26;

				_t26 = E01190FC4(__ecx, __edx);
				_t24 = 2;
				_t19 =  *((intOrPtr*)(_t26 + 0x50));
				_t25 = _t19 + 2;
				do {
					_t11 =  *_t19;
					_t19 = _t19 + _t24;
				} while (_t11 != 0);
				_t4 = _t19 - _t25 >> 1 == 3;
				 *(_t26 + 0x60) = 0 | _t4;
				if(_t4 != 0) {
					_t24 = E0119CC2F( *((intOrPtr*)(_t26 + 0x50)));
				}
				 *((intOrPtr*)(_t26 + 0x5c)) = _t24;
				EnumSystemLocalesW(0x119ceae, 1);
				_t15 = _a4;
				if(( *_t15 & 0x00000004) == 0) {
					 *_t15 = 0;
					return _t15;
				}
				return _t15;
			}

0x0119cbdd
0x0119cbe3
0x0119cbe4
0x0119cbe7
0x0119cbea
0x0119cbea
0x0119cbed
0x0119cbef
0x0119cbfd
0x0119cc00
0x0119cc03
0x0119cc0e
0x0119cc0e
0x0119cc17
0x0119cc1a
0x0119cc20
0x0119cc26
0x0119cc28
0x00000000
0x0119cc28
0x0119cc2e

APIs

Part of subcall function 01190FC4: GetLastError.KERNEL32(?,?,?,0117EFA3,?,?,?,?,0117F06E,00000000), ref: 01190FC9
Part of subcall function 01190FC4: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,?,0117F06E,00000000), ref: 01191067

EnumSystemLocalesW.KERNEL32(0119CEAE,00000001,00000000,?,-00000050,?,0119D24D,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 0119CC1A

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: c81217c491316dbc69d9f2a419207894042878b796442e26a57b6ded3b582fa3
Instruction ID: 655b188e46819a9432a3837e66d0ac9f62f543c6e641efd343461cd9951e7b99
Opcode Fuzzy Hash: c81217c491316dbc69d9f2a419207894042878b796442e26a57b6ded3b582fa3
Instruction Fuzzy Hash: 33F0FC362003055FDF285F39D88177ABF95EF81768B05442DF99687640D771A942D790

Uniqueness

Uniqueness Score: -1.00%

Function 0118FB46, Relevance: 1.5, APIs: 1, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0118FB46(void* __ecx, void* __edx, void* __eflags) {
				intOrPtr _t17;
				signed int _t28;
				void* _t30;

				E0115F0B0(__edx, 0x11d5730, 0xc);
				 *(_t30 - 0x1c) =  *(_t30 - 0x1c) & 0x00000000;
				E011861CA( *((intOrPtr*)( *((intOrPtr*)(_t30 + 8)))));
				 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
				 *0x11fa280 = E0118426F( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t30 + 0xc)))))));
				_t28 = EnumSystemLocalesW(0x118fb39, 1);
				_t17 =  *0x11d8098; // 0xa9f5dfda
				 *0x11fa280 = _t17;
				 *(_t30 - 0x1c) = _t28;
				 *(_t30 - 4) = 0xfffffffe;
				E0118FBB6();
				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0x10));
				return _t28;
			}

0x0118fb4d
0x0118fb52
0x0118fb5b
0x0118fb61
0x0118fb72
0x0118fb84
0x0118fb86
0x0118fb8b
0x0118fb90
0x0118fb93
0x0118fb9a
0x0118fba4
0x0118fbb0

APIs

Part of subcall function 011861CA: EnterCriticalSection.KERNEL32(-00073C75,?,0118CF63,00000000,011D5670,0000000C,0118CF2A,?,?,0118FAD5,?,?,01191166,00000001,00000364), ref: 011861D9

EnumSystemLocalesW.KERNEL32(0118FB39,00000001,011D5730,0000000C,01190058,00000000), ref: 0118FB7E

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: ca9dc201fda5dac8f87dd352884afe1244b93791e7a12e9bee1773a97f3e3766
Instruction ID: 5084a7613240f4c138543521125ab41717fb212c19c4db55d28fc2064fbd50b7
Opcode Fuzzy Hash: ca9dc201fda5dac8f87dd352884afe1244b93791e7a12e9bee1773a97f3e3766
Instruction Fuzzy Hash: 3EF04936A04216DFD718EFA8E401B9D77F1FB58725F10816AF824DB291DB7659418F40

Uniqueness

Uniqueness Score: -1.00%

Function 0119CAEA, Relevance: 1.5, APIs: 1, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0119CAEA(void* __ecx, void* __edx, void* __eflags, signed char* _a4) {
				void* __ebp;
				intOrPtr _t9;
				signed char* _t13;
				intOrPtr* _t15;
				void* _t19;
				void* _t21;

				_t19 = E01190FC4(__ecx, __edx);
				_t15 =  *((intOrPtr*)(_t19 + 0x54));
				_t21 = _t15 + 2;
				do {
					_t9 =  *_t15;
					_t15 = _t15 + 2;
				} while (_t9 != 0);
				 *(_t19 + 0x64) = 0 | _t15 - _t21 >> 0x00000001 == 0x00000003;
				EnumSystemLocalesW(0x119ca43, 1);
				_t13 = _a4;
				if(( *_t13 & 0x00000004) == 0) {
					 *_t13 = 0;
					return _t13;
				}
				return _t13;
			}

0x0119caf6
0x0119cafa
0x0119cafd
0x0119cb00
0x0119cb00
0x0119cb03
0x0119cb06
0x0119cb1e
0x0119cb21
0x0119cb27
0x0119cb2d
0x0119cb2f
0x00000000
0x0119cb2f
0x0119cb34

APIs

Part of subcall function 01190FC4: GetLastError.KERNEL32(?,?,?,0117EFA3,?,?,?,?,0117F06E,00000000), ref: 01190FC9
Part of subcall function 01190FC4: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,?,0117F06E,00000000), ref: 01191067

EnumSystemLocalesW.KERNEL32(0119CA43,00000001,00000000,?,?,0119D2AB,-00000050,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 0119CB21

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 912b43908f8945f230d2ed70d4630a3ffa6add10eecdf1d608f5fea7bad8b28c
Instruction ID: 69e0737b92b6463f59b02fd1e62c5baeb36133dd3297a4de0ebfadfec4b7a9a8
Opcode Fuzzy Hash: 912b43908f8945f230d2ed70d4630a3ffa6add10eecdf1d608f5fea7bad8b28c
Instruction Fuzzy Hash: 63F0553630020657CF08DF39D80576ABF98EFC2760B464058EE2A8B241C371A943C790

Uniqueness

Uniqueness Score: -1.00%

Function 011901B3, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,0118F2FC,?,20001004,00000000,00000002,?,?,0118E8E7), ref: 011901E7

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 6430c59c3f9de82e671e8fb7091f54386d2b71a3c4cf056eff5c47a973a621af
Instruction ID: f7a157d42bbb70385dcec167b3f8cbd74d9532664e8787508f60d9461da46d66
Opcode Fuzzy Hash: 6430c59c3f9de82e671e8fb7091f54386d2b71a3c4cf056eff5c47a973a621af
Instruction Fuzzy Hash: 9EE04F3550022ABBCF2A3F61DC04E9E3F19EF48750F058021FD2565110CB32CE219BD1

Uniqueness

Uniqueness Score: -1.00%

Function 011808AA, Relevance: 1.5, Strings: 1, Instructions: 239
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E011808AA(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				short _v12;
				short _v16;
				signed int _v20;
				short _v24;
				signed int _t57;
				signed int _t59;
				signed int _t60;
				void* _t61;
				signed char _t65;
				signed char _t67;
				signed int _t68;
				short _t70;
				void* _t71;
				signed char _t77;
				signed char _t80;
				void* _t85;
				void* _t86;
				signed char _t88;
				signed char _t90;
				short _t91;
				signed int _t94;
				signed int _t96;
				signed int _t97;
				unsigned int _t102;
				signed int _t103;
				void* _t106;
				void* _t107;
				void* _t109;
				signed int _t113;
				unsigned int _t115;
				signed int* _t117;
				signed char _t118;
				void* _t126;
				signed int _t129;
				void* _t130;
				short _t131;
				short _t132;
				void* _t133;
				intOrPtr* _t136;
				signed int _t137;
				void* _t138;
				void* _t140;
				void* _t141;

				_t130 = __edi;
				_t57 =  *0x11d8098; // 0xa9f5dfda
				_v8 = _t57 ^ _t137;
				_t136 = __ecx;
				_t126 = 0x41;
				_t59 =  *(__ecx + 0x32) & 0x0000ffff;
				_t109 = 0x58;
				_t140 = _t59 - 0x64;
				if(_t140 > 0) {
					__eflags = _t59 - 0x70;
					if(__eflags > 0) {
						_t60 = _t59 - 0x73;
						__eflags = _t60;
						if(_t60 == 0) {
							L9:
							_t61 = E01181441(_t136);
							L10:
							if(_t61 != 0) {
								__eflags =  *(_t136 + 0x30);
								if( *(_t136 + 0x30) != 0) {
									L70:
									L71:
									return E0115E184(_v8 ^ _t137);
								}
								_t113 = 0;
								_v16 = 0;
								_v12 = 0;
								_t102 =  *(_t136 + 0x20);
								_push(_t130);
								_v20 = 0;
								_t65 = _t102 >> 4;
								_t131 = 0x20;
								__eflags = 1 & _t65;
								if((1 & _t65) == 0) {
									L46:
									_t129 =  *(_t136 + 0x32) & 0x0000ffff;
									_t132 = 0x78;
									__eflags = _t129 - _t132;
									if(_t129 == _t132) {
										L48:
										_t67 = _t102 >> 5;
										__eflags = _t67 & 0x00000001;
										if((_t67 & 0x00000001) == 0) {
											L50:
											_t103 = 0;
											__eflags = 0;
											L51:
											__eflags = _t129 - 0x61;
											if(_t129 == 0x61) {
												L54:
												_t68 = 1;
												L55:
												_v24 = 0x30;
												__eflags = _t103;
												if(_t103 != 0) {
													L57:
													 *((short*)(_t137 + _t113 * 2 - 0xc)) = _v24;
													_t70 = 0x58;
													__eflags = _t129 - _t70;
													if(_t129 == _t70) {
														L59:
														_t132 = _t70;
														L60:
														 *((short*)(_t137 + _t113 * 2 - 0xa)) = _t132;
														_t113 = _t113 + 2;
														__eflags = _t113;
														_v20 = _t113;
														L61:
														_t71 = _t136 + 0x18;
														_t133 = _t136 + 0x448;
														_t106 =  *((intOrPtr*)(_t136 + 0x24)) -  *((intOrPtr*)(_t136 + 0x38)) - _t113;
														__eflags =  *(_t136 + 0x20) & 0x0000000c;
														if(( *(_t136 + 0x20) & 0x0000000c) == 0) {
															E0117EE2B(_t133, 0x20, _t106, _t71);
															_t113 = _v20;
															_t138 = _t138 + 0x10;
														}
														_push(_t136 + 0xc);
														E01181A09(_t133,  &_v16, _t113, _t136 + 0x18);
														_t115 =  *(_t136 + 0x20);
														_t77 = _t115 >> 3;
														__eflags = _t77 & 0x00000001;
														if((_t77 & 0x00000001) != 0) {
															_t118 = _t115 >> 2;
															__eflags = _t118 & 0x00000001;
															if((_t118 & 0x00000001) == 0) {
																E0117EE2B(_t133, _v24, _t106, _t136 + 0x18);
																_t138 = _t138 + 0x10;
															}
														}
														E011818B7(_t136, _t129, 0);
														_t117 = _t136 + 0x18;
														__eflags =  *_t117;
														if( *_t117 >= 0) {
															_t80 =  *(_t136 + 0x20) >> 2;
															__eflags = _t80 & 0x00000001;
															if((_t80 & 0x00000001) != 0) {
																E0117EE2B(_t133, 0x20, _t106, _t117);
															}
														}
														goto L70;
													}
													_t107 = 0x41;
													__eflags = _t129 - _t107;
													if(_t129 != _t107) {
														goto L60;
													}
													goto L59;
												}
												__eflags = _t68;
												if(_t68 == 0) {
													goto L61;
												}
												goto L57;
											}
											_t85 = 0x41;
											__eflags = _t129 - _t85;
											if(_t129 == _t85) {
												goto L54;
											}
											_t68 = 0;
											goto L55;
										}
										_t103 = 1;
										goto L51;
									}
									_t86 = 0x58;
									__eflags = _t129 - _t86;
									if(_t129 != _t86) {
										goto L50;
									}
									goto L48;
								}
								_t88 = _t102 >> 6;
								__eflags = 1 & _t88;
								if((1 & _t88) == 0) {
									__eflags = 1 & _t102;
									if((1 & _t102) == 0) {
										_t90 = _t102 >> 1;
										__eflags = 1 & _t90;
										if((1 & _t90) != 0) {
											_v16 = _t131;
											_t113 = 1;
											_v20 = 1;
										}
										goto L46;
									}
									_push(0x2b);
									L43:
									_pop(_t91);
									_t113 = 1;
									_v16 = _t91;
									_v20 = 1;
									goto L46;
								}
								_push(0x2d);
								goto L43;
							}
							L11:
							goto L71;
						}
						_t94 = _t60;
						__eflags = _t94;
						if(__eflags == 0) {
							L29:
							_push(0);
							_push(0xa);
							L30:
							_t61 = E01181199(_t136, __eflags);
							goto L10;
						}
						__eflags = _t94 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_push(0x10);
						goto L30;
					}
					if(__eflags == 0) {
						_t61 = E011813B8(__ecx);
						goto L10;
					}
					__eflags = _t59 - 0x65;
					if(_t59 < 0x65) {
						goto L11;
					}
					__eflags = _t59 - 0x67;
					if(_t59 <= 0x67) {
						L31:
						_t61 = E01180DBD(_t136);
						goto L10;
					}
					__eflags = _t59 - 0x69;
					if(_t59 == 0x69) {
						L28:
						_t3 = _t136 + 0x20;
						 *_t3 =  *(_t136 + 0x20) | 0x00000010;
						__eflags =  *_t3;
						goto L29;
					}
					__eflags = _t59 - 0x6e;
					if(_t59 == 0x6e) {
						_t61 = E011812EE(__ecx, _t126);
						goto L10;
					}
					__eflags = _t59 - 0x6f;
					if(_t59 != 0x6f) {
						goto L11;
					}
					_t61 = E01181381(__ecx);
					goto L10;
				}
				if(_t140 == 0) {
					goto L28;
				}
				_t141 = _t59 - _t109;
				if(_t141 > 0) {
					_t96 = _t59 - 0x5a;
					__eflags = _t96;
					if(_t96 == 0) {
						_t61 = E01180C14(__ecx);
						goto L10;
					}
					_t97 = _t96 - 7;
					__eflags = _t97;
					if(_t97 == 0) {
						goto L31;
					}
					__eflags = _t97;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t61 = E01180FB2(_t136, _t126, __eflags, 0);
					goto L10;
				}
				if(_t141 == 0) {
					_push(1);
					goto L13;
				}
				if(_t59 == _t126) {
					goto L31;
				}
				if(_t59 == 0x43) {
					goto L17;
				}
				if(_t59 <= 0x44) {
					goto L11;
				}
				if(_t59 <= 0x47) {
					goto L31;
				}
				if(_t59 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x011808aa
0x011808b2
0x011808b9
0x011808be
0x011808c4
0x011808c7
0x011808cb
0x011808cc
0x011808cf
0x0118093c
0x0118093f
0x01180996
0x01180996
0x01180999
0x011808fd
0x011808ff
0x01180904
0x01180906
0x011809b4
0x011809b7
0x01180aff
0x01180b01
0x01180b0e
0x01180b0e
0x011809bd
0x011809bf
0x011809c2
0x011809c8
0x011809cc
0x011809cf
0x011809d2
0x011809d7
0x011809d8
0x011809da
0x01180a0c
0x01180a0c
0x01180a12
0x01180a13
0x01180a16
0x01180a20
0x01180a22
0x01180a25
0x01180a27
0x01180a2d
0x01180a2d
0x01180a2d
0x01180a2f
0x01180a2f
0x01180a32
0x01180a40
0x01180a40
0x01180a42
0x01180a42
0x01180a49
0x01180a4b
0x01180a51
0x01180a56
0x01180a5b
0x01180a5c
0x01180a5f
0x01180a69
0x01180a69
0x01180a6b
0x01180a6b
0x01180a70
0x01180a70
0x01180a73
0x01180a76
0x01180a79
0x01180a7f
0x01180a85
0x01180a87
0x01180a8b
0x01180a92
0x01180a97
0x01180a9a
0x01180a9a
0x01180aa0
0x01180aac
0x01180ab1
0x01180ab6
0x01180ab9
0x01180abb
0x01180abd
0x01180ac0
0x01180ac3
0x01180ace
0x01180ad3
0x01180ad3
0x01180ac3
0x01180ada
0x01180adf
0x01180ae2
0x01180ae5
0x01180aea
0x01180aed
0x01180aef
0x01180af6
0x01180afb
0x01180aef
0x00000000
0x01180afe
0x01180a63
0x01180a64
0x01180a67
0x00000000
0x00000000
0x00000000
0x01180a67
0x01180a4d
0x01180a4f
0x00000000
0x00000000
0x00000000
0x01180a4f
0x01180a36
0x01180a37
0x01180a3a
0x00000000
0x00000000
0x01180a3c
0x00000000
0x01180a3c
0x01180a29
0x00000000
0x01180a29
0x01180a1a
0x01180a1b
0x01180a1e
0x00000000
0x00000000
0x00000000
0x01180a1e
0x011809de
0x011809e1
0x011809e3
0x011809e9
0x011809eb
0x011809fd
0x011809ff
0x01180a01
0x01180a03
0x01180a07
0x01180a09
0x01180a09
0x00000000
0x01180a01
0x011809ed
0x011809ef
0x011809ef
0x011809f0
0x011809f2
0x011809f6
0x00000000
0x011809f6
0x011809e5
0x00000000
0x011809e5
0x0118090c
0x00000000
0x0118090c
0x011809a0
0x011809a0
0x011809a3
0x01180972
0x01180972
0x01180973
0x01180975
0x01180977
0x00000000
0x01180977
0x011809a5
0x011809a8
0x00000000
0x00000000
0x011809ae
0x01180915
0x01180915
0x00000000
0x01180915
0x01180941
0x0118098c
0x00000000
0x0118098c
0x01180943
0x01180946
0x00000000
0x00000000
0x01180948
0x0118094b
0x0118097e
0x01180980
0x00000000
0x01180980
0x0118094d
0x01180950
0x0118096e
0x0118096e
0x0118096e
0x0118096e
0x00000000
0x0118096e
0x01180952
0x01180955
0x01180967
0x00000000
0x01180967
0x01180957
0x0118095a
0x00000000
0x00000000
0x0118095e
0x00000000
0x0118095e
0x011808d1
0x00000000
0x00000000
0x011808d7
0x011808d9
0x01180919
0x01180919
0x0118091c
0x01180935
0x00000000
0x01180935
0x0118091e
0x0118091e
0x01180921
0x00000000
0x00000000
0x01180924
0x01180927
0x00000000
0x00000000
0x01180929
0x0118092c
0x00000000
0x0118092c
0x011808db
0x01180913
0x00000000
0x01180913
0x011808df
0x00000000
0x00000000
0x011808e8
0x00000000
0x00000000
0x011808ed
0x00000000
0x00000000
0x011808f2
0x00000000
0x00000000
0x011808fb
0x00000000
0x00000000
0x00000000

Strings

0, xrefs: 01180A42

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 1a81b4031fdbbe4f64848b08b9c6d95d1612ab8cfb0b478813617165dbd4045d
Instruction ID: 9700665d3e414149541d0a24afd5e7229f707c849d42904c4debb9e58f72cc9f
Opcode Fuzzy Hash: 1a81b4031fdbbe4f64848b08b9c6d95d1612ab8cfb0b478813617165dbd4045d
Instruction Fuzzy Hash: BE615971A4070D5AFB3CFA6C88907BEB7A5AB4D204F04C62DF54ADB291E761994DCF02

Uniqueness

Uniqueness Score: -1.00%

Function 01180645, Relevance: 1.5, Strings: 1, Instructions: 239
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E01180645(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				short _v12;
				short _v16;
				signed int _v20;
				short _v24;
				signed int _t57;
				signed int _t59;
				signed int _t60;
				void* _t61;
				signed char _t65;
				signed char _t67;
				signed int _t68;
				short _t70;
				void* _t71;
				signed char _t77;
				signed char _t80;
				void* _t85;
				void* _t86;
				signed char _t88;
				signed char _t90;
				short _t91;
				signed int _t94;
				signed int _t96;
				signed int _t97;
				unsigned int _t102;
				signed int _t103;
				void* _t106;
				void* _t107;
				void* _t109;
				signed int _t113;
				unsigned int _t115;
				signed int* _t117;
				signed char _t118;
				void* _t126;
				signed int _t129;
				void* _t130;
				short _t131;
				short _t132;
				void* _t133;
				intOrPtr* _t136;
				signed int _t137;
				void* _t138;
				void* _t140;
				void* _t141;

				_t130 = __edi;
				_t57 =  *0x11d8098; // 0xa9f5dfda
				_v8 = _t57 ^ _t137;
				_t136 = __ecx;
				_t126 = 0x41;
				_t59 =  *(__ecx + 0x32) & 0x0000ffff;
				_t109 = 0x58;
				_t140 = _t59 - 0x64;
				if(_t140 > 0) {
					__eflags = _t59 - 0x70;
					if(__eflags > 0) {
						_t60 = _t59 - 0x73;
						__eflags = _t60;
						if(_t60 == 0) {
							L9:
							_t61 = E01181441(_t136);
							L10:
							if(_t61 != 0) {
								__eflags =  *(_t136 + 0x30);
								if( *(_t136 + 0x30) != 0) {
									L70:
									L71:
									return E0115E184(_v8 ^ _t137);
								}
								_t113 = 0;
								_v16 = 0;
								_v12 = 0;
								_t102 =  *(_t136 + 0x20);
								_push(_t130);
								_v20 = 0;
								_t65 = _t102 >> 4;
								_t131 = 0x20;
								__eflags = 1 & _t65;
								if((1 & _t65) == 0) {
									L46:
									_t129 =  *(_t136 + 0x32) & 0x0000ffff;
									_t132 = 0x78;
									__eflags = _t129 - _t132;
									if(_t129 == _t132) {
										L48:
										_t67 = _t102 >> 5;
										__eflags = _t67 & 0x00000001;
										if((_t67 & 0x00000001) == 0) {
											L50:
											_t103 = 0;
											__eflags = 0;
											L51:
											__eflags = _t129 - 0x61;
											if(_t129 == 0x61) {
												L54:
												_t68 = 1;
												L55:
												_v24 = 0x30;
												__eflags = _t103;
												if(_t103 != 0) {
													L57:
													 *((short*)(_t137 + _t113 * 2 - 0xc)) = _v24;
													_t70 = 0x58;
													__eflags = _t129 - _t70;
													if(_t129 == _t70) {
														L59:
														_t132 = _t70;
														L60:
														 *((short*)(_t137 + _t113 * 2 - 0xa)) = _t132;
														_t113 = _t113 + 2;
														__eflags = _t113;
														_v20 = _t113;
														L61:
														_t71 = _t136 + 0x18;
														_t133 = _t136 + 0x448;
														_t106 =  *((intOrPtr*)(_t136 + 0x24)) -  *((intOrPtr*)(_t136 + 0x38)) - _t113;
														__eflags =  *(_t136 + 0x20) & 0x0000000c;
														if(( *(_t136 + 0x20) & 0x0000000c) == 0) {
															E0117EDBF(_t133, 0x20, _t106, _t71);
															_t113 = _v20;
															_t138 = _t138 + 0x10;
														}
														_push(_t136 + 0xc);
														E01181976(_t133,  &_v16, _t113, _t136 + 0x18);
														_t115 =  *(_t136 + 0x20);
														_t77 = _t115 >> 3;
														__eflags = _t77 & 0x00000001;
														if((_t77 & 0x00000001) != 0) {
															_t118 = _t115 >> 2;
															__eflags = _t118 & 0x00000001;
															if((_t118 & 0x00000001) == 0) {
																E0117EDBF(_t133, _v24, _t106, _t136 + 0x18);
																_t138 = _t138 + 0x10;
															}
														}
														E01181824(_t136, _t129, 0);
														_t117 = _t136 + 0x18;
														__eflags =  *_t117;
														if( *_t117 >= 0) {
															_t80 =  *(_t136 + 0x20) >> 2;
															__eflags = _t80 & 0x00000001;
															if((_t80 & 0x00000001) != 0) {
																E0117EDBF(_t133, 0x20, _t106, _t117);
															}
														}
														goto L70;
													}
													_t107 = 0x41;
													__eflags = _t129 - _t107;
													if(_t129 != _t107) {
														goto L60;
													}
													goto L59;
												}
												__eflags = _t68;
												if(_t68 == 0) {
													goto L61;
												}
												goto L57;
											}
											_t85 = 0x41;
											__eflags = _t129 - _t85;
											if(_t129 == _t85) {
												goto L54;
											}
											_t68 = 0;
											goto L55;
										}
										_t103 = 1;
										goto L51;
									}
									_t86 = 0x58;
									__eflags = _t129 - _t86;
									if(_t129 != _t86) {
										goto L50;
									}
									goto L48;
								}
								_t88 = _t102 >> 6;
								__eflags = 1 & _t88;
								if((1 & _t88) == 0) {
									__eflags = 1 & _t102;
									if((1 & _t102) == 0) {
										_t90 = _t102 >> 1;
										__eflags = 1 & _t90;
										if((1 & _t90) != 0) {
											_v16 = _t131;
											_t113 = 1;
											_v20 = 1;
										}
										goto L46;
									}
									_push(0x2b);
									L43:
									_pop(_t91);
									_t113 = 1;
									_v16 = _t91;
									_v20 = 1;
									goto L46;
								}
								_push(0x2d);
								goto L43;
							}
							L11:
							goto L71;
						}
						_t94 = _t60;
						__eflags = _t94;
						if(__eflags == 0) {
							L29:
							_push(0);
							_push(0xa);
							L30:
							_t61 = E01181199(_t136, __eflags);
							goto L10;
						}
						__eflags = _t94 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_push(0x10);
						goto L30;
					}
					if(__eflags == 0) {
						_t61 = E011813B8(__ecx);
						goto L10;
					}
					__eflags = _t59 - 0x65;
					if(_t59 < 0x65) {
						goto L11;
					}
					__eflags = _t59 - 0x67;
					if(_t59 <= 0x67) {
						L31:
						_t61 = E01180DBD(_t136);
						goto L10;
					}
					__eflags = _t59 - 0x69;
					if(_t59 == 0x69) {
						L28:
						_t3 = _t136 + 0x20;
						 *_t3 =  *(_t136 + 0x20) | 0x00000010;
						__eflags =  *_t3;
						goto L29;
					}
					__eflags = _t59 - 0x6e;
					if(_t59 == 0x6e) {
						_t61 = E011812EE(__ecx, _t126);
						goto L10;
					}
					__eflags = _t59 - 0x6f;
					if(_t59 != 0x6f) {
						goto L11;
					}
					_t61 = E01181381(__ecx);
					goto L10;
				}
				if(_t140 == 0) {
					goto L28;
				}
				_t141 = _t59 - _t109;
				if(_t141 > 0) {
					_t96 = _t59 - 0x5a;
					__eflags = _t96;
					if(_t96 == 0) {
						_t61 = E01180C14(__ecx);
						goto L10;
					}
					_t97 = _t96 - 7;
					__eflags = _t97;
					if(_t97 == 0) {
						goto L31;
					}
					__eflags = _t97;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t61 = E01180FB2(_t136, _t126, __eflags, 0);
					goto L10;
				}
				if(_t141 == 0) {
					_push(1);
					goto L13;
				}
				if(_t59 == _t126) {
					goto L31;
				}
				if(_t59 == 0x43) {
					goto L17;
				}
				if(_t59 <= 0x44) {
					goto L11;
				}
				if(_t59 <= 0x47) {
					goto L31;
				}
				if(_t59 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x01180645
0x0118064d
0x01180654
0x01180659
0x0118065f
0x01180662
0x01180666
0x01180667
0x0118066a
0x011806d7
0x011806da
0x01180731
0x01180731
0x01180734
0x01180698
0x0118069a
0x0118069f
0x011806a1
0x0118074f
0x01180752
0x0118089a
0x0118089c
0x011808a9
0x011808a9
0x01180758
0x0118075a
0x0118075d
0x01180763
0x01180767
0x0118076a
0x0118076d
0x01180772
0x01180773
0x01180775
0x011807a7
0x011807a7
0x011807ad
0x011807ae
0x011807b1
0x011807bb
0x011807bd
0x011807c0
0x011807c2
0x011807c8
0x011807c8
0x011807c8
0x011807ca
0x011807ca
0x011807cd
0x011807db
0x011807db
0x011807dd
0x011807dd
0x011807e4
0x011807e6
0x011807ec
0x011807f1
0x011807f6
0x011807f7
0x011807fa
0x01180804
0x01180804
0x01180806
0x01180806
0x0118080b
0x0118080b
0x0118080e
0x01180811
0x01180814
0x0118081a
0x01180820
0x01180822
0x01180826
0x0118082d
0x01180832
0x01180835
0x01180835
0x0118083b
0x01180847
0x0118084c
0x01180851
0x01180854
0x01180856
0x01180858
0x0118085b
0x0118085e
0x01180869
0x0118086e
0x0118086e
0x0118085e
0x01180875
0x0118087a
0x0118087d
0x01180880
0x01180885
0x01180888
0x0118088a
0x01180891
0x01180896
0x0118088a
0x00000000
0x01180899
0x011807fe
0x011807ff
0x01180802
0x00000000
0x00000000
0x00000000
0x01180802
0x011807e8
0x011807ea
0x00000000
0x00000000
0x00000000
0x011807ea
0x011807d1
0x011807d2
0x011807d5
0x00000000
0x00000000
0x011807d7
0x00000000
0x011807d7
0x011807c4
0x00000000
0x011807c4
0x011807b5
0x011807b6
0x011807b9
0x00000000
0x00000000
0x00000000
0x011807b9
0x01180779
0x0118077c
0x0118077e
0x01180784
0x01180786
0x01180798
0x0118079a
0x0118079c
0x0118079e
0x011807a2
0x011807a4
0x011807a4
0x00000000
0x0118079c
0x01180788
0x0118078a
0x0118078a
0x0118078b
0x0118078d
0x01180791
0x00000000
0x01180791
0x01180780
0x00000000
0x01180780
0x011806a7
0x00000000
0x011806a7
0x0118073b
0x0118073b
0x0118073e
0x0118070d
0x0118070d
0x0118070e
0x01180710
0x01180712
0x00000000
0x01180712
0x01180740
0x01180743
0x00000000
0x00000000
0x01180749
0x011806b0
0x011806b0
0x00000000
0x011806b0
0x011806dc
0x01180727
0x00000000
0x01180727
0x011806de
0x011806e1
0x00000000
0x00000000
0x011806e3
0x011806e6
0x01180719
0x0118071b
0x00000000
0x0118071b
0x011806e8
0x011806eb
0x01180709
0x01180709
0x01180709
0x01180709
0x00000000
0x01180709
0x011806ed
0x011806f0
0x01180702
0x00000000
0x01180702
0x011806f2
0x011806f5
0x00000000
0x00000000
0x011806f9
0x00000000
0x011806f9
0x0118066c
0x00000000
0x00000000
0x01180672
0x01180674
0x011806b4
0x011806b4
0x011806b7
0x011806d0
0x00000000
0x011806d0
0x011806b9
0x011806b9
0x011806bc
0x00000000
0x00000000
0x011806bf
0x011806c2
0x00000000
0x00000000
0x011806c4
0x011806c7
0x00000000
0x011806c7
0x01180676
0x011806ae
0x00000000
0x011806ae
0x0118067a
0x00000000
0x00000000
0x01180683
0x00000000
0x00000000
0x01180688
0x00000000
0x00000000
0x0118068d
0x00000000
0x00000000
0x01180696
0x00000000
0x00000000
0x00000000

Strings

0, xrefs: 011807DD

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 1d27ec26e8357b34f646b596445f8505258c851104366b5ef15602290e1ff48b
Instruction ID: 33b0147dad7f32e6c7ac12ebe8d05d8a1b355d01b5805a1ea74067cfaaa0a268
Opcode Fuzzy Hash: 1d27ec26e8357b34f646b596445f8505258c851104366b5ef15602290e1ff48b
Instruction Fuzzy Hash: 5D614E71B00B0D5AEB3CBA2C48507BE7795AF9D608F24C529F582DB6C0D761998DCF42

Uniqueness

Uniqueness Score: -1.00%

Function 011801E1, Relevance: 1.5, Strings: 1, Instructions: 216
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E011801E1(intOrPtr* __ecx) {
				char _v6;
				char _v8;
				signed int _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t51;
				signed int _t52;
				void* _t53;
				signed int _t54;
				signed char _t56;
				signed char _t58;
				signed int _t59;
				void* _t61;
				signed char _t66;
				signed char _t69;
				signed char _t76;
				signed char _t78;
				signed int _t80;
				signed int _t82;
				signed int _t83;
				unsigned int _t89;
				signed int _t90;
				signed int* _t91;
				void* _t93;
				signed int _t95;
				unsigned int _t97;
				signed char _t99;
				void* _t107;
				intOrPtr _t110;
				void* _t114;
				intOrPtr* _t117;
				void* _t119;
				void* _t120;
				void* _t122;
				void* _t123;

				_push(__ecx);
				_push(__ecx);
				_t117 = __ecx;
				_t93 = 0x58;
				_t51 =  *((char*)(__ecx + 0x31));
				_t122 = _t51 - 0x64;
				if(_t122 > 0) {
					__eflags = _t51 - 0x70;
					if(__eflags > 0) {
						_t52 = _t51 - 0x73;
						__eflags = _t52;
						if(_t52 == 0) {
							L9:
							_t53 = E011813D0(_t117);
							L10:
							if(_t53 != 0) {
								__eflags =  *(_t117 + 0x30);
								if( *(_t117 + 0x30) != 0) {
									L70:
									_t54 = 1;
									L71:
									return _t54;
								}
								_t95 = 0;
								_v8 = 0;
								_v6 = 0;
								_t89 =  *(_t117 + 0x20);
								_v12 = 0;
								_t56 = _t89 >> 4;
								__eflags = 1 & _t56;
								if((1 & _t56) == 0) {
									L45:
									_t110 =  *((intOrPtr*)(_t117 + 0x31));
									__eflags = _t110 - 0x78;
									if(_t110 == 0x78) {
										L47:
										_t58 = _t89 >> 5;
										__eflags = _t58 & 0x00000001;
										if((_t58 & 0x00000001) == 0) {
											L49:
											_t90 = 0;
											__eflags = 0;
											L50:
											__eflags = _t110 - 0x61;
											if(_t110 == 0x61) {
												L53:
												_t59 = 1;
												L54:
												__eflags = _t90;
												if(_t90 != 0) {
													L56:
													 *((char*)(_t119 + _t95 - 4)) = 0x30;
													__eflags = _t110 - 0x58;
													if(_t110 == 0x58) {
														L59:
														0x78 = 0x58;
														L60:
														 *((char*)(_t119 + _t95 - 3)) = 0x78;
														_t95 = _t95 + 2;
														__eflags = _t95;
														_v12 = _t95;
														L61:
														_t91 = _t117 + 0x18;
														_t61 = _t117 + 0x448;
														_t114 =  *((intOrPtr*)(_t117 + 0x24)) -  *((intOrPtr*)(_t117 + 0x38)) - _t95;
														__eflags =  *(_t117 + 0x20) & 0x0000000c;
														if(( *(_t117 + 0x20) & 0x0000000c) == 0) {
															E0117ED84(_t61, 0x20, _t114, _t91);
															_t95 = _v12;
															_t120 = _t120 + 0x10;
														}
														_push(_t117 + 0xc);
														E0118194A(_t117 + 0x448,  &_v8, _t95, _t91);
														_t97 =  *(_t117 + 0x20);
														_t66 = _t97 >> 3;
														__eflags = _t66 & 0x00000001;
														if((_t66 & 0x00000001) != 0) {
															_t99 = _t97 >> 2;
															__eflags = _t99 & 0x00000001;
															if((_t99 & 0x00000001) == 0) {
																E0117ED84(_t117 + 0x448, 0x30, _t114, _t91);
																_t120 = _t120 + 0x10;
															}
														}
														E011816D6(_t91, _t117, _t114, _t117, 0);
														__eflags =  *_t91;
														if( *_t91 >= 0) {
															_t69 =  *(_t117 + 0x20) >> 2;
															__eflags = _t69 & 0x00000001;
															if((_t69 & 0x00000001) != 0) {
																E0117ED84(_t117 + 0x448, 0x20, _t114, _t91);
															}
														}
														goto L70;
													}
													__eflags = _t110 - 0x41;
													if(_t110 == 0x41) {
														goto L59;
													}
													goto L60;
												}
												__eflags = _t59;
												if(_t59 == 0) {
													goto L61;
												}
												goto L56;
											}
											__eflags = _t110 - 0x41;
											if(_t110 == 0x41) {
												goto L53;
											}
											_t59 = 0;
											goto L54;
										}
										_t90 = 1;
										goto L50;
									}
									__eflags = _t110 - 0x58;
									if(_t110 != 0x58) {
										goto L49;
									}
									goto L47;
								}
								_t76 = _t89 >> 6;
								__eflags = 1 & _t76;
								if((1 & _t76) == 0) {
									__eflags = 1 & _t89;
									if((1 & _t89) == 0) {
										_t78 = _t89 >> 1;
										__eflags = 1 & _t78;
										if((1 & _t78) != 0) {
											_v8 = 0x20;
											_t95 = 1;
											_v12 = 1;
										}
										goto L45;
									}
									_v8 = 0x2b;
									L42:
									_t95 = 1;
									_v12 = 1;
									goto L45;
								}
								_v8 = 0x2d;
								goto L42;
							}
							L11:
							_t54 = 0;
							goto L71;
						}
						_t80 = _t52;
						__eflags = _t80;
						if(__eflags == 0) {
							L28:
							_push(0);
							_push(0xa);
							L29:
							_t53 = E01181048(_t117, _t107, __eflags);
							goto L10;
						}
						__eflags = _t80 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_push(0x10);
						goto L29;
					}
					if(__eflags == 0) {
						_t53 = E011813A0(__ecx);
						goto L10;
					}
					__eflags = _t51 - 0x67;
					if(_t51 <= 0x67) {
						L30:
						_t53 = E01180C6E(0, _t117);
						goto L10;
					}
					__eflags = _t51 - 0x69;
					if(_t51 == 0x69) {
						L27:
						_t2 = _t117 + 0x20;
						 *_t2 =  *(_t117 + 0x20) | 0x00000010;
						__eflags =  *_t2;
						goto L28;
					}
					__eflags = _t51 - 0x6e;
					if(_t51 == 0x6e) {
						_t53 = E011812EE(__ecx, _t107);
						goto L10;
					}
					__eflags = _t51 - 0x6f;
					if(_t51 != 0x6f) {
						goto L11;
					}
					_t53 = E01181362(__ecx);
					goto L10;
				}
				if(_t122 == 0) {
					goto L27;
				}
				_t123 = _t51 - _t93;
				if(_t123 > 0) {
					_t82 = _t51 - 0x5a;
					__eflags = _t82;
					if(_t82 == 0) {
						_t53 = E01180BBA(__ecx);
						goto L10;
					}
					_t83 = _t82 - 7;
					__eflags = _t83;
					if(_t83 == 0) {
						goto L30;
					}
					__eflags = _t83;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t53 = E01180F22(0, _t117, __eflags, 0);
					goto L10;
				}
				if(_t123 == 0) {
					_push(1);
					goto L13;
				}
				if(_t51 == 0x41) {
					goto L30;
				}
				if(_t51 == 0x43) {
					goto L17;
				}
				if(_t51 <= 0x44) {
					goto L11;
				}
				if(_t51 <= 0x47) {
					goto L30;
				}
				if(_t51 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x011801e6
0x011801e7
0x011801ea
0x011801f0
0x011801f1
0x011801f5
0x011801f8
0x01180266
0x01180269
0x011802b8
0x011802b8
0x011802bb
0x01180227
0x01180229
0x0118022e
0x01180230
0x011802d6
0x011802d9
0x0118040d
0x0118040d
0x0118040f
0x01180412
0x01180412
0x011802df
0x011802e1
0x011802e5
0x011802ea
0x011802f0
0x011802f3
0x011802f6
0x011802f8
0x01180329
0x01180329
0x0118032c
0x0118032f
0x01180336
0x01180338
0x0118033b
0x0118033d
0x01180343
0x01180343
0x01180343
0x01180345
0x01180345
0x01180348
0x01180353
0x01180353
0x01180355
0x01180355
0x01180357
0x0118035d
0x0118035d
0x01180362
0x01180365
0x01180370
0x01180372
0x01180373
0x01180373
0x01180377
0x01180377
0x0118037a
0x0118037d
0x01180381
0x01180387
0x0118038d
0x0118038f
0x01180393
0x0118039a
0x0118039f
0x011803a2
0x011803a2
0x011803a8
0x011803b5
0x011803ba
0x011803bf
0x011803c2
0x011803c4
0x011803c6
0x011803c9
0x011803cc
0x011803d9
0x011803de
0x011803de
0x011803cc
0x011803e5
0x011803ea
0x011803ed
0x011803f2
0x011803f5
0x011803f7
0x01180404
0x01180409
0x011803f7
0x00000000
0x0118040c
0x01180367
0x0118036a
0x00000000
0x00000000
0x00000000
0x0118036c
0x01180359
0x0118035b
0x00000000
0x00000000
0x00000000
0x0118035b
0x0118034a
0x0118034d
0x00000000
0x00000000
0x0118034f
0x00000000
0x0118034f
0x0118033f
0x00000000
0x0118033f
0x01180331
0x01180334
0x00000000
0x00000000
0x00000000
0x01180334
0x011802fc
0x011802ff
0x01180301
0x01180309
0x0118030b
0x0118031a
0x0118031c
0x0118031e
0x01180320
0x01180324
0x01180326
0x01180326
0x00000000
0x0118031e
0x0118030d
0x01180311
0x01180311
0x01180313
0x00000000
0x01180313
0x01180303
0x00000000
0x01180303
0x01180236
0x01180236
0x00000000
0x01180236
0x011802c2
0x011802c2
0x011802c5
0x01180297
0x01180297
0x01180298
0x0118029a
0x0118029c
0x00000000
0x0118029c
0x011802c7
0x011802ca
0x00000000
0x00000000
0x011802d0
0x0118023f
0x0118023f
0x00000000
0x0118023f
0x0118026b
0x011802ae
0x00000000
0x011802ae
0x0118026d
0x01180270
0x011802a3
0x011802a5
0x00000000
0x011802a5
0x01180272
0x01180275
0x01180293
0x01180293
0x01180293
0x01180293
0x00000000
0x01180293
0x01180277
0x0118027a
0x0118028c
0x00000000
0x0118028c
0x0118027c
0x0118027f
0x00000000
0x00000000
0x01180283
0x00000000
0x01180283
0x011801fa
0x00000000
0x00000000
0x01180200
0x01180202
0x01180243
0x01180243
0x01180246
0x0118025f
0x00000000
0x0118025f
0x01180248
0x01180248
0x0118024b
0x00000000
0x00000000
0x0118024e
0x01180251
0x00000000
0x00000000
0x01180253
0x01180256
0x00000000
0x01180256
0x01180204
0x0118023d
0x00000000
0x0118023d
0x01180209
0x00000000
0x00000000
0x01180212
0x00000000
0x00000000
0x01180217
0x00000000
0x00000000
0x0118021c
0x00000000
0x00000000
0x01180225
0x00000000
0x00000000
0x00000000

Strings

0, xrefs: 0118035D

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: d39816d60d257c1541e23df6a01e6b2bc2264f7577c089426745813c0dccfa25
Instruction ID: e619d0ee1a39cce49b85da64b13f8edf4607d638ef41802f507fd182c7006bbe
Opcode Fuzzy Hash: d39816d60d257c1541e23df6a01e6b2bc2264f7577c089426745813c0dccfa25
Instruction Fuzzy Hash: 68518E3060464C5FEF3DB96C88A57BFBB9B9B1E204F04C01AF986D7291C791994DCE02

Uniqueness

Uniqueness Score: -1.00%

Function 01180413, Relevance: 1.5, Strings: 1, Instructions: 216
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E01180413(intOrPtr* __ecx) {
				char _v6;
				char _v8;
				signed int _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t51;
				signed int _t52;
				void* _t53;
				signed int _t54;
				signed char _t56;
				signed char _t58;
				signed int _t59;
				void* _t61;
				signed char _t66;
				signed char _t69;
				signed char _t76;
				signed char _t78;
				signed int _t80;
				signed int _t82;
				signed int _t83;
				unsigned int _t89;
				signed int _t90;
				signed int* _t91;
				void* _t93;
				signed int _t95;
				unsigned int _t97;
				signed char _t99;
				void* _t107;
				intOrPtr _t110;
				void* _t114;
				intOrPtr* _t117;
				void* _t119;
				void* _t120;
				void* _t122;
				void* _t123;

				_push(__ecx);
				_push(__ecx);
				_t117 = __ecx;
				_t93 = 0x58;
				_t51 =  *((char*)(__ecx + 0x31));
				_t122 = _t51 - 0x64;
				if(_t122 > 0) {
					__eflags = _t51 - 0x70;
					if(__eflags > 0) {
						_t52 = _t51 - 0x73;
						__eflags = _t52;
						if(_t52 == 0) {
							L9:
							_t53 = E011813D0(_t117);
							L10:
							if(_t53 != 0) {
								__eflags =  *(_t117 + 0x30);
								if( *(_t117 + 0x30) != 0) {
									L70:
									_t54 = 1;
									L71:
									return _t54;
								}
								_t95 = 0;
								_v8 = 0;
								_v6 = 0;
								_t89 =  *(_t117 + 0x20);
								_v12 = 0;
								_t56 = _t89 >> 4;
								__eflags = 1 & _t56;
								if((1 & _t56) == 0) {
									L45:
									_t110 =  *((intOrPtr*)(_t117 + 0x31));
									__eflags = _t110 - 0x78;
									if(_t110 == 0x78) {
										L47:
										_t58 = _t89 >> 5;
										__eflags = _t58 & 0x00000001;
										if((_t58 & 0x00000001) == 0) {
											L49:
											_t90 = 0;
											__eflags = 0;
											L50:
											__eflags = _t110 - 0x61;
											if(_t110 == 0x61) {
												L53:
												_t59 = 1;
												L54:
												__eflags = _t90;
												if(_t90 != 0) {
													L56:
													 *((char*)(_t119 + _t95 - 4)) = 0x30;
													__eflags = _t110 - 0x58;
													if(_t110 == 0x58) {
														L59:
														0x78 = 0x58;
														L60:
														 *((char*)(_t119 + _t95 - 3)) = 0x78;
														_t95 = _t95 + 2;
														__eflags = _t95;
														_v12 = _t95;
														L61:
														_t91 = _t117 + 0x18;
														_t61 = _t117 + 0x448;
														_t114 =  *((intOrPtr*)(_t117 + 0x24)) -  *((intOrPtr*)(_t117 + 0x38)) - _t95;
														__eflags =  *(_t117 + 0x20) & 0x0000000c;
														if(( *(_t117 + 0x20) & 0x0000000c) == 0) {
															E0117EDFF(_t61, 0x20, _t114, _t91);
															_t95 = _v12;
															_t120 = _t120 + 0x10;
														}
														_push(_t117 + 0xc);
														E011819A2(_t117 + 0x448,  &_v8, _t95, _t91);
														_t97 =  *(_t117 + 0x20);
														_t66 = _t97 >> 3;
														__eflags = _t66 & 0x00000001;
														if((_t66 & 0x00000001) != 0) {
															_t99 = _t97 >> 2;
															__eflags = _t99 & 0x00000001;
															if((_t99 & 0x00000001) == 0) {
																E0117EDFF(_t117 + 0x448, 0x30, _t114, _t91);
																_t120 = _t120 + 0x10;
															}
														}
														E0118177D(_t91, _t117, _t114, _t117, 0);
														__eflags =  *_t91;
														if( *_t91 >= 0) {
															_t69 =  *(_t117 + 0x20) >> 2;
															__eflags = _t69 & 0x00000001;
															if((_t69 & 0x00000001) != 0) {
																E0117EDFF(_t117 + 0x448, 0x20, _t114, _t91);
															}
														}
														goto L70;
													}
													__eflags = _t110 - 0x41;
													if(_t110 == 0x41) {
														goto L59;
													}
													goto L60;
												}
												__eflags = _t59;
												if(_t59 == 0) {
													goto L61;
												}
												goto L56;
											}
											__eflags = _t110 - 0x41;
											if(_t110 == 0x41) {
												goto L53;
											}
											_t59 = 0;
											goto L54;
										}
										_t90 = 1;
										goto L50;
									}
									__eflags = _t110 - 0x58;
									if(_t110 != 0x58) {
										goto L49;
									}
									goto L47;
								}
								_t76 = _t89 >> 6;
								__eflags = 1 & _t76;
								if((1 & _t76) == 0) {
									__eflags = 1 & _t89;
									if((1 & _t89) == 0) {
										_t78 = _t89 >> 1;
										__eflags = 1 & _t78;
										if((1 & _t78) != 0) {
											_v8 = 0x20;
											_t95 = 1;
											_v12 = 1;
										}
										goto L45;
									}
									_v8 = 0x2b;
									L42:
									_t95 = 1;
									_v12 = 1;
									goto L45;
								}
								_v8 = 0x2d;
								goto L42;
							}
							L11:
							_t54 = 0;
							goto L71;
						}
						_t80 = _t52;
						__eflags = _t80;
						if(__eflags == 0) {
							L28:
							_push(0);
							_push(0xa);
							L29:
							_t53 = E01181048(_t117, _t107, __eflags);
							goto L10;
						}
						__eflags = _t80 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_push(0x10);
						goto L29;
					}
					if(__eflags == 0) {
						_t53 = E011813A0(__ecx);
						goto L10;
					}
					__eflags = _t51 - 0x67;
					if(_t51 <= 0x67) {
						L30:
						_t53 = E01180C6E(0, _t117);
						goto L10;
					}
					__eflags = _t51 - 0x69;
					if(_t51 == 0x69) {
						L27:
						_t2 = _t117 + 0x20;
						 *_t2 =  *(_t117 + 0x20) | 0x00000010;
						__eflags =  *_t2;
						goto L28;
					}
					__eflags = _t51 - 0x6e;
					if(_t51 == 0x6e) {
						_t53 = E011812EE(__ecx, _t107);
						goto L10;
					}
					__eflags = _t51 - 0x6f;
					if(_t51 != 0x6f) {
						goto L11;
					}
					_t53 = E01181362(__ecx);
					goto L10;
				}
				if(_t122 == 0) {
					goto L27;
				}
				_t123 = _t51 - _t93;
				if(_t123 > 0) {
					_t82 = _t51 - 0x5a;
					__eflags = _t82;
					if(_t82 == 0) {
						_t53 = E01180BBA(__ecx);
						goto L10;
					}
					_t83 = _t82 - 7;
					__eflags = _t83;
					if(_t83 == 0) {
						goto L30;
					}
					__eflags = _t83;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t53 = E01180F22(0, _t117, __eflags, 0);
					goto L10;
				}
				if(_t123 == 0) {
					_push(1);
					goto L13;
				}
				if(_t51 == 0x41) {
					goto L30;
				}
				if(_t51 == 0x43) {
					goto L17;
				}
				if(_t51 <= 0x44) {
					goto L11;
				}
				if(_t51 <= 0x47) {
					goto L30;
				}
				if(_t51 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x01180418
0x01180419
0x0118041c
0x01180422
0x01180423
0x01180427
0x0118042a
0x01180498
0x0118049b
0x011804ea
0x011804ea
0x011804ed
0x01180459
0x0118045b
0x01180460
0x01180462
0x01180508
0x0118050b
0x0118063f
0x0118063f
0x01180641
0x01180644
0x01180644
0x01180511
0x01180513
0x01180517
0x0118051c
0x01180522
0x01180525
0x01180528
0x0118052a
0x0118055b
0x0118055b
0x0118055e
0x01180561
0x01180568
0x0118056a
0x0118056d
0x0118056f
0x01180575
0x01180575
0x01180575
0x01180577
0x01180577
0x0118057a
0x01180585
0x01180585
0x01180587
0x01180587
0x01180589
0x0118058f
0x0118058f
0x01180594
0x01180597
0x011805a2
0x011805a4
0x011805a5
0x011805a5
0x011805a9
0x011805a9
0x011805ac
0x011805af
0x011805b3
0x011805b9
0x011805bf
0x011805c1
0x011805c5
0x011805cc
0x011805d1
0x011805d4
0x011805d4
0x011805da
0x011805e7
0x011805ec
0x011805f1
0x011805f4
0x011805f6
0x011805f8
0x011805fb
0x011805fe
0x0118060b
0x01180610
0x01180610
0x011805fe
0x01180617
0x0118061c
0x0118061f
0x01180624
0x01180627
0x01180629
0x01180636
0x0118063b
0x01180629
0x00000000
0x0118063e
0x01180599
0x0118059c
0x00000000
0x00000000
0x00000000
0x0118059e
0x0118058b
0x0118058d
0x00000000
0x00000000
0x00000000
0x0118058d
0x0118057c
0x0118057f
0x00000000
0x00000000
0x01180581
0x00000000
0x01180581
0x01180571
0x00000000
0x01180571
0x01180563
0x01180566
0x00000000
0x00000000
0x00000000
0x01180566
0x0118052e
0x01180531
0x01180533
0x0118053b
0x0118053d
0x0118054c
0x0118054e
0x01180550
0x01180552
0x01180556
0x01180558
0x01180558
0x00000000
0x01180550
0x0118053f
0x01180543
0x01180543
0x01180545
0x00000000
0x01180545
0x01180535
0x00000000
0x01180535
0x01180468
0x01180468
0x00000000
0x01180468
0x011804f4
0x011804f4
0x011804f7
0x011804c9
0x011804c9
0x011804ca
0x011804cc
0x011804ce
0x00000000
0x011804ce
0x011804f9
0x011804fc
0x00000000
0x00000000
0x01180502
0x01180471
0x01180471
0x00000000
0x01180471
0x0118049d
0x011804e0
0x00000000
0x011804e0
0x0118049f
0x011804a2
0x011804d5
0x011804d7
0x00000000
0x011804d7
0x011804a4
0x011804a7
0x011804c5
0x011804c5
0x011804c5
0x011804c5
0x00000000
0x011804c5
0x011804a9
0x011804ac
0x011804be
0x00000000
0x011804be
0x011804ae
0x011804b1
0x00000000
0x00000000
0x011804b5
0x00000000
0x011804b5
0x0118042c
0x00000000
0x00000000
0x01180432
0x01180434
0x01180475
0x01180475
0x01180478
0x01180491
0x00000000
0x01180491
0x0118047a
0x0118047a
0x0118047d
0x00000000
0x00000000
0x01180480
0x01180483
0x00000000
0x00000000
0x01180485
0x01180488
0x00000000
0x01180488
0x01180436
0x0118046f
0x00000000
0x0118046f
0x0118043b
0x00000000
0x00000000
0x01180444
0x00000000
0x00000000
0x01180449
0x00000000
0x00000000
0x0118044e
0x00000000
0x00000000
0x01180457
0x00000000
0x00000000
0x00000000

Strings

0, xrefs: 0118058F

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9465f85d232518133321317811d03153fb705e1bf283d424d661dc4b3774c087
Instruction ID: f236185f9f16ee23a98d6944fad040bb4a3918ffd2f82a7029b01234592e45bc
Opcode Fuzzy Hash: 9465f85d232518133321317811d03153fb705e1bf283d424d661dc4b3774c087
Instruction Fuzzy Hash: B051577064064DAAFB3CB92C88947BE7B999B1D208F04C41DF996D7282EB11D94DCE72

Uniqueness

Uniqueness Score: -1.00%

Function 011A1297, Relevance: .1, Instructions: 104
COMMONCrypto

Download Yara Rule

C-Code - Quality: 72%

			E011A1297(unsigned int _a4) {
				signed int _v8;
				signed int _v32;
				void _v36;
				signed int _t56;
				signed int _t59;
				unsigned int _t61;
				unsigned int _t63;
				signed int _t70;
				signed int _t81;
				void* _t101;

				_t61 = _a4;
				_t68 = _t61 >> 0x00000010 & 0x0000003f;
				_t70 = 7;
				memset( &_v36, 0, _t70 << 2);
				asm("fnstenv [ebp-0x20]");
				_v32 = _v32 ^ (_v32 ^ ((_t61 >> 0x00000010 & 1) << 0x00000005 | ((_t61 >> 0x00000010 & 0x0000003f) >> 0x00000001 & 1) << 0x00000004 | (_t68 >> 0x00000002 & 1) << 0x00000003 | (_t68 >> 0x00000003 & 1) << 0x00000002 | _t68 >> 0x00000004 & 1 | (_t68 >> 0x00000005 & 1) + (_t68 >> 0x00000005 & 1))) & 0x0000003f;
				asm("fldenv [ebp-0x20]");
				_t63 = _t61 >> 0x00000018 & 0x0000003f;
				_t56 = (_t63 >> 0x00000005 & 1) + (_t63 >> 0x00000005 & 1);
				_t81 = (_t63 & 1) << 0x00000005 | (_t63 >> 0x00000001 & 1) << 0x00000004 | (_t63 >> 0x00000002 & 1) << 0x00000003 | (_t63 >> 0x00000003 & 1) << 0x00000002 | _t63 >> 0x00000004 & 1 | _t56;
				_t101 =  *0x11f9b80 - 1; // 0x6
				if(_t101 >= 0) {
					asm("stmxcsr dword [ebp-0x4]");
					_t59 = _v8 & 0xffffffc0 | _t81 & 0x0000003f;
					_v8 = _t59;
					asm("ldmxcsr dword [ebp-0x4]");
					return _t59;
				}
				return _t56;
			}

0x011a12a2
0x011a12aa
0x011a1302
0x011a1303
0x011a1305
0x011a1314
0x011a1317
0x011a131d
0x011a1367
0x011a136a
0x011a136c
0x011a1374
0x011a1376
0x011a1383
0x011a1385
0x011a1388
0x00000000
0x011a1388
0x011a138d

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2b7d9db22351580458f347eaa10526767f3ea9dd8aae573578287e1d63b4886
Instruction ID: 77445bfd7194e76c5b993b87df44ebbc35bc48ed861cf6b28ec0d3d65d2edabb
Opcode Fuzzy Hash: d2b7d9db22351580458f347eaa10526767f3ea9dd8aae573578287e1d63b4886
Instruction Fuzzy Hash: 9021B373F204394B7B0CC47E8C522BDB6E1C78C551745823AF8A6EA2C1D968D917E2E4

Uniqueness

Uniqueness Score: -1.00%

Function 011A1177, Relevance: .1, Instructions: 81
COMMONCrypto

Download Yara Rule

C-Code - Quality: 72%

			E011A1177(void* __ecx) {
				signed int _v8;
				signed int _v12;
				unsigned int _t55;
				signed int _t70;
				void* _t72;

				_v8 = 0;
				asm("fnstsw word [ebp-0x4]");
				_t70 = ((_v8 & 0x3f) >> 0x00000001 & 1) << 0x00000005 | ((_v8 & 0x3f) >> 0x00000002 & 1) << 0x00000003 | ((_v8 & 0x3f) >> 0x00000003 & 1) << 0x00000002 | (_t43 >> 0x00000004 & 1) + (_t43 >> 0x00000004 & 1) | (_t43 & 1) << 0x00000004 | _t43 >> 0x00000005;
				_t72 =  *0x11f9b80 - 1; // 0x6
				if(_t72 >= 0) {
					asm("stmxcsr dword [ebp-0x8]");
					_t55 = _v12 & 0x0000003f;
				} else {
					_t55 = 0;
				}
				return (((_t55 >> 0x00000001 & 1) << 0x00000005 | (_t55 >> 0x00000002 & 1) << 0x00000003 | (_t55 >> 0x00000003 & 1) << 0x00000002 | (_t55 >> 0x00000004 & 1) + (_t55 >> 0x00000004 & 1) | (_t55 & 1) << 0x00000004 | _t55 >> 0x00000005) << 0x00000008 | _t70) << 0x00000010 | (_t55 >> 0x00000001 & 1) << 0x00000005 | (_t55 >> 0x00000002 & 1) << 0x00000003 | (_t55 >> 0x00000003 & 1) << 0x00000002 | (_t55 >> 0x00000004 & 1) + (_t55 >> 0x00000004 & 1) | (_t55 & 1) << 0x00000004 | _t55 >> 0x00000005 | _t70;
			}

0x011a1182
0x011a1186
0x011a11cb
0x011a11cd
0x011a11d3
0x011a11d9
0x011a11e0
0x011a11d5
0x011a11d5
0x011a11d5
0x011a122e

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 053619536617bc2e54280e4f1220954be945daa37eafb4947193f2079373de6c
Instruction ID: cde7ac1e1c97ae320d6f3e64c4366ebe6c13d1329ac93caf0f9cbd0aa9d6b124
Opcode Fuzzy Hash: 053619536617bc2e54280e4f1220954be945daa37eafb4947193f2079373de6c
Instruction Fuzzy Hash: 9E11A733F30C296A675C81B98C132BA95D2EBD815074F433AD826E72C4E994DE13D290

Uniqueness

Uniqueness Score: -1.00%

Function 01196EA1, Relevance: .0, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E01196EA1(void* __ecx) {
				char _v8;
				intOrPtr _t9;
				void* _t11;
				void* _t13;
				char _t21;

				_t21 =  *0x11fa580; // 0x0
				if(_t21 == 0) {
					_t21 = 2;
					_v8 = _t21;
					_t9 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t25 =  *((intOrPtr*)(_t9 + 8));
					if( *((intOrPtr*)(_t9 + 8)) >= 0) {
						E0118FF4D(_t25,  &_v8);
					}
					_t11 = _v8 - 1;
					if(_t11 != 0) {
						_t13 = _t11 - 1;
						if(_t13 == 0) {
							_t21 = 1;
							__eflags = 1;
						} else {
							if(_t13 == 1) {
								_push(3);
							} else {
								_push(4);
							}
							_pop(_t21);
						}
					}
					 *0x11fa580 = _t21;
				}
				return _t21;
			}

0x01196ea8
0x01196eb1
0x01196ebb
0x01196ebc
0x01196ebf
0x01196ec2
0x01196ec6
0x01196ecc
0x01196ecc
0x01196ed4
0x01196ed7
0x01196ed9
0x01196edc
0x01196eee
0x01196eee
0x01196ede
0x01196ee1
0x01196ee7
0x01196ee3
0x01196ee3
0x01196ee3
0x01196ee9
0x01196ee9
0x01196edc
0x01196ef6
0x01196ef6
0x01196efc

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42565b6d590f2dd1ddf0e982e176e4c9d9218215ec68fff35d1f45e4115fbccb
Instruction ID: 2835314a48c85c885c0d690d216640dcfab9d6f617160c34217d8df0808927ea
Opcode Fuzzy Hash: 42565b6d590f2dd1ddf0e982e176e4c9d9218215ec68fff35d1f45e4115fbccb
Instruction Fuzzy Hash: 9AF090726502349BDF2FDA5CD918BA977A8EB06A10F010056F221EB290C3B0EE40C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 01196DE8, Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01196DE8(void* __ecx) {
				signed int _v8;
				intOrPtr _t10;
				signed int _t18;

				_t18 =  *0x11fa578; // 0x0
				if(_t18 == 0) {
					_v8 = _v8 & _t18;
					_t18 = _t18 + 1;
					_t10 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t21 =  *((intOrPtr*)(_t10 + 8));
					if( *((intOrPtr*)(_t10 + 8)) >= 0) {
						E0118FF0D(_t21,  &_v8);
						if(_v8 == _t18) {
							_t18 = 2;
						}
					}
					 *0x11fa578 = _t18;
				}
				return _t18;
			}

0x01196def
0x01196df8
0x01196e00
0x01196e03
0x01196e04
0x01196e07
0x01196e0b
0x01196e11
0x01196e19
0x01196e1d
0x01196e1d
0x01196e19
0x01196e25
0x01196e25
0x01196e2b

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cdaa3172442b4c9e4d3eed28971dc76e65cc0982be0d04397df0903fb373794
Instruction ID: 620385bee3c6f47e075c984d9a807aa66c4a5e6014d8109e70a90438602445c3
Opcode Fuzzy Hash: 2cdaa3172442b4c9e4d3eed28971dc76e65cc0982be0d04397df0903fb373794
Instruction Fuzzy Hash: 5FF0E532A10234DFCF2ACB4CD405A89B7ACEB45B64F11405AF511EB151C770ED40CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 01196E2C, Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01196E2C(void* __ecx) {
				char _v8;
				intOrPtr _t9;
				intOrPtr _t17;
				char _t19;

				_t17 =  *0x11fa57c; // 0x0
				if(_t17 == 0) {
					_t19 = _t17 + 1;
					_v8 = _t19;
					_t9 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t21 =  *((intOrPtr*)(_t9 + 8));
					if( *((intOrPtr*)(_t9 + 8)) < 0) {
						L3:
						_t17 = 2;
					} else {
						E0118FECD(_t21,  &_v8);
						if(_v8 == _t19) {
							goto L3;
						}
					}
					 *0x11fa57c = _t17;
				}
				return _t17;
			}

0x01196e33
0x01196e3c
0x01196e44
0x01196e45
0x01196e48
0x01196e4b
0x01196e4f
0x01196e5f
0x01196e61
0x01196e51
0x01196e55
0x01196e5d
0x00000000
0x00000000
0x01196e5d
0x01196e69
0x01196e69
0x01196e6f

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07d1f55778db058ce6f2afcca779b9a75ec5856f900a50d0f8588c43aa49dab3
Instruction ID: 31f2c6dd3a118fc467c053c9f1c66d190d05eac8efd4fc9b6e3cc939277c2ee9
Opcode Fuzzy Hash: 07d1f55778db058ce6f2afcca779b9a75ec5856f900a50d0f8588c43aa49dab3
Instruction Fuzzy Hash: CAF03071A116349BCF2ADA4CD444A4977ACEB48B54F114056E515E7251D7B4DD40CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 01140A62, Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 142
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E01140A62(void* __ebx, void* __edi, void* __esi) {
				signed int _v8;
				signed int _v28;
				long _v32;
				long _v36;
				signed int _v40;
				void* __ebp;
				signed int _t11;
				signed int _t17;
				void* _t18;
				signed int _t19;
				void* _t20;
				signed int _t21;
				signed int _t22;
				void* _t23;
				signed int _t24;
				void* _t25;
				signed int _t26;
				void* _t27;
				signed int _t28;
				signed int _t37;
				signed int _t48;
				void* _t58;
				void* _t61;
				signed int _t64;

				_t66 = (_t64 & 0xfffffff8) - 0x14;
				_t11 =  *0x11d8098; // 0xa9f5dfda
				_v8 = _t11 ^ (_t64 & 0xfffffff8) - 0x00000014;
				_push(__ebx);
				_push(__edi);
				_t61 = VirtualAlloc(0, 0x4000, 0x3000, 4);
				if(_t61 != 0) {
					_t58 = VirtualAlloc(0, 0x1000000, 0x203000, 4);
					__eflags = _t58;
					if(_t58 != 0) {
						_t17 = GlobalGetAtomNameW(0, _t58, 1);
						__eflags = _t17;
						_t18 = 1;
						_t42 =  !=  ? _t18 : 0;
						_t19 = GetEnvironmentVariableW(L"%ThisIsAnInvalidEnvironmentVariableName?[]<>@\\;*!-{}#:/~%", _t58, 0x1000000);
						__eflags = _t19;
						_t20 = 1;
						_t43 =  !=  ? _t20 :  !=  ? _t18 : 0;
						_t21 = GetBinaryTypeW(L"%ThisIsAnInvalidFileName?[]<>@\\;*!-{}#:/~%", _t58);
						__eflags = _t21;
						_t22 = 1;
						_t44 =  !=  ? _t22 :  !=  ? _t20 :  !=  ? _t18 : 0;
						__imp__HeapQueryInformation(0, 0x45, _t58, 0x1000, 0);
						__eflags = _t22;
						_t23 = 1;
						_t45 =  !=  ? _t23 :  !=  ? _t22 :  !=  ? _t20 :  !=  ? _t18 : 0;
						_t24 = ReadProcessMemory(0xffffffff, 0x69696969, _t58, 0x1000, 0);
						__eflags = _t24;
						_t25 = 1;
						_t46 =  !=  ? _t25 :  !=  ? _t23 :  !=  ? _t22 :  !=  ? _t20 :  !=  ? _t18 : 0;
						_t26 = GetThreadContext(0xffffffff, _t58);
						__eflags = _t26;
						_t27 = 1;
						_t47 =  !=  ? _t27 :  !=  ? _t25 :  !=  ? _t23 :  !=  ? _t22 :  !=  ? _t20 :  !=  ? _t18 : 0;
						_v40 =  !=  ? _t27 :  !=  ? _t25 :  !=  ? _t23 :  !=  ? _t22 :  !=  ? _t20 :  !=  ? _t18 : 0;
						_t48 = 0;
						_t28 = GetWriteWatch(0, E01140A62, 0, 0, 0, _t58);
						__eflags = _t28;
						if(_t28 != 0) {
							__eflags = _v40;
							if(_v40 == 0) {
								_v36 = 0x1000;
								_t37 = GetWriteWatch(0, _t58, 0x1000, _t61,  &_v36,  &_v32);
								__eflags = _t37;
								if(_t37 == 0) {
									__eflags = _v36;
									_t9 = _v36 != 0;
									__eflags = _t9;
									_t48 = 0 | _t9;
								}
							}
						}
						VirtualFree(_t61, 0, 0x8000);
						VirtualFree(_t58, 0, 0x8000);
						__eflags = _t48;
						if(__eflags != 0) {
							E0111CC91(0x11f93d0, E0111C7AF(_t48, 0x11f93d0, "WriteWatchAPICalls", _t58, __eflags));
						}
						L11:
						return E0115E184(_v28 ^ _t66);
					} else {
						VirtualFree(_t61, 0, 0x8000);
						goto L1;
					}
				}
				L1:
				goto L11;
			}

0x01140a68
0x01140a6b
0x01140a72
0x01140a76
0x01140a78
0x01140a90
0x01140a94
0x01140aac
0x01140aae
0x01140ab0
0x01140ac7
0x01140acf
0x01140ad1
0x01140add
0x01140ae0
0x01140ae8
0x01140aea
0x01140af1
0x01140af4
0x01140afc
0x01140afe
0x01140b0b
0x01140b0e
0x01140b16
0x01140b18
0x01140b28
0x01140b2b
0x01140b33
0x01140b35
0x01140b39
0x01140b3c
0x01140b44
0x01140b46
0x01140b47
0x01140b4b
0x01140b4f
0x01140b5a
0x01140b60
0x01140b62
0x01140b64
0x01140b68
0x01140b78
0x01140b81
0x01140b87
0x01140b89
0x01140b8b
0x01140b8f
0x01140b8f
0x01140b8f
0x01140b8f
0x01140b89
0x01140b68
0x01140ba0
0x01140baa
0x01140bac
0x01140bae
0x01140bc0
0x01140bc5
0x01140bc9
0x01140bda
0x01140ab2
0x01140ab9
0x00000000
0x01140ab9
0x01140ab0
0x01140a96
0x00000000

APIs

VirtualAlloc.KERNEL32(00000000,00004000,00003000,00000004,011F93D0,00000000,?,01116676,?), ref: 01140A8E
VirtualAlloc.KERNEL32(00000000,01000000,00203000,00000004), ref: 01140AAA
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 01140AB9
GlobalGetAtomNameW.KERNEL32 ref: 01140AC7
GetEnvironmentVariableW.KERNEL32(%ThisIsAnInvalidEnvironmentVariableName?[]<>@\;*!-{}#:/~%,00000000,01000000), ref: 01140AE0
GetBinaryTypeW.KERNEL32(%ThisIsAnInvalidFileName?[]<>@\;*!-{}#:/~%,00000000), ref: 01140AF4
HeapQueryInformation.KERNEL32(00000000,00000045,00000000,00001000,00000000), ref: 01140B0E
ReadProcessMemory.KERNEL32(000000FF,69696969,00000000,00001000,00000000), ref: 01140B2B
GetThreadContext.KERNEL32(000000FF,00000000), ref: 01140B3C
GetWriteWatch.KERNEL32(00000000,01140A62,00000000,00000000,00000000,00000000), ref: 01140B5A
GetWriteWatch.KERNEL32(00000000,00000000,00001000,00000000,?,?), ref: 01140B81
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 01140BA0
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 01140BAA

Strings

%ThisIsAnInvalidFileName?[]<>@\;*!-{}#:/~%, xrefs: 01140AEC
%ThisIsAnInvalidEnvironmentVariableName?[]<>@\;*!-{}#:/~%, xrefs: 01140AD8
WriteWatchAPICalls, xrefs: 01140BB0

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Virtual$Free$AllocWatchWrite$AtomBinaryContextEnvironmentGlobalHeapInformationMemoryNameProcessQueryReadThreadTypeVariable
String ID: %ThisIsAnInvalidEnvironmentVariableName?[]<>@\;*!-{}#:/~%$%ThisIsAnInvalidFileName?[]<>@\;*!-{}#:/~%$WriteWatchAPICalls
API String ID: 856979550-1099830712
Opcode ID: ef2121049a831bbf18cd43950cb4a9df90e34c8322774cec5831e6c9f579ee4b
Instruction ID: 141345bfc89136d07e3702319da83b1f2f14567b522be5e3abf6d2047defe84d
Opcode Fuzzy Hash: ef2121049a831bbf18cd43950cb4a9df90e34c8322774cec5831e6c9f579ee4b
Instruction Fuzzy Hash: 8A41EF75784302BFF3389A729C89F6B3A9CDB85FA4F600429BB52D50C0D7A0DC4086A5

Uniqueness

Uniqueness Score: -1.00%

Function 01117636, Relevance: 26.3, APIs: 12, Strings: 3, Instructions: 98
windowregistryCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E01117636(void* __ebx, void* __edi, void* __esi) {
				signed int _v8;
				struct tagMSG _v36;
				struct tagRECT _v52;
				struct _WNDCLASSEXW _v100;
				signed int _t25;
				struct HINSTANCE__* _t28;
				struct HICON__* _t30;
				WCHAR* _t54;
				struct HINSTANCE__* _t62;
				struct HWND__* _t63;
				signed int _t64;

				_t25 =  *0x11d8098; // 0xa9f5dfda
				_v8 = _t25 ^ _t64;
				SetConsoleCtrlHandler(E011177E6, 1);
				_t28 = GetModuleHandleW(0);
				_v100.cbSize = 0x30;
				_t62 = _t28;
				_v100.style = 3;
				_v100.lpfnWndProc = E01117812;
				_v100.cbClsExtra = 0;
				_v100.cbWndExtra = 0;
				_v100.hInstance = _t62;
				_v100.hIcon = LoadIconW(0, 0x7f00);
				_t30 = LoadCursorW(0, 0x7f00);
				_v100.hIconSm = _v100.hIconSm & 0x00000000;
				_v100.hCursor = _t30;
				_v100.lpszMenuName = 0;
				_t54 = L"Windows Update";
				_v100.hbrBackground = 6;
				_v100.lpszClassName = _t54;
				RegisterClassExW( &_v100);
				asm("movaps xmm0, [0x11c2250]");
				asm("movups [ebp-0x30], xmm0");
				AdjustWindowRect( &_v52, 0xcf0000, 1);
				_t63 = CreateWindowExW(0, _t54, L"Fragment", 0xcf0000, 0x80000000, 0x80000000, _v52.right - _v52.left, _v52.bottom - _v52.top, 0, 0, _t62, 0);
				if(_t63 != 0) {
					ShowWindow(_t63, 0);
					UpdateWindow(_t63);
					if(GetMessageW( &_v36, 0, 0, 0) != 0) {
						TranslateMessage( &_v36);
						DispatchMessageW( &_v36);
						E01117750(0xcf0000);
					}
				}
				return E0115E184(_v8 ^ _t64);
			}

0x0111763c
0x01117643
0x01117650
0x01117659
0x01117664
0x0111766c
0x0111766e
0x01117676
0x0111767d
0x01117680
0x01117683
0x0111768e
0x01117691
0x01117697
0x0111769b
0x011176a1
0x011176a4
0x011176aa
0x011176b1
0x011176b4
0x011176ba
0x011176cd
0x011176d1
0x01117702
0x01117706
0x0111770a
0x01117711
0x01117726
0x0111772c
0x01117736
0x0111773c
0x0111773c
0x01117726
0x0111774f

APIs

SetConsoleCtrlHandler.KERNEL32(011177E6,00000001), ref: 01117650
GetModuleHandleW.KERNEL32(00000000), ref: 01117659
LoadIconW.USER32(00000000,00007F00), ref: 01117686
LoadCursorW.USER32(00000000,00007F00), ref: 01117691
RegisterClassExW.USER32 ref: 011176B4
AdjustWindowRect.USER32 ref: 011176D1
CreateWindowExW.USER32 ref: 011176FC
ShowWindow.USER32(00000000,00000000), ref: 0111770A
UpdateWindow.USER32(00000000), ref: 01117711
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0111771E
TranslateMessage.USER32(?), ref: 0111772C
DispatchMessageW.USER32 ref: 01117736

Part of subcall function 01117750: GetCurrentProcess.KERNEL32(00000028,?,00CF0000,?,?,01117741), ref: 01117767
Part of subcall function 01117750: OpenProcessToken.ADVAPI32(00000000,?,?,01117741), ref: 0111776E
Part of subcall function 01117750: LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,01117741), ref: 01117784
Part of subcall function 01117750: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 011177A3
Part of subcall function 01117750: GetLastError.KERNEL32 ref: 011177A9
Part of subcall function 01117750: AbortSystemShutdownW.ADVAPI32(00000000), ref: 011177B4
Part of subcall function 01117750: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 011177CC

Strings

Fragment, xrefs: 011176F3
0, xrefs: 01117664
Windows Update, xrefs: 011176A4, 011176F8

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Window$AdjustMessageToken$LoadPrivilegesProcess$AbortClassConsoleCreateCtrlCurrentCursorDispatchErrorHandleHandlerIconLastLookupModuleOpenPrivilegeRectRegisterShowShutdownSystemTranslateUpdateValue
String ID: 0$Fragment$Windows Update
API String ID: 3425212113-1888710469
Opcode ID: b2b52aa4c12907d18c8c8227663723ba4da99c68640fdbb93cf967ce7ea18c46
Instruction ID: 199107fa4546b0409155d9286b1e8d86a5ad6e7e865331f488b853f500123886
Opcode Fuzzy Hash: b2b52aa4c12907d18c8c8227663723ba4da99c68640fdbb93cf967ce7ea18c46
Instruction Fuzzy Hash: AE3139B1900219AFDB249FA9DD88EEEBFBCFF08704F504029F515E6204DB349945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01181F0E, Relevance: 21.4, APIs: 2, Strings: 10, Instructions: 403
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E01181F0E(void* __ebx, signed int __edx, void* __edi, void* __esi, char _a4, char _a8, intOrPtr* _a12, signed int _a16, intOrPtr _a20, char* _a24) {
				char _v0;
				signed int _v8;
				char _v12;
				char _v16;
				char _v532;
				signed int _v536;
				signed int _v540;
				WCHAR* _v544;
				signed int _v548;
				intOrPtr* _v552;
				WCHAR* _v556;
				intOrPtr _v576;
				intOrPtr* _v580;
				intOrPtr* _v584;
				intOrPtr* _v588;
				intOrPtr* _v592;
				intOrPtr* _v596;
				void* __ebp;
				signed int _t93;
				void* _t97;
				void* _t101;
				signed int _t102;
				void* _t119;
				void* _t121;
				void* _t122;
				signed int _t126;
				struct HINSTANCE__* _t128;
				intOrPtr _t130;
				void* _t132;
				void* _t133;
				void* _t134;
				void* _t135;
				void* _t137;
				void* _t138;
				void* _t139;
				intOrPtr _t140;
				intOrPtr _t141;
				void* _t145;
				void* _t146;
				void* _t147;
				intOrPtr _t148;
				intOrPtr _t149;
				void* _t151;
				void* _t152;
				void* _t153;
				void* _t154;
				void* _t155;
				void* _t160;
				void* _t161;
				signed int _t162;
				WCHAR* _t164;
				char* _t165;
				char* _t166;
				char* _t169;
				char* _t170;
				void* _t173;
				void* _t174;
				char* _t176;
				char* _t177;
				void* _t179;
				void* _t181;
				void* _t182;
				signed int _t184;
				void* _t185;
				void* _t186;
				void* _t188;
				signed int _t194;
				WCHAR* _t197;
				intOrPtr* _t198;
				signed int _t200;
				intOrPtr* _t202;
				intOrPtr* _t204;
				intOrPtr* _t207;
				void* _t211;
				void* _t215;
				intOrPtr* _t216;
				void* _t218;
				signed int _t219;
				char _t221;
				signed short* _t224;
				intOrPtr* _t226;
				signed int _t229;
				void* _t230;
				signed int _t234;
				void* _t236;
				void* _t237;
				void* _t240;

				_t214 = __edx;
				_t229 = _t234;
				_t93 =  *0x11d8098; // 0xa9f5dfda
				_v8 = _t93 ^ _t229;
				_t190 = _a24;
				_t226 = _a4;
				_t221 = _a8;
				_v552 = _a12;
				_v536 = _a16;
				_t97 = E0118CEAC(_t226, _t221, L"Assertion failed!");
				_v540 = _v540 & 0x00000000;
				_t236 = _t234 - 0x228 + 0xc;
				if(_t97 != 0) {
					L66:
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E011828E3();
					asm("int3");
					_push(_t229);
					_t230 = _t236;
					_push(_t197);
					_push(_t197);
					E0118249B(_t190, _t221, _t226, _v584, _v580, _v576);
					_t101 = E0117E316(2);
					_t237 = _t236 + 0x10;
					_t102 =  *(_t101 + 0xc);
					__eflags = _t102 & 0x000004c0;
					if((_t102 & 0x000004c0) == 0) {
						_push(0);
						_push(4);
						_t119 = E0117E316(2);
						_t197 = 0;
						_push(_t119);
						E01183592(_t214);
						_t237 = _t237 + 0x10;
					}
					_push(0);
					_v12 = E0118254A();
					_v16 = E0117E316(2);
					_push( &_a8);
					_push( &_a4);
					_push( &_v0);
					_push( &_v12);
					_push( &_v16);
					L70();
					E01182D48(_t197, _t214, E0117E316(2));
					E011844F3(_t190, _t197, _t214, _t221, _t226);
					asm("int3");
					_push(_t230);
					_push( *_v580);
					_push( *_v584);
					return E01166E23( *_v596,  *_v592,  *_v588);
				} else {
					_t121 = E01191EB6(_t226, _t221, L"\n\n");
					_t236 = _t236 + 0xc;
					if(_t121 != 0) {
						goto L66;
					} else {
						_t122 = E01191EB6(_t226, _t221, L"Program: ");
						_t236 = _t236 + 0xc;
						if(_t122 != 0) {
							goto L66;
						} else {
							E0117B230(_t221,  &_v532, _t122, 0x20a);
							_t240 = _t236 + 0xc;
							_v548 = 0;
							_t126 =  &_v548;
							__imp__GetModuleHandleExW(6, _t190, _t126);
							_t197 =  &_v532;
							_t190 = 0x105;
							asm("sbb eax, eax");
							_t128 =  ~_t126 & _v548;
							_v548 = _t128;
							if(GetModuleFileNameW(_t128, _t197, 0x105) != 0) {
								L6:
								_t190 =  &_v532;
								_t198 =  &_v532;
								_t214 = _t198 + 2;
								do {
									_t130 =  *_t198;
									_t198 = _t198 + 2;
								} while (_t130 != _v540);
								_t197 = _t198 - _t214 >> 1;
								if( &(_t197[5]) <= 0x40) {
									L10:
									_t132 = E01191EB6(_t226, _t221, _t190);
									_t236 = _t240 + 0xc;
									if(_t132 != 0) {
										goto L66;
									} else {
										_t133 = E01191EB6(_t226, _t221, "\n");
										_t236 = _t236 + 0xc;
										if(_t133 != 0) {
											goto L66;
										} else {
											_t134 = E01191EB6(_t226, _t221, L"File: ");
											_t236 = _t236 + 0xc;
											if(_t134 != 0) {
												goto L66;
											} else {
												_t214 = _v536;
												_t200 = _t214;
												_t190 = _t200 + 2;
												do {
													_t135 =  *_t200;
													_t200 = _t200 + 2;
												} while (_t135 != _v540);
												_t197 = _t200 - _t190 >> 1;
												if( &(_t197[4]) <= 0x40) {
													_push(_t214);
													goto L35;
												} else {
													_t194 = _t214;
													_t211 = _t194 + 2;
													do {
														_t161 =  *_t194;
														_t194 = _t194 + 2;
													} while (_t161 != _v540);
													_v544 = 0x5c;
													_t190 = _t194 - _t211 >> 1;
													_t197 = 1;
													_t162 =  *(_t214 + _t190 * 2 - 2) & 0x0000ffff;
													if(_t162 != _v544) {
														_v556 = _t162;
														_t224 = _t214 - 2 + _t190 * 2;
														_t219 = _t162;
														while(_t219 != 0x2f && _t197 < _t190) {
															_t224 = _t224 - 2;
															_t197 =  &(_t197[0]);
															_t184 =  *_t224 & 0x0000ffff;
															_t219 = _t184;
															if(_t184 != _v544) {
																continue;
															}
															break;
														}
														_t221 = _a8;
														_t214 = _v536;
													}
													_t164 = _t190 - _t197;
													_v544 = _t164;
													if(_t164 <= 0x26) {
														L30:
														if(__eflags >= 0) {
															_push(0x23);
															_t165 = E01192012(_t197, _t226, _t221, _t214);
															_t236 = _t236 + 0x10;
															__eflags = _t165;
															if(_t165 != 0) {
																goto L66;
															} else {
																_t166 = E01191EB6(_t226, _t221, L"...");
																_t236 = _t236 + 0xc;
																__eflags = _t166;
																if(_t166 != 0) {
																	goto L66;
																} else {
																	_t197 = _v544;
																	_push(8);
																	_t169 = E01192012(_t197, _t226, _t221, _v536 + _t197 * 2);
																	_t236 = _t236 + 0x10;
																	__eflags = _t169;
																	if(_t169 != 0) {
																		goto L66;
																	} else {
																		_t170 = E01191EB6(_t226, _t221, L"...");
																		_t236 = _t236 + 0xc;
																		__eflags = _t170;
																		if(_t170 != 0) {
																			goto L66;
																		} else {
																			_t173 = _v536 + _t190 * 2 + 0xfffffff2;
																			goto L34;
																		}
																	}
																}
															}
														} else {
															_t174 = 0x35;
															_t197 = _t197 >> 1;
															_v556 = _t197;
															_push(_t174 - _t197);
															_t176 = E01192012(_t197, _t226, _t221, _t214);
															_t236 = _t236 + 0x10;
															__eflags = _t176;
															if(_t176 != 0) {
																goto L66;
															} else {
																_t177 = E01191EB6(_t226, _t221, L"...");
																_t236 = _t236 + 0xc;
																__eflags = _t177;
																if(_t177 != 0) {
																	goto L66;
																} else {
																	_t190 = _t190 - _v556;
																	__eflags = _t190;
																	_t173 = _v536 + _t190 * 2;
																	goto L34;
																}
															}
														}
													} else {
														if(_t197 >= 0x12) {
															__eflags = _t164 - 0x26;
															goto L30;
														} else {
															_t179 = 0x35;
															_push(_t179 - _t197);
															_t181 = E01192012(_t197, _t226, _t221, _t214);
															_t236 = _t236 + 0x10;
															if(_t181 != 0) {
																goto L66;
															} else {
																_t182 = E01191EB6(_t226, _t221, L"...");
																_t236 = _t236 + 0xc;
																if(_t182 != 0) {
																	goto L66;
																} else {
																	_t197 = _v544;
																	_t173 = _v536 + _t197 * 2;
																	L34:
																	_push(_t173);
																	L35:
																	_push(_t221);
																	_push(_t226);
																	_t137 = E01191EB6();
																	_t236 = _t236 + 0xc;
																	if(_t137 != 0) {
																		goto L66;
																	} else {
																		_t138 = E01191EB6(_t226, _t221, "\n");
																		_t236 = _t236 + 0xc;
																		if(_t138 != 0) {
																			goto L66;
																		} else {
																			_t139 = E01191EB6(_t226, _t221, L"Line: ");
																			_t236 = _t236 + 0xc;
																			if(_t139 != 0) {
																				goto L66;
																			} else {
																				_t202 = _t226;
																				_t215 = _t202 + 2;
																				do {
																					_t140 =  *_t202;
																					_t202 = _t202 + 2;
																				} while (_t140 != 0);
																				_t216 = _t226;
																				_t197 = _t202 - _t215 >> 1;
																				_t190 = _t216 + 2;
																				do {
																					_t141 =  *_t216;
																					_t216 = _t216 + 2;
																				} while (_t141 != _v540);
																				_t214 = _t216 - _t190 >> 1;
																				_t145 = E01191E44(_t197, _a20, _t226 + (_t216 - _t190 >> 1) * 2, _t221 - _t197, 0xa);
																				_t236 = _t236 + 0x10;
																				if(_t145 != 0) {
																					goto L66;
																				} else {
																					_t146 = E01191EB6(_t226, _t221, L"\n\n");
																					_t236 = _t236 + 0xc;
																					if(_t146 != 0) {
																						goto L66;
																					} else {
																						_t147 = E01191EB6(_t226, _t221, L"Expression: ");
																						_t236 = _t236 + 0xc;
																						if(_t147 != 0) {
																							goto L66;
																						} else {
																							_t204 = _t226;
																							_t218 = _t204 + 2;
																							do {
																								_t148 =  *_t204;
																								_t204 = _t204 + 2;
																							} while (_t148 != 0);
																							_t214 = (_t204 - _t218 >> 1) + 0xb0;
																							_t207 = _v552;
																							_t190 = _t207 + 2;
																							do {
																								_t149 =  *_t207;
																								_t207 = _t207 + 2;
																							} while (_t149 != _v540);
																							_t197 = _t207 - _t190 >> 1;
																							if(_t197 + _t214 <= _t221) {
																								_push(_v552);
																								goto L52;
																							} else {
																								_push(_t221 - _t214 - 3);
																								_t160 = E01192012(_t197, _t226, _t221, _v552);
																								_t236 = _t236 + 0x10;
																								if(_t160 != 0) {
																									goto L66;
																								} else {
																									_push(L"...");
																									L52:
																									_push(_t221);
																									_push(_t226);
																									_t151 = E01191EB6();
																									_t236 = _t236 + 0xc;
																									if(_t151 != 0) {
																										goto L66;
																									} else {
																										_t190 = L"\n\n";
																										_t152 = E01191EB6(_t226, _t221, L"\n\n");
																										_t236 = _t236 + 0xc;
																										if(_t152 != 0) {
																											goto L66;
																										} else {
																											_t153 = E01191EB6(_t226, _t221, L"For information on how your program can cause an assertion\nfailure, see the Visual C++ documentation on asserts");
																											_t236 = _t236 + 0xc;
																											if(_t153 != 0) {
																												goto L66;
																											} else {
																												_t154 = E01191EB6(_t226, _t221, L"\n\n");
																												_t236 = _t236 + 0xc;
																												if(_t154 != 0) {
																													goto L66;
																												} else {
																													_t155 = E01191EB6(_t226, _t221, L"(Press Retry to debug the application - JIT must be enabled)");
																													_t236 = _t236 + 0xc;
																													if(_t155 != 0) {
																														goto L66;
																													} else {
																														return E0115E184(_v8 ^ _t229);
																													}
																												}
																											}
																										}
																									}
																								}
																							}
																						}
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								} else {
									_t185 = _t197 * 2 - 0x6a;
									_t197 = 0x20a - _t185;
									_t190 =  &_v532 + _t185;
									_t186 = E011825C7( &_v532 + _t185, _t197, L"...", 6);
									_t236 = _t240 + 0x10;
									if(_t186 != 0) {
										goto L66;
									} else {
										goto L10;
									}
								}
							} else {
								_t188 = E0118CEAC( &_v532, 0x105, L"<program name unknown>");
								_t236 = _t240 + 0xc;
								if(_t188 != 0) {
									goto L66;
								} else {
									goto L6;
								}
							}
						}
					}
				}
			}

0x01181f0e
0x01181f11
0x01181f19
0x01181f20
0x01181f27
0x01181f2b
0x01181f2f
0x01181f37
0x01181f42
0x01181f48
0x01181f4d
0x01181f54
0x01181f59
0x011823e2
0x011823e4
0x011823e5
0x011823e6
0x011823e7
0x011823e8
0x011823e9
0x011823ee
0x011823f1
0x011823f2
0x011823f4
0x011823f5
0x011823ff
0x01182406
0x0118240b
0x0118240e
0x01182412
0x01182417
0x01182419
0x0118241b
0x01182421
0x01182426
0x01182427
0x01182428
0x0118242d
0x0118242d
0x01182430
0x01182439
0x01182441
0x01182447
0x0118244b
0x0118244f
0x01182453
0x01182457
0x01182458
0x01182465
0x0118246d
0x01182472
0x01182475
0x0118247b
0x01182480
0x0118249a
0x01181f5f
0x01181f66
0x01181f6b
0x01181f70
0x00000000
0x01181f76
0x01181f7d
0x01181f82
0x01181f87
0x00000000
0x01181f8d
0x01181f9a
0x01181f9f
0x01181fa4
0x01181faa
0x01181fb4
0x01181fbc
0x01181fc2
0x01181fc8
0x01181fca
0x01181fd2
0x01181fe0
0x01181fff
0x01181fff
0x01182005
0x01182007
0x0118200a
0x0118200a
0x0118200d
0x01182010
0x0118201b
0x01182023
0x01182054
0x01182057
0x0118205c
0x01182061
0x00000000
0x01182067
0x0118206e
0x01182073
0x01182078
0x00000000
0x0118207e
0x01182085
0x0118208a
0x0118208f
0x00000000
0x01182095
0x01182095
0x0118209b
0x0118209d
0x011820a0
0x011820a0
0x011820a3
0x011820a6
0x011820b1
0x011820b9
0x011823c2
0x00000000
0x011820bf
0x011820bf
0x011820c1
0x011820c4
0x011820c4
0x011820c7
0x011820ca
0x011820d5
0x011820df
0x011820e3
0x011820e4
0x011820f0
0x011820f5
0x011820fb
0x011820fe
0x01182100
0x0118210a
0x0118210d
0x0118210e
0x01182111
0x0118211a
0x00000000
0x00000000
0x00000000
0x0118211a
0x0118211c
0x0118211f
0x0118211f
0x01182127
0x01182129
0x01182132
0x0118217d
0x0118217d
0x0118235a
0x0118235f
0x01182364
0x01182367
0x01182369
0x00000000
0x0118236b
0x01182372
0x01182377
0x0118237a
0x0118237c
0x00000000
0x0118237e
0x0118237e
0x0118238a
0x01182392
0x01182397
0x0118239a
0x0118239c
0x00000000
0x0118239e
0x011823a5
0x011823aa
0x011823ad
0x011823af
0x00000000
0x011823b1
0x011823ba
0x00000000
0x011823ba
0x011823af
0x0118239c
0x0118237c
0x01182183
0x01182185
0x01182186
0x0118218a
0x01182190
0x01182194
0x01182199
0x0118219c
0x0118219e
0x00000000
0x011821a4
0x011821ab
0x011821b0
0x011821b3
0x011821b5
0x00000000
0x011821bb
0x011821bb
0x011821bb
0x011821c7
0x00000000
0x011821c7
0x011821b5
0x0118219e
0x01182134
0x01182137
0x0118217a
0x00000000
0x01182139
0x0118213b
0x0118213e
0x01182142
0x01182147
0x0118214c
0x00000000
0x01182152
0x01182159
0x0118215e
0x01182163
0x00000000
0x01182169
0x0118216f
0x01182175
0x011821ca
0x011821ca
0x011821cb
0x011821cb
0x011821cc
0x011821cd
0x011821d2
0x011821d7
0x00000000
0x011821dd
0x011821e4
0x011821e9
0x011821ee
0x00000000
0x011821f4
0x011821fb
0x01182200
0x01182205
0x00000000
0x0118220b
0x0118220b
0x0118220f
0x01182212
0x01182212
0x01182215
0x01182218
0x0118221f
0x01182221
0x01182223
0x01182226
0x01182226
0x01182229
0x0118222c
0x01182239
0x01182247
0x0118224c
0x01182251
0x00000000
0x01182257
0x0118225e
0x01182263
0x01182268
0x00000000
0x0118226e
0x01182275
0x0118227a
0x0118227f
0x00000000
0x01182285
0x01182285
0x01182289
0x0118228c
0x0118228c
0x0118228f
0x01182292
0x0118229b
0x011822a1
0x011822a7
0x011822aa
0x011822aa
0x011822ad
0x011822b0
0x011822bb
0x011822c2
0x011823c8
0x00000000
0x011822c8
0x011822cf
0x011822d8
0x011822dd
0x011822e2
0x00000000
0x011822e8
0x011822e8
0x011822ed
0x011822ed
0x011822ee
0x011822ef
0x011822f4
0x011822f9
0x00000000
0x011822ff
0x011822ff
0x01182307
0x0118230c
0x01182311
0x00000000
0x01182317
0x0118231e
0x01182323
0x01182328
0x00000000
0x0118232e
0x01182331
0x01182336
0x0118233b
0x00000000
0x01182341
0x01182348
0x0118234d
0x01182352
0x00000000
0x01182358
0x011823e1
0x011823e1
0x01182352
0x0118233b
0x01182328
0x01182311
0x011822f9
0x011822e2
0x011822c2
0x0118227f
0x01182268
0x01182251
0x01182205
0x011821ee
0x011821d7
0x01182163
0x0118214c
0x01182137
0x01182132
0x011820b9
0x0118208f
0x01182078
0x01182025
0x01182025
0x01182038
0x01182040
0x01182044
0x01182049
0x0118204e
0x00000000
0x00000000
0x00000000
0x00000000
0x0118204e
0x01181fe2
0x01181fef
0x01181ff4
0x01181ff9
0x00000000
0x00000000
0x00000000
0x00000000
0x01181ff9
0x01181fe0
0x01181f87
0x01181f70

APIs

GetModuleHandleExW.KERNEL32(00000006,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 01181FB4
GetModuleFileNameW.KERNEL32(?,?,00000105,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 01181FD8

Strings

<program name unknown>, xrefs: 01181FE2
Line: , xrefs: 011821F4
\, xrefs: 011820D5
..., xrefs: 01182033, 01182152, 011821A4, 011822E8, 0118236B, 0118239E
(Press Retry to debug the application - JIT must be enabled), xrefs: 01182341
Assertion failed!, xrefs: 01181F32
For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts, xrefs: 01182317
File: , xrefs: 0118207E
Program: , xrefs: 01181F76
Expression: , xrefs: 0118226E

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Module$FileHandleName
String ID: (Press Retry to debug the application - JIT must be enabled)$...$<program name unknown>$Assertion failed!$Expression: $File: $For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts$Line: $Program: $\
API String ID: 4146042529-3261600717
Opcode ID: 321a936a62060c796eaf86f10531b59acffd408a9f5bff27b86f1b5601015efc
Instruction ID: 467b8ff4e268e63882b8ffd7cb121ad572de08be728791a4388b91138ccb75d6
Opcode Fuzzy Hash: 321a936a62060c796eaf86f10531b59acffd408a9f5bff27b86f1b5601015efc
Instruction Fuzzy Hash: 10C12735A4011AA6DB2FBA298CC5FEF3369EF68704F548169FD05E2101F7309A85CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0119BE2F, Relevance: 19.6, APIs: 13, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0119BE2F(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x11d8230) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E0118FAFF(_t46);
							E0119B219( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E0118FAFF(_t47);
							E0119B6CE( *((intOrPtr*)(_t74 + 0x88)));
						}
						E0118FAFF( *((intOrPtr*)(_t74 + 0x7c)));
						E0118FAFF( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E0118FAFF( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E0118FAFF( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E0118FAFF( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E0118FAFF( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E0119BFA0( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x11d83b0) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E0118FAFF(_t31);
							E0118FAFF( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E0118FAFF(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E0118FAFF(_t74);
			}

0x0119be37
0x0119be3b
0x0119be43
0x0119be4c
0x0119be51
0x0119be58
0x0119be60
0x0119be68
0x0119be73
0x0119be79
0x0119be7a
0x0119be82
0x0119be8a
0x0119be95
0x0119be9b
0x0119be9f
0x0119beaa
0x0119beb0
0x0119be51
0x0119beb1
0x0119beb9
0x0119becc
0x0119bedf
0x0119beed
0x0119bef8
0x0119befd
0x0119bf06
0x0119bf0e
0x0119bf0f
0x0119bf15
0x0119bf18
0x0119bf1b
0x0119bf22
0x0119bf24
0x0119bf28
0x0119bf30
0x0119bf37
0x0119bf3d
0x0119bf3e
0x0119bf3e
0x0119bf45
0x0119bf47
0x0119bf4c
0x0119bf54
0x0119bf59
0x0119bf5a
0x0119bf5a
0x0119bf5d
0x0119bf60
0x0119bf63
0x0119bf66
0x0119bf66
0x0119bf76

APIs

___free_lconv_mon.LIBCMT ref: 0119BE73

Part of subcall function 0119B219: _free.LIBCMT ref: 0119B236
Part of subcall function 0119B219: _free.LIBCMT ref: 0119B248
Part of subcall function 0119B219: _free.LIBCMT ref: 0119B25A
Part of subcall function 0119B219: _free.LIBCMT ref: 0119B26C
Part of subcall function 0119B219: _free.LIBCMT ref: 0119B27E
Part of subcall function 0119B219: _free.LIBCMT ref: 0119B290
Part of subcall function 0119B219: _free.LIBCMT ref: 0119B2A2
Part of subcall function 0119B219: _free.LIBCMT ref: 0119B2B4
Part of subcall function 0119B219: _free.LIBCMT ref: 0119B2C6
Part of subcall function 0119B219: _free.LIBCMT ref: 0119B2D8
Part of subcall function 0119B219: _free.LIBCMT ref: 0119B2EA
Part of subcall function 0119B219: _free.LIBCMT ref: 0119B2FC
Part of subcall function 0119B219: _free.LIBCMT ref: 0119B30E

_free.LIBCMT ref: 0119BE68

Part of subcall function 0118FAFF: HeapFree.KERNEL32(00000000,00000000,?,0119B970,?,00000000,?,?,?,0119BC13,?,00000007,?,?,0119BFC6,?), ref: 0118FB15
Part of subcall function 0118FAFF: GetLastError.KERNEL32(?,?,0119B970,?,00000000,?,?,?,0119BC13,?,00000007,?,?,0119BFC6,?,?), ref: 0118FB27

_free.LIBCMT ref: 0119BE8A
_free.LIBCMT ref: 0119BE9F
_free.LIBCMT ref: 0119BEAA
_free.LIBCMT ref: 0119BECC
_free.LIBCMT ref: 0119BEDF
_free.LIBCMT ref: 0119BEED
_free.LIBCMT ref: 0119BEF8
_free.LIBCMT ref: 0119BF30
_free.LIBCMT ref: 0119BF37
_free.LIBCMT ref: 0119BF54
_free.LIBCMT ref: 0119BF6C

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: f5c59fc74d8669007c1c0d7ec2248a74dc1e23e231d4da6396537779f970e328
Instruction ID: 549e1b195e2af0907b5c382c04f39039ec666809365abe63a0495be246fb57c1
Opcode Fuzzy Hash: f5c59fc74d8669007c1c0d7ec2248a74dc1e23e231d4da6396537779f970e328
Instruction Fuzzy Hash: 45316F316082069FEF29AA3DE844F56B7E9EF10364F208519E569DB190DF71E841CF25

Uniqueness

Uniqueness Score: -1.00%

Function 01195F5A, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 301
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E01195F5A(signed int _a4, void* _a8, unsigned int _a12) {
				char _v5;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _v24;
				void* _v28;
				long _v32;
				char _v36;
				void* _v40;
				long _v44;
				signed int* _t137;
				signed int _t139;
				intOrPtr _t143;
				unsigned int _t154;
				intOrPtr _t158;
				signed int _t160;
				signed int _t163;
				long _t164;
				intOrPtr _t169;
				signed int _t170;
				intOrPtr _t172;
				signed int _t174;
				signed int _t178;
				void _t180;
				char _t185;
				char _t190;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				signed int _t207;
				long _t210;
				unsigned int _t212;
				intOrPtr _t214;
				unsigned int _t217;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				signed char _t224;
				char _t226;
				signed int _t228;
				void* _t229;
				signed int _t230;
				char* _t231;
				char* _t232;
				signed int _t235;
				signed int _t236;
				void* _t240;
				void* _t242;
				void* _t243;

				_t198 = _a4;
				_t246 = _t198 - 0xfffffffe;
				if(_t198 != 0xfffffffe) {
					__eflags = _t198;
					if(__eflags < 0) {
						L59:
						_t137 = E01186163(__eflags);
						 *_t137 =  *_t137 & 0x00000000;
						__eflags =  *_t137;
						 *((intOrPtr*)(E01186176( *_t137))) = 9;
						L60:
						_t139 = E011828B6();
						goto L61;
					}
					__eflags = _t198 -  *0x11fa488; // 0x40
					if(__eflags >= 0) {
						goto L59;
					}
					_t207 = _t198 >> 6;
					_t235 = (_t198 & 0x0000003f) * 0x38;
					_v12 = _t207;
					_t143 =  *((intOrPtr*)(0x11fa288 + _t207 * 4));
					_v20 = _t235;
					_v36 = 1;
					_t224 =  *((intOrPtr*)(_t143 + _t235 + 0x28));
					__eflags = 1 & _t224;
					if(__eflags == 0) {
						goto L59;
					}
					_t210 = _a12;
					__eflags = _t210 - 0x7fffffff;
					if(__eflags <= 0) {
						__eflags = _t210;
						if(_t210 == 0) {
							L58:
							return 0;
						}
						__eflags = _t224 & 0x00000002;
						if((_t224 & 0x00000002) != 0) {
							goto L58;
						}
						__eflags = _a8;
						if(__eflags == 0) {
							goto L6;
						}
						_v28 =  *((intOrPtr*)(_t143 + _t235 + 0x18));
						_t226 =  *((intOrPtr*)(_t143 + _t235 + 0x29));
						_v5 = _t226;
						_t240 = 0;
						_t228 = _t226 - 1;
						__eflags = _t228;
						if(_t228 == 0) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags == 0) {
								L14:
								 *(E01186163(__eflags)) =  *_t149 & _t240;
								 *((intOrPtr*)(E01186176(__eflags))) = 0x16;
								E011828B6();
								goto L39;
							} else {
								_t154 = 4;
								_t212 = _t210 >> 1;
								_v16 = _t154;
								__eflags = _t212 - _t154;
								if(_t212 >= _t154) {
									_t154 = _t212;
									_v16 = _t212;
								}
								_t240 = E01190910(_t212, _t154);
								E0118FAFF(0);
								E0118FAFF(0);
								_t243 = _t242 + 0xc;
								_v24 = _t240;
								__eflags = _t240;
								if(__eflags != 0) {
									_t158 = E011964AD(_t198, 0, 0, 1);
									_t242 = _t243 + 0x10;
									_t214 =  *((intOrPtr*)(0x11fa288 + _v12 * 4));
									 *((intOrPtr*)(_t235 + _t214 + 0x20)) = _t158;
									 *(_t235 + _t214 + 0x24) = _t228;
									_t229 = _t240;
									_t210 = _v16;
									_t143 =  *((intOrPtr*)(0x11fa288 + _v12 * 4));
									L22:
									_t199 = _v20;
									_t235 = 0;
									_v40 = _t229;
									__eflags =  *(_t199 + _t143 + 0x28) & 0x00000048;
									_t200 = _a4;
									if(( *(_t199 + _t143 + 0x28) & 0x00000048) != 0) {
										_t180 =  *((intOrPtr*)(_v20 + _t143 + 0x2a));
										_t200 = _a4;
										__eflags = _t180 - 0xa;
										if(_t180 != 0xa) {
											__eflags = _t210;
											if(_t210 != 0) {
												_t235 = 1;
												 *_t229 = _t180;
												_t231 = _t229 + 1;
												_t220 = _t210 - 1;
												__eflags = _v5;
												_v24 = _t231;
												_v16 = _t220;
												 *((char*)(_v20 +  *((intOrPtr*)(0x11fa288 + _v12 * 4)) + 0x2a)) = 0xa;
												_t200 = _a4;
												if(_v5 != 0) {
													_t185 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0x11fa288 + _v12 * 4)) + 0x2b));
													_t200 = _a4;
													__eflags = _t185 - 0xa;
													if(_t185 != 0xa) {
														__eflags = _t220;
														if(_t220 != 0) {
															 *_t231 = _t185;
															_t232 = _t231 + 1;
															_t221 = _t220 - 1;
															__eflags = _v5 - 1;
															_v24 = _t232;
															_t235 = 2;
															_v16 = _t221;
															 *((char*)(_v20 +  *((intOrPtr*)(0x11fa288 + _v12 * 4)) + 0x2b)) = 0xa;
															_t200 = _a4;
															if(_v5 == 1) {
																_t190 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0x11fa288 + _v12 * 4)) + 0x2c));
																_t200 = _a4;
																__eflags = _t190 - 0xa;
																if(_t190 != 0xa) {
																	__eflags = _t221;
																	if(_t221 != 0) {
																		 *_t232 = _t190;
																		_t222 = _t221 - 1;
																		__eflags = _t222;
																		_v16 = _t222;
																		_v24 = _t232 + 1;
																		_t235 = 3;
																		 *((char*)(_v20 +  *((intOrPtr*)(0x11fa288 + _v12 * 4)) + 0x2c)) = 0xa;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									_t160 = E0119F593(_t200);
									__eflags = _t160;
									if(_t160 == 0) {
										L42:
										_v36 = 0;
										L43:
										_t163 = ReadFile(_v28, _v24, _v16,  &_v32, 0);
										__eflags = _t163;
										if(_t163 == 0) {
											L54:
											_t164 = GetLastError();
											_t235 = 5;
											__eflags = _t164 - _t235;
											if(__eflags != 0) {
												__eflags = _t164 - 0x6d;
												if(_t164 != 0x6d) {
													L38:
													E01186140(_t164);
													goto L39;
												}
												_t236 = 0;
												goto L40;
											}
											 *((intOrPtr*)(E01186176(__eflags))) = 9;
											 *(E01186163(__eflags)) = _t235;
											goto L39;
										}
										_t217 = _a12;
										__eflags = _v32 - _t217;
										if(_v32 > _t217) {
											goto L54;
										}
										_t236 = _t235 + _v32;
										__eflags = _t236;
										L46:
										_t230 = _v20;
										_t169 =  *((intOrPtr*)(0x11fa288 + _v12 * 4));
										__eflags =  *((char*)(_t230 + _t169 + 0x28));
										if( *((char*)(_t230 + _t169 + 0x28)) < 0) {
											__eflags = _v5 - 2;
											if(_v5 == 2) {
												__eflags = _v36;
												_push(_t236 >> 1);
												_push(_v40);
												_push(_t200);
												if(_v36 == 0) {
													_t170 = E01195AA3();
												} else {
													_t170 = E01195DCB();
												}
											} else {
												_t218 = _t217 >> 1;
												__eflags = _t217 >> 1;
												_t170 = E01195C74(_t217 >> 1, _t217 >> 1, _t200, _v24, _t236, _a8, _t218);
											}
											_t236 = _t170;
										}
										goto L40;
									}
									_t219 = _v20;
									_t172 =  *((intOrPtr*)(0x11fa288 + _v12 * 4));
									__eflags =  *((char*)(_t219 + _t172 + 0x28));
									if( *((char*)(_t219 + _t172 + 0x28)) >= 0) {
										goto L42;
									}
									_t108 =  &_v28; // 0xa
									_t174 = GetConsoleMode( *_t108,  &_v44);
									__eflags = _t174;
									if(_t174 == 0) {
										goto L42;
									}
									__eflags = _v5 - 2;
									if(_v5 != 2) {
										goto L43;
									}
									_t178 = ReadConsoleW(_v28, _v24, _v16 >> 1,  &_v32, 0);
									__eflags = _t178;
									if(_t178 != 0) {
										_t217 = _a12;
										_t236 = _t235 + _v32 * 2;
										goto L46;
									}
									_t164 = GetLastError();
									goto L38;
								} else {
									 *((intOrPtr*)(E01186176(__eflags))) = 0xc;
									 *(E01186163(__eflags)) = 8;
									L39:
									_t236 = _t235 | 0xffffffff;
									__eflags = _t236;
									L40:
									E0118FAFF(_t240);
									return _t236;
								}
							}
						}
						__eflags = _t228 == 1;
						if(_t228 == 1) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags != 0) {
								_t229 = _a8;
								_v16 = _t210;
								_v24 = _t229;
								_t143 =  *((intOrPtr*)(0x11fa288 + _v12 * 4));
								goto L22;
							}
							goto L14;
						} else {
							_t229 = _a8;
							_v16 = _t210;
							_v24 = _t229;
							goto L22;
						}
					}
					L6:
					 *(E01186163(__eflags)) =  *_t145 & 0x00000000;
					 *((intOrPtr*)(E01186176(__eflags))) = 0x16;
					goto L60;
				} else {
					 *(E01186163(_t246)) =  *_t197 & 0x00000000;
					_t139 = E01186176(_t246);
					 *_t139 = 9;
					L61:
					return _t139 | 0xffffffff;
				}
			}

0x01195f63
0x01195f67
0x01195f6a
0x01195f84
0x01195f86
0x011962eb
0x011962eb
0x011962f0
0x011962f0
0x011962f8
0x011962fe
0x011962fe
0x00000000
0x011962fe
0x01195f8c
0x01195f92
0x00000000
0x00000000
0x01195f9c
0x01195fa2
0x01195fa5
0x01195fa8
0x01195fb2
0x01195fb5
0x01195fb8
0x01195fbc
0x01195fbe
0x00000000
0x00000000
0x01195fc4
0x01195fc7
0x01195fcd
0x01195fe7
0x01195fe9
0x011962e7
0x00000000
0x011962e7
0x01195fef
0x01195ff2
0x00000000
0x00000000
0x01195ff8
0x01195ffc
0x00000000
0x00000000
0x01196002
0x01196005
0x01196009
0x01196010
0x01196012
0x01196012
0x01196015
0x0119606a
0x0119606c
0x01196032
0x01196037
0x0119603e
0x01196044
0x00000000
0x0119606e
0x01196070
0x01196071
0x01196073
0x01196076
0x01196078
0x0119607a
0x0119607c
0x0119607c
0x01196087
0x01196089
0x01196090
0x01196095
0x01196098
0x0119609b
0x0119609d
0x011960c1
0x011960c9
0x011960cc
0x011960d3
0x011960da
0x011960de
0x011960e0
0x011960e3
0x011960ea
0x011960ea
0x011960ed
0x011960ef
0x011960f2
0x011960f7
0x011960fa
0x01196103
0x01196107
0x0119610a
0x0119610c
0x01196112
0x01196114
0x0119611d
0x0119611e
0x01196120
0x01196124
0x01196125
0x01196129
0x0119612c
0x01196136
0x0119613b
0x0119613e
0x0119614d
0x01196151
0x01196154
0x01196156
0x01196158
0x0119615a
0x0119615f
0x01196161
0x01196165
0x01196166
0x0119616c
0x01196176
0x01196177
0x0119617a
0x0119617f
0x01196182
0x01196191
0x01196195
0x01196198
0x0119619a
0x0119619c
0x0119619e
0x011961a0
0x011961a6
0x011961a6
0x011961a7
0x011961b6
0x011961b9
0x011961ba
0x011961ba
0x0119619e
0x0119619a
0x01196182
0x0119615a
0x01196156
0x0119613e
0x01196114
0x0119610c
0x011961c0
0x011961c6
0x011961c8
0x0119623b
0x0119623b
0x0119623f
0x0119624f
0x01196255
0x01196257
0x011962b3
0x011962b3
0x011962bb
0x011962bc
0x011962be
0x011962d7
0x011962da
0x01196217
0x01196218
0x00000000
0x0119621d
0x011962e0
0x00000000
0x011962e0
0x011962c5
0x011962d0
0x00000000
0x011962d0
0x01196259
0x0119625c
0x0119625f
0x00000000
0x00000000
0x01196261
0x01196261
0x01196264
0x01196267
0x0119626a
0x01196271
0x01196276
0x01196278
0x0119627c
0x01196297
0x0119629b
0x0119629c
0x0119629f
0x011962a0
0x011962ac
0x011962a2
0x011962a2
0x011962a2
0x0119627e
0x0119627e
0x0119627e
0x01196289
0x0119628e
0x01196291
0x01196291
0x00000000
0x01196276
0x011961cd
0x011961d0
0x011961d7
0x011961dc
0x00000000
0x00000000
0x011961e2
0x011961e5
0x011961eb
0x011961ed
0x00000000
0x00000000
0x011961ef
0x011961f3
0x00000000
0x00000000
0x01196207
0x0119620d
0x0119620f
0x01196233
0x01196236
0x00000000
0x01196236
0x01196211
0x00000000
0x0119609f
0x011960a4
0x011960af
0x0119621e
0x0119621e
0x0119621e
0x01196221
0x01196222
0x00000000
0x0119622a
0x0119609d
0x0119606c
0x01196017
0x0119601a
0x0119602e
0x01196030
0x01196051
0x01196054
0x01196057
0x0119605a
0x00000000
0x0119605a
0x00000000
0x0119601c
0x0119601c
0x0119601f
0x01196022
0x00000000
0x01196022
0x0119601a
0x01195fcf
0x01195fd4
0x01195fdc
0x00000000
0x01195f6c
0x01195f71
0x01195f74
0x01195f79
0x01196303
0x00000000
0x01196303

Strings

, xrefs: 011961E2

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: 18609e83876f716a1a96afb4a2feece9796524bc049de08f6586752bc5427692
Instruction ID: edc25dcea0abc7f1e7aba1ebc3b5691bb15fbaf3a0b88234da31420d4b4e9ccc
Opcode Fuzzy Hash: 18609e83876f716a1a96afb4a2feece9796524bc049de08f6586752bc5427692
Instruction Fuzzy Hash: CAC1E274E042069FDF1EDFA8D890BADBBB1BF49344F0481A9E524AB382C7749941CB71

Uniqueness

Uniqueness Score: -1.00%

Function 01140823, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 122
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E01140823(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags) {
				char* _t34;
				intOrPtr _t40;
				long _t42;
				void* _t43;
				int* _t44;
				void* _t49;
				intOrPtr _t52;
				int _t54;
				void* _t56;
				void* _t60;
				long _t62;
				intOrPtr _t64;
				void* _t66;
				void** _t77;
				intOrPtr* _t80;
				char _t82;
				int* _t83;
				void* _t85;

				_t56 = __ecx;
				_push(0x48);
				E0115ECB1(0x11aa96b, __ebx, __edi);
				_t54 = 0;
				_push(0x100c);
				_t34 = E0118601C(_t56);
				_t80 = _t34;
				if(_t80 != 0) {
					_t60 = 0x100c;
					do {
						 *_t34 = 0;
						_t34 = _t34 + 1;
						_t60 = _t60 - 1;
					} while (_t60 != 0);
					 *(_t80 + 4) = 0x400;
					__imp__QueryInformationJobObject(0, 3, _t80, 0x100c, 0);
					if(_t34 != 0) {
						_t40 =  *_t80;
						_t82 = 0;
						 *((intOrPtr*)(_t85 - 0x2c)) = 0;
						 *((intOrPtr*)(_t85 - 0x34)) = 0;
						if(_t40 != 0) {
							_t4 = _t80 + 8; // 0x8
							_t77 = _t4;
							 *(_t85 - 0x38) = _t77;
							do {
								 *(_t85 - 0x30) =  *_t77;
								_t42 = GetCurrentProcessId();
								_t62 =  *(_t85 - 0x30);
								if(_t62 != _t42) {
									_t43 = OpenProcess(0x400, _t54, _t62);
									 *(_t85 - 0x30) = _t43;
									__eflags = _t43;
									if(__eflags != 0) {
										_push(0x2000);
										_t44 = E0118601C(_t62);
										_t83 = _t44;
										 *(_t85 - 0x3c) = _t83;
										__eflags = _t83;
										if(__eflags != 0) {
											_t66 = 0x2000;
											do {
												 *_t44 = _t54;
												_t44 =  &(_t44[0]);
												_t66 = _t66 - 1;
												__eflags = _t66;
											} while (_t66 != 0);
											__imp__K32GetProcessImageFileNameW( *(_t85 - 0x30), _t83, 0x1000);
											__eflags = _t44;
											if(__eflags != 0) {
												E0111A15A(_t85 - 0x28, _t83);
												 *(_t85 - 4) = _t54;
												_t49 = E0111A0B8(_t85 - 0x28, E0111A15A(_t85 - 0x54, L"\\Windows\\System32\\conhost.exe"), _t54);
												E0111B354(_t85 - 0x54);
												 *(_t85 - 4) =  *(_t85 - 4) | 0xffffffff;
												E0111B354(_t85 - 0x28);
												_t52 =  *((intOrPtr*)(_t85 - 0x2c));
												__eflags = _t49 - 0xffffffff;
												_t83 =  *(_t85 - 0x3c);
												_t74 =  ==  ? _t52 : _t52 + 1;
												 *((intOrPtr*)(_t85 - 0x2c)) =  ==  ? _t52 : _t52 + 1;
											}
											E011838CA(_t83);
										}
										CloseHandle( *(_t85 - 0x30));
										_t82 =  *((intOrPtr*)(_t85 - 0x2c));
									}
								} else {
									_t82 = _t82 + 1;
									 *((intOrPtr*)(_t85 - 0x2c)) = _t82;
								}
								_t64 =  *((intOrPtr*)(_t85 - 0x34)) + 1;
								_t40 =  *_t80;
								_t77 =  &(( *(_t85 - 0x38))[1]);
								 *((intOrPtr*)(_t85 - 0x34)) = _t64;
								 *(_t85 - 0x38) = _t77;
							} while (_t64 < _t40);
						}
						_t54 = 0 | _t82 != _t40;
					}
					E011838CA(_t80);
				}
				_t95 = _t54;
				if(_t54 != 0) {
					E0111CC91(0x11f93d0, E0111C7AF(_t54, 0x11f93d0, "ProcessJob", _t80, _t95));
				}
				return E0115EC5B(_t54 & 0x000000ff, _t54, _t80);
			}

0x01140823
0x01140823
0x0114082a
0x01140834
0x01140836
0x01140837
0x0114083c
0x01140841
0x01140847
0x01140849
0x01140849
0x0114084b
0x0114084c
0x0114084c
0x01140857
0x0114085e
0x01140866
0x0114086c
0x0114086e
0x01140870
0x01140873
0x01140878
0x0114087e
0x0114087e
0x01140881
0x01140884
0x01140886
0x01140889
0x0114088f
0x01140894
0x011408a6
0x011408ac
0x011408af
0x011408b1
0x011408b7
0x011408bc
0x011408c1
0x011408c3
0x011408c7
0x011408c9
0x011408cb
0x011408d0
0x011408d0
0x011408d2
0x011408d3
0x011408d3
0x011408d3
0x011408e1
0x011408e7
0x011408e9
0x011408ef
0x011408fc
0x01140909
0x01140913
0x01140918
0x0114091f
0x01140924
0x01140927
0x0114092a
0x01140930
0x01140933
0x01140933
0x01140937
0x0114093c
0x01140940
0x01140946
0x01140946
0x01140896
0x01140896
0x01140897
0x01140897
0x0114094f
0x01140950
0x01140952
0x01140955
0x01140958
0x0114095b
0x01140884
0x01140967
0x01140967
0x0114096b
0x01140970
0x01140971
0x01140973
0x01140985
0x0114098a
0x01140993

APIs

__EH_prolog3_GS.LIBCMT ref: 0114082A
QueryInformationJobObject.KERNEL32(00000000,00000003,00000000,0000100C,00000000), ref: 0114085E
GetCurrentProcessId.KERNEL32 ref: 01140889
OpenProcess.KERNEL32(00000400,00000000,?), ref: 011408A6
K32GetProcessImageFileNameW.KERNEL32(?,00000000,00001000), ref: 011408E1
CloseHandle.KERNEL32(?), ref: 01140940

Strings

\Windows\System32\conhost.exe, xrefs: 011408F4
ProcessJob, xrefs: 01140975

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Process$CloseCurrentFileH_prolog3_HandleImageInformationNameObjectOpenQuery
String ID: ProcessJob$\Windows\System32\conhost.exe
API String ID: 2200565947-3079622981
Opcode ID: 2b08f1667b1c59e8ffd2bce12a753584e4ab9c7386dd0e212a306a913d5e92b1
Instruction ID: 09b430f584e92a0c4553cd4fdcd2b16af3263052a9edc0bae72e05680ef17eec
Opcode Fuzzy Hash: 2b08f1667b1c59e8ffd2bce12a753584e4ab9c7386dd0e212a306a913d5e92b1
Instruction Fuzzy Hash: 4941D075D01216ABEB1CEBA9D894AEDBBB4BF19714F148128F615B7284EB308D05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01140BDB, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 96
memoryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E01140BDB(void* __ebx, void* __edi, void* __esi) {
				signed int _v8;
				long _v12;
				long _v16;
				void* __ebp;
				signed int _t11;
				unsigned int _t16;
				void* _t18;
				signed int _t27;
				signed int _t33;
				signed char _t34;
				void* _t40;
				void* _t44;
				void* _t46;
				signed int _t48;

				_t11 =  *0x11d8098; // 0xa9f5dfda
				_v8 = _t11 ^ _t48;
				_t46 = VirtualAlloc(0, 0x4000, 0x3000, 4);
				if(_t46 != 0) {
					_t44 = VirtualAlloc(0, 0x1000000, 0x203000, 0x40);
					__eflags = _t44;
					if(_t44 != 0) {
						 *_t44 = 0xb951;
						_t34 = 0;
						_t40 = 2;
						do {
							_t16 = IsDebuggerPresent >> _t34;
							_t34 = _t34 + 8;
							 *(_t44 + _t40) = _t16;
							_t40 = _t40 + 1;
							__eflags = _t40 - 6;
						} while (_t40 < 6);
						 *((intOrPtr*)(_t40 + _t44)) = 0xc359d1ff;
						ResetWriteWatch(_t44, 0x1000000);
						_t18 =  *_t44();
						_t33 = 1;
						__eflags = _t18 - 1;
						if(_t18 != 1) {
							_v12 = 0x1000;
							_t27 = GetWriteWatch(0, _t44, 0x1000, _t46,  &_v12,  &_v16);
							_t33 = 0;
							__eflags = _t27;
							if(_t27 == 0) {
								__eflags = _v12;
								_t9 = _v12 != 0;
								__eflags = _t9;
								_t33 = 0 | _t9;
							}
						}
						VirtualFree(_t46, 0, 0x8000);
						VirtualFree(_t44, 0, 0x8000);
						__eflags = _t33;
						if(__eflags != 0) {
							E0111CC91(0x11f93d0, E0111C7AF(_t33, 0x11f93d0, "WriteWatchCodeWrite", _t44, __eflags));
						}
						L12:
						return E0115E184(_v8 ^ _t48);
					}
					VirtualFree(_t46, 0, 0x8000);
				}
				goto L12;
			}

0x01140be1
0x01140be8
0x01140c05
0x01140c09
0x01140c21
0x01140c23
0x01140c25
0x01140c38
0x01140c3d
0x01140c3f
0x01140c40
0x01140c45
0x01140c47
0x01140c4a
0x01140c4d
0x01140c4e
0x01140c4e
0x01140c59
0x01140c60
0x01140c66
0x01140c6a
0x01140c6b
0x01140c6d
0x01140c7b
0x01140c84
0x01140c8a
0x01140c8c
0x01140c8e
0x01140c90
0x01140c93
0x01140c93
0x01140c93
0x01140c93
0x01140c8e
0x01140ca4
0x01140cae
0x01140cb0
0x01140cb2
0x01140cc4
0x01140cc9
0x01140ccd
0x01140cdb
0x01140cdb
0x01140c2e
0x01140c2e
0x00000000

APIs

VirtualAlloc.KERNEL32(00000000,00004000,00003000,00000004,011F93D0,00000000,?), ref: 01140C03
VirtualAlloc.KERNEL32(00000000,01000000,00203000,00000040), ref: 01140C1F
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 01140C2E
ResetWriteWatch.KERNEL32(00000000,01000000), ref: 01140C60
GetWriteWatch.KERNEL32(00000000,00000000,00001000,00000000,?,?), ref: 01140C84
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 01140CA4
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 01140CAE

Strings

WriteWatchCodeWrite, xrefs: 01140CB4

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Virtual$Free$AllocWatchWrite$Reset
String ID: WriteWatchCodeWrite
API String ID: 3544933417-1678248148
Opcode ID: d259222b26cac76d3e48baf9434dcd36f1173f9fcbaef3cdeb43df772644714b
Instruction ID: 6432b1905a26ff9b4b8677c1c57f8c64b6aa26ee1b783dd38bf1592739431545
Opcode Fuzzy Hash: d259222b26cac76d3e48baf9434dcd36f1173f9fcbaef3cdeb43df772644714b
Instruction Fuzzy Hash: E3212970780306BBE3399A6A9D55FAE7BACEB45A54F204079F341A61C0CBB0A8458668

Uniqueness

Uniqueness Score: -1.00%

Function 01140994, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 77
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E01140994(void* __ebx, void* __edi, void* __esi) {
				signed int _v8;
				long _v12;
				long _v16;
				void* __ebp;
				signed int _t9;
				signed int _t15;
				signed int _t25;
				void* _t35;
				void* _t37;
				signed int _t39;

				_t9 =  *0x11d8098; // 0xa9f5dfda
				_v8 = _t9 ^ _t39;
				_t25 = 0;
				_t37 = VirtualAlloc(0, 0x4000, 0x3000, 4);
				if(_t37 != 0) {
					_t35 = VirtualAlloc(0, 0x1000000, 0x203000, 4);
					__eflags = _t35;
					if(_t35 != 0) {
						 *_t35 = 0x4d2;
						_v12 = 0x1000;
						_t15 = GetWriteWatch(0, _t35, 0x1000, _t37,  &_v12,  &_v16);
						__eflags = _t15;
						if(_t15 == 0) {
							__eflags = _v12 - 1;
							_t7 = _v12 != 1;
							__eflags = _t7;
							_t25 = 0 | _t7;
						}
						VirtualFree(_t37, 0, 0x8000);
						VirtualFree(_t35, 0, 0x8000);
						__eflags = _t25;
						if(__eflags != 0) {
							E0111CC91(0x11f93d0, E0111C7AF(_t25, 0x11f93d0, "WriteWatchBufferOnly", _t35, __eflags));
						}
					} else {
						VirtualFree(_t37, 0, 0x8000);
						goto L1;
					}
				} else {
					L1:
				}
				return E0115E184(_v8 ^ _t39);
			}

0x0114099a
0x011409a1
0x011409ad
0x011409be
0x011409c2
0x011409da
0x011409dc
0x011409de
0x011409f2
0x01140a06
0x01140a09
0x01140a0f
0x01140a11
0x01140a15
0x01140a19
0x01140a19
0x01140a19
0x01140a19
0x01140a2a
0x01140a34
0x01140a36
0x01140a38
0x01140a4a
0x01140a4f
0x011409e0
0x011409e7
0x00000000
0x011409e7
0x011409c4
0x011409c4
0x011409c4
0x01140a61

APIs

VirtualAlloc.KERNEL32(00000000,00004000,00003000,00000004,011F93D0,00000000,?), ref: 011409BC
VirtualAlloc.KERNEL32(00000000,01000000,00203000,00000004), ref: 011409D8
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 011409E7
GetWriteWatch.KERNEL32(00000000,00000000,00001000,00000000,?,?), ref: 01140A09
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 01140A2A
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 01140A34

Strings

WriteWatchBufferOnly, xrefs: 01140A3A

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Virtual$Free$Alloc$WatchWrite
String ID: WriteWatchBufferOnly
API String ID: 2642962992-3547876682
Opcode ID: afbe56003e9f87549e768498c6e83bb697f4c2807dbf68e75d0efe02e2b35cfa
Instruction ID: 103ee8b085778ec9bd928ecc2a35eb609216cf1e8b5776ea0e5ac2f591ac770f
Opcode Fuzzy Hash: afbe56003e9f87549e768498c6e83bb697f4c2807dbf68e75d0efe02e2b35cfa
Instruction Fuzzy Hash: 4E112971781309BBE3399A659C41FAF7BACDB44B54F204029F701B71C4DBB09D058664

Uniqueness

Uniqueness Score: -1.00%

Function 01117812, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E01117812(void* __esi, struct HWND__* _a4, int _a8, int _a12, long _a16) {
				signed int _v8;
				struct tagPAINTSTRUCT _v72;
				signed int _t10;
				void* _t13;
				void* _t16;
				void* _t17;
				struct HWND__* _t28;
				signed int _t29;

				_t10 =  *0x11d8098; // 0xa9f5dfda
				_v8 = _t10 ^ _t29;
				_t28 = _a4;
				_t13 = _a8 - 1;
				if(_t13 == 0) {
					__imp__ShutdownBlockReasonCreate(_t28, L"Windows Update");
					goto L8;
				} else {
					_t16 = _t13 - 1;
					if(_t16 == 0) {
						__imp__ShutdownBlockReasonDestroy(_t28);
						PostQuitMessage(0);
						goto L8;
					} else {
						_t17 = _t16 - 0xd;
						if(_t17 == 0) {
							BeginPaint(_t28,  &_v72);
							EndPaint(_t28,  &_v72);
							goto L8;
						} else {
							if(_t17 == 0) {
								L8:
							} else {
								DefWindowProcW(_t28, _a8, _a12, _a16);
							}
						}
					}
				}
				return E0115E184(_v8 ^ _t29);
			}

0x01117818
0x0111781f
0x01117826
0x01117829
0x0111782c
0x0111787f
0x00000000
0x0111782e
0x0111782e
0x01117831
0x01117869
0x01117871
0x00000000
0x01117833
0x01117833
0x01117836
0x01117855
0x01117860
0x00000000
0x01117838
0x0111783c
0x01117885
0x0111783e
0x01117848
0x01117848
0x0111783c
0x01117836
0x01117831
0x01117893

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 01117848
BeginPaint.USER32(?,?), ref: 01117855
EndPaint.USER32(?,?), ref: 01117860
ShutdownBlockReasonDestroy.USER32(?), ref: 01117869
PostQuitMessage.USER32(00000000), ref: 01117871
ShutdownBlockReasonCreate.USER32(?,Windows Update), ref: 0111787F

Strings

Windows Update, xrefs: 01117879

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: BlockPaintReasonShutdown$BeginCreateDestroyMessagePostProcQuitWindow
String ID: Windows Update
API String ID: 787913518-1282563427
Opcode ID: fdfe4116028bcf1fd9040d4bd5993bdd334811a1d431aa1a207b93644a55d31f
Instruction ID: 5960d365cacfa8e27734b09c0d508440e05f2311fbc465a32973a677d51be3ab
Opcode Fuzzy Hash: fdfe4116028bcf1fd9040d4bd5993bdd334811a1d431aa1a207b93644a55d31f
Instruction Fuzzy Hash: D2012C3514511AEBCB1DDFB8A90C9AEBFB8EF09304B400135F916D2298D730DA56CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0118EF18, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 264
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0118EF18(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				short _v270;
				short _v272;
				char _v528;
				char _v700;
				signed int _v704;
				short _v706;
				signed int* _v708;
				signed int _v712;
				signed int _v716;
				signed int _v720;
				signed int* _v724;
				intOrPtr _v728;
				signed int _v732;
				signed int _v736;
				signed int _v740;
				signed int _v744;
				intOrPtr _v772;
				signed int _v784;
				void* __ebp;
				signed int _t151;
				void* _t158;
				signed int _t161;
				signed int _t162;
				intOrPtr _t163;
				signed int _t166;
				signed int _t168;
				signed int _t169;
				signed int _t172;
				signed int _t173;
				signed int _t176;
				signed int _t177;
				signed int _t179;
				signed int _t199;
				signed int _t201;
				signed int _t203;
				signed int _t208;
				signed int _t211;
				intOrPtr* _t219;
				intOrPtr* _t220;
				char* _t227;
				signed int _t229;
				intOrPtr _t232;
				intOrPtr* _t233;
				signed int _t235;
				signed int* _t239;
				signed int _t240;
				void* _t247;
				signed int _t248;
				intOrPtr _t250;
				signed int _t256;
				signed int _t258;
				signed int _t261;
				signed int* _t262;
				intOrPtr* _t263;
				short _t264;
				signed int _t266;
				signed int _t270;
				void* _t272;
				void* _t274;

				_t266 = _t270;
				_t151 =  *0x11d8098; // 0xa9f5dfda
				_v8 = _t151 ^ _t266;
				_push(__ebx);
				_t211 = _a8;
				_push(__esi);
				_push(__edi);
				_t250 = _a4;
				_v736 = _t211;
				_v724 = E01190FC4(__ecx, __edx) + 0x278;
				_t158 = E0118E603(_t211, __edx, _t250, _a12, _a12,  &_v272, 0x83,  &_v700, 0x55,  &_v712);
				_t272 = _t270 - 0x2e4 + 0x18;
				if(_t158 == 0) {
					L40:
					__eflags = 0;
					goto L41;
				} else {
					_t10 = _t211 + 2; // 0x2
					_t256 = _t10 << 4;
					_t161 =  &_v272;
					_v716 = _t256;
					_t219 =  *((intOrPtr*)(_t256 + _t250));
					while(1) {
						_v704 = _v704 & 0x00000000;
						_t258 = _v716;
						if( *_t161 !=  *_t219) {
							break;
						}
						if( *_t161 == 0) {
							L7:
							_t162 = _v704;
						} else {
							_t264 =  *((intOrPtr*)(_t161 + 2));
							_v706 = _t264;
							_t258 = _v716;
							if(_t264 !=  *((intOrPtr*)(_t219 + 2))) {
								break;
							} else {
								_t161 = _t161 + 4;
								_t219 = _t219 + 4;
								if(_v706 != 0) {
									continue;
								} else {
									goto L7;
								}
							}
						}
						L9:
						if(_t162 != 0) {
							_t220 =  &_v272;
							_t247 = _t220 + 2;
							do {
								_t163 =  *_t220;
								_t220 = _t220 + 2;
								__eflags = _t163 - _v704;
							} while (_t163 != _v704);
							_v720 = (_t220 - _t247 >> 1) + 1;
							_t166 = E01190910(_t220 - _t247 >> 1, 4 + ((_t220 - _t247 >> 1) + 1) * 2);
							_v732 = _t166;
							__eflags = _t166;
							if(_t166 == 0) {
								goto L40;
							} else {
								_v728 =  *((intOrPtr*)(_t258 + _t250));
								_v740 =  *(_t250 + 0xa0 + _t211 * 4);
								_v744 =  *(_t250 + 8);
								_t227 =  &_v272;
								_v708 = _t166 + 4;
								_t168 = E0118CEAC(_t166 + 4, _v720, _t227);
								_t274 = _t272 + 0xc;
								__eflags = _t168;
								if(_t168 != 0) {
									_t169 = _v704;
									_push(_t169);
									_push(_t169);
									_push(_t169);
									_push(_t169);
									_push(_t169);
									E011828E3();
									asm("int3");
									_push(_t266);
									_push(_t227);
									_v784 = _v784 & 0x00000000;
									_t172 = E011901B3(_v772, 0x20001004,  &_v784, 2);
									__eflags = _t172;
									if(_t172 == 0) {
										L50:
										_t173 = 0xfde9;
									} else {
										_t173 = _v12;
										__eflags = _t173;
										if(_t173 == 0) {
											goto L50;
										}
									}
									return _t173;
								} else {
									__eflags = _v272 - 0x43;
									 *((intOrPtr*)(_t258 + _t250)) = _v708;
									if(_v272 != 0x43) {
										L18:
										_t176 = E0118E320(_t211, _t250,  &_v700);
										_t229 = _v704;
									} else {
										__eflags = _v270;
										if(_v270 != 0) {
											goto L18;
										} else {
											_t229 = _v704;
											_t176 = _t229;
										}
									}
									 *(_t250 + 0xa0 + _t211 * 4) = _t176;
									__eflags = _t211 - 2;
									if(_t211 != 2) {
										__eflags = _t211 - 1;
										if(_t211 != 1) {
											__eflags = _t211 - 5;
											if(_t211 == 5) {
												 *((intOrPtr*)(_t250 + 0x14)) = _v712;
											}
										} else {
											 *((intOrPtr*)(_t250 + 0x10)) = _v712;
										}
									} else {
										_t262 = _v724;
										_t248 = _t229;
										_t239 = _t262;
										 *(_t250 + 8) = _v712;
										_v708 = _t262;
										_v720 = _t262[8];
										_v712 = _t262[9];
										while(1) {
											__eflags =  *(_t250 + 8) -  *_t239;
											if( *(_t250 + 8) ==  *_t239) {
												break;
											}
											_t263 = _v708;
											_t248 = _t248 + 1;
											_t208 =  *_t239;
											 *_t263 = _v720;
											_v712 = _t239[1];
											_t239 = _t263 + 8;
											 *((intOrPtr*)(_t263 + 4)) = _v712;
											_t211 = _v736;
											_t262 = _v724;
											_v720 = _t208;
											_v708 = _t239;
											__eflags = _t248 - 5;
											if(_t248 < 5) {
												continue;
											} else {
											}
											L26:
											__eflags = _t248 - 5;
											if(__eflags == 0) {
												_t199 = E0119870E(_t211, _t248, _t250, _t262, __eflags, _v704, 1, 0x11b6ea0, 0x7f,  &_v528,  *(_t250 + 8), 1);
												_t274 = _t274 + 0x1c;
												__eflags = _t199;
												if(_t199 == 0) {
													_t240 = _v704;
												} else {
													_t201 = _v704;
													do {
														 *(_t266 + _t201 * 2 - 0x20c) =  *(_t266 + _t201 * 2 - 0x20c) & 0x000001ff;
														_t201 = _t201 + 1;
														__eflags = _t201 - 0x7f;
													} while (_t201 < 0x7f);
													_t203 = E0117B9BD( &_v528,  *0x11d82a0, 0xfe);
													_t274 = _t274 + 0xc;
													__eflags = _t203;
													_t240 = 0 | _t203 == 0x00000000;
												}
												_t262[1] = _t240;
												 *_t262 =  *(_t250 + 8);
											}
											 *(_t250 + 0x18) = _t262[1];
											goto L38;
										}
										__eflags = _t248;
										if(_t248 != 0) {
											 *_t262 =  *(_t262 + _t248 * 8);
											_t262[1] =  *(_t262 + 4 + _t248 * 8);
											 *(_t262 + _t248 * 8) = _v720;
											 *(_t262 + 4 + _t248 * 8) = _v712;
										}
										goto L26;
									}
									L38:
									_t177 = _t211 * 0xc;
									_t106 = _t177 + 0x11b6f28; // 0x11113b0
									 *0x11af384(_t250);
									_t179 =  *((intOrPtr*)( *_t106))();
									_t232 = _v728;
									__eflags = _t179;
									if(_t179 == 0) {
										__eflags = _t232 - 0x11d83b0;
										if(_t232 != 0x11d83b0) {
											_t261 = _t211 + _t211;
											__eflags = _t261;
											asm("lock xadd [eax], ecx");
											if(_t261 != 0) {
												goto L45;
											} else {
												E0118FAFF( *((intOrPtr*)(_t250 + 0x28 + _t261 * 8)));
												E0118FAFF( *((intOrPtr*)(_t250 + 0x24 + _t261 * 8)));
												E0118FAFF( *(_t250 + 0xa0 + _t211 * 4));
												_t235 = _v704;
												 *(_v716 + _t250) = _t235;
												 *(_t250 + 0xa0 + _t211 * 4) = _t235;
											}
										}
										_t233 = _v732;
										 *_t233 = 1;
										 *((intOrPtr*)(_t250 + 0x28 + (_t211 + _t211) * 8)) = _t233;
									} else {
										 *((intOrPtr*)(_v716 + _t250)) = _t232;
										E0118FAFF( *(_t250 + 0xa0 + _t211 * 4));
										 *(_t250 + 0xa0 + _t211 * 4) = _v740;
										E0118FAFF(_v732);
										 *(_t250 + 8) = _v744;
										goto L40;
									}
									goto L41;
								}
							}
						} else {
							L41:
							return E0115E184(_v8 ^ _t266);
						}
						goto L52;
					}
					asm("sbb eax, eax");
					_t162 = _t161 | 0x00000001;
					__eflags = _t162;
					goto L9;
				}
				L52:
			}

0x0118ef1b
0x0118ef23
0x0118ef2a
0x0118ef2d
0x0118ef2e
0x0118ef31
0x0118ef35
0x0118ef36
0x0118ef39
0x0118ef49
0x0118ef6c
0x0118ef71
0x0118ef76
0x0118f24e
0x0118f24e
0x00000000
0x0118ef7c
0x0118ef7c
0x0118ef7f
0x0118ef82
0x0118ef88
0x0118ef91
0x0118ef93
0x0118ef96
0x0118efa0
0x0118efa6
0x00000000
0x00000000
0x0118efac
0x0118efd5
0x0118efd5
0x0118efae
0x0118efae
0x0118efb6
0x0118efbd
0x0118efc3
0x00000000
0x0118efc5
0x0118efc5
0x0118efc8
0x0118efd3
0x00000000
0x00000000
0x00000000
0x00000000
0x0118efd3
0x0118efc3
0x0118efe2
0x0118efe4
0x0118efed
0x0118eff3
0x0118eff6
0x0118eff6
0x0118eff9
0x0118effc
0x0118effc
0x0118f00c
0x0118f01a
0x0118f01f
0x0118f026
0x0118f028
0x00000000
0x0118f02e
0x0118f034
0x0118f041
0x0118f04a
0x0118f050
0x0118f05d
0x0118f064
0x0118f069
0x0118f06c
0x0118f06e
0x0118f2ce
0x0118f2d4
0x0118f2d5
0x0118f2d6
0x0118f2d7
0x0118f2d8
0x0118f2d9
0x0118f2de
0x0118f2e1
0x0118f2e4
0x0118f2e5
0x0118f2f7
0x0118f2fc
0x0118f2fe
0x0118f307
0x0118f307
0x0118f300
0x0118f300
0x0118f303
0x0118f305
0x00000000
0x00000000
0x0118f305
0x0118f30d
0x0118f074
0x0118f074
0x0118f082
0x0118f085
0x0118f09b
0x0118f0a2
0x0118f0a8
0x0118f087
0x0118f087
0x0118f08f
0x00000000
0x0118f091
0x0118f091
0x0118f097
0x0118f097
0x0118f08f
0x0118f0ae
0x0118f0b5
0x0118f0b8
0x0118f1d8
0x0118f1db
0x0118f1e8
0x0118f1eb
0x0118f1f3
0x0118f1f3
0x0118f1dd
0x0118f1e3
0x0118f1e3
0x0118f0be
0x0118f0be
0x0118f0c4
0x0118f0cc
0x0118f0ce
0x0118f0d1
0x0118f0da
0x0118f0e3
0x0118f0e9
0x0118f0ec
0x0118f0ee
0x00000000
0x00000000
0x0118f0f0
0x0118f0f6
0x0118f0f7
0x0118f102
0x0118f10a
0x0118f112
0x0118f115
0x0118f118
0x0118f11e
0x0118f124
0x0118f12a
0x0118f130
0x0118f133
0x00000000
0x00000000
0x0118f135
0x0118f15a
0x0118f15a
0x0118f15d
0x0118f17a
0x0118f17f
0x0118f182
0x0118f184
0x0118f1c2
0x0118f186
0x0118f186
0x0118f18c
0x0118f191
0x0118f199
0x0118f19a
0x0118f19a
0x0118f1b1
0x0118f1b8
0x0118f1bb
0x0118f1bd
0x0118f1bd
0x0118f1c8
0x0118f1ce
0x0118f1ce
0x0118f1d3
0x00000000
0x0118f1d3
0x0118f137
0x0118f139
0x0118f13e
0x0118f144
0x0118f14d
0x0118f156
0x0118f156
0x00000000
0x0118f139
0x0118f1f6
0x0118f1f6
0x0118f1fa
0x0118f202
0x0118f208
0x0118f20b
0x0118f211
0x0118f213
0x0118f25f
0x0118f265
0x0118f26c
0x0118f26c
0x0118f272
0x0118f276
0x00000000
0x0118f278
0x0118f27c
0x0118f285
0x0118f291
0x0118f29f
0x0118f2a5
0x0118f2a8
0x0118f2a8
0x0118f276
0x0118f2b7
0x0118f2bf
0x0118f2c8
0x0118f215
0x0118f21b
0x0118f225
0x0118f237
0x0118f23e
0x0118f24b
0x00000000
0x0118f24b
0x00000000
0x0118f213
0x0118f06e
0x0118efe6
0x0118f250
0x0118f25e
0x0118f25e
0x00000000
0x0118efe4
0x0118efdd
0x0118efdf
0x0118efdf
0x00000000
0x0118efdf
0x00000000

APIs

Part of subcall function 01190FC4: GetLastError.KERNEL32(?,?,?,0117EFA3,?,?,?,?,0117F06E,00000000), ref: 01190FC9
Part of subcall function 01190FC4: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,?,0117F06E,00000000), ref: 01191067

_free.LIBCMT ref: 0118F225
_free.LIBCMT ref: 0118F23E
_free.LIBCMT ref: 0118F27C
_free.LIBCMT ref: 0118F285
_free.LIBCMT ref: 0118F291

Strings

C, xrefs: 0118F074

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: 7017156921a2026c582be516e6dfe474f007fc1e6ad1041f7e979c0cc4abc076
Instruction ID: 2bb7a6a0653167ac0d22b0ad117de9fce1bba20f23960b546b7af46babb30c2c
Opcode Fuzzy Hash: 7017156921a2026c582be516e6dfe474f007fc1e6ad1041f7e979c0cc4abc076
Instruction Fuzzy Hash: 85B14E75A0121A9FDB28EF18C884BADB7B5FF19314F5085EAE909A7350D771AE81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0111C6F3, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0111C6F3(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, signed int _a8, signed int _a12, intOrPtr _a16) {
				signed int _v4;
				void* _v20;
				char _v24;
				void* _t22;
				intOrPtr* _t23;
				signed int _t30;
				signed int _t31;
				signed int _t37;
				void* _t47;
				void* _t49;

				_t47 = __edx;
				_push(0xc);
				E0115ECB1(0x11a5f12, __ebx, __edi);
				_t37 = _a8;
				E011469AA( &_v24, 0);
				_v4 = _v4 & 0x00000000;
				_t49 =  *0x11fa5e8; // 0xef7630
				_v20 = _t49;
				_t22 = E01115C4B(0x11f92a8, __esi);
				_t41 = _t37;
				_t23 = E01115CFE(_t37, _t22);
				_t51 = _t23;
				if(_t23 != 0) {
					L5:
					E01146A02( &_v24);
					return E0115EC5B(_t51, _t37, _t49);
				} else {
					if(_t49 == 0) {
						_push(_t37);
						_push( &_v20);
						__eflags = E01115D7F(_t37, _t41, _t47, _t49, _t51, __eflags) - 0xffffffff;
						if(__eflags == 0) {
							E01115AD2();
							asm("int3");
							__eflags = _a8 - 0x3000;
							if(_a8 != 0x3000) {
								__eflags = _a12;
								_t30 = _a8;
								if(__eflags < 0) {
									L11:
									_t31 = _t30 | _a12;
									__eflags = _t31;
									if(_t31 != 0) {
										_push(6);
										goto L14;
									} else {
										__eflags = _a16 - _t31;
										_t18 = _a16 == _t31;
										__eflags = _t18;
										return _t31 & 0xffffff00 | _t18;
									}
								} else {
									if(__eflags > 0) {
										goto L15;
									} else {
										__eflags = _t30;
										if(_t30 != 0) {
											goto L15;
										} else {
											goto L11;
										}
									}
								}
							} else {
								_push(0xd);
								L14:
								_pop(_t30);
								L15:
								return _t30;
							}
						} else {
							_t51 = _v20;
							_v20 = _t51;
							_v4 = 1;
							E01146BDD(__eflags, _t51);
							 *((intOrPtr*)( *_t51 + 4))();
							 *0x11fa5e8 = _t51;
							goto L5;
						}
					} else {
						_t51 = _t49;
						goto L5;
					}
				}
			}

0x0111c6f3
0x0111c6f3
0x0111c6fa
0x0111c6ff
0x0111c707
0x0111c70c
0x0111c715
0x0111c71b
0x0111c71e
0x0111c724
0x0111c726
0x0111c72b
0x0111c72f
0x0111c768
0x0111c76b
0x0111c777
0x0111c731
0x0111c733
0x0111c73c
0x0111c73d
0x0111c745
0x0111c748
0x0111c778
0x0111c77d
0x0111c781
0x0111c788
0x0111c78e
0x0111c792
0x0111c795
0x0111c79d
0x0111c79d
0x0111c79d
0x0111c7a0
0x0111c7aa
0x00000000
0x0111c7a2
0x0111c7a2
0x0111c7a5
0x0111c7a5
0x0111c7a9
0x0111c7a9
0x0111c797
0x0111c797
0x00000000
0x0111c799
0x0111c799
0x0111c79b
0x00000000
0x00000000
0x00000000
0x00000000
0x0111c79b
0x0111c797
0x0111c78a
0x0111c78a
0x0111c7ac
0x0111c7ac
0x0111c7ad
0x0111c7ae
0x0111c7ae
0x0111c74a
0x0111c74a
0x0111c74d
0x0111c751
0x0111c755
0x0111c75f
0x0111c762
0x00000000
0x0111c762
0x0111c735
0x0111c735
0x00000000
0x0111c735
0x0111c733

APIs

__EH_prolog3_GS.LIBCMT ref: 0111C6FA
std::_Lockit::_Lockit.LIBCPMT ref: 0111C707

Part of subcall function 01115C4B: std::_Lockit::_Lockit.LIBCPMT ref: 01115C67
Part of subcall function 01115C4B: std::_Lockit::~_Lockit.LIBCPMT ref: 01115C83

std::_Facet_Register.LIBCPMT ref: 0111C755
std::_Lockit::~_Lockit.LIBCPMT ref: 0111C76B
Concurrency::cancel_current_task.LIBCPMT ref: 0111C778

Strings

0v, xrefs: 0111C715, 0111C762

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3_Register
String ID: 0v
API String ID: 3498242614-1566857728
Opcode ID: e25de9a5cafc219c6663ef27364bbf5261471123ef5815c1b582b1cfbf144e07
Instruction ID: 4f9be2f02b30dd2f5f88b1558c9230508ad4065e315ad2af7a1301bd32a7509c
Opcode Fuzzy Hash: e25de9a5cafc219c6663ef27364bbf5261471123ef5815c1b582b1cfbf144e07
Instruction Fuzzy Hash: 12112C31940B1ADBDF1CEF98D5447ADBBA9AF5072CF104129E9186B284D7B4DA40C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 0119BBFA, Relevance: 10.6, APIs: 7, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0119BBFA(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E0119B946(_t45, 7);
					E0119B946(_t45 + 0x1c, 7);
					E0119B946(_t45 + 0x38, 0xc);
					E0119B946(_t45 + 0x68, 0xc);
					E0119B946(_t45 + 0x98, 2);
					E0118FAFF( *((intOrPtr*)(_t45 + 0xa0)));
					E0118FAFF( *((intOrPtr*)(_t45 + 0xa4)));
					E0118FAFF( *((intOrPtr*)(_t45 + 0xa8)));
					E0119B946(_t45 + 0xb4, 7);
					E0119B946(_t45 + 0xd0, 7);
					E0119B946(_t45 + 0xec, 0xc);
					E0119B946(_t45 + 0x11c, 0xc);
					E0119B946(_t45 + 0x14c, 2);
					E0118FAFF( *((intOrPtr*)(_t45 + 0x154)));
					E0118FAFF( *((intOrPtr*)(_t45 + 0x158)));
					E0118FAFF( *((intOrPtr*)(_t45 + 0x15c)));
					return E0118FAFF( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x0119bc00
0x0119bc05
0x0119bc0e
0x0119bc19
0x0119bc24
0x0119bc2f
0x0119bc3d
0x0119bc48
0x0119bc53
0x0119bc5e
0x0119bc6c
0x0119bc7a
0x0119bc8b
0x0119bc99
0x0119bca7
0x0119bcb2
0x0119bcbd
0x0119bcc8
0x00000000
0x0119bcd8
0x0119bcdd

APIs

Part of subcall function 0119B946: _free.LIBCMT ref: 0119B96B

_free.LIBCMT ref: 0119BC48

Part of subcall function 0118FAFF: HeapFree.KERNEL32(00000000,00000000,?,0119B970,?,00000000,?,?,?,0119BC13,?,00000007,?,?,0119BFC6,?), ref: 0118FB15
Part of subcall function 0118FAFF: GetLastError.KERNEL32(?,?,0119B970,?,00000000,?,?,?,0119BC13,?,00000007,?,?,0119BFC6,?,?), ref: 0118FB27

_free.LIBCMT ref: 0119BC53
_free.LIBCMT ref: 0119BC5E
_free.LIBCMT ref: 0119BCB2
_free.LIBCMT ref: 0119BCBD
_free.LIBCMT ref: 0119BCC8
_free.LIBCMT ref: 0119BCD3

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d35157c85b61c26ae465c9cb3b5224b8f07a226bbf11e84281af154af61c295a
Instruction ID: 5f1f0467ff5095b5047184780d635e9ba4ac96bf4d57155a39867e516ae5d2d5
Opcode Fuzzy Hash: d35157c85b61c26ae465c9cb3b5224b8f07a226bbf11e84281af154af61c295a
Instruction Fuzzy Hash: D011D3F1904B17BADB34FBB0DC85FCBB79E9F10B24F404914A2A96A194EB78B8014B45

Uniqueness

Uniqueness Score: -1.00%

Function 011929FE, Relevance: 9.3, APIs: 6, Instructions: 318
fileCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E011929FE(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4, signed int _a8, long _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				long _v40;
				long _v44;
				char _v47;
				void _v48;
				intOrPtr _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				signed int _v92;
				long _v96;
				long _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				long _v112;
				void* _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				signed int _t172;
				signed int _t174;
				int _t178;
				intOrPtr _t183;
				intOrPtr _t186;
				void* _t188;
				void* _t190;
				long _t193;
				void _t198;
				long _t202;
				void* _t206;
				intOrPtr _t212;
				signed char* _t213;
				char _t216;
				signed int _t219;
				char* _t220;
				void* _t222;
				long _t228;
				intOrPtr _t229;
				char _t231;
				long _t235;
				struct _OVERLAPPED* _t243;
				signed int _t247;
				intOrPtr _t250;
				signed int _t253;
				signed int _t254;
				signed int _t256;
				struct _OVERLAPPED* _t257;
				intOrPtr _t259;
				void* _t263;
				long _t264;
				signed char _t265;
				signed int _t266;
				void* _t267;
				void* _t269;
				struct _OVERLAPPED* _t270;
				long _t271;
				signed int _t272;
				long _t276;
				signed int _t280;
				long _t281;
				struct _OVERLAPPED* _t282;
				signed int _t284;
				intOrPtr _t286;
				signed int _t289;
				signed int _t292;
				long _t293;
				long _t294;
				signed int _t295;
				intOrPtr _t296;
				signed int _t298;
				signed int _t300;
				void* _t301;
				void* _t303;

				_t298 = _t300;
				_t301 = _t300 - 0x8c;
				_t172 =  *0x11d8098; // 0xa9f5dfda
				_v8 = _t172 ^ _t298;
				_t174 = _a8;
				_t264 = _a12;
				_t284 = (_t174 & 0x0000003f) * 0x38;
				_t247 = _t174 >> 6;
				_v112 = _t264;
				_v84 = _t247;
				_v80 = _t284;
				_t286 = _a16 + _t264;
				_v116 =  *((intOrPtr*)(_t284 +  *((intOrPtr*)(0x11fa288 + _t247 * 4)) + 0x18));
				_v104 = _t286;
				_t178 = GetConsoleCP();
				_t243 = 0;
				_v124 = _t178;
				E0117EF63( &_v72, _t264, 0);
				asm("stosd");
				_t250 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t250;
				asm("stosd");
				asm("stosd");
				_t276 = _v112;
				_v40 = _t276;
				if(_t276 >= _t286) {
					L53:
					__eflags = _v60 - _t243;
				} else {
					_t289 = _v92;
					while(1) {
						_v47 =  *_t276;
						_v76 = _t243;
						_v44 = 1;
						_t186 =  *((intOrPtr*)(0x11fa288 + _v84 * 4));
						_v52 = _t186;
						if(_t250 != 0xfde9) {
							goto L24;
						}
						_t266 = _v80;
						_t212 = _t186 + 0x2e + _t266;
						_t257 = _t243;
						_v108 = _t212;
						while( *((intOrPtr*)(_t212 + _t257)) != _t243) {
							_t257 =  &(_t257->Internal);
							if(_t257 < 5) {
								continue;
							}
							break;
						}
						_t213 = _v40;
						_t280 = _v104 - _t213;
						_v44 = _t257;
						if(_t257 <= 0) {
							_t259 =  *((char*)(( *_t213 & 0x000000ff) + 0x11d8460)) + 1;
							_v52 = _t259;
							__eflags = _t259 - _t280;
							if(_t259 > _t280) {
								__eflags = _t280;
								if(_t280 <= 0) {
									goto L45;
								} else {
									_t293 = _v40;
									do {
										_t267 = _t266 + _t243;
										_t216 =  *((intOrPtr*)(_t243 + _t293));
										_t243 =  &(_t243->Internal);
										 *((char*)(_t267 +  *((intOrPtr*)(0x11fa288 + _v84 * 4)) + 0x2e)) = _t216;
										_t266 = _v80;
										__eflags = _t243 - _t280;
									} while (_t243 < _t280);
									goto L44;
								}
							} else {
								_t281 = _v40;
								__eflags = _t259 - 4;
								_v144 = _t243;
								_t261 =  &_v144;
								_v140 = _t243;
								_v56 = _t281;
								_t219 = (0 | _t259 == 0x00000004) + 1;
								__eflags = _t219;
								_push( &_v144);
								_v44 = _t219;
								_push(_t219);
								_t220 =  &_v56;
								goto L22;
							}
						} else {
							_t228 =  *((char*)(( *(_t266 + _v52 + 0x2e) & 0x000000ff) + 0x11d8460)) + 1;
							_v56 = _t228;
							_t229 = _t228 - _t257;
							_v52 = _t229;
							if(_t229 > _t280) {
								__eflags = _t280;
								if(_t280 > 0) {
									_t294 = _v40;
									do {
										_t269 = _t266 + _t243 + _t257;
										_t231 =  *((intOrPtr*)(_t243 + _t294));
										_t243 =  &(_t243->Internal);
										 *((char*)(_t269 +  *((intOrPtr*)(0x11fa288 + _v84 * 4)) + 0x2e)) = _t231;
										_t257 = _v44;
										_t266 = _v80;
										__eflags = _t243 - _t280;
									} while (_t243 < _t280);
									L44:
									_t289 = _v92;
								}
								L45:
								_t292 = _t289 + _t280;
								__eflags = _t292;
								L46:
								__eflags = _v60;
								_v92 = _t292;
							} else {
								_t270 = _t243;
								if(_t257 > 0) {
									_t296 = _v108;
									do {
										 *((char*)(_t298 + _t270 - 0xc)) =  *((intOrPtr*)(_t296 + _t270));
										_t270 =  &(_t270->Internal);
									} while (_t270 < _t257);
									_t229 = _v52;
								}
								_t281 = _v40;
								if(_t229 > 0) {
									E0117ACA0( &_v16 + _t257, _t281, _v52);
									_t257 = _v44;
									_t301 = _t301 + 0xc;
								}
								if(_t257 > 0) {
									_t271 = _v44;
									_t282 = _t243;
									_t295 = _v80;
									do {
										_t263 = _t295 + _t282;
										_t282 =  &(_t282->Internal);
										 *(_t263 +  *((intOrPtr*)(0x11fa288 + _v84 * 4)) + 0x2e) = _t243;
									} while (_t282 < _t271);
									_t281 = _v40;
								}
								_v136 = _t243;
								_v120 =  &_v16;
								_t261 =  &_v136;
								_v132 = _t243;
								_push( &_v136);
								_t235 = (0 | _v56 == 0x00000004) + 1;
								_v44 = _t235;
								_push(_t235);
								_t220 =  &_v120;
								L22:
								_push(_t220);
								_push( &_v76);
								_t222 = E0119DFB9(_t261);
								_t303 = _t301 + 0x10;
								if(_t222 == 0xffffffff) {
									goto L53;
								} else {
									_t276 = _t281 + _v52 - 1;
									L32:
									_t276 = _t276 + 1;
									_v40 = _t276;
									_t193 = E01196F79(_v124, _t243,  &_v76, _v44,  &_v32, 5, _t243, _t243);
									_t301 = _t303 + 0x20;
									_v56 = _t193;
									if(_t193 == 0) {
										goto L53;
									} else {
										if(WriteFile(_v116,  &_v32, _t193,  &_v100, _t243) == 0) {
											L52:
											_v96 = GetLastError();
											goto L53;
										} else {
											_t289 = _v88 - _v112 + _t276;
											_v92 = _t289;
											if(_v100 < _v56) {
												goto L53;
											} else {
												if(_v47 != 0xa) {
													L39:
													if(_t276 >= _v104) {
														goto L53;
													} else {
														_t250 = _v128;
														continue;
													}
												} else {
													_t198 = 0xd;
													_v48 = _t198;
													if(WriteFile(_v116,  &_v48, 1,  &_v100, _t243) == 0) {
														goto L52;
													} else {
														if(_v100 < 1) {
															goto L53;
														} else {
															_v88 = _v88 + 1;
															_t289 = _t289 + 1;
															_v92 = _t289;
															goto L39;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L54;
						L24:
						_t253 = _v80;
						_t265 =  *((intOrPtr*)(_t253 + _t186 + 0x2d));
						__eflags = _t265 & 0x00000004;
						if((_t265 & 0x00000004) == 0) {
							_v33 =  *_t276;
							_t188 = E01186655(_t265);
							_t254 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t188 + _t254 * 2)) - _t243;
							if( *((intOrPtr*)(_t188 + _t254 * 2)) >= _t243) {
								_push(1);
								_push(_t276);
								goto L31;
							} else {
								_t202 = _t276 + 1;
								_v56 = _t202;
								__eflags = _t202 - _v104;
								if(_t202 >= _v104) {
									_t272 = _v84;
									_t256 = _v80;
									 *((char*)(_t256 +  *((intOrPtr*)(0x11fa288 + _t272 * 4)) + 0x2e)) = _v33;
									 *(_t256 +  *((intOrPtr*)(0x11fa288 + _t272 * 4)) + 0x2d) =  *(_t256 +  *((intOrPtr*)(0x11fa288 + _t272 * 4)) + 0x2d) | 0x00000004;
									_t292 = _t289 + 1;
									goto L46;
								} else {
									_t206 = E01190AF4( &_v76, _t276, 2);
									_t303 = _t301 + 0xc;
									__eflags = _t206 - 0xffffffff;
									if(_t206 == 0xffffffff) {
										goto L53;
									} else {
										_t276 = _v56;
										goto L32;
									}
								}
							}
						} else {
							_v24 =  *((intOrPtr*)(_t253 + _t186 + 0x2e));
							_v23 =  *_t276;
							_push(2);
							 *(_t253 + _v52 + 0x2d) = _t265 & 0x000000fb;
							_push( &_v24);
							L31:
							_push( &_v76);
							_t190 = E01190AF4();
							_t303 = _t301 + 0xc;
							__eflags = _t190 - 0xffffffff;
							if(_t190 == 0xffffffff) {
								goto L53;
							} else {
								goto L32;
							}
						}
						goto L54;
					}
				}
				L54:
				if(__eflags != 0) {
					_t183 = _v72;
					_t167 = _t183 + 0x350;
					 *_t167 =  *(_t183 + 0x350) & 0xfffffffd;
					__eflags =  *_t167;
				}
				__eflags = _v8 ^ _t298;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				return E0115E184(_v8 ^ _t298);
			}

0x01192a01
0x01192a03
0x01192a09
0x01192a10
0x01192a13
0x01192a18
0x01192a20
0x01192a23
0x01192a27
0x01192a2a
0x01192a34
0x01192a3e
0x01192a40
0x01192a43
0x01192a46
0x01192a4c
0x01192a4e
0x01192a55
0x01192a62
0x01192a63
0x01192a66
0x01192a69
0x01192a6a
0x01192a6b
0x01192a6e
0x01192a73
0x01192d7f
0x01192d7f
0x01192a79
0x01192a79
0x01192a7c
0x01192a7e
0x01192a84
0x01192a87
0x01192a8e
0x01192a95
0x01192a9e
0x00000000
0x00000000
0x01192aa4
0x01192aaa
0x01192aac
0x01192aae
0x01192ab1
0x01192ab6
0x01192aba
0x00000000
0x00000000
0x00000000
0x01192aba
0x01192abf
0x01192ac2
0x01192ac4
0x01192ac9
0x01192b7b
0x01192b7c
0x01192b7f
0x01192b81
0x01192d2f
0x01192d31
0x00000000
0x01192d33
0x01192d33
0x01192d36
0x01192d39
0x01192d42
0x01192d45
0x01192d46
0x01192d4a
0x01192d4d
0x01192d4d
0x00000000
0x01192d51
0x01192b87
0x01192b87
0x01192b8c
0x01192b8f
0x01192b95
0x01192b9b
0x01192ba4
0x01192ba7
0x01192ba7
0x01192ba8
0x01192ba9
0x01192bac
0x01192bad
0x00000000
0x01192bad
0x01192acf
0x01192ade
0x01192adf
0x01192ae2
0x01192ae4
0x01192ae9
0x01192cfa
0x01192cfc
0x01192cfe
0x01192d01
0x01192d06
0x01192d0f
0x01192d12
0x01192d13
0x01192d17
0x01192d1a
0x01192d1d
0x01192d1d
0x01192d21
0x01192d21
0x01192d21
0x01192d24
0x01192d24
0x01192d24
0x01192d26
0x01192d26
0x01192d2a
0x01192aef
0x01192aef
0x01192af3
0x01192af5
0x01192af8
0x01192afb
0x01192aff
0x01192b00
0x01192b04
0x01192b04
0x01192b07
0x01192b0c
0x01192b18
0x01192b1d
0x01192b20
0x01192b20
0x01192b25
0x01192b27
0x01192b2a
0x01192b2c
0x01192b2f
0x01192b32
0x01192b35
0x01192b3d
0x01192b41
0x01192b45
0x01192b45
0x01192b4b
0x01192b51
0x01192b54
0x01192b5c
0x01192b63
0x01192b67
0x01192b68
0x01192b6b
0x01192b6c
0x01192bb0
0x01192bb0
0x01192bb4
0x01192bb5
0x01192bba
0x01192bc0
0x00000000
0x01192bc6
0x01192bca
0x01192c53
0x01192c5a
0x01192c62
0x01192c6a
0x01192c6f
0x01192c72
0x01192c77
0x00000000
0x01192c7d
0x01192c92
0x01192d76
0x01192d7c
0x00000000
0x01192c98
0x01192ca1
0x01192ca3
0x01192ca9
0x00000000
0x01192caf
0x01192cb3
0x01192ce9
0x01192cec
0x00000000
0x01192cf2
0x01192cf2
0x00000000
0x01192cf2
0x01192cb5
0x01192cb7
0x01192cb9
0x01192cd2
0x00000000
0x01192cd8
0x01192cdc
0x00000000
0x01192ce2
0x01192ce2
0x01192ce5
0x01192ce6
0x00000000
0x01192ce6
0x01192cdc
0x01192cd2
0x01192cb3
0x01192ca9
0x01192c92
0x01192c77
0x01192bc0
0x01192ae9
0x00000000
0x01192bd1
0x01192bd1
0x01192bd4
0x01192bd8
0x01192bdb
0x01192bfd
0x01192c00
0x01192c05
0x01192c09
0x01192c0d
0x01192c3b
0x01192c3d
0x00000000
0x01192c0f
0x01192c0f
0x01192c12
0x01192c15
0x01192c18
0x01192d53
0x01192d56
0x01192d63
0x01192d6e
0x01192d73
0x00000000
0x01192c1e
0x01192c25
0x01192c2a
0x01192c2d
0x01192c30
0x00000000
0x01192c36
0x01192c36
0x00000000
0x01192c36
0x01192c30
0x01192c18
0x01192bdd
0x01192be4
0x01192be9
0x01192bef
0x01192bf1
0x01192bf8
0x01192c3e
0x01192c41
0x01192c42
0x01192c47
0x01192c4a
0x01192c4d
0x00000000
0x00000000
0x00000000
0x00000000
0x01192c4d
0x00000000
0x01192bdb
0x01192a7c
0x01192d82
0x01192d82
0x01192d84
0x01192d87
0x01192d87
0x01192d87
0x01192d87
0x01192d99
0x01192d9b
0x01192d9c
0x01192d9d
0x01192da7

APIs

GetConsoleCP.KERNEL32(00000000,00000000,00000000), ref: 01192A46
__fassign.LIBCMT ref: 01192C25
__fassign.LIBCMT ref: 01192C42
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 01192C8A
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 01192CCA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 01192D76

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: 1bff60419f140249fdbcfea87f2e393e331116ca936032f03ea6c04d62f3cfee
Instruction ID: f80f24f4fa2735ef0e99bb0a6df07a0a2235c9b486579d585bb8288c8ec499bb
Opcode Fuzzy Hash: 1bff60419f140249fdbcfea87f2e393e331116ca936032f03ea6c04d62f3cfee
Instruction Fuzzy Hash: 8DD1BF75D00299AFCF29CFE8D8809EDBBF5BF49314F28016AE925B7245D730A946CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01183614, Relevance: 9.3, APIs: 6, Instructions: 284
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E01183614(void* __ebx, void* __edx, void* __edi, void* _a4, signed int _a8) {
				intOrPtr _v0;
				char _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				char _v24;
				void* __esi;
				void* __ebp;
				signed int _t62;
				void* _t65;
				signed int _t68;
				signed int _t70;
				signed int _t71;
				signed int _t74;
				signed int _t76;
				signed int _t78;
				signed int _t80;
				intOrPtr _t82;
				signed int _t83;
				void* _t84;
				signed int _t86;
				void* _t87;
				signed int _t89;
				signed int _t95;
				signed int _t104;
				signed int _t108;
				signed int* _t111;
				signed int* _t112;
				intOrPtr* _t114;
				signed int _t119;
				signed int _t121;
				signed int _t124;
				signed int _t125;
				signed int _t126;
				void* _t128;
				signed int _t131;
				void* _t133;
				signed int _t134;
				void* _t138;
				void* _t142;
				signed int _t144;
				intOrPtr _t147;
				signed int _t152;
				void _t154;
				void* _t155;
				void* _t157;
				void* _t159;
				void* _t160;
				signed int _t161;
				signed int _t162;
				signed int _t163;
				intOrPtr _t164;

				_t142 = __edx;
				_t160 = _a4;
				_t169 = _t160;
				if(_t160 == 0) {
					_t114 = E01186176(_t169);
					_t164 = 0x16;
					 *_t114 = _t164;
					E011828B6();
					return _t164;
				}
				_push(__edi);
				_t126 = 9;
				memset(_t160, _t62 | 0xffffffff, _t126 << 2);
				_t152 = _a8;
				__eflags = _t152;
				if(__eflags == 0) {
					_t112 = E01186176(__eflags);
					_t163 = 0x16;
					 *_t112 = _t163;
					E011828B6();
					_t80 = _t163;
					L12:
					return _t80;
				}
				_push(__ebx);
				__eflags =  *(_t152 + 4);
				if(__eflags <= 0) {
					if(__eflags < 0) {
						L10:
						_t111 = E01186176(__eflags);
						_t162 = 0x16;
						 *_t111 = _t162;
						_t80 = _t162;
						L11:
						goto L12;
					}
					__eflags =  *_t152;
					if(__eflags < 0) {
						goto L10;
					}
				}
				_t65 = 7;
				__eflags =  *(_t152 + 4) - _t65;
				if(__eflags >= 0) {
					if(__eflags > 0) {
						goto L10;
					}
					__eflags =  *_t152 - 0x93582aff;
					if(__eflags > 0) {
						goto L10;
					}
				}
				E01194DE3(0, 0, _t142, _t152, _t160, __eflags);
				_v12 = 0;
				_v16 = 0;
				_v8 = 0;
				_t68 = E0119436B( &_v12);
				_pop(_t128);
				__eflags = _t68;
				if(_t68 == 0) {
					_t76 = E01194397( &_v16);
					_pop(_t128);
					__eflags = _t76;
					if(_t76 == 0) {
						_t78 = E011943C3( &_v8);
						_pop(_t128);
						__eflags = _t78;
						if(_t78 == 0) {
							_t131 =  *_t152;
							_t119 =  *(_t152 + 4);
							_t144 = _t131 + 0xfffc0b7f;
							asm("adc eax, 0xffffffff");
							__eflags = _t119 - 7;
							if(__eflags > 0) {
								L25:
								_push(_t152);
								_t80 = E0119466A();
								_t133 = _t160;
								__eflags = _t80;
								if(_t80 != 0) {
									goto L11;
								}
								__eflags = _v12;
								asm("cdq");
								_t154 =  *_t160;
								_t121 = _t144;
								if(__eflags == 0) {
									L29:
									_t82 = _v8;
									L30:
									asm("cdq");
									_t155 = _t154 - _t82;
									asm("sbb ebx, edx");
									_t83 = E011A3940(_t155, _t121, 0x3c, 0);
									 *_t160 = _t83;
									__eflags = _t83;
									if(_t83 < 0) {
										_t155 = _t155 + 0xffffffc4;
										 *_t160 = _t83 + 0x3c;
										asm("adc ebx, 0xffffffff");
									}
									_t84 = E011A3080(_t155, _t121, 0x3c, 0);
									_t122 = _t144;
									asm("cdq");
									_t157 = _t84 +  *(_t160 + 4);
									asm("adc ebx, edx");
									_t86 = E011A3940(_t157, _t144, 0x3c, 0);
									 *(_t160 + 4) = _t86;
									__eflags = _t86;
									if(_t86 < 0) {
										_t157 = _t157 + 0xffffffc4;
										 *(_t160 + 4) = _t86 + 0x3c;
										asm("adc ebx, 0xffffffff");
									}
									_t87 = E011A3080(_t157, _t122, 0x3c, 0);
									_t123 = _t144;
									asm("cdq");
									_t159 = _t87 +  *(_t160 + 8);
									asm("adc ebx, edx");
									_t89 = E011A3940(_t159, _t144, 0x18, 0);
									 *(_t160 + 8) = _t89;
									__eflags = _t89;
									if(_t89 < 0) {
										_t159 = _t159 + 0xffffffe8;
										 *(_t160 + 8) = _t89 + 0x18;
										asm("adc ebx, 0xffffffff");
									}
									_t134 = E011A3080(_t159, _t123, 0x18, 0);
									__eflags = _t144;
									if(__eflags < 0) {
										L43:
										 *(_t160 + 0xc) =  *(_t160 + 0xc) + _t134;
										asm("cdq");
										_t124 = 7;
										_t95 =  *(_t160 + 0xc);
										 *(_t160 + 0x18) = ( *(_t160 + 0x18) + 7 + _t134) % _t124;
										_t147 =  *((intOrPtr*)(_t160 + 0x1c)) + _t134;
										__eflags = _t95;
										if(_t95 > 0) {
											 *((intOrPtr*)(_t160 + 0x1c)) = _t147;
										} else {
											 *((intOrPtr*)(_t160 + 0x10)) = 0xb;
											 *((intOrPtr*)(_t160 + 0x14)) =  *((intOrPtr*)(_t160 + 0x14)) - 1;
											 *(_t160 + 0xc) = _t95 + 0x1f;
											 *((intOrPtr*)(_t160 + 0x1c)) = _t147 + 0x16d;
										}
										goto L46;
									} else {
										if(__eflags > 0) {
											L39:
											 *(_t160 + 0xc) =  *(_t160 + 0xc) + _t134;
											asm("cdq");
											_t125 = 7;
											 *((intOrPtr*)(_t160 + 0x1c)) =  *((intOrPtr*)(_t160 + 0x1c)) + _t134;
											 *(_t160 + 0x18) = ( *(_t160 + 0x18) + _t134) % _t125;
											L46:
											_t80 = 0;
											goto L11;
										}
										__eflags = _t134;
										if(_t134 == 0) {
											__eflags = _t144;
											if(__eflags > 0) {
												goto L46;
											}
											if(__eflags < 0) {
												goto L43;
											}
											__eflags = _t134;
											if(_t134 >= 0) {
												goto L46;
											}
											goto L43;
										}
										goto L39;
									}
								}
								_push(_t160);
								_t104 = E01194E40(_t121, _t133, _t144, _t154, _t160, __eflags);
								__eflags = _t104;
								if(_t104 == 0) {
									goto L29;
								}
								_t82 = _v8 + _v16;
								 *((intOrPtr*)(_t160 + 0x20)) = 1;
								goto L30;
							}
							if(__eflags < 0) {
								L20:
								asm("cdq");
								_push( &_v24);
								asm("sbb ebx, edx");
								_v24 = _t131 - _v8;
								_v20 = _t119;
								_t80 = E0119466A();
								_t138 = _t160;
								__eflags = _t80;
								if(_t80 != 0) {
									goto L11;
								}
								__eflags = _v12 - _t80;
								if(__eflags == 0) {
									goto L46;
								}
								_push(_t160);
								_t108 = E01194E40(_t119, _t138, _t144, _t152, _t160, __eflags);
								__eflags = _t108;
								if(_t108 == 0) {
									goto L46;
								}
								asm("cdq");
								_v24 = _v24 - _v16;
								_push( &_v24);
								asm("sbb [ebp-0x10], edx");
								_push(_t160);
								_t80 = E0119466A();
								__eflags = _t80;
								if(_t80 != 0) {
									goto L11;
								}
								 *((intOrPtr*)(_t160 + 0x20)) = 1;
								goto L46;
							}
							__eflags = _t144 - 0x935041fd;
							if(_t144 > 0x935041fd) {
								goto L25;
							}
							goto L20;
						}
					}
				}
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				E011828E3();
				asm("int3");
				_push(_t160);
				_t70 = E0119462C(_t128, __eflags);
				_t161 = _t70;
				__eflags = _t161;
				if(_t161 != 0) {
					_push(_v0);
					_t71 = E01183614(0, _t142, _t152, _t161);
					asm("sbb eax, eax");
					_t74 =  !( ~_t71) & _t161;
					__eflags = _t74;
					return _t74;
				}
				return _t70;
			}

0x01183614
0x0118361d
0x01183620
0x01183622
0x01183624
0x0118362b
0x0118362c
0x0118362e
0x00000000
0x01183633
0x01183637
0x0118363f
0x01183640
0x01183642
0x01183645
0x01183647
0x01183649
0x01183650
0x01183651
0x01183653
0x01183658
0x01183689
0x00000000
0x01183689
0x0118365c
0x0118365f
0x01183662
0x01183664
0x0118367c
0x0118367c
0x01183683
0x01183684
0x01183686
0x01183688
0x00000000
0x01183688
0x01183666
0x01183668
0x00000000
0x00000000
0x01183668
0x0118366c
0x0118366d
0x01183670
0x01183672
0x00000000
0x00000000
0x01183674
0x0118367a
0x00000000
0x00000000
0x0118367a
0x0118368d
0x01183695
0x01183699
0x0118369c
0x0118369f
0x011836a4
0x011836a5
0x011836a7
0x011836b1
0x011836b6
0x011836b7
0x011836b9
0x011836c3
0x011836c8
0x011836c9
0x011836cb
0x011836d1
0x011836d5
0x011836d8
0x011836e0
0x011836e3
0x011836e6
0x01183756
0x01183756
0x01183758
0x0118375e
0x0118375f
0x01183761
0x00000000
0x00000000
0x01183767
0x0118376d
0x0118376e
0x01183770
0x01183772
0x0118378e
0x0118378e
0x01183791
0x01183791
0x01183792
0x01183798
0x0118379c
0x011837a1
0x011837a3
0x011837a5
0x011837aa
0x011837ad
0x011837af
0x011837af
0x011837b8
0x011837bf
0x011837c4
0x011837c5
0x011837cb
0x011837cf
0x011837d4
0x011837d7
0x011837d9
0x011837de
0x011837e1
0x011837e4
0x011837e4
0x011837ed
0x011837f4
0x011837f9
0x011837fa
0x01183800
0x01183804
0x01183809
0x0118380c
0x0118380e
0x01183813
0x01183816
0x01183819
0x01183819
0x01183827
0x01183829
0x0118382b
0x01183853
0x01183859
0x01183860
0x01183861
0x01183864
0x01183867
0x0118386d
0x0118386f
0x01183871
0x0118388e
0x01183873
0x01183876
0x0118387d
0x01183880
0x01183889
0x01183889
0x00000000
0x0118382d
0x0118382d
0x01183833
0x01183838
0x0118383d
0x0118383e
0x01183841
0x01183844
0x01183891
0x01183891
0x00000000
0x01183891
0x0118382f
0x01183831
0x01183849
0x0118384b
0x00000000
0x00000000
0x0118384d
0x00000000
0x00000000
0x0118384f
0x01183851
0x00000000
0x00000000
0x00000000
0x01183851
0x00000000
0x01183831
0x0118382b
0x01183774
0x01183775
0x0118377b
0x0118377d
0x00000000
0x00000000
0x01183782
0x01183785
0x00000000
0x01183785
0x011836e8
0x011836f2
0x011836f5
0x011836fb
0x011836fc
0x011836fe
0x01183702
0x01183705
0x0118370b
0x0118370c
0x0118370e
0x00000000
0x00000000
0x01183714
0x01183717
0x00000000
0x00000000
0x0118371d
0x0118371e
0x01183724
0x01183726
0x00000000
0x00000000
0x0118372f
0x01183730
0x01183736
0x01183737
0x0118373a
0x0118373b
0x01183742
0x01183744
0x00000000
0x00000000
0x0118374a
0x00000000
0x0118374a
0x011836ea
0x011836f0
0x00000000
0x00000000
0x00000000
0x011836f0
0x011836cb
0x011836b9
0x01183898
0x01183899
0x0118389a
0x0118389b
0x0118389c
0x0118389d
0x011838a2
0x011838a8
0x011838a9
0x011838ae
0x011838b0
0x011838b2
0x011838b4
0x011838b8
0x011838c0
0x011838c5
0x011838c5
0x00000000
0x011838c5
0x011838c9

APIs

__allrem.LIBCMT ref: 0118379C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 011837B8
__allrem.LIBCMT ref: 011837CF
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 011837ED
__allrem.LIBCMT ref: 01183804
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01183822

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: a0ab6c895671028870778898a12e176ebd8c461a531c2342e6f10bd360096755
Instruction ID: 11754eb04d5a9d7199c824bce4aac6b9db09303483402138facf0c4eaaed4f2b
Opcode Fuzzy Hash: a0ab6c895671028870778898a12e176ebd8c461a531c2342e6f10bd360096755
Instruction Fuzzy Hash: 7F81F9B1A10702ABE72DBE6DCC40B5AB7E4BF55B28F28C62DE561D6780E774D5008F90

Uniqueness

Uniqueness Score: -1.00%

Function 01115B2D, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E01115B2D(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __eflags, intOrPtr _a8) {
				char _v4;
				intOrPtr _v16;
				char _v24;
				signed int _t44;
				void* _t48;
				intOrPtr _t60;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t83;

				_t60 = __ecx;
				_push(4);
				E0115EC7D(0x11a530a, __ebx, __edi);
				_t77 = _t60;
				_v16 = _t77;
				E011469AA(_t60, 0);
				_v4 = 0;
				 *((intOrPtr*)(_t77 + 4)) = 0;
				 *((char*)(_t77 + 8)) = 0;
				 *((intOrPtr*)(_t77 + 0xc)) = 0;
				 *((char*)(_t77 + 0x10)) = 0;
				 *((intOrPtr*)(_t77 + 0x14)) = 0;
				 *((short*)(_t77 + 0x18)) = 0;
				 *((intOrPtr*)(_t77 + 0x1c)) = 0;
				 *((short*)(_t77 + 0x20)) = 0;
				 *((intOrPtr*)(_t77 + 0x24)) = 0;
				 *((char*)(_t77 + 0x28)) = 0;
				 *((intOrPtr*)(_t77 + 0x2c)) = 0;
				 *((char*)(_t77 + 0x30)) = 0;
				_v4 = 6;
				if(_a8 == 0) {
					E011467CE("bad locale name");
					asm("int3");
					_push(0xffffffff);
					_push(0x11a5327);
					_push( *[fs:0x0]);
					_push(_t77);
					_push(__edi);
					_t44 =  *0x11d8098; // 0xa9f5dfda
					_push(_t44 ^ _t83);
					 *[fs:0x0] =  &_v24;
					_t78 = _t60;
					E01146D5A(_t60, _t78);
					if( *((intOrPtr*)(_t78 + 0x2c)) != 0) {
						E011838CA( *((intOrPtr*)(_t78 + 0x2c)));
					}
					 *((intOrPtr*)(_t78 + 0x2c)) = 0;
					if( *((intOrPtr*)(_t78 + 0x24)) != 0) {
						E011838CA( *((intOrPtr*)(_t78 + 0x24)));
					}
					 *((intOrPtr*)(_t78 + 0x24)) = 0;
					if( *((intOrPtr*)(_t78 + 0x1c)) != 0) {
						E011838CA( *((intOrPtr*)(_t78 + 0x1c)));
					}
					 *((intOrPtr*)(_t78 + 0x1c)) = 0;
					if( *((intOrPtr*)(_t78 + 0x14)) != 0) {
						E011838CA( *((intOrPtr*)(_t78 + 0x14)));
					}
					 *((intOrPtr*)(_t78 + 0x14)) = 0;
					if( *((intOrPtr*)(_t78 + 0xc)) != 0) {
						E011838CA( *((intOrPtr*)(_t78 + 0xc)));
					}
					 *((intOrPtr*)(_t78 + 0xc)) = 0;
					if( *((intOrPtr*)(_t78 + 4)) != 0) {
						E011838CA( *((intOrPtr*)(_t78 + 4)));
					}
					 *((intOrPtr*)(_t78 + 4)) = 0;
					_t48 = E01146A02(_t78);
					 *[fs:0x0] = _v16;
					return _t48;
				} else {
					E01146D0F(_t60, _t77, _a8);
					return E0115EC46(_t77);
				}
			}

0x01115b2d
0x01115b2d
0x01115b34
0x01115b39
0x01115b3b
0x01115b41
0x01115b46
0x01115b49
0x01115b4c
0x01115b4f
0x01115b52
0x01115b57
0x01115b5a
0x01115b5e
0x01115b61
0x01115b65
0x01115b68
0x01115b6b
0x01115b6e
0x01115b71
0x01115b78
0x01115b94
0x01115b99
0x01115b9d
0x01115b9f
0x01115baa
0x01115bab
0x01115bac
0x01115bad
0x01115bb4
0x01115bb8
0x01115bbe
0x01115bc1
0x01115bcb
0x01115bd0
0x01115bd5
0x01115bd8
0x01115bde
0x01115be3
0x01115be8
0x01115be9
0x01115bef
0x01115bf4
0x01115bf9
0x01115bfa
0x01115c00
0x01115c05
0x01115c0a
0x01115c0b
0x01115c11
0x01115c16
0x01115c1b
0x01115c1c
0x01115c22
0x01115c27
0x01115c2c
0x01115c2f
0x01115c32
0x01115c3a
0x01115c45
0x01115b7a
0x01115b7e
0x01115b8c
0x01115b8c

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 01115B41
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 01115B7E

Part of subcall function 01146D0F: _Yarn.LIBCPMT ref: 01146D2E
Part of subcall function 01146D0F: _Yarn.LIBCPMT ref: 01146D52

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 01115BC1
std::_Lockit::~_Lockit.LIBCPMT ref: 01115C32

Strings

bad locale name, xrefs: 01115B8F

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$Locinfo::_LockitYarn$Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2090653598-1405518554
Opcode ID: 3c71d59f605a008f15656388072e4669c3b624cf8f3794e5be9b3a7e83ee351b
Instruction ID: bd3647f3b4656a2c43122df32e73e271ebdd79cb45de4cc20f8b9893c2bca9ba
Opcode Fuzzy Hash: 3c71d59f605a008f15656388072e4669c3b624cf8f3794e5be9b3a7e83ee351b
Instruction Fuzzy Hash: 59319E71805B00DFC739AF2AD900A1AFBF1FF59A14B148A3FE09E82A50D734A545CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0118249B, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0118249B(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				void _v1160;
				long _v1164;
				signed int _t12;
				intOrPtr _t19;
				intOrPtr _t26;
				intOrPtr* _t30;
				void* _t33;
				intOrPtr _t35;
				void* _t39;
				signed int _t44;

				_t42 = _t44;
				_t12 =  *0x11d8098; // 0xa9f5dfda
				_v8 = _t12 ^ _t44;
				_t26 = _a8;
				_t35 = _a4;
				_t39 = GetStdHandle(0xfffffff4);
				if(_t39 == 0xffffffff || _t39 == 0 || GetFileType(_t39) != 2 || swprintf( &_v1160, 0x240, L"Assertion failed: %Ts, file %Ts, line %d\n", _t35, _t26, _a12) < 0) {
					L8:
					return E0115E184(_v8 ^ _t42);
				} else {
					_t30 =  &_v1160;
					_t33 = _t30 + 2;
					do {
						_t19 =  *_t30;
						_t30 = _t30 + 2;
					} while (_t19 != 0);
					_v1164 = 0;
					_t32 = _t30 - _t33 >> 1;
					if(WriteConsoleW(_t39,  &_v1160, _t30 - _t33 >> 1,  &_v1164, 0) != 0) {
						E011844F3(_t26, _t32, _t33, 0, _t39);
						asm("int3");
						return L"Assertion failed: %Ts, file %Ts, line %d\n";
					} else {
						goto L8;
					}
				}
			}

0x0118249e
0x011824a6
0x011824ad
0x011824b1
0x011824b6
0x011824c1
0x011824c6
0x01182535
0x01182543
0x011824fa
0x011824fa
0x01182502
0x01182505
0x01182505
0x01182508
0x0118250b
0x01182513
0x0118251f
0x01182533
0x01182544
0x01182549
0x0118254f
0x00000000
0x00000000
0x00000000
0x01182533

APIs

GetStdHandle.KERNEL32(000000F4,00000000,?), ref: 011824BB
GetFileType.KERNEL32(00000000), ref: 011824CD
swprintf.LIBCMT ref: 011824EE
WriteConsoleW.KERNEL32(00000000,?,?,?,00000000), ref: 0118252B

Strings

Assertion failed: %Ts, file %Ts, line %d, xrefs: 011824E3

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ConsoleFileHandleTypeWriteswprintf
String ID: Assertion failed: %Ts, file %Ts, line %d
API String ID: 2943507729-1719349581
Opcode ID: 422999f9c3088ed7dabcb187c3e991978d3f32268d1f12c650329872cd1b0c6f
Instruction ID: 717e6f5610d9ecc052cbf9f40c0d20d645bcd96884eb33c35447c397791701a4
Opcode Fuzzy Hash: 422999f9c3088ed7dabcb187c3e991978d3f32268d1f12c650329872cd1b0c6f
Instruction Fuzzy Hash: E1112B71500119ABCB29AF2DDC88AEF776DEF49210F508559EA26D3144EB30AA46CF64

Uniqueness

Uniqueness Score: -1.00%

Function 011406E7, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54
threadmemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E011406E7() {
				void* __ebx;
				void* __edi;
				void* _t5;
				long _t11;
				signed char _t13;
				long _t18;
				void* _t19;

				_t18 = 0x2cc;
				_t13 = 0;
				_t5 = VirtualAlloc(0, 0x2cc, 0x1000, 4);
				_t19 = _t5;
				if(_t19 == 0) {
					L10:
					_t27 = _t13;
					if(_t13 != 0) {
						E0111CC91(0x11f93d0, E0111C7AF(_t13, 0x11f93d0, "HardwareBreakpoints", _t18, _t27));
					}
					return _t13 & 0x000000ff;
				} else {
					goto L1;
				}
				do {
					L1:
					 *_t5 = 0;
					_t5 = _t5 + 1;
					_t18 = _t18 - 1;
				} while (_t18 != 0);
				 *_t19 = 0x10010;
				if(GetThreadContext(GetCurrentThread(), _t19) == 0) {
					_t11 = 0;
					__eflags = 0;
				} else {
					_t11 = 0;
					if( *((intOrPtr*)(_t19 + 4)) != 0 ||  *((intOrPtr*)(_t19 + 8)) != 0 ||  *((intOrPtr*)(_t19 + 0xc)) != 0 ||  *((intOrPtr*)(_t19 + 0x10)) != 0) {
						_t13 = 1;
					}
				}
				VirtualFree(_t19, _t11, 0x8000);
				goto L10;
			}

0x011406f1
0x011406f6
0x011406fa
0x01140700
0x01140704
0x01140750
0x01140750
0x01140752
0x01140764
0x01140769
0x01140770
0x00000000
0x00000000
0x00000000
0x01140706
0x01140706
0x01140706
0x01140708
0x01140709
0x01140709
0x0114070f
0x01140724
0x01140741
0x01140741
0x01140726
0x01140726
0x0114072b
0x0114073e
0x0114073e
0x0114072b
0x0114074a
0x00000000

APIs

VirtualAlloc.KERNEL32(00000000,000002CC,00001000,00000004,011F93D0,?,?,01116624,?), ref: 011406FA
GetCurrentThread.KERNEL32 ref: 01140715
GetThreadContext.KERNEL32(00000000,?,?,01116624,?), ref: 0114071C
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,01116624,?), ref: 0114074A

Strings

HardwareBreakpoints, xrefs: 01140754

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ThreadVirtual$AllocContextCurrentFree
String ID: HardwareBreakpoints
API String ID: 2998450305-1156716073
Opcode ID: c2ceb82afe3a6920c3b5166e804e1b623de24eacc973e03efa9ddd54a3494254
Instruction ID: 42ce77af4daad9a2a5d90ee92132978f556fe9e56e1ac50214861d49bf3404aa
Opcode Fuzzy Hash: c2ceb82afe3a6920c3b5166e804e1b623de24eacc973e03efa9ddd54a3494254
Instruction Fuzzy Hash: 5D012830781B129FE7399A768958BA73E98EB44E967018439F3C6C2084D770C441CF62

Uniqueness

Uniqueness Score: -1.00%

Function 01184421, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E01184421(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0x11af384(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x01184427
0x0118442b
0x01184436
0x0118443e
0x01184449
0x0118444f
0x01184453
0x0118445a
0x01184460
0x01184460
0x01184462
0x01184467
0x00000000
0x0118446c
0x01184473

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,01184416,?,?,011843DE,?,00000000,?), ref: 01184436
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 01184449
FreeLibrary.KERNEL32(00000000,?,?,01184416,?,?,011843DE,?,00000000,?), ref: 0118446C

Strings

mscoree.dll, xrefs: 0118442F
CorExitProcess, xrefs: 01184441

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: e8346413d6751c1b2511517a10d5551deada6968a11693ff7d666396f93a4305
Instruction ID: c41cf2afe7e4c49770a80cfdd46ec17906c3e11fc7f30a36f65ded30d67b2b65
Opcode Fuzzy Hash: e8346413d6751c1b2511517a10d5551deada6968a11693ff7d666396f93a4305
Instruction Fuzzy Hash: CAF0A73150021AFBEB29AB55ED0ABDD7F75EF40755F448074FA05E1054CB708E42DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0118EA8D, Relevance: 7.7, APIs: 5, Instructions: 186
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0118EA8D(void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v60;
				char _v276;
				short _v278;
				short _v280;
				char _v448;
				signed int _v452;
				short _v454;
				intOrPtr _v456;
				signed int _v460;
				intOrPtr _v464;
				signed int _v468;
				signed int _v472;
				intOrPtr _v512;
				char _v536;
				intOrPtr _v540;
				signed int _v544;
				intOrPtr _v548;
				signed int _v560;
				char _v708;
				signed int _v712;
				short _v714;
				signed int* _v716;
				signed int _v720;
				signed int _v724;
				signed int _v728;
				signed int* _v732;
				intOrPtr _v736;
				signed int _v740;
				signed int _v744;
				signed int _v748;
				signed int _v752;
				char _v824;
				char _v1252;
				char _v1264;
				intOrPtr _v1276;
				signed int _v1288;
				intOrPtr _v1324;
				signed int _v1336;
				void* __ebp;
				signed int _t246;
				void* _t249;
				signed int _t252;
				signed int _t254;
				signed int _t261;
				signed int _t262;
				signed int _t263;
				signed int _t264;
				signed int _t265;
				signed int _t267;
				signed int _t269;
				void* _t271;
				signed int _t272;
				signed int _t273;
				signed int _t274;
				signed int _t276;
				signed int _t279;
				signed int _t286;
				signed int _t289;
				signed int _t290;
				intOrPtr _t291;
				signed int _t294;
				signed int _t296;
				signed int _t297;
				signed int _t300;
				signed int _t302;
				signed int _t305;
				signed int _t306;
				signed int _t308;
				signed int _t328;
				signed int _t330;
				signed int _t332;
				signed int _t337;
				void* _t339;
				signed int _t341;
				void* _t342;
				intOrPtr _t343;
				signed int _t348;
				signed int _t349;
				intOrPtr* _t354;
				signed int _t368;
				signed int _t370;
				signed int _t372;
				intOrPtr* _t373;
				signed int _t375;
				signed int _t381;
				intOrPtr* _t385;
				intOrPtr* _t388;
				void* _t391;
				intOrPtr* _t394;
				intOrPtr* _t395;
				char* _t402;
				signed int _t404;
				intOrPtr _t407;
				intOrPtr* _t408;
				signed int _t410;
				signed int* _t414;
				signed int _t415;
				signed int* _t421;
				signed int _t430;
				short _t431;
				void* _t432;
				void* _t434;
				signed int _t435;
				signed int _t437;
				intOrPtr _t438;
				signed int _t441;
				intOrPtr _t442;
				signed int _t444;
				signed int _t447;
				intOrPtr _t453;
				signed int _t454;
				signed int _t456;
				signed int _t457;
				signed int _t461;
				signed int _t463;
				signed int _t466;
				signed int* _t467;
				intOrPtr* _t468;
				short _t469;
				signed int _t471;
				signed int _t472;
				void* _t474;
				void* _t475;
				signed int _t476;
				void* _t477;
				void* _t478;
				signed int _t479;
				void* _t481;
				void* _t482;
				signed int _t494;

				_t429 = __edx;
				_push(__ebx);
				_push(__esi);
				_v12 = 1;
				_t368 = E01190910(__ecx, 0x6a6);
				_t245 = 0;
				_pop(_t381);
				if(_t368 == 0) {
					L20:
					return _t245;
				} else {
					_push(__edi);
					_t437 = _t368 + 4;
					 *_t437 = 0;
					 *_t368 = 1;
					_t453 = _a4;
					_t246 = _t453 + 0x30;
					_push( *_t246);
					_v16 = _t246;
					_push(0x11b6ff0);
					_push( *0x11b6f2c);
					E0118E9C9(_t368, _t381, __edx, _t437, _t453, _t437, 0x351, 3);
					_t475 = _t474 + 0x18;
					_v8 = 0x11b6f2c;
					while(1) {
						L2:
						_t249 = E01191EB6(_t437, 0x351, 0x11b6fec);
						_t476 = _t475 + 0xc;
						if(_t249 != 0) {
							break;
						} else {
							_t8 = _v16 + 0x10; // 0x10
							_t421 = _t8;
							_t348 =  *_v16;
							_v16 = _t421;
							_t381 =  *_t421;
							_v20 = _t381;
							goto L4;
						}
						while(1) {
							L4:
							_t429 =  *_t348;
							if(_t429 !=  *_t381) {
								break;
							}
							if(_t429 == 0) {
								L8:
								_t349 = 0;
							} else {
								_t429 =  *((intOrPtr*)(_t348 + 2));
								if(_t429 !=  *((intOrPtr*)(_t381 + 2))) {
									break;
								} else {
									_t348 = _t348 + 4;
									_t381 = _t381 + 4;
									if(_t429 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
							L10:
							_push(_v20);
							_push(0x11b6ff0);
							asm("sbb eax, eax");
							_v12 = _v12 &  !( ~_t349);
							_t354 = _v8 + 0xc;
							_v8 = _t354;
							_push( *_t354);
							E0118E9C9(_t368, _t381, _t429, _t437, _t453, _t437, 0x351, 3);
							_t475 = _t476 + 0x18;
							if(_v8 < 0x11b6f5c) {
								goto L2;
							} else {
								if(_v12 != 0) {
									E0118FAFF(_t368);
									_t444 = _t437 | 0xffffffff;
									__eflags =  *(_t453 + 0x28);
									if(__eflags != 0) {
										asm("lock xadd [ecx], eax");
										if(__eflags == 0) {
											E0118FAFF( *(_t453 + 0x28));
										}
									}
									__eflags =  *(_t453 + 0x24);
									if( *(_t453 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										__eflags = _t444 == 1;
										if(_t444 == 1) {
											E0118FAFF( *(_t453 + 0x24));
										}
									}
									 *(_t453 + 0x24) = 0;
									 *(_t453 + 0x1c) = 0;
									 *(_t453 + 0x28) = 0;
									 *((intOrPtr*)(_t453 + 0x20)) = 0;
									_t245 =  *((intOrPtr*)(_t453 + 0x40));
								} else {
									_t447 = _t437 | 0xffffffff;
									_t494 =  *(_t453 + 0x28);
									if(_t494 != 0) {
										asm("lock xadd [ecx], eax");
										if(_t494 == 0) {
											E0118FAFF( *(_t453 + 0x28));
										}
									}
									if( *(_t453 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										if(_t447 == 1) {
											E0118FAFF( *(_t453 + 0x24));
										}
									}
									 *(_t453 + 0x24) =  *(_t453 + 0x24) & 0x00000000;
									_t245 = _t368 + 4;
									 *(_t453 + 0x1c) =  *(_t453 + 0x1c) & 0x00000000;
									 *(_t453 + 0x28) = _t368;
									 *((intOrPtr*)(_t453 + 0x20)) = _t245;
								}
								goto L20;
							}
							goto L136;
						}
						asm("sbb eax, eax");
						_t349 = _t348 | 0x00000001;
						__eflags = _t349;
						goto L10;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E011828E3();
					asm("int3");
					_t471 = _t476;
					_t477 = _t476 - 0x1d0;
					_t252 =  *0x11d8098; // 0xa9f5dfda
					_v60 = _t252 ^ _t471;
					_t254 = _v44;
					_push(_t368);
					_push(_t453);
					_t454 = _v40;
					_push(_t437);
					_t438 = _v48;
					_v512 = _t438;
					__eflags = _t254;
					if(_t254 == 0) {
						_v460 = 1;
						_v472 = 0;
						_t370 = 0;
						_v452 = 0;
						__eflags = _t454;
						if(__eflags == 0) {
							L80:
							E0118EA8D(_t370, _t381, _t429, _t438, _t454, __eflags, _t438);
							goto L81;
						} else {
							__eflags =  *_t454 - 0x4c;
							if( *_t454 != 0x4c) {
								L60:
								_t261 = E0118E603(_t370, _t429, _t438, _t454, _t454,  &_v276, 0x83,  &_v448, 0x55,  &_v468);
								_t478 = _t477 + 0x18;
								__eflags = _t261;
								if(_t261 != 0) {
									_t381 = 0;
									__eflags = 0;
									_t430 = _t438 + 0x20;
									_t456 = 0;
									_v452 = _t430;
									do {
										__eflags = _t456;
										if(_t456 == 0) {
											L75:
											_t262 = _v460;
										} else {
											_t385 =  *_t430;
											_t263 =  &_v276;
											while(1) {
												__eflags =  *_t263 -  *_t385;
												_t438 = _v464;
												if( *_t263 !=  *_t385) {
													break;
												}
												__eflags =  *_t263;
												if( *_t263 == 0) {
													L68:
													_t381 = 0;
													_t264 = 0;
												} else {
													_t431 =  *((intOrPtr*)(_t263 + 2));
													__eflags = _t431 -  *((intOrPtr*)(_t385 + 2));
													_v454 = _t431;
													_t430 = _v452;
													if(_t431 !=  *((intOrPtr*)(_t385 + 2))) {
														break;
													} else {
														_t263 = _t263 + 4;
														_t385 = _t385 + 4;
														__eflags = _v454;
														if(_v454 != 0) {
															continue;
														} else {
															goto L68;
														}
													}
												}
												L70:
												__eflags = _t264;
												if(_t264 == 0) {
													_t370 = _t370 + 1;
													__eflags = _t370;
													goto L75;
												} else {
													_t265 =  &_v276;
													_push(_t265);
													_push(_t456);
													_push(_t438);
													L84();
													_t430 = _v452;
													_t478 = _t478 + 0xc;
													__eflags = _t265;
													if(_t265 == 0) {
														_t381 = 0;
														_t262 = 0;
														_v460 = 0;
													} else {
														_t370 = _t370 + 1;
														_t381 = 0;
														goto L75;
													}
												}
												goto L76;
											}
											asm("sbb eax, eax");
											_t264 = _t263 | 0x00000001;
											_t381 = 0;
											__eflags = 0;
											goto L70;
										}
										L76:
										_t456 = _t456 + 1;
										_t430 = _t430 + 0x10;
										_v452 = _t430;
										__eflags = _t456 - 5;
									} while (_t456 <= 5);
									__eflags = _t262;
									if(__eflags != 0) {
										goto L80;
									} else {
										__eflags = _t370;
										if(__eflags != 0) {
											goto L80;
										} else {
										}
									}
								}
								goto L81;
							} else {
								__eflags =  *(_t454 + 2) - 0x43;
								if( *(_t454 + 2) != 0x43) {
									goto L60;
								} else {
									__eflags =  *((short*)(_t454 + 4)) - 0x5f;
									if( *((short*)(_t454 + 4)) != 0x5f) {
										goto L60;
									} else {
										while(1) {
											_t267 = E01197447(_t454, 0x11b6fe4);
											_t372 = _t267;
											_v468 = _t372;
											_pop(_t387);
											__eflags = _t372;
											if(_t372 == 0) {
												break;
											}
											_t269 = _t267 - _t454;
											__eflags = _t269;
											_v460 = _t269 >> 1;
											if(_t269 == 0) {
												break;
											} else {
												_t271 = 0x3b;
												__eflags =  *_t372 - _t271;
												if( *_t372 == _t271) {
													break;
												} else {
													_t441 = _v460;
													_t373 = 0x11b6f2c;
													_v456 = 1;
													do {
														_t272 = E0118FA68( *_t373, _t454, _t441);
														_t477 = _t477 + 0xc;
														__eflags = _t272;
														if(_t272 != 0) {
															goto L46;
														} else {
															_t388 =  *_t373;
															_t432 = _t388 + 2;
															do {
																_t343 =  *_t388;
																_t388 = _t388 + 2;
																__eflags = _t343 - _v472;
															} while (_t343 != _v472);
															_t387 = _t388 - _t432 >> 1;
															__eflags = _t441 - _t388 - _t432 >> 1;
															if(_t441 != _t388 - _t432 >> 1) {
																goto L46;
															}
														}
														break;
														L46:
														_v456 = _v456 + 1;
														_t373 = _t373 + 0xc;
														__eflags = _t373 - 0x11b6f5c;
													} while (_t373 <= 0x11b6f5c);
													_t370 = _v468 + 2;
													_t273 = E0119BD59(_t387, _t370, 0x11b6fec);
													_t438 = _v464;
													_t457 = _t273;
													_pop(_t391);
													__eflags = _t457;
													if(_t457 != 0) {
														L49:
														__eflags = _v456 - 5;
														if(_v456 > 5) {
															_t381 = _v452;
															goto L55;
														} else {
															_push(_t457);
															_t276 = E0118F97C( &_v276, 0x83, _t370);
															_t479 = _t477 + 0x10;
															__eflags = _t276;
															if(_t276 != 0) {
																L83:
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																E011828E3();
																asm("int3");
																_push(_t471);
																_t472 = _t479;
																_t279 =  *0x11d8098; // 0xa9f5dfda
																_v560 = _t279 ^ _t472;
																_push(_t370);
																_t375 = _v544;
																_push(_t457);
																_push(_t438);
																_t442 = _v548;
																_v1288 = _t375;
																_v1276 = E01190FC4(_t391, _t429) + 0x278;
																_t286 = E0118E603(_t375, _t429, _t442, _v540, _v540,  &_v824, 0x83,  &_v1252, 0x55,  &_v1264);
																_t481 = _t479 - 0x2e4 + 0x18;
																__eflags = _t286;
																if(_t286 == 0) {
																	L124:
																	__eflags = 0;
																	goto L125;
																} else {
																	_t103 = _t375 + 2; // 0x2
																	_t461 = _t103 << 4;
																	__eflags = _t461;
																	_t289 =  &_v280;
																	_v724 = _t461;
																	_t394 =  *((intOrPtr*)(_t461 + _t442));
																	while(1) {
																		_v712 = _v712 & 0x00000000;
																		__eflags =  *_t289 -  *_t394;
																		_t463 = _v724;
																		if( *_t289 !=  *_t394) {
																			break;
																		}
																		__eflags =  *_t289;
																		if( *_t289 == 0) {
																			L91:
																			_t290 = _v712;
																		} else {
																			_t469 =  *((intOrPtr*)(_t289 + 2));
																			__eflags = _t469 -  *((intOrPtr*)(_t394 + 2));
																			_v714 = _t469;
																			_t463 = _v724;
																			if(_t469 !=  *((intOrPtr*)(_t394 + 2))) {
																				break;
																			} else {
																				_t289 = _t289 + 4;
																				_t394 = _t394 + 4;
																				__eflags = _v714;
																				if(_v714 != 0) {
																					continue;
																				} else {
																					goto L91;
																				}
																			}
																		}
																		L93:
																		__eflags = _t290;
																		if(_t290 != 0) {
																			_t395 =  &_v280;
																			_t434 = _t395 + 2;
																			do {
																				_t291 =  *_t395;
																				_t395 = _t395 + 2;
																				__eflags = _t291 - _v712;
																			} while (_t291 != _v712);
																			_v728 = (_t395 - _t434 >> 1) + 1;
																			_t294 = E01190910(_t395 - _t434 >> 1, 4 + ((_t395 - _t434 >> 1) + 1) * 2);
																			_v740 = _t294;
																			__eflags = _t294;
																			if(_t294 == 0) {
																				goto L124;
																			} else {
																				_v736 =  *((intOrPtr*)(_t463 + _t442));
																				_v748 =  *(_t442 + 0xa0 + _t375 * 4);
																				_v752 =  *(_t442 + 8);
																				_t402 =  &_v280;
																				_v716 = _t294 + 4;
																				_t296 = E0118CEAC(_t294 + 4, _v728, _t402);
																				_t482 = _t481 + 0xc;
																				__eflags = _t296;
																				if(_t296 != 0) {
																					_t297 = _v712;
																					_push(_t297);
																					_push(_t297);
																					_push(_t297);
																					_push(_t297);
																					_push(_t297);
																					E011828E3();
																					asm("int3");
																					_push(_t472);
																					_push(_t402);
																					_v1336 = _v1336 & 0x00000000;
																					_t300 = E011901B3(_v1324, 0x20001004,  &_v1336, 2);
																					__eflags = _t300;
																					if(_t300 == 0) {
																						L134:
																						return 0xfde9;
																					}
																					_t302 = _v20;
																					__eflags = _t302;
																					if(_t302 == 0) {
																						goto L134;
																					}
																					return _t302;
																				} else {
																					__eflags = _v280 - 0x43;
																					 *((intOrPtr*)(_t463 + _t442)) = _v716;
																					if(_v280 != 0x43) {
																						L102:
																						_t305 = E0118E320(_t375, _t442,  &_v708);
																						_t404 = _v712;
																					} else {
																						__eflags = _v278;
																						if(_v278 != 0) {
																							goto L102;
																						} else {
																							_t404 = _v712;
																							_t305 = _t404;
																						}
																					}
																					 *(_t442 + 0xa0 + _t375 * 4) = _t305;
																					__eflags = _t375 - 2;
																					if(_t375 != 2) {
																						__eflags = _t375 - 1;
																						if(_t375 != 1) {
																							__eflags = _t375 - 5;
																							if(_t375 == 5) {
																								 *((intOrPtr*)(_t442 + 0x14)) = _v720;
																							}
																						} else {
																							 *((intOrPtr*)(_t442 + 0x10)) = _v720;
																						}
																					} else {
																						_t467 = _v732;
																						_t435 = _t404;
																						_t414 = _t467;
																						 *(_t442 + 8) = _v720;
																						_v716 = _t467;
																						_v728 = _t467[8];
																						_v720 = _t467[9];
																						while(1) {
																							__eflags =  *(_t442 + 8) -  *_t414;
																							if( *(_t442 + 8) ==  *_t414) {
																								break;
																							}
																							_t468 = _v716;
																							_t435 = _t435 + 1;
																							_t337 =  *_t414;
																							 *_t468 = _v728;
																							_v720 = _t414[1];
																							_t414 = _t468 + 8;
																							 *((intOrPtr*)(_t468 + 4)) = _v720;
																							_t375 = _v744;
																							_t467 = _v732;
																							_v728 = _t337;
																							_v716 = _t414;
																							__eflags = _t435 - 5;
																							if(_t435 < 5) {
																								continue;
																							} else {
																							}
																							L110:
																							__eflags = _t435 - 5;
																							if(__eflags == 0) {
																								_t328 = E0119870E(_t375, _t435, _t442, _t467, __eflags, _v712, 1, 0x11b6ea0, 0x7f,  &_v536,  *(_t442 + 8), 1);
																								_t482 = _t482 + 0x1c;
																								__eflags = _t328;
																								if(_t328 == 0) {
																									_t415 = _v712;
																								} else {
																									_t330 = _v712;
																									do {
																										 *(_t472 + _t330 * 2 - 0x20c) =  *(_t472 + _t330 * 2 - 0x20c) & 0x000001ff;
																										_t330 = _t330 + 1;
																										__eflags = _t330 - 0x7f;
																									} while (_t330 < 0x7f);
																									_t332 = E0117B9BD( &_v536,  *0x11d82a0, 0xfe);
																									_t482 = _t482 + 0xc;
																									__eflags = _t332;
																									_t415 = 0 | _t332 == 0x00000000;
																								}
																								_t467[1] = _t415;
																								 *_t467 =  *(_t442 + 8);
																							}
																							 *(_t442 + 0x18) = _t467[1];
																							goto L122;
																						}
																						__eflags = _t435;
																						if(_t435 != 0) {
																							 *_t467 =  *(_t467 + _t435 * 8);
																							_t467[1] =  *(_t467 + 4 + _t435 * 8);
																							 *(_t467 + _t435 * 8) = _v728;
																							 *(_t467 + 4 + _t435 * 8) = _v720;
																						}
																						goto L110;
																					}
																					L122:
																					_t306 = _t375 * 0xc;
																					_t199 = _t306 + 0x11b6f28; // 0x11113b0
																					 *0x11af384(_t442);
																					_t308 =  *((intOrPtr*)( *_t199))();
																					_t407 = _v736;
																					__eflags = _t308;
																					if(_t308 == 0) {
																						__eflags = _t407 - 0x11d83b0;
																						if(_t407 != 0x11d83b0) {
																							_t466 = _t375 + _t375;
																							__eflags = _t466;
																							asm("lock xadd [eax], ecx");
																							if(_t466 != 0) {
																								goto L129;
																							} else {
																								E0118FAFF( *((intOrPtr*)(_t442 + 0x28 + _t466 * 8)));
																								E0118FAFF( *((intOrPtr*)(_t442 + 0x24 + _t466 * 8)));
																								E0118FAFF( *(_t442 + 0xa0 + _t375 * 4));
																								_t410 = _v712;
																								 *(_v724 + _t442) = _t410;
																								 *(_t442 + 0xa0 + _t375 * 4) = _t410;
																							}
																						}
																						_t408 = _v740;
																						 *_t408 = 1;
																						 *((intOrPtr*)(_t442 + 0x28 + (_t375 + _t375) * 8)) = _t408;
																					} else {
																						 *((intOrPtr*)(_v724 + _t442)) = _t407;
																						E0118FAFF( *(_t442 + 0xa0 + _t375 * 4));
																						 *(_t442 + 0xa0 + _t375 * 4) = _v748;
																						E0118FAFF(_v740);
																						 *(_t442 + 8) = _v752;
																						goto L124;
																					}
																					goto L125;
																				}
																			}
																		} else {
																			L125:
																			__eflags = _v16 ^ _t472;
																			return E0115E184(_v16 ^ _t472);
																		}
																		goto L136;
																	}
																	asm("sbb eax, eax");
																	_t290 = _t289 | 0x00000001;
																	__eflags = _t290;
																	goto L93;
																}
															} else {
																_t339 = _t457 + _t457;
																__eflags = _t339 - 0x106;
																if(_t339 >= 0x106) {
																	E0115E916();
																	goto L83;
																} else {
																	 *((short*)(_t471 + _t339 - 0x10c)) = 0;
																	_t341 =  &_v276;
																	_push(_t341);
																	_push(_v456);
																	_push(_t438);
																	L84();
																	_t381 = _v452;
																	_t477 = _t479 + 0xc;
																	__eflags = _t341;
																	if(_t341 != 0) {
																		_t381 = _t381 + 1;
																		_v452 = _t381;
																	}
																	L55:
																	_t454 = _t370 + _t457 * 2;
																	_t274 =  *_t454 & 0x0000ffff;
																	_t429 = _t274;
																	__eflags = _t274;
																	if(_t274 != 0) {
																		_t454 = _t454 + 2;
																		__eflags = _t454;
																		_t429 =  *_t454 & 0x0000ffff;
																	}
																	__eflags = _t429;
																	if(_t429 != 0) {
																		continue;
																	} else {
																		__eflags = _t381;
																		if(__eflags != 0) {
																			goto L80;
																		} else {
																			break;
																		}
																		goto L81;
																	}
																}
															}
														}
													} else {
														_t342 = 0x3b;
														__eflags =  *_t370 - _t342;
														if( *_t370 != _t342) {
															break;
														} else {
															goto L49;
														}
													}
												}
											}
											goto L136;
										}
										goto L81;
									}
								}
							}
						}
					} else {
						__eflags = _t454;
						if(_t454 != 0) {
							_push(_t454);
							_push(_t254);
							_push(_t438);
							L84();
						}
						L81:
						__eflags = _v12 ^ _t471;
						return E0115E184(_v12 ^ _t471);
					}
				}
				L136:
			}

0x0118ea8d
0x0118ea95
0x0118ea96
0x0118ea9f
0x0118eaa7
0x0118eaa9
0x0118eaab
0x0118eaae
0x0118ebcb
0x0118ebce
0x0118eab4
0x0118eab4
0x0118eab5
0x0118eab8
0x0118eabb
0x0118eabd
0x0118eac0
0x0118eac3
0x0118eac5
0x0118eac8
0x0118eacd
0x0118eadb
0x0118eae5
0x0118eae8
0x0118eaeb
0x0118eaeb
0x0118eaf6
0x0118eafb
0x0118eb00
0x00000000
0x0118eb06
0x0118eb09
0x0118eb09
0x0118eb0c
0x0118eb0e
0x0118eb11
0x0118eb13
0x0118eb13
0x0118eb13
0x0118eb16
0x0118eb16
0x0118eb16
0x0118eb1c
0x00000000
0x00000000
0x0118eb21
0x0118eb38
0x0118eb38
0x0118eb23
0x0118eb23
0x0118eb2b
0x00000000
0x0118eb2d
0x0118eb2d
0x0118eb30
0x0118eb36
0x00000000
0x00000000
0x00000000
0x00000000
0x0118eb36
0x0118eb2b
0x0118eb41
0x0118eb41
0x0118eb46
0x0118eb4b
0x0118eb4f
0x0118eb5b
0x0118eb5e
0x0118eb61
0x0118eb6b
0x0118eb73
0x0118eb7b
0x00000000
0x0118eb81
0x0118eb85
0x0118ebd0
0x0118ebd9
0x0118ebdc
0x0118ebde
0x0118ebe2
0x0118ebe6
0x0118ebeb
0x0118ebf0
0x0118ebe6
0x0118ebf4
0x0118ebf6
0x0118ebf8
0x0118ebfc
0x0118ebfd
0x0118ec02
0x0118ec07
0x0118ebfd
0x0118ec0a
0x0118ec0d
0x0118ec10
0x0118ec13
0x0118ec16
0x0118eb87
0x0118eb8a
0x0118eb8d
0x0118eb8f
0x0118eb93
0x0118eb97
0x0118eb9c
0x0118eba1
0x0118eb97
0x0118eba7
0x0118eba9
0x0118ebae
0x0118ebb3
0x0118ebb8
0x0118ebae
0x0118ebb9
0x0118ebbd
0x0118ebc0
0x0118ebc4
0x0118ebc7
0x0118ebc7
0x00000000
0x0118ebca
0x00000000
0x0118eb7b
0x0118eb3c
0x0118eb3e
0x0118eb3e
0x00000000
0x0118eb3e
0x0118ec1d
0x0118ec1e
0x0118ec1f
0x0118ec20
0x0118ec21
0x0118ec22
0x0118ec27
0x0118ec2b
0x0118ec2d
0x0118ec33
0x0118ec3a
0x0118ec3d
0x0118ec40
0x0118ec41
0x0118ec42
0x0118ec45
0x0118ec46
0x0118ec49
0x0118ec4f
0x0118ec51
0x0118ec76
0x0118ec80
0x0118ec86
0x0118ec88
0x0118ec8e
0x0118ec90
0x0118eef0
0x0118eef1
0x00000000
0x0118ec96
0x0118ec96
0x0118ec9a
0x0118ee08
0x0118ee25
0x0118ee2a
0x0118ee2d
0x0118ee2f
0x0118ee35
0x0118ee35
0x0118ee37
0x0118ee3a
0x0118ee3c
0x0118ee42
0x0118ee42
0x0118ee44
0x0118eecb
0x0118eecb
0x0118ee4a
0x0118ee4a
0x0118ee4c
0x0118ee52
0x0118ee55
0x0118ee58
0x0118ee5e
0x00000000
0x00000000
0x0118ee60
0x0118ee64
0x0118ee8d
0x0118ee8d
0x0118ee8f
0x0118ee66
0x0118ee66
0x0118ee6a
0x0118ee6e
0x0118ee75
0x0118ee7b
0x00000000
0x0118ee7d
0x0118ee7d
0x0118ee80
0x0118ee83
0x0118ee8b
0x00000000
0x00000000
0x00000000
0x00000000
0x0118ee8b
0x0118ee7b
0x0118ee9a
0x0118ee9a
0x0118ee9c
0x0118eeca
0x0118eeca
0x00000000
0x0118ee9e
0x0118ee9e
0x0118eea4
0x0118eea5
0x0118eea6
0x0118eea7
0x0118eeac
0x0118eeb2
0x0118eeb5
0x0118eeb7
0x0118eebe
0x0118eec0
0x0118eec2
0x0118eeb9
0x0118eeb9
0x0118eeba
0x00000000
0x0118eeba
0x0118eeb7
0x00000000
0x0118ee9c
0x0118ee93
0x0118ee95
0x0118ee98
0x0118ee98
0x00000000
0x0118ee98
0x0118eed1
0x0118eed1
0x0118eed2
0x0118eed5
0x0118eedb
0x0118eedb
0x0118eee4
0x0118eee6
0x00000000
0x0118eee8
0x0118eee8
0x0118eeea
0x00000000
0x0118eeec
0x0118eeec
0x0118eeea
0x0118eee6
0x00000000
0x0118eca0
0x0118eca0
0x0118eca5
0x00000000
0x0118ecab
0x0118ecab
0x0118ecb0
0x00000000
0x0118ecb6
0x0118ecb6
0x0118ecbc
0x0118ecc1
0x0118ecc3
0x0118ecca
0x0118eccb
0x0118eccd
0x00000000
0x00000000
0x0118ecd3
0x0118ecd3
0x0118ecd7
0x0118ecdd
0x00000000
0x0118ece3
0x0118ece5
0x0118ece6
0x0118ece9
0x00000000
0x0118ecef
0x0118ecef
0x0118ecf5
0x0118ecfa
0x0118ed04
0x0118ed08
0x0118ed0d
0x0118ed10
0x0118ed12
0x00000000
0x0118ed14
0x0118ed14
0x0118ed16
0x0118ed19
0x0118ed19
0x0118ed1c
0x0118ed1f
0x0118ed1f
0x0118ed2a
0x0118ed2c
0x0118ed2e
0x00000000
0x00000000
0x0118ed2e
0x00000000
0x0118ed30
0x0118ed30
0x0118ed36
0x0118ed39
0x0118ed39
0x0118ed47
0x0118ed50
0x0118ed55
0x0118ed5b
0x0118ed5e
0x0118ed5f
0x0118ed61
0x0118ed6f
0x0118ed6f
0x0118ed76
0x0118edd7
0x00000000
0x0118ed78
0x0118ed78
0x0118ed86
0x0118ed8b
0x0118ed8e
0x0118ed90
0x0118ef0b
0x0118ef0d
0x0118ef0e
0x0118ef0f
0x0118ef10
0x0118ef11
0x0118ef12
0x0118ef17
0x0118ef1a
0x0118ef1b
0x0118ef23
0x0118ef2a
0x0118ef2d
0x0118ef2e
0x0118ef31
0x0118ef35
0x0118ef36
0x0118ef39
0x0118ef49
0x0118ef6c
0x0118ef71
0x0118ef74
0x0118ef76
0x0118f24e
0x0118f24e
0x00000000
0x0118ef7c
0x0118ef7c
0x0118ef7f
0x0118ef7f
0x0118ef82
0x0118ef88
0x0118ef91
0x0118ef93
0x0118ef96
0x0118ef9d
0x0118efa0
0x0118efa6
0x00000000
0x00000000
0x0118efa8
0x0118efac
0x0118efd5
0x0118efd5
0x0118efae
0x0118efae
0x0118efb2
0x0118efb6
0x0118efbd
0x0118efc3
0x00000000
0x0118efc5
0x0118efc5
0x0118efc8
0x0118efcb
0x0118efd3
0x00000000
0x00000000
0x00000000
0x00000000
0x0118efd3
0x0118efc3
0x0118efe2
0x0118efe2
0x0118efe4
0x0118efed
0x0118eff3
0x0118eff6
0x0118eff6
0x0118eff9
0x0118effc
0x0118effc
0x0118f00c
0x0118f01a
0x0118f01f
0x0118f026
0x0118f028
0x00000000
0x0118f02e
0x0118f034
0x0118f041
0x0118f04a
0x0118f050
0x0118f05d
0x0118f064
0x0118f069
0x0118f06c
0x0118f06e
0x0118f2ce
0x0118f2d4
0x0118f2d5
0x0118f2d6
0x0118f2d7
0x0118f2d8
0x0118f2d9
0x0118f2de
0x0118f2e1
0x0118f2e4
0x0118f2e5
0x0118f2f7
0x0118f2fc
0x0118f2fe
0x0118f307
0x00000000
0x0118f307
0x0118f300
0x0118f303
0x0118f305
0x00000000
0x00000000
0x0118f30d
0x0118f074
0x0118f074
0x0118f082
0x0118f085
0x0118f09b
0x0118f0a2
0x0118f0a8
0x0118f087
0x0118f087
0x0118f08f
0x00000000
0x0118f091
0x0118f091
0x0118f097
0x0118f097
0x0118f08f
0x0118f0ae
0x0118f0b5
0x0118f0b8
0x0118f1d8
0x0118f1db
0x0118f1e8
0x0118f1eb
0x0118f1f3
0x0118f1f3
0x0118f1dd
0x0118f1e3
0x0118f1e3
0x0118f0be
0x0118f0be
0x0118f0c4
0x0118f0cc
0x0118f0ce
0x0118f0d1
0x0118f0da
0x0118f0e3
0x0118f0e9
0x0118f0ec
0x0118f0ee
0x00000000
0x00000000
0x0118f0f0
0x0118f0f6
0x0118f0f7
0x0118f102
0x0118f10a
0x0118f112
0x0118f115
0x0118f118
0x0118f11e
0x0118f124
0x0118f12a
0x0118f130
0x0118f133
0x00000000
0x00000000
0x0118f135
0x0118f15a
0x0118f15a
0x0118f15d
0x0118f17a
0x0118f17f
0x0118f182
0x0118f184
0x0118f1c2
0x0118f186
0x0118f186
0x0118f18c
0x0118f191
0x0118f199
0x0118f19a
0x0118f19a
0x0118f1b1
0x0118f1b8
0x0118f1bb
0x0118f1bd
0x0118f1bd
0x0118f1c8
0x0118f1ce
0x0118f1ce
0x0118f1d3
0x00000000
0x0118f1d3
0x0118f137
0x0118f139
0x0118f13e
0x0118f144
0x0118f14d
0x0118f156
0x0118f156
0x00000000
0x0118f139
0x0118f1f6
0x0118f1f6
0x0118f1fa
0x0118f202
0x0118f208
0x0118f20b
0x0118f211
0x0118f213
0x0118f25f
0x0118f265
0x0118f26c
0x0118f26c
0x0118f272
0x0118f276
0x00000000
0x0118f278
0x0118f27c
0x0118f285
0x0118f291
0x0118f29f
0x0118f2a5
0x0118f2a8
0x0118f2a8
0x0118f276
0x0118f2b7
0x0118f2bf
0x0118f2c8
0x0118f215
0x0118f21b
0x0118f225
0x0118f237
0x0118f23e
0x0118f24b
0x00000000
0x0118f24b
0x00000000
0x0118f213
0x0118f06e
0x0118efe6
0x0118f250
0x0118f255
0x0118f25e
0x0118f25e
0x00000000
0x0118efe4
0x0118efdd
0x0118efdf
0x0118efdf
0x00000000
0x0118efdf
0x0118ed96
0x0118ed96
0x0118ed99
0x0118ed9e
0x0118ef06
0x00000000
0x0118eda4
0x0118eda6
0x0118edae
0x0118edb4
0x0118edb5
0x0118edbb
0x0118edbc
0x0118edc1
0x0118edc7
0x0118edca
0x0118edcc
0x0118edce
0x0118edcf
0x0118edcf
0x0118eddd
0x0118eddd
0x0118ede0
0x0118ede3
0x0118ede5
0x0118ede8
0x0118edea
0x0118edea
0x0118eded
0x0118eded
0x0118edf0
0x0118edf3
0x00000000
0x0118edf9
0x0118edf9
0x0118edfb
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0118edfb
0x0118edf3
0x0118ed9e
0x0118ed90
0x0118ed63
0x0118ed65
0x0118ed66
0x0118ed69
0x00000000
0x00000000
0x00000000
0x00000000
0x0118ed69
0x0118ed61
0x0118ece9
0x00000000
0x0118ecdd
0x00000000
0x0118ee01
0x0118ecb0
0x0118eca5
0x0118ec9a
0x0118ec53
0x0118ec53
0x0118ec55
0x0118ec57
0x0118ec58
0x0118ec59
0x0118ec5a
0x0118ec5f
0x0118eef7
0x0118eefc
0x0118ef05
0x0118ef05
0x0118ec51
0x00000000

APIs

Part of subcall function 01190910: RtlAllocateHeap.NTDLL(00000000,?,?,?,01191CA4,00001000,?,?,?,?,0117F057), ref: 01190942

_free.LIBCMT ref: 0118EB9C
_free.LIBCMT ref: 0118EBB3
_free.LIBCMT ref: 0118EBD0
_free.LIBCMT ref: 0118EBEB
_free.LIBCMT ref: 0118EC02

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 24c30b9162df52ffda91112d338daa5c9c4aac60d51563948cbf60b6da1b8246
Instruction ID: 9e703cf23dda84553e5491106747d9930edc2afc2b24c32239f79ea4cf789b72
Opcode Fuzzy Hash: 24c30b9162df52ffda91112d338daa5c9c4aac60d51563948cbf60b6da1b8246
Instruction Fuzzy Hash: 0051C132A01605AFDB29EF69CC81A6AB7F4EF54724F14856DE906D7290E731D901CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0111D25B, Relevance: 7.6, APIs: 5, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E0111D25B(intOrPtr* __ecx, signed short* _a4, intOrPtr* _a8) {
				signed int _v0;
				signed int _v4;
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v24;
				char _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t42;
				void* _t45;
				void* _t50;
				void* _t56;
				signed int _t57;
				signed int _t58;
				signed int _t63;
				signed int _t65;
				void* _t87;
				signed short* _t88;
				void* _t89;
				intOrPtr _t91;
				void* _t92;
				void* _t100;
				void* _t101;
				unsigned int _t105;
				void* _t113;
				void* _t114;
				intOrPtr* _t116;
				unsigned int _t118;
				signed int _t121;
				signed int _t122;
				signed int _t127;
				signed int _t129;
				signed int _t130;
				void* _t133;
				void* _t137;
				void* _t141;
				void* _t142;
				void* _t144;

				_t137 = _t141;
				_t142 = _t141 - 0xc;
				_t42 = _a4;
				_push(_t87);
				_t120 = __ecx;
				_v12 = _t42;
				_t126 = 0x7fffffff;
				_v8 = _t42 -  *__ecx;
				_t45 =  *((intOrPtr*)(__ecx + 4)) -  *__ecx;
				if(_t45 == 0x7fffffff) {
					E01115084(_t87, __ecx, __ecx);
					asm("int3");
					_push(0xc);
					E0115ECB1(0x11a5f12, _t87, __ecx);
					_t88 = _a4;
					E011469AA( &_v28, 0);
					_v8 = _v8 & 0x00000000;
					_t121 =  *0x11fa5e4; // 0x0
					_v24 = _t121;
					_t50 = E01115C4B(0x11fa71c, 0x7fffffff);
					_t97 = _t88;
					_t127 = E01115CFE(_t88, _t50);
					__eflags = _t127;
					if(_t127 != 0) {
						L13:
						E01146A02( &_v28);
						return E0115EC5B(_t127, _t88, _t121);
					} else {
						__eflags = _t121;
						if(__eflags == 0) {
							_push(_t88);
							_push( &_v24);
							_t56 = E0111DB0D(_t88, _t97, _t113, _t121, _t127, __eflags);
							_pop(_t100);
							__eflags = _t56 - 0xffffffff;
							if(__eflags == 0) {
								_t57 = E01115AD2();
								asm("int3");
								_push(_t137);
								_push(_t100);
								_push(_t88);
								_push(_t127);
								_push(_t121);
								_t122 = _v4;
								_t89 = _t100;
								__eflags = _t122 - _t113;
								if(_t122 > _t113) {
									L22:
									_t58 = _t57 | 0xffffffff;
									__eflags = _t58;
								} else {
									_t57 = _v0;
									_t114 = _t113 - _t122;
									__eflags = _t57 - _t114;
									if(_t57 > _t114) {
										goto L22;
									} else {
										__eflags = _t122;
										if(_t122 != 0) {
											_t101 = _t89 + _t57 * 2;
											_t116 = _t89 + (_t114 + 1) * 2;
											_t129 =  *_a4 & 0x0000ffff;
											_a8 = _t116;
											_push(_t116 - _t101 >> 1);
											_push(_t129);
											_v12 = _t129;
											_push(_t101);
											while(1) {
												_t57 = E01115787();
												_t130 = _t57;
												_t144 = _t142 + 0xc;
												__eflags = _t130;
												if(_t130 == 0) {
													goto L22;
												}
												_t63 = E011157A9(_t130, _a4, _t122);
												_t142 = _t144 + 0xc;
												__eflags = _t63;
												if(_t63 == 0) {
													_t58 = _t130 - _t89 >> 1;
												} else {
													_t133 = _t130 + 2;
													_t65 = _a8 - _t133;
													__eflags = _t65;
													_push(_t65 >> 1);
													_push(_v12);
													_push(_t133);
													continue;
												}
												goto L23;
											}
											goto L22;
										}
									}
								}
								L23:
								return _t58;
							} else {
								_t127 = _v24;
								_v24 = _t127;
								_v8 = 1;
								E01146BDD(__eflags, _t127);
								 *((intOrPtr*)( *_t127 + 4))();
								 *0x11fa5e4 = _t127;
								goto L13;
							}
						} else {
							_t127 = _t121;
							goto L13;
						}
					}
				} else {
					_t6 = _t45 + 1; // 0x1
					_t91 = _t6;
					_t105 =  *((intOrPtr*)(__ecx + 8)) -  *__ecx;
					_v16 = _t91;
					_t118 = _t105 >> 1;
					if(_t105 <= 0x7fffffff - _t118) {
						_t126 =  <  ? _t91 : _t118 + _t105;
					}
					_t92 = E01112B2C(_t91, _t118, _t120, _t126);
					 *((char*)(_v8 + _t92)) =  *_a8;
					_t109 =  *((intOrPtr*)(_t120 + 4));
					_t74 = _v12;
					if(_v12 !=  *((intOrPtr*)(_t120 + 4))) {
						E0117B390(_t92,  *_t120, _t74 -  *_t120);
						__eflags = _v8 + 1 + _t92;
						E0117B390(_v8 + 1 + _t92, _v12,  *((intOrPtr*)(_t120 + 4)) - _v12);
					} else {
						E0117B390(_t92,  *_t120, _t109 -  *_t120);
					}
					E0111508F(_t120, _t92, _v16, _t126);
					return _v8 + _t92;
				}
			}

0x0111d25c
0x0111d25e
0x0111d261
0x0111d264
0x0111d267
0x0111d269
0x0111d26c
0x0111d273
0x0111d279
0x0111d27d
0x0111d30c
0x0111d311
0x0111d312
0x0111d319
0x0111d31e
0x0111d326
0x0111d32b
0x0111d334
0x0111d33a
0x0111d33d
0x0111d343
0x0111d34a
0x0111d34c
0x0111d34e
0x0111d387
0x0111d38a
0x0111d396
0x0111d350
0x0111d350
0x0111d352
0x0111d35b
0x0111d35c
0x0111d35d
0x0111d363
0x0111d364
0x0111d367
0x0111d397
0x0111d39c
0x0111d39d
0x0111d3a0
0x0111d3a1
0x0111d3a2
0x0111d3a3
0x0111d3a4
0x0111d3a7
0x0111d3a9
0x0111d3ab
0x0111d406
0x0111d406
0x0111d406
0x0111d3ad
0x0111d3ad
0x0111d3b0
0x0111d3b2
0x0111d3b4
0x00000000
0x0111d3b6
0x0111d3b6
0x0111d3b8
0x0111d3ba
0x0111d3c1
0x0111d3c4
0x0111d3cb
0x0111d3d0
0x0111d3d1
0x0111d3d2
0x0111d3d5
0x0111d3f8
0x0111d3f8
0x0111d3fd
0x0111d3ff
0x0111d402
0x0111d404
0x00000000
0x00000000
0x0111d3dd
0x0111d3e2
0x0111d3e5
0x0111d3e7
0x0111d412
0x0111d3e9
0x0111d3ec
0x0111d3ef
0x0111d3ef
0x0111d3f3
0x0111d3f4
0x0111d3f7
0x00000000
0x0111d3f7
0x00000000
0x0111d3e7
0x00000000
0x0111d3f8
0x0111d3b8
0x0111d3b4
0x0111d409
0x0111d40d
0x0111d369
0x0111d369
0x0111d36c
0x0111d370
0x0111d374
0x0111d37e
0x0111d381
0x00000000
0x0111d381
0x0111d354
0x0111d354
0x00000000
0x0111d354
0x0111d352
0x0111d283
0x0111d286
0x0111d286
0x0111d289
0x0111d28f
0x0111d292
0x0111d298
0x0111d29f
0x0111d29f
0x0111d2ac
0x0111d2b3
0x0111d2b6
0x0111d2b9
0x0111d2be
0x0111d2d6
0x0111d2e9
0x0111d2ec
0x0111d2c0
0x0111d2c6
0x0111d2cb
0x0111d2fb
0x0111d309
0x0111d309

APIs

__EH_prolog3_GS.LIBCMT ref: 0111D319
std::_Lockit::_Lockit.LIBCPMT ref: 0111D326
std::_Lockit::~_Lockit.LIBCPMT ref: 0111D38A

Part of subcall function 0111DB0D: std::_Locinfo::~_Locinfo.LIBCPMT ref: 0111DB56

std::_Facet_Register.LIBCPMT ref: 0111D374
Concurrency::cancel_current_task.LIBCPMT ref: 0111D397

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Concurrency::cancel_current_taskFacet_H_prolog3_LocinfoLocinfo::~_Lockit::_Lockit::~_Register
String ID:
API String ID: 75473322-0
Opcode ID: 13a3d05c951ff352a7365abfb7d9ab0184fd057b3b6a7bbe2a1dd00092e2e6e4
Instruction ID: 33a60dbc28ea6e29cd134a2e564dcd79f6e6ceb88bb6b0738dd60b6fbf9457f6
Opcode Fuzzy Hash: 13a3d05c951ff352a7365abfb7d9ab0184fd057b3b6a7bbe2a1dd00092e2e6e4
Instruction Fuzzy Hash: DC41C371A04116AFCB0CEFACD9C4DADFBB9EF55318B204129E915A7344EB30AE40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01111BCA, Relevance: 7.6, APIs: 5, Instructions: 114
windowCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E01111BCA(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				long _t43;
				int _t45;
				void* _t51;
				void* _t60;
				void* _t62;
				int _t72;
				int _t83;
				void* _t87;
				void* _t88;

				_push(0x28);
				E0115ECB1(0x11a4b01, __ebx, __edi);
				_t67 =  *(_t88 + 0xc);
				_t85 =  *(_t88 + 8);
				 *(_t88 - 0x30) =  *(_t88 + 8);
				 *(_t88 - 0x2c) = 0;
				_t43 = FormatMessageW(0x1300, 0,  *(_t88 + 0xc), 0x400, _t88 - 0x2c, 0, 0);
				_t90 = _t43;
				if(_t43 != 0) {
					_t87 =  *(_t88 - 0x2c);
					 *(_t88 - 0x34) = _t87;
					 *((intOrPtr*)(_t88 - 4)) = 0;
					_t45 = WideCharToMultiByte(0, 0, _t87, 0xffffffff, 0, 0, 0, 0);
					 *(_t88 - 0x30) = _t45;
					__eflags = _t45;
					if(__eflags != 0) {
						 *(_t88 - 0x18) =  *(_t88 - 0x18) & 0x00000000;
						 *((intOrPtr*)(_t88 - 0x14)) = 0xf;
						 *((char*)(_t88 - 0x28)) = 0;
						E011126AD(_t88 - 0x28, _t45, 0);
						 *((char*)(_t88 - 4)) = 1;
						__eflags =  *((intOrPtr*)(_t88 - 0x14)) - 0x10;
						_t48 =  >=  ?  *((void*)(_t88 - 0x28)) : _t88 - 0x28;
						_t72 = WideCharToMultiByte(0, 0,  *(_t88 - 0x2c), 0xffffffff,  >=  ?  *((void*)(_t88 - 0x28)) : _t88 - 0x28,  *(_t88 - 0x30), 0, 0);
						__eflags = _t72;
						if(__eflags != 0) {
							while(1) {
								_t72 = _t72 - 1;
								__eflags = _t72;
								if(_t72 <= 0) {
									break;
								}
								__eflags =  *((intOrPtr*)(_t88 - 0x14)) - 0x10;
								_t83 = _t72;
								_t51 =  >=  ?  *((void*)(_t88 - 0x28)) : _t88 - 0x28;
								__eflags =  *((char*)(_t51 + _t72 - 1)) - 0xa;
								if( *((char*)(_t51 + _t72 - 1)) == 0xa) {
									continue;
								}
								__eflags =  *((intOrPtr*)(_t88 - 0x14)) - 0x10;
								_t60 =  >=  ?  *((void*)(_t88 - 0x28)) : _t88 - 0x28;
								__eflags =  *((char*)(_t60 + _t72 - 1)) - 0xd;
								if( *((char*)(_t60 + _t72 - 1)) != 0xd) {
									__eflags =  *((intOrPtr*)(_t88 - 0x14)) - 0x10;
									_t72 = _t83;
									_t62 =  >=  ?  *((void*)(_t88 - 0x28)) : _t88 - 0x28;
									__eflags =  *((char*)(_t83 + _t62 - 1)) - 0x2e;
									if( *((char*)(_t83 + _t62 - 1)) == 0x2e) {
										_t36 = _t83 - 1; // -2
										_t72 = _t36;
									}
									L12:
									E01112569(_t88 - 0x28, _t72, 0);
									E011125F9(_t85, _t88 - 0x28);
									L13:
									E01112687(_t88 - 0x28);
									L14:
									LocalFree(_t87);
									L15:
									return E0115EC5B(_t85, _t67, _t85);
								}
							}
							goto L12;
						}
						E01111B82(_t87, __eflags, _t85, _t67);
						goto L13;
					}
					E01111B82(_t87, __eflags, _t85, _t67);
					goto L14;
				}
				E01111B82(__esi, _t90, _t85, _t67);
				goto L15;
			}

0x01111bca
0x01111bd1
0x01111bd6
0x01111bdc
0x01111bf0
0x01111bf3
0x01111bf6
0x01111bfc
0x01111bfe
0x01111c0e
0x01111c11
0x01111c1f
0x01111c22
0x01111c28
0x01111c2b
0x01111c2d
0x01111c3d
0x01111c47
0x01111c4e
0x01111c52
0x01111c57
0x01111c5e
0x01111c62
0x01111c7b
0x01111c7d
0x01111c7f
0x01111cb2
0x01111cb2
0x01111cb3
0x01111cb5
0x00000000
0x00000000
0x01111c8c
0x01111c93
0x01111c95
0x01111c99
0x01111c9e
0x00000000
0x00000000
0x01111ca0
0x01111ca7
0x01111cab
0x01111cb0
0x01111cb9
0x01111cc0
0x01111cc2
0x01111cc6
0x01111ccb
0x01111ccd
0x01111ccd
0x01111ccd
0x01111cd0
0x01111cd6
0x01111ce1
0x01111ce6
0x01111ce9
0x01111cee
0x01111cef
0x01111cf5
0x01111cfc
0x01111cfc
0x01111cb0
0x00000000
0x01111cb7
0x01111c83
0x00000000
0x01111c89
0x01111c31
0x00000000
0x01111c37
0x01111c02
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 01111BD1
FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000,00000028,011120EE,?,?), ref: 01111BF6
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 01111C22
LocalFree.KERNEL32(?,00000000,-00000001,00000000,?,?,00000000,00000000), ref: 01111CEF

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ByteCharFormatFreeH_prolog3_LocalMessageMultiWide
String ID:
API String ID: 4049754800-0
Opcode ID: 2ac4d58da364fbacbcaa81f478a11eda127cea486d8d736c63e713b5c75dc060
Instruction ID: eaf9a99f74221652e924ce9c0f5c2f21b903baede59a69d691e738ce35fc63bf
Opcode Fuzzy Hash: 2ac4d58da364fbacbcaa81f478a11eda127cea486d8d736c63e713b5c75dc060
Instruction Fuzzy Hash: D741747091520ABEEF1CDB68C844FFEFBBDEB18224F54412DE911B2184DB7159848B31

Uniqueness

Uniqueness Score: -1.00%

Function 0111D1D0, Relevance: 7.5, APIs: 5, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0111D1D0(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, signed short* _a4, intOrPtr* _a8) {
				signed int _v0;
				signed int _v4;
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				void* _v20;
				signed int _v24;
				char _v28;
				void* _t56;
				void* _t62;
				signed int _t64;
				void* _t67;
				void* _t72;
				void* _t78;
				signed int _t79;
				signed int _t80;
				signed int _t85;
				signed int _t87;
				signed int _t96;
				signed int _t107;
				intOrPtr* _t113;
				signed short* _t114;
				void* _t115;
				intOrPtr _t117;
				void* _t118;
				intOrPtr* _t126;
				void* _t132;
				void* _t133;
				unsigned int _t137;
				intOrPtr _t141;
				void* _t147;
				void* _t148;
				intOrPtr _t150;
				unsigned int _t152;
				void* _t154;
				intOrPtr* _t155;
				signed int _t156;
				signed int _t157;
				intOrPtr* _t161;
				signed int _t163;
				signed int _t165;
				signed int _t166;
				void* _t169;
				void* _t171;
				void* _t173;
				void* _t177;
				void* _t178;
				void* _t180;

				_t147 = __edx;
				_push(0xc);
				E0115ECB1(0x11a5f12, __ebx, __edi);
				_t113 = _a8;
				E011469AA( &_v24, 0);
				_v4 = _v4 & 0x00000000;
				_t154 =  *0x11fa5f0; // 0xefe988
				_v20 = _t154;
				_t56 = E01115C4B(0x11fa724, __esi);
				_t123 = _t113;
				_t161 = E01115CFE(_t113, _t56);
				if(_t161 != 0) {
					L5:
					E01146A02( &_v24);
					return E0115EC5B(_t161, _t113, _t154);
				} else {
					if(_t154 == 0) {
						_push(_t113);
						_push( &_v20);
						_t62 = E0111DB64(_t113, _t123, _t147, _t154, _t161, __eflags);
						_pop(_t126);
						__eflags = _t62 - 0xffffffff;
						if(__eflags == 0) {
							E01115AD2();
							asm("int3");
							_t173 = _t177;
							_t178 = _t177 - 0xc;
							_t64 = _a4;
							_push(_t113);
							_push(_t161);
							_push(_t154);
							_t155 = _t126;
							_v12 = _t64;
							_t162 = 0x7fffffff;
							_v8 = _t64 -  *_t155;
							_t67 =  *((intOrPtr*)(_t155 + 4)) -  *_t155;
							__eflags = _t67 - 0x7fffffff;
							if(_t67 == 0x7fffffff) {
								E01115084(_t113, _t126, _t155);
								asm("int3");
								_push(0xc);
								E0115ECB1(0x11a5f12, _t113, _t155);
								_t114 = _a4;
								E011469AA( &_v28, 0);
								_v8 = _v8 & 0x00000000;
								_t156 =  *0x11fa5e4; // 0x0
								_v24 = _t156;
								_t72 = E01115C4B(0x11fa71c, 0x7fffffff);
								_t129 = _t114;
								_t163 = E01115CFE(_t114, _t72);
								__eflags = _t163;
								if(_t163 != 0) {
									L20:
									E01146A02( &_v28);
									return E0115EC5B(_t163, _t114, _t156);
								} else {
									__eflags = _t156;
									if(__eflags == 0) {
										_push(_t114);
										_push( &_v24);
										_t78 = E0111DB0D(_t114, _t129, _t147, _t156, _t163, __eflags);
										_pop(_t132);
										__eflags = _t78 - 0xffffffff;
										if(__eflags == 0) {
											_t79 = E01115AD2();
											asm("int3");
											_push(_t173);
											_push(_t132);
											_push(_t114);
											_push(_t163);
											_push(_t156);
											_t157 = _v4;
											_t115 = _t132;
											__eflags = _t157 - _t147;
											if(_t157 > _t147) {
												L29:
												_t80 = _t79 | 0xffffffff;
												__eflags = _t80;
											} else {
												_t79 = _v0;
												_t148 = _t147 - _t157;
												__eflags = _t79 - _t148;
												if(_t79 > _t148) {
													goto L29;
												} else {
													__eflags = _t157;
													if(_t157 != 0) {
														_t133 = _t115 + _t79 * 2;
														_t150 = _t115 + (_t148 + 1) * 2;
														_t165 =  *_a4 & 0x0000ffff;
														_a8 = _t150;
														_push(_t150 - _t133 >> 1);
														_push(_t165);
														_v12 = _t165;
														_push(_t133);
														while(1) {
															_t79 = E01115787();
															_t166 = _t79;
															_t180 = _t178 + 0xc;
															__eflags = _t166;
															if(_t166 == 0) {
																goto L29;
															}
															_t85 = E011157A9(_t166, _a4, _t157);
															_t178 = _t180 + 0xc;
															__eflags = _t85;
															if(_t85 == 0) {
																_t80 = _t166 - _t115 >> 1;
															} else {
																_t169 = _t166 + 2;
																_t87 = _a8 - _t169;
																__eflags = _t87;
																_push(_t87 >> 1);
																_push(_v12);
																_push(_t169);
																continue;
															}
															goto L30;
														}
														goto L29;
													}
												}
											}
											L30:
											return _t80;
										} else {
											_t163 = _v24;
											_v24 = _t163;
											_v8 = 1;
											E01146BDD(__eflags, _t163);
											 *((intOrPtr*)( *_t163 + 4))();
											 *0x11fa5e4 = _t163;
											goto L20;
										}
									} else {
										_t163 = _t156;
										goto L20;
									}
								}
							} else {
								_t17 = _t67 + 1; // 0x1
								_t117 = _t17;
								_t137 =  *((intOrPtr*)(_t155 + 8)) -  *_t155;
								_v16 = _t117;
								_t152 = _t137 >> 1;
								__eflags = _t137 - 0x7fffffff - _t152;
								if(_t137 <= 0x7fffffff - _t152) {
									_t171 = _t152 + _t137;
									__eflags = _t171 - _t117;
									_t162 =  <  ? _t117 : _t171;
								}
								_t118 = E01112B2C(_t117, _t152, _t155, _t162);
								 *((char*)(_v8 + _t118)) =  *_a8;
								_t141 =  *((intOrPtr*)(_t155 + 4));
								_t96 = _v12;
								__eflags = _t96 - _t141;
								if(_t96 != _t141) {
									E0117B390(_t118,  *_t155, _t96 -  *_t155);
									__eflags = _v8 + 1 + _t118;
									E0117B390(_v8 + 1 + _t118, _v12,  *((intOrPtr*)(_t155 + 4)) - _v12);
								} else {
									E0117B390(_t118,  *_t155, _t141 -  *_t155);
								}
								E0111508F(_t155, _t118, _v16, _t162);
								_t107 = _v8 + _t118;
								__eflags = _t107;
								return _t107;
							}
						} else {
							_t161 = _v20;
							_v20 = _t161;
							_v4 = 1;
							E01146BDD(__eflags, _t161);
							 *((intOrPtr*)( *_t161 + 4))();
							 *0x11fa5f0 = _t161;
							goto L5;
						}
					} else {
						_t161 = _t154;
						goto L5;
					}
				}
			}

0x0111d1d0
0x0111d1d0
0x0111d1d7
0x0111d1dc
0x0111d1e4
0x0111d1e9
0x0111d1f2
0x0111d1f8
0x0111d1fb
0x0111d201
0x0111d208
0x0111d20c
0x0111d245
0x0111d248
0x0111d254
0x0111d20e
0x0111d210
0x0111d219
0x0111d21a
0x0111d21b
0x0111d221
0x0111d222
0x0111d225
0x0111d255
0x0111d25a
0x0111d25c
0x0111d25e
0x0111d261
0x0111d264
0x0111d265
0x0111d266
0x0111d267
0x0111d269
0x0111d26c
0x0111d273
0x0111d279
0x0111d27b
0x0111d27d
0x0111d30c
0x0111d311
0x0111d312
0x0111d319
0x0111d31e
0x0111d326
0x0111d32b
0x0111d334
0x0111d33a
0x0111d33d
0x0111d343
0x0111d34a
0x0111d34c
0x0111d34e
0x0111d387
0x0111d38a
0x0111d396
0x0111d350
0x0111d350
0x0111d352
0x0111d35b
0x0111d35c
0x0111d35d
0x0111d363
0x0111d364
0x0111d367
0x0111d397
0x0111d39c
0x0111d39d
0x0111d3a0
0x0111d3a1
0x0111d3a2
0x0111d3a3
0x0111d3a4
0x0111d3a7
0x0111d3a9
0x0111d3ab
0x0111d406
0x0111d406
0x0111d406
0x0111d3ad
0x0111d3ad
0x0111d3b0
0x0111d3b2
0x0111d3b4
0x00000000
0x0111d3b6
0x0111d3b6
0x0111d3b8
0x0111d3ba
0x0111d3c1
0x0111d3c4
0x0111d3cb
0x0111d3d0
0x0111d3d1
0x0111d3d2
0x0111d3d5
0x0111d3f8
0x0111d3f8
0x0111d3fd
0x0111d3ff
0x0111d402
0x0111d404
0x00000000
0x00000000
0x0111d3dd
0x0111d3e2
0x0111d3e5
0x0111d3e7
0x0111d412
0x0111d3e9
0x0111d3ec
0x0111d3ef
0x0111d3ef
0x0111d3f3
0x0111d3f4
0x0111d3f7
0x00000000
0x0111d3f7
0x00000000
0x0111d3e7
0x00000000
0x0111d3f8
0x0111d3b8
0x0111d3b4
0x0111d409
0x0111d40d
0x0111d369
0x0111d369
0x0111d36c
0x0111d370
0x0111d374
0x0111d37e
0x0111d381
0x00000000
0x0111d381
0x0111d354
0x0111d354
0x00000000
0x0111d354
0x0111d352
0x0111d283
0x0111d286
0x0111d286
0x0111d289
0x0111d28f
0x0111d292
0x0111d296
0x0111d298
0x0111d29a
0x0111d29d
0x0111d29f
0x0111d29f
0x0111d2ac
0x0111d2b3
0x0111d2b6
0x0111d2b9
0x0111d2bc
0x0111d2be
0x0111d2d6
0x0111d2e9
0x0111d2ec
0x0111d2c0
0x0111d2c6
0x0111d2cb
0x0111d2fb
0x0111d305
0x0111d305
0x0111d309
0x0111d309
0x0111d227
0x0111d227
0x0111d22a
0x0111d22e
0x0111d232
0x0111d23c
0x0111d23f
0x00000000
0x0111d23f
0x0111d212
0x0111d212
0x00000000
0x0111d212
0x0111d210

APIs

__EH_prolog3_GS.LIBCMT ref: 0111D1D7
std::_Lockit::_Lockit.LIBCPMT ref: 0111D1E4

Part of subcall function 01115C4B: std::_Lockit::_Lockit.LIBCPMT ref: 01115C67
Part of subcall function 01115C4B: std::_Lockit::~_Lockit.LIBCPMT ref: 01115C83

std::_Facet_Register.LIBCPMT ref: 0111D232
std::_Lockit::~_Lockit.LIBCPMT ref: 0111D248
Concurrency::cancel_current_task.LIBCPMT ref: 0111D255

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3_Register
String ID:
API String ID: 3498242614-0
Opcode ID: 9e5bd926d610eb6fb9c9bbd845514a5ccb36625be678048faa82a8eb50a85340
Instruction ID: 190d16df41e9baf59ac58eba3eb476a4c037e1832a9c990008d799710ab31178
Opcode Fuzzy Hash: 9e5bd926d610eb6fb9c9bbd845514a5ccb36625be678048faa82a8eb50a85340
Instruction Fuzzy Hash: E50128319002168BCF1CEFA4E104BEDBBB9AF91728F200128D925A7288EB349E01C791

Uniqueness

Uniqueness Score: -1.00%

Function 0111D50D, Relevance: 7.5, APIs: 5, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0111D50D(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8, short _a12, intOrPtr _a20) {
				signed int _v4;
				intOrPtr* _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				intOrPtr _v80;
				char _v96;
				intOrPtr _v104;
				intOrPtr* _v108;
				intOrPtr _v112;
				intOrPtr _v124;
				intOrPtr* _v128;
				intOrPtr _v140;
				intOrPtr _v152;
				signed int* _t188;
				void* _t213;
				void* _t223;
				void* _t229;
				intOrPtr _t236;
				intOrPtr _t238;
				intOrPtr _t246;
				intOrPtr _t248;
				intOrPtr _t256;
				intOrPtr* _t259;
				intOrPtr _t268;
				intOrPtr _t270;
				intOrPtr _t276;
				intOrPtr _t284;
				intOrPtr _t286;
				intOrPtr _t294;
				intOrPtr _t296;
				intOrPtr _t311;
				intOrPtr* _t312;
				intOrPtr* _t313;
				signed int _t314;
				intOrPtr _t315;
				intOrPtr _t316;
				intOrPtr* _t318;
				signed int _t319;
				void** _t320;
				intOrPtr _t324;
				intOrPtr* _t335;
				intOrPtr* _t336;
				intOrPtr* _t337;
				intOrPtr* _t340;
				intOrPtr _t341;
				signed int _t349;
				signed int _t378;
				signed int _t384;
				signed int _t393;
				intOrPtr* _t401;
				void* _t411;
				intOrPtr _t415;
				signed int _t416;
				intOrPtr _t418;
				intOrPtr _t419;
				signed int _t422;
				intOrPtr* _t423;
				void* _t425;
				intOrPtr _t429;
				signed int _t430;
				intOrPtr _t432;
				signed int _t433;
				intOrPtr _t435;
				signed int _t436;
				intOrPtr _t440;
				signed int _t441;
				intOrPtr _t443;
				intOrPtr _t444;
				signed int _t447;
				signed int _t452;
				void* _t453;
				void* _t464;
				intOrPtr _t467;
				void* _t473;
				void* _t477;
				void* _t478;
				void* _t479;
				void* _t480;
				void* _t481;
				void* _t482;
				void* _t491;
				void* _t492;
				void* _t493;
				void* _t494;
				void* _t495;

				_push(0xc);
				E0115ECB1(0x11a5f12, __ebx, __edi);
				_t311 = _a8;
				E011469AA( &_v24, 0);
				_v4 = _v4 & 0x00000000;
				_t422 =  *0x11fa5e0; // 0x0
				_v20 = _t422;
				_t447 = E01115CFE(_t311, E01115C4B(0x11fa720, __esi));
				if(_t447 != 0) {
					L5:
					E01146A02( &_v24);
					return E0115EC5B(_t447, _t311, _t422);
				} else {
					if(_t422 == 0) {
						_t188 =  &_v20;
						_push(_t311);
						L54();
						_t335 = _t188;
						__eflags = _t188 - 0xffffffff;
						if(__eflags == 0) {
							E01115AD2();
							asm("int3");
							_t477 = _t491;
							_t492 = _t491 - 0xc;
							_t415 = _a4;
							_push(_t311);
							_push(_t447);
							_t312 = _t335;
							_push(_t422);
							_t336 =  *((intOrPtr*)(_t312 + 0x10));
							_v8 = _t336;
							__eflags = 0x7ffffffe - _t336 - _t415;
							if(__eflags < 0) {
								E01111760(_t336, __eflags);
								asm("int3");
								_push(_t477);
								_t478 = _t492;
								_t493 = _t492 - 0x10;
								_t416 = _v20;
								_push(_t312);
								_push(0x7ffffffe);
								_t313 = _t336;
								_v32 = _v4;
								_push(_t422);
								_t337 =  *((intOrPtr*)(_t313 + 0x10));
								_v36 = _t337;
								__eflags = 0x7ffffffe - _t337 - _t416;
								if(__eflags < 0) {
									E01111760(_t337, __eflags);
									asm("int3");
									_push(_t478);
									_t479 = _t493;
									_push(_t337);
									_push(_t337);
									_push(_t313);
									_t314 = _v48;
									_push(0x7ffffffe);
									_push(_t422);
									_t423 = _t337;
									__eflags = _t314 - 0x7ffffffe;
									if(__eflags > 0) {
										E01111760(0x7ffffffe, __eflags);
										asm("int3");
										_push(_t479);
										_t480 = _t493;
										_t494 = _t493 - 0xc;
										_push(_t314);
										_t315 = _v68;
										_push(_t423);
										_v80 = _v60;
										__eflags = _t315 - 0x7ffffffe;
										if(__eflags > 0) {
											E01111760(0x7ffffffe, __eflags);
											asm("int3");
											_push(_t480);
											_t481 = _t494;
											_t495 = _t494 - 0xc;
											_push(_t315);
											_t316 =  *0x8000000E;
											_v108 = 0x7ffffffe;
											_push(0x7ffffffe);
											_push(0x7ffffffe);
											__eflags = 0x7fffffff - _t316 - 1;
											if(__eflags < 0) {
												E01111760(0x7ffffffe, __eflags);
												asm("int3");
												_push(_t481);
												_t482 = _t495;
												_t418 = _v112;
												_push(_t316);
												_push(0x7ffffffe);
												_v124 = _v104;
												_push(0x7ffffffe);
												_t340 =  *((intOrPtr*)(0x8000000e));
												_v128 = _t340;
												__eflags = 0x7ffffffe - _t340 - _t418;
												if(__eflags < 0) {
													E01111760(_t340, __eflags);
													asm("int3");
													_push(_t482);
													_t419 = _v140;
													_push(0x7ffffffe);
													_push(0x7ffffffe);
													_t318 = _t340;
													_push(0x7ffffffe);
													_t341 =  *((intOrPtr*)(_t318 + 0x10));
													_v152 = _t341;
													__eflags = 0x7fffffff - _t341 - _t419;
													if(__eflags < 0) {
														E01111760(_t341, __eflags);
														asm("int3");
														_push(0xc);
														E0115ECB1(0x11a5f12, _t318, 0x7ffffffe);
														_t319 = _v20;
														E011469AA( &_v52, 0);
														_v32 = _v32 & 0x00000000;
														_t425 =  *0x11fa5ec; // 0xef6cd8
														_v48 = _t425;
														_t213 = E01115C4B(0x11f92a4, 0x7fffffff);
														_t344 = _t319;
														_t452 = E01115CFE(_t319, _t213);
														__eflags = _t452;
														if(_t452 != 0) {
															L52:
															E01146A02( &_v52);
															return E0115EC5B(_t452, _t319, _t425);
														} else {
															__eflags = _t425;
															if(__eflags == 0) {
																_push(_t319);
																_push( &_v48);
																__eflags = E01115F12(_t319, _t344, _t419, _t425, _t452, __eflags) - 0xffffffff;
																if(__eflags == 0) {
																	E01115AD2();
																	asm("int3");
																	_push(0x38);
																	E0115EC7D(0x11a6041, _t319, _t425);
																	_v44 = 0;
																	_t320 = _v20;
																	__eflags = _t320;
																	if(_t320 != 0) {
																		__eflags =  *_t320;
																		if(__eflags == 0) {
																			_t453 = E0115E3DD(_t452, __eflags, 0x18);
																			_v20 = _t453;
																			_v32 = 0;
																			_t349 = 6;
																			memset(_t453, 0, _t349 << 2);
																			_t229 = E01115B2D(_t320,  &_v96, _t419, _t453 + _t349, __eflags, E01115CE6(_v16));
																			 *(_t453 + 4) =  *(_t453 + 4) & 0x00000000;
																			__eflags = 1;
																			_v44 = 1;
																			_push(1);
																			_v32 = 2;
																			_push(_t229);
																			 *_t453 = 0x11b04a8;
																			E0111DDB7(_t320, _t453, _t419, _t453 + _t349, 1);
																			 *_t320 = _t453;
																			E01115B9A( &_v96);
																		}
																	}
																	_t223 = 4;
																	return E0115EC46(_t223);
																} else {
																	_t452 = _v48;
																	_v48 = _t452;
																	_v32 = 1;
																	E01146BDD(__eflags, _t452);
																	 *((intOrPtr*)( *_t452 + 4))();
																	 *0x11fa5ec = _t452;
																	goto L52;
																}
															} else {
																_t452 = _t425;
																goto L52;
															}
														}
													} else {
														_t429 = _t341 + _t419;
														_v36 =  *((intOrPtr*)(_t318 + 0x14));
														_t236 = E01112FA7(_t429,  *((intOrPtr*)(_t318 + 0x14)), 0x7fffffff);
														_t362 =  ~(__eflags > 0) | _t236 + 0x00000001;
														_t238 = E01112B2C(_t318, _t419, _t429,  ~(__eflags > 0) | _t236 + 0x00000001);
														 *((intOrPtr*)(_t318 + 0x10)) = _t429;
														_t430 = _v36;
														_v40 = _t238;
														 *((intOrPtr*)(_t318 + 0x14)) = _t236;
														_push(_v4);
														_push(_v8);
														_push(_v12);
														_push(_v32);
														__eflags = _t430 - 0x10;
														if(_t430 < 0x10) {
															_push(_t318);
															_push(_t238);
															E0111C602();
														} else {
															_push( *_t318);
															_push(_t238);
															E0111C602();
															E01112B52(_t318, _t362, _t430,  *_t318, _t430 + 1);
														}
														 *_t318 = _v40;
														return _t318;
													}
												} else {
													_t432 = _t340 + _t418;
													_v36 =  *0x80000012;
													_t246 = E0111DD86(_t432,  *0x80000012, 0x7ffffffe);
													_t248 = E0111B732(0x7ffffffe, _t418, _t432,  ~(0 | __eflags > 0x00000000) | _t246 + 0x00000001);
													_push(_v4);
													 *((intOrPtr*)(0x8000000e)) = _t432;
													_push(_v28);
													_t433 = _v36;
													_v40 = _t248;
													 *((intOrPtr*)(0x80000012)) = _t246;
													_push(_v32);
													__eflags = _t433 - 8;
													if(_t433 < 8) {
														_push(0x7ffffffe);
														_push(_t248);
														E0111C3DD();
													} else {
														_push( *0x7ffffffe);
														_push(_t248);
														E0111C3DD();
														E01112B52(0x7ffffffe,  &_v12, _t433,  *0x7ffffffe, 2 + _t433 * 2);
													}
													 *0x7ffffffe = _v40;
													return 0x7ffffffe;
												}
											} else {
												_t435 = _t316 + 1;
												_v24 =  *((intOrPtr*)(0x80000012));
												_t256 = E01112FA7(_t435,  *((intOrPtr*)(0x80000012)), 0x7fffffff);
												_t376 =  ~(__eflags > 0) | _t256 + 0x00000001;
												_v28 = E01112B2C(_t316, 0x7fffffff, _t435,  ~(__eflags > 0) | _t256 + 0x00000001);
												__eflags = _v24 - 0x10;
												_t259 = _v32;
												_push(_t316);
												 *((intOrPtr*)(_t259 + 0x10)) = _t435;
												_t436 = _v28;
												 *((intOrPtr*)(_t259 + 0x14)) = _t256;
												if(_v24 < 0x10) {
													_push(_t259);
													_push(_t436);
													E0117ACA0();
													 *((char*)(_t436 + _t316)) = _v4;
													 *((char*)(_t436 + _t316 + 1)) = 0;
												} else {
													_push( *_t259);
													_push(_t436);
													E0117ACA0();
													 *((char*)(_t436 + _t316)) = _v4;
													 *((char*)(_t436 + _t316 + 1)) = 0;
													E01112B52(_t316, _t376, _t436,  *_t259, _v24 + 1);
												}
												_t378 = _v32;
												 *_t378 = _t436;
												return _t378;
											}
										} else {
											_push(0x7ffffffe);
											_v28 =  *((intOrPtr*)(0x80000012));
											_t268 = E0111DD86(_t315,  *((intOrPtr*)(0x80000012)), 0x7ffffffe);
											_t270 = E0111B732(_t315, _t416, 0x7ffffffe,  ~(0 | __eflags > 0x00000000) | _t268 + 0x00000001);
											 *((intOrPtr*)(0x80000012)) = _t268;
											_t464 = _t315 + _t315;
											_v24 = _t270;
											 *((intOrPtr*)(0x8000000e)) = _t315;
											E0117ACA0(_t270, _v20, _t464);
											_t324 = _v24;
											_t384 = _v28;
											 *((short*)(_t464 + _t324)) = 0;
											__eflags = _t384 - 8;
											if(_t384 >= 8) {
												E01112B52(_t324, 2 + _t384 * 2, 0x7ffffffe,  *0x7ffffffe, 2 + _t384 * 2);
											}
											 *0x7ffffffe = _t324;
											return 0x7ffffffe;
										}
									} else {
										_v20 =  *((intOrPtr*)(_t423 + 0x14));
										_t276 = E0111DD86(_t314,  *((intOrPtr*)(_t423 + 0x14)), 0x7ffffffe);
										_v16 = E0111B732(_t314, _t416, _t423,  ~(0 | __eflags > 0x00000000) | _t276 + 0x00000001);
										 *(_t423 + 0x10) = _t314;
										 *((intOrPtr*)(_t423 + 0x14)) = _t276;
										E011157DF(_t278, _a4, _t314);
										_t467 = _v16;
										_t393 = _v20;
										 *((short*)(_t467 + _t314 * 2)) = 0;
										__eflags = _t393 - 8;
										if(_t393 >= 8) {
											E01112B52(_t314, 2 + _t393 * 2, _t423,  *_t423, 2 + _t393 * 2);
										}
										 *_t423 = _t467;
										return _t423;
									}
								} else {
									_t440 = _t337 + _t416;
									_v20 =  *((intOrPtr*)(_t313 + 0x14));
									_t284 = E0111DD86(_t440,  *((intOrPtr*)(_t313 + 0x14)), 0x7ffffffe);
									_t401 = _t313;
									_t286 = E0111B732(_t313, _t416, _t440,  ~(0 | __eflags > 0x00000000) | _t284 + 0x00000001);
									_push(_a20);
									 *((intOrPtr*)(_t313 + 0x10)) = _t440;
									_push(_v12);
									_t441 = _v20;
									_v24 = _t286;
									 *((intOrPtr*)(_t313 + 0x14)) = _t284;
									_push(_a12);
									_push(_a8);
									_push(_v16);
									__eflags = _t441 - 8;
									if(_t441 < 8) {
										_push(_t313);
										_push(_t286);
										E0111B55E();
									} else {
										_push( *_t313);
										_push(_t286);
										E0111B55E();
										E01112B52(_t313, _t401, _t441,  *_t313, 2 + _t441 * 2);
									}
									 *_t313 = _v24;
									return _t313;
								}
							} else {
								_t443 = _t336 + _t415;
								_v12 =  *((intOrPtr*)(_t312 + 0x14));
								_t294 = E0111DD86(_t443,  *((intOrPtr*)(_t312 + 0x14)), 0x7ffffffe);
								_t296 = E0111B732(_t312, _t415, _t443,  ~(0 | __eflags > 0x00000000) | _t294 + 0x00000001);
								__eflags = _v12 - 8;
								_t409 = _v8;
								 *((intOrPtr*)(_t312 + 0x14)) = _t294;
								_v16 = _t296;
								 *((intOrPtr*)(_t312 + 0x10)) = _t443;
								_t473 = _v8 + _v8;
								if(_v12 < 8) {
									_t444 = _t296;
									E0117ACA0(_t444, _t312, _t473);
									__eflags = 0;
									 *((short*)(_t473 + _t444)) = _a12;
									 *((short*)(_t473 + _t444 + 2)) = 0;
								} else {
									_t444 = _v16;
									E0117ACA0(_t444,  *_t312, _t409 + _t409);
									_t411 = _v8 + _v8;
									 *((short*)(_t411 + _t444)) = _a12;
									 *((short*)(_t411 + _t444 + 2)) = 0;
									E01112B52(_t312, _t411, _t444,  *_t312, 2 + _v12 * 2);
								}
								 *_t312 = _t444;
								return _t312;
							}
						} else {
							_t447 = _v20;
							_v20 = _t447;
							_v4 = 1;
							E01146BDD(__eflags, _t447);
							 *((intOrPtr*)( *_t447 + 4))();
							 *0x11fa5e0 = _t447;
							goto L5;
						}
					} else {
						_t447 = _t422;
						goto L5;
					}
				}
			}

0x0111d50d
0x0111d514
0x0111d519
0x0111d521
0x0111d526
0x0111d52f
0x0111d535
0x0111d545
0x0111d549
0x0111d582
0x0111d585
0x0111d591
0x0111d54b
0x0111d54d
0x0111d553
0x0111d556
0x0111d558
0x0111d55e
0x0111d55f
0x0111d562
0x0111d592
0x0111d597
0x0111d599
0x0111d59b
0x0111d59e
0x0111d5a1
0x0111d5a2
0x0111d5a3
0x0111d5ac
0x0111d5ad
0x0111d5b2
0x0111d5b5
0x0111d5b7
0x0111d65e
0x0111d663
0x0111d664
0x0111d665
0x0111d667
0x0111d66d
0x0111d670
0x0111d671
0x0111d672
0x0111d674
0x0111d67e
0x0111d67f
0x0111d684
0x0111d687
0x0111d689
0x0111d705
0x0111d70a
0x0111d70b
0x0111d70c
0x0111d70e
0x0111d70f
0x0111d710
0x0111d711
0x0111d714
0x0111d715
0x0111d716
0x0111d71d
0x0111d71f
0x0111d78b
0x0111d790
0x0111d791
0x0111d792
0x0111d794
0x0111d79a
0x0111d79b
0x0111d79e
0x0111d7a1
0x0111d7a9
0x0111d7ab
0x0111d81b
0x0111d820
0x0111d821
0x0111d822
0x0111d824
0x0111d827
0x0111d828
0x0111d832
0x0111d837
0x0111d838
0x0111d839
0x0111d83c
0x0111d8c7
0x0111d8cc
0x0111d8cd
0x0111d8ce
0x0111d8d6
0x0111d8d9
0x0111d8da
0x0111d8dd
0x0111d8e7
0x0111d8e8
0x0111d8ed
0x0111d8f0
0x0111d8f2
0x0111d96b
0x0111d970
0x0111d971
0x0111d977
0x0111d97a
0x0111d97b
0x0111d97c
0x0111d985
0x0111d986
0x0111d98b
0x0111d98e
0x0111d990
0x0111da03
0x0111da08
0x0111da09
0x0111da10
0x0111da15
0x0111da1d
0x0111da22
0x0111da2b
0x0111da31
0x0111da34
0x0111da3a
0x0111da41
0x0111da43
0x0111da45
0x0111da7e
0x0111da81
0x0111da8d
0x0111da47
0x0111da47
0x0111da49
0x0111da52
0x0111da53
0x0111da5b
0x0111da5e
0x0111da8e
0x0111da93
0x0111da94
0x0111da9b
0x0111daa2
0x0111daa5
0x0111daa8
0x0111daaa
0x0111daac
0x0111daae
0x0111dab7
0x0111daba
0x0111dabd
0x0111dac4
0x0111dac7
0x0111dad5
0x0111dada
0x0111dae0
0x0111dae1
0x0111dae4
0x0111dae5
0x0111daee
0x0111daef
0x0111daf5
0x0111dafd
0x0111daff
0x0111daff
0x0111daae
0x0111db06
0x0111db0c
0x0111da60
0x0111da60
0x0111da63
0x0111da67
0x0111da6b
0x0111da75
0x0111da78
0x00000000
0x0111da78
0x0111da4b
0x0111da4b
0x00000000
0x0111da4b
0x0111da49
0x0111d992
0x0111d995
0x0111d99b
0x0111d99e
0x0111d9af
0x0111d9b2
0x0111d9ba
0x0111d9bd
0x0111d9c0
0x0111d9c3
0x0111d9c6
0x0111d9c9
0x0111d9cc
0x0111d9cf
0x0111d9d2
0x0111d9d5
0x0111d9ee
0x0111d9ef
0x0111d9f0
0x0111d9d7
0x0111d9d9
0x0111d9da
0x0111d9db
0x0111d9e5
0x0111d9eb
0x0111d9f9
0x0111da00
0x0111da00
0x0111d8f4
0x0111d8f7
0x0111d8fd
0x0111d900
0x0111d919
0x0111d91e
0x0111d921
0x0111d927
0x0111d92a
0x0111d92d
0x0111d930
0x0111d933
0x0111d936
0x0111d939
0x0111d956
0x0111d957
0x0111d958
0x0111d93b
0x0111d93d
0x0111d93e
0x0111d93f
0x0111d94d
0x0111d953
0x0111d961
0x0111d968
0x0111d968
0x0111d842
0x0111d845
0x0111d84b
0x0111d84e
0x0111d85f
0x0111d867
0x0111d86d
0x0111d871
0x0111d874
0x0111d875
0x0111d878
0x0111d87b
0x0111d87e
0x0111d8a4
0x0111d8a5
0x0111d8a6
0x0111d8b1
0x0111d8b4
0x0111d880
0x0111d882
0x0111d883
0x0111d884
0x0111d88c
0x0111d893
0x0111d89a
0x0111d89f
0x0111d8b9
0x0111d8be
0x0111d8c4
0x0111d8c4
0x0111d7ad
0x0111d7b0
0x0111d7b4
0x0111d7b7
0x0111d7d0
0x0111d7d5
0x0111d7d8
0x0111d7df
0x0111d7e3
0x0111d7e6
0x0111d7eb
0x0111d7f1
0x0111d7f6
0x0111d7fb
0x0111d7fe
0x0111d80a
0x0111d810
0x0111d811
0x0111d818
0x0111d818
0x0111d721
0x0111d727
0x0111d72a
0x0111d74c
0x0111d750
0x0111d753
0x0111d756
0x0111d75b
0x0111d760
0x0111d766
0x0111d76a
0x0111d76d
0x0111d779
0x0111d77f
0x0111d780
0x0111d788
0x0111d788
0x0111d68b
0x0111d68e
0x0111d694
0x0111d697
0x0111d6ae
0x0111d6b0
0x0111d6b5
0x0111d6b8
0x0111d6bb
0x0111d6be
0x0111d6c1
0x0111d6c4
0x0111d6c7
0x0111d6ca
0x0111d6cd
0x0111d6d0
0x0111d6d3
0x0111d6f0
0x0111d6f1
0x0111d6f2
0x0111d6d5
0x0111d6d7
0x0111d6d8
0x0111d6d9
0x0111d6e7
0x0111d6ed
0x0111d6fb
0x0111d702
0x0111d702
0x0111d5bd
0x0111d5c0
0x0111d5c6
0x0111d5c9
0x0111d5e2
0x0111d5e7
0x0111d5eb
0x0111d5ee
0x0111d5f1
0x0111d5f4
0x0111d5f7
0x0111d5fa
0x0111d638
0x0111d63c
0x0111d648
0x0111d64a
0x0111d64e
0x0111d5fc
0x0111d601
0x0111d607
0x0111d613
0x0111d616
0x0111d61c
0x0111d62d
0x0111d632
0x0111d653
0x0111d65b
0x0111d65b
0x0111d564
0x0111d564
0x0111d567
0x0111d56b
0x0111d56f
0x0111d579
0x0111d57c
0x00000000
0x0111d57c
0x0111d54f
0x0111d54f
0x00000000
0x0111d54f
0x0111d54d

APIs

__EH_prolog3_GS.LIBCMT ref: 0111D514
std::_Lockit::_Lockit.LIBCPMT ref: 0111D521

Part of subcall function 01115C4B: std::_Lockit::_Lockit.LIBCPMT ref: 01115C67
Part of subcall function 01115C4B: std::_Lockit::~_Lockit.LIBCPMT ref: 01115C83

std::_Facet_Register.LIBCPMT ref: 0111D56F
std::_Lockit::~_Lockit.LIBCPMT ref: 0111D585
Concurrency::cancel_current_task.LIBCPMT ref: 0111D592

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3_Register
String ID:
API String ID: 3498242614-0
Opcode ID: 8fcd1c73f3110117bc68d982e730cda0cf64edcdd2816c5e8cd7b398ec9210bb
Instruction ID: 19bded72a1b6f1e610ec7e77d8f605acc415a797fa3769749952d7435a3df853
Opcode Fuzzy Hash: 8fcd1c73f3110117bc68d982e730cda0cf64edcdd2816c5e8cd7b398ec9210bb
Instruction Fuzzy Hash: 800128319002168BCF5CEFA4E0446ADBB79AF5175CF204129D515A7284EB348E01C791

Uniqueness

Uniqueness Score: -1.00%

Function 0119B6CE, Relevance: 7.5, APIs: 5, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0119B6CE(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x11d8230; // 0x11d8284
					if(_t23 != 0) {
						E0118FAFF(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x11d8234; // 0x11f9db8
					if(_t24 != 0) {
						E0118FAFF(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x11d8238; // 0x11f9db8
					if(_t25 != 0) {
						E0118FAFF(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x11d8260; // 0x11d8288
					if(_t26 != 0) {
						E0118FAFF(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0x11d8264; // 0x11f9dbc
					if(_t27 != 0) {
						return E0118FAFF(_t6);
					}
				}
				return _t6;
			}

0x0119b6d4
0x0119b6d9
0x0119b6dd
0x0119b6e3
0x0119b6e6
0x0119b6eb
0x0119b6ef
0x0119b6f5
0x0119b6f8
0x0119b6fd
0x0119b701
0x0119b707
0x0119b70a
0x0119b70f
0x0119b713
0x0119b719
0x0119b71c
0x0119b721
0x0119b722
0x0119b725
0x0119b72b
0x00000000
0x0119b733
0x0119b72b
0x0119b736

APIs

_free.LIBCMT ref: 0119B6E6

Part of subcall function 0118FAFF: HeapFree.KERNEL32(00000000,00000000,?,0119B970,?,00000000,?,?,?,0119BC13,?,00000007,?,?,0119BFC6,?), ref: 0118FB15
Part of subcall function 0118FAFF: GetLastError.KERNEL32(?,?,0119B970,?,00000000,?,?,?,0119BC13,?,00000007,?,?,0119BFC6,?,?), ref: 0118FB27

_free.LIBCMT ref: 0119B6F8
_free.LIBCMT ref: 0119B70A
_free.LIBCMT ref: 0119B71C
_free.LIBCMT ref: 0119B72E

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c55b70a14df9825dcf0f8fca81624cdf48085defc2f98824f52d95fa51303b6d
Instruction ID: 4128e39660cee198baebaed42020f78028a0477a72a5ee56726eaed5adea42d9
Opcode Fuzzy Hash: c55b70a14df9825dcf0f8fca81624cdf48085defc2f98824f52d95fa51303b6d
Instruction Fuzzy Hash: 1EF0683250BA02AB9B2CEA5CF0C1C1A7BD9EB007647644909F164DB580CF70FC80CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0111519F, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0111519F(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				signed int _v20;
				signed int _v24;
				signed int* _v28;
				signed int* _v32;
				void* _t29;
				signed int _t32;
				signed int _t38;
				signed int* _t45;
				void* _t46;
				signed int* _t47;
				signed int _t57;
				signed int _t59;
				void* _t60;
				signed int* _t61;
				signed int _t63;
				void* _t65;
				signed int* _t66;

				_t47 = __ecx;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t59 = _a4;
				_t63 = __ecx;
				_v20 = __ecx;
				_v24 = _t59;
				if(_t59 <= 0xa) {
					_v8 = __ecx;
					goto L4;
				} else {
					if(_t59 > 0x1fffffff) {
						E011116DC();
						asm("int3");
						_push(8);
						E0115ECE8(0x11a51a4, __ebx, _t59);
						_t66 = _t47;
						 *_t66 =  *_t66 & 0x00000000;
						_v8 = _v8 & 0x00000000;
						_t38 = E0115E3DD(_t66, __eflags, 0x10);
						__eflags = 1;
						 *((intOrPtr*)(_t38 + 4)) = 1;
						 *((intOrPtr*)(_t38 + 8)) = 1;
						 *_t38 = 0x11c0348;
						 *(_t38 + 0xc) = _a4;
						 *_t66 = _t38;
						return E0115EC46(_t66);
					} else {
						_t47 = E01112B2C(__ebx, __edx, _t59, _t59 << 3);
						_v8 = _t47;
						L4:
						_t57 =  *(_t63 + 0x54);
						_t45 = _t47;
						_v28 = _t45;
						_t29 = _t57 +  *(_t63 + 0x58) * 8;
						if(_t57 != _t29) {
							_t61 = _t57;
							_t65 = _t29;
							do {
								_t11 =  &(_t45[1]); // 0x4
								 *_t45 =  *_t61;
								_t12 =  &(_t61[1]); // 0x1113fce
								_t29 = E011118B4(_t11, _t12);
								_t61 =  &(_t61[2]);
								_t45 =  &(_t45[2]);
								_t77 = _t61 - _t65;
							} while (_t61 != _t65);
							_t63 = _v20;
							_t59 = _v24;
							_v28 = _t45;
						}
						_v32 = _t45;
						E011156EE(_t29, _t45,  &_v32, _t77);
						E0111429A(_t45, _t63, _t57, _t59);
						_t78 =  *(_t63 + 0x58) - _t59;
						_t32 = _v8;
						 *(_t63 + 0x50) = _t59;
						_pop(_t60);
						 *(_t63 + 0x54) = _t32;
						_pop(_t46);
						if( *(_t63 + 0x58) > _t59) {
							_push(0x13a);
							_t32 = E0118257F(_t46, _t57, _t60, _t78, L"size_ <= members_.capacity_", L"D:\\31-App\\app\\Slave\\Slave\\packages\\boost.1.72.0.0\\lib\\native\\include\\boost\\signals2\\detail\\auto_buffer.hpp");
						}
						return _t32;
					}
				}
			}

0x0111519f
0x011151a5
0x011151a6
0x011151a7
0x011151a8
0x011151ab
0x011151ad
0x011151b0
0x011151b6
0x011151d7
0x00000000
0x011151b8
0x011151be
0x01115251
0x01115256
0x01115257
0x0111525e
0x01115263
0x01115265
0x01115268
0x0111526e
0x01115276
0x01115277
0x0111527a
0x01115280
0x01115286
0x01115289
0x01115292
0x011151c4
0x011151d0
0x011151d2
0x011151da
0x011151da
0x011151dd
0x011151e2
0x011151e5
0x011151ea
0x011151ec
0x011151ee
0x011151f0
0x011151f2
0x011151f5
0x011151f7
0x011151fb
0x01115200
0x01115203
0x01115206
0x01115206
0x0111520a
0x0111520d
0x01115210
0x01115210
0x01115216
0x01115219
0x01115220
0x01115225
0x01115228
0x0111522b
0x0111522e
0x0111522f
0x01115233
0x01115234
0x01115236
0x01115245
0x0111524a
0x0111524e
0x0111524e
0x011151be

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 01115251
__EH_prolog3_catch.LIBCMT ref: 0111525E

Strings

size_ <= members_.capacity_, xrefs: 01115240
D:\31-App\app\Slave\Slave\packages\boost.1.72.0.0\lib\native\include\boost\signals2\detail\auto_buffer.hpp, xrefs: 011151A5, 0111523B

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Concurrency::cancel_current_taskH_prolog3_catch
String ID: D:\31-App\app\Slave\Slave\packages\boost.1.72.0.0\lib\native\include\boost\signals2\detail\auto_buffer.hpp$size_ <= members_.capacity_
API String ID: 3440774267-3170698691
Opcode ID: fee348c4a04748f51bb146fd7f14dff89672d4a1ba504115268898ee7dbc47b2
Instruction ID: ab3c8823b79f0bbe7fd1b22c4fcaeb50684973093a3f55539f9f19b45600ab02
Opcode Fuzzy Hash: fee348c4a04748f51bb146fd7f14dff89672d4a1ba504115268898ee7dbc47b2
Instruction Fuzzy Hash: A7319FB6E00306DFCB18DF98D44059EFBF5AFA5314F25852EE945A7344D7B09A40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 011162C1, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E011162C1(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t23;
				void* _t24;
				void* _t26;
				void* _t28;
				intOrPtr* _t30;
				void* _t31;

				_t26 = __edx;
				_t23 = __ecx;
				E0115EC7D(0x11a53a2, __ebx, __edi);
				_t28 = _t23;
				 *((intOrPtr*)(_t28 + 0x14)) = 0x201;
				 *((intOrPtr*)(_t28 + 0x30)) = 0;
				 *((intOrPtr*)(_t28 + 8)) = 0;
				 *((intOrPtr*)(_t28 + 0x10)) = 0;
				 *((intOrPtr*)(_t28 + 0x18)) = 6;
				 *((intOrPtr*)(_t28 + 0x1c)) = 0;
				 *((intOrPtr*)(_t28 + 0x20)) = 0;
				 *((intOrPtr*)(_t28 + 0x24)) = 0;
				 *((intOrPtr*)(_t28 + 0x28)) = 0;
				 *((intOrPtr*)(_t28 + 0x2c)) = 0;
				L01116257(0, _t23, _t26, _t28, __esi, 0, 0);
				_t30 = E0115E3DD(__esi, 0, 8);
				_t24 = 4;
				 *_t30 = 0;
				 *((intOrPtr*)(_t30 + 4)) = 0;
				_push(1);
				 *((intOrPtr*)(_t31 - 4)) = 0;
				 *((intOrPtr*)(_t30 + 4)) = E01146C0F(0, _t24, _t26, _t28, 0);
				 *((intOrPtr*)(_t28 + 0x30)) = _t30;
				return E0115EC46(_t19);
			}

0x011162c1
0x011162c1
0x011162c8
0x011162cd
0x011162d1
0x011162da
0x011162dd
0x011162e0
0x011162e3
0x011162ea
0x011162ed
0x011162f0
0x011162f3
0x011162f6
0x011162f9
0x01116305
0x01116307
0x01116308
0x0111630a
0x0111630d
0x0111630f
0x01116317
0x0111631b
0x01116323

Strings

ios_base::failbit set, xrefs: 01116283
ios_base::eofbit set, xrefs: 01116288
ios_base::badbit set, xrefs: 01116279, 0111629E

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Initstd::locale::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1620887387-1866435925
Opcode ID: 512489b8bcdcf3f8fb565e9570e1ffd7b509b0e44d32a161c7eb10c80c5301c6
Instruction ID: 2748b2591173ed642d2b8be6ab3dea5155e25407a4e1545c7cf7030ecd9a705a
Opcode Fuzzy Hash: 512489b8bcdcf3f8fb565e9570e1ffd7b509b0e44d32a161c7eb10c80c5301c6
Instruction Fuzzy Hash: CFF0A4F0905B06EFD358AF6AC5C0645FAF1FF18708F90862ED56C97A40C7B5A560CB84

Uniqueness

Uniqueness Score: -1.00%

Function 011912D2, Relevance: 6.3, APIs: 4, Instructions: 320
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E011912D2(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v32;
				signed int _v40;
				char _v48;
				intOrPtr _v56;
				char _v60;
				void* __ebx;
				void* __edi;
				signed char _t85;
				void* _t91;
				signed int _t95;
				signed int _t97;
				signed int _t98;
				signed int _t99;
				signed int _t104;
				signed int _t105;
				void* _t106;
				signed int _t107;
				void* _t108;
				void* _t110;
				void* _t113;
				void* _t115;
				void* _t119;
				signed int* _t120;
				void* _t123;
				signed int _t125;
				signed int _t131;
				signed int* _t132;
				signed int* _t135;
				signed int _t136;
				signed int _t139;
				signed int _t141;
				signed int _t143;
				signed int _t148;
				signed int _t149;
				signed int _t153;
				signed int _t154;
				void* _t158;
				unsigned int _t159;
				signed int _t166;
				void* _t167;
				signed int _t168;
				signed int* _t169;
				signed int _t172;
				signed int _t180;
				signed int _t181;
				signed int _t182;
				signed int _t184;
				signed int _t185;
				signed int _t186;

				_t167 = __edx;
				_t180 = _a24;
				if(_t180 < 0) {
					_t180 = 0;
				}
				_t184 = _a8;
				 *_t184 = 0;
				E0117EF63( &_v60, _t167, _a36);
				_t5 = _t180 + 0xb; // 0xb
				_t192 = _a12 - _t5;
				if(_a12 > _t5) {
					_t135 = _a4;
					_t141 = _t135[1];
					_t168 =  *_t135;
					__eflags = (_t141 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if((_t141 >> 0x00000014 & 0x000007ff) != 0x7ff) {
						__eflags = _t141;
						if(__eflags > 0) {
							L14:
							_t17 = _t184 + 1; // 0x2
							_t169 = _t17;
							_t85 = _a28 ^ 0x00000001;
							_v20 = 0x3ff;
							_v5 = _t85;
							_v40 = _t169;
							_v32 = ((_t85 & 0x000000ff) << 5) + 7;
							__eflags = _t141 & 0x7ff00000;
							_t91 = 0x30;
							if((_t141 & 0x7ff00000) != 0) {
								 *_t184 = 0x31;
								L19:
								_t143 = 0;
								__eflags = 0;
								L20:
								_t25 =  &(_t169[0]); // 0x2
								_t185 = _t25;
								_v16 = _t185;
								__eflags = _t180;
								if(_t180 != 0) {
									_t95 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v56 + 0x88))))));
								} else {
									_t95 = _t143;
								}
								 *_t169 = _t95;
								_t97 = _t135[1] & 0x000fffff;
								__eflags = _t97;
								_v24 = _t97;
								if(_t97 > 0) {
									L25:
									_t170 = _t143;
									_t144 = 0xf0000;
									_t98 = 0x30;
									_v12 = _t98;
									_v16 = _t143;
									_v24 = 0xf0000;
									do {
										__eflags = _t180;
										if(_t180 <= 0) {
											break;
										}
										_t123 = E011A3B00( *_t135 & _t170, _v12, _t135[1] & _t144 & 0x000fffff);
										_t158 = 0x30;
										_t125 = _t123 + _t158 & 0x0000ffff;
										__eflags = _t125 - 0x39;
										if(_t125 > 0x39) {
											_t125 = _t125 + _v32;
											__eflags = _t125;
										}
										_t159 = _v24;
										_t170 = (_t159 << 0x00000020 | _v16) >> 4;
										 *_t185 = _t125;
										_t185 = _t185 + 1;
										_t144 = _t159 >> 4;
										_t98 = _v12 - 4;
										_t180 = _t180 - 1;
										_v16 = (_t159 << 0x00000020 | _v16) >> 4;
										_v24 = _t159 >> 4;
										_v12 = _t98;
										__eflags = _t98;
									} while (_t98 >= 0);
									_v16 = _t185;
									__eflags = _t98;
									if(_t98 < 0) {
										goto L42;
									}
									_t119 = E011A3B00( *_t135 & _t170, _v12, _t135[1] & _t144 & 0x000fffff);
									__eflags = _t119 - 8;
									if(_t119 <= 8) {
										goto L42;
									}
									_t50 = _t185 - 1; // 0x2
									_t120 = _t50;
									_t139 = 0x30;
									while(1) {
										_t153 =  *_t120;
										__eflags = _t153 - 0x66;
										if(_t153 == 0x66) {
											goto L35;
										}
										__eflags = _t153 - 0x46;
										if(_t153 != 0x46) {
											_t135 = _a4;
											__eflags = _t120 - _v40;
											if(_t120 == _v40) {
												_t54 = _t120 - 1;
												 *_t54 =  *(_t120 - 1) + 1;
												__eflags =  *_t54;
											} else {
												__eflags = _t153 - 0x39;
												if(_t153 != 0x39) {
													_t154 = _t153 + 1;
													__eflags = _t154;
												} else {
													_t154 = _v32 + 0x3a;
												}
												 *_t120 = _t154;
											}
											goto L42;
										}
										L35:
										 *_t120 = _t139;
										_t120 = _t120 - 1;
									}
								} else {
									__eflags =  *_t135 - _t143;
									if( *_t135 <= _t143) {
										L42:
										__eflags = _t180;
										if(_t180 > 0) {
											_push(_t180);
											_t115 = 0x30;
											_push(_t115);
											_push(_t185);
											E0117B230(_t180);
											_t185 = _t185 + _t180;
											__eflags = _t185;
											_v16 = _t185;
										}
										_t99 = _v40;
										__eflags =  *_t99;
										if( *_t99 == 0) {
											_t185 = _t99;
											_v16 = _t185;
										}
										 *_t185 = (_v5 << 5) + 0x50;
										_t104 = E011A3B00( *_t135, 0x34, _t135[1]);
										_t186 = 0;
										_t105 = _v16;
										_t148 = (_t104 & 0x000007ff) - _v20;
										__eflags = _t148;
										asm("sbb esi, esi");
										_t63 = _t105 + 2; // 0x2
										_t172 = _t63;
										_v40 = _t172;
										if(__eflags < 0) {
											L50:
											_t148 =  ~_t148;
											asm("adc esi, 0x0");
											_t186 =  ~_t186;
											_t136 = 0x2d;
											goto L51;
										} else {
											if(__eflags > 0) {
												L49:
												_t136 = 0x2b;
												L51:
												 *(_t105 + 1) = _t136;
												_t181 = _t172;
												_t106 = 0x30;
												 *_t172 = _t106;
												_t107 = 0;
												__eflags = _t186;
												if(__eflags < 0) {
													L55:
													__eflags = _t181 - _t172;
													if(_t181 != _t172) {
														L59:
														_push(_t136);
														_push(_t107);
														_push(0x64);
														_push(_t186);
														_t108 = E011A3A00();
														_t186 = _t136;
														_t136 = _t148;
														_v32 = _t172;
														_t172 = _v40;
														 *_t181 = _t108 + 0x30;
														_t181 = _t181 + 1;
														_t107 = 0;
														__eflags = 0;
														L60:
														__eflags = _t181 - _t172;
														if(_t181 != _t172) {
															L64:
															_push(_t136);
															_push(_t107);
															_push(0xa);
															_push(_t186);
															_push(_t148);
															_t110 = E011A3A00();
															_v40 = _t172;
															 *_t181 = _t110 + 0x30;
															_t181 = _t181 + 1;
															_t107 = 0;
															__eflags = 0;
															L65:
															_t149 = _t148 + 0x30;
															__eflags = _t149;
															 *_t181 = _t149;
															 *(_t181 + 1) = _t107;
															_t182 = _t107;
															L66:
															if(_v48 != 0) {
																 *(_v60 + 0x350) =  *(_v60 + 0x350) & 0xfffffffd;
															}
															return _t182;
														}
														__eflags = _t186 - _t107;
														if(__eflags < 0) {
															goto L65;
														}
														if(__eflags > 0) {
															goto L64;
														}
														__eflags = _t148 - 0xa;
														if(_t148 < 0xa) {
															goto L65;
														}
														goto L64;
													}
													__eflags = _t186 - _t107;
													if(__eflags < 0) {
														goto L60;
													}
													if(__eflags > 0) {
														goto L59;
													}
													__eflags = _t148 - 0x64;
													if(_t148 < 0x64) {
														goto L60;
													}
													goto L59;
												}
												_t136 = 0x3e8;
												if(__eflags > 0) {
													L54:
													_push(_t136);
													_push(_t107);
													_push(_t136);
													_push(_t186);
													_t113 = E011A3A00();
													_t186 = _t136;
													_t136 = _t148;
													_v32 = _t172;
													_t172 = _v40;
													 *_t172 = _t113 + 0x30;
													_t181 = _t172 + 1;
													_t107 = 0;
													__eflags = 0;
													goto L55;
												}
												__eflags = _t148 - 0x3e8;
												if(_t148 < 0x3e8) {
													goto L55;
												}
												goto L54;
											}
											__eflags = _t148;
											if(_t148 < 0) {
												goto L50;
											}
											goto L49;
										}
									}
									goto L25;
								}
							}
							 *_t184 = _t91;
							_t143 =  *_t135 | _t135[1] & 0x000fffff;
							__eflags = _t143;
							if(_t143 != 0) {
								_v20 = 0x3fe;
								goto L19;
							}
							_v20 = _t143;
							goto L20;
						}
						if(__eflags < 0) {
							L13:
							 *_t184 = 0x2d;
							_t184 = _t184 + 1;
							__eflags = _t184;
							_t141 = _t135[1];
							goto L14;
						}
						__eflags = _t168;
						if(_t168 >= 0) {
							goto L14;
						}
						goto L13;
					}
					_t182 = E011915EB(_t135, _t141, _t135, _t184, _a12, _a16, _a20, _t180, 0, _a32, 0);
					__eflags = _t182;
					if(_t182 == 0) {
						_t131 = E011A3B20(_t184, 0x65);
						__eflags = _t131;
						if(_t131 != 0) {
							_t166 = ((_a28 ^ 0x00000001) << 5) + 0x50;
							__eflags = _t166;
							 *_t131 = _t166;
							 *((char*)(_t131 + 3)) = 0;
						}
						_t182 = 0;
					} else {
						 *_t184 = 0;
					}
					goto L66;
				}
				_t132 = E01186176(_t192);
				_t182 = 0x22;
				 *_t132 = _t182;
				E011828B6();
				goto L66;
			}

0x011912d2
0x011912dd
0x011912e2
0x011912e4
0x011912e4
0x011912e8
0x011912f1
0x011912f3
0x011912f8
0x011912fb
0x011912fe
0x01191314
0x01191317
0x0119131c
0x01191326
0x0119132b
0x0119137f
0x01191381
0x01191390
0x01191393
0x01191393
0x01191396
0x01191398
0x0119139f
0x011913b1
0x011913b4
0x011913b9
0x011913bd
0x011913be
0x011913de
0x011913e1
0x011913e1
0x011913e1
0x011913e3
0x011913e3
0x011913e3
0x011913e6
0x011913e9
0x011913eb
0x011913fc
0x011913ed
0x011913ed
0x011913ed
0x011913fe
0x01191403
0x01191403
0x01191408
0x0119140b
0x01191415
0x01191417
0x01191419
0x0119141e
0x0119141f
0x01191422
0x01191425
0x01191428
0x01191428
0x0119142a
0x00000000
0x00000000
0x01191441
0x01191448
0x0119144c
0x0119144f
0x01191452
0x01191454
0x01191454
0x01191454
0x0119145a
0x0119145d
0x01191461
0x01191463
0x01191467
0x0119146a
0x0119146d
0x0119146e
0x01191471
0x01191474
0x01191477
0x01191477
0x0119147c
0x0119147f
0x01191482
0x00000000
0x00000000
0x01191499
0x0119149e
0x011914a2
0x00000000
0x00000000
0x011914a6
0x011914a6
0x011914a9
0x011914aa
0x011914aa
0x011914ac
0x011914af
0x00000000
0x00000000
0x011914b1
0x011914b4
0x011914bb
0x011914be
0x011914c1
0x011914d6
0x011914d6
0x011914d6
0x011914c3
0x011914c3
0x011914c6
0x011914d0
0x011914d0
0x011914c8
0x011914cb
0x011914cb
0x011914d2
0x011914d2
0x00000000
0x011914c1
0x011914b6
0x011914b6
0x011914b8
0x011914b8
0x0119140d
0x0119140d
0x0119140f
0x011914d9
0x011914d9
0x011914db
0x011914dd
0x011914e0
0x011914e1
0x011914e2
0x011914e3
0x011914eb
0x011914eb
0x011914ed
0x011914ed
0x011914f0
0x011914f3
0x011914f6
0x011914f8
0x011914fa
0x011914fa
0x01191507
0x0119150e
0x01191515
0x01191517
0x01191520
0x01191520
0x01191523
0x01191525
0x01191525
0x01191528
0x0119152b
0x01191537
0x01191537
0x0119153b
0x0119153e
0x01191540
0x00000000
0x0119152d
0x0119152d
0x01191533
0x01191533
0x01191541
0x01191541
0x01191544
0x01191548
0x01191549
0x0119154b
0x0119154d
0x0119154f
0x01191579
0x01191579
0x0119157b
0x01191588
0x01191588
0x01191589
0x0119158a
0x0119158c
0x0119158e
0x01191593
0x01191595
0x01191599
0x0119159c
0x0119159f
0x011915a1
0x011915a2
0x011915a2
0x011915a4
0x011915a4
0x011915a6
0x011915b3
0x011915b3
0x011915b4
0x011915b5
0x011915b7
0x011915b8
0x011915b9
0x011915c2
0x011915c5
0x011915c7
0x011915c8
0x011915c8
0x011915ca
0x011915ca
0x011915ca
0x011915cd
0x011915cf
0x011915d2
0x011915d4
0x011915da
0x011915df
0x011915df
0x011915ea
0x011915ea
0x011915a8
0x011915aa
0x00000000
0x00000000
0x011915ac
0x00000000
0x00000000
0x011915ae
0x011915b1
0x00000000
0x00000000
0x00000000
0x011915b1
0x0119157d
0x0119157f
0x00000000
0x00000000
0x01191581
0x00000000
0x00000000
0x01191583
0x01191586
0x00000000
0x00000000
0x00000000
0x01191586
0x01191551
0x01191556
0x0119155c
0x0119155c
0x0119155d
0x0119155e
0x0119155f
0x01191561
0x01191566
0x01191568
0x0119156a
0x0119156f
0x01191572
0x01191574
0x01191577
0x01191577
0x00000000
0x01191577
0x01191558
0x0119155a
0x00000000
0x00000000
0x00000000
0x0119155a
0x0119152f
0x01191531
0x00000000
0x00000000
0x00000000
0x01191531
0x0119152b
0x00000000
0x0119140f
0x0119140b
0x011913c0
0x011913cc
0x011913cc
0x011913ce
0x011913d5
0x00000000
0x011913d5
0x011913d0
0x00000000
0x011913d0
0x01191383
0x01191389
0x01191389
0x0119138c
0x0119138c
0x0119138d
0x00000000
0x0119138d
0x01191385
0x01191387
0x00000000
0x00000000
0x00000000
0x01191387
0x01191345
0x0119134a
0x0119134c
0x01191359
0x01191360
0x01191362
0x0119136d
0x0119136d
0x01191370
0x01191372
0x01191372
0x01191376
0x0119134e
0x0119134e
0x0119134e
0x00000000
0x0119134c
0x01191300
0x01191307
0x01191308
0x0119130a
0x00000000

APIs

_strrchr.LIBCMT ref: 01191359

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 6d08e808b6220efdbe461e913e63a5d805a302101c1d3d28be8cce45d8f38837
Instruction ID: 5906cb1bf9c34f95c2cebfc0c7ba73bb902d7baf0ec0aaeda640d4e6866cd6e1
Opcode Fuzzy Hash: 6d08e808b6220efdbe461e913e63a5d805a302101c1d3d28be8cce45d8f38837
Instruction Fuzzy Hash: EFB14732904247AFEF19CF68C8407AEBFF5EF56360F198169D462DB241D3349981CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01190FC4, Relevance: 6.1, APIs: 4, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E01190FC4(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;

				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0x11d82e8; // 0x6
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E0119011A(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t51 = E0118FAA2(_t43, 1, 0x364);
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E0119011A(__eflags,  *0x11d82e8, _t51);
							if(__eflags != 0) {
								E01190DF2(_t51, 0x11fa4a0);
								E0118FAFF(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E0119011A(__eflags,  *0x11d82e8, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E0119011A(0,  *0x11d82e8, 0);
							_push(0);
							L9:
							E0118FAFF();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E011900DB(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0x11d82e8; // 0x6
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E011844F3(_t39, _t43, _t49, _t53, _t60);
					asm("int3");
					_t5 =  *0x11d82e8; // 0x6
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E0119011A(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E0118FAA2(_t43, 1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E0119011A(__eflags,  *0x11d82e8, _t60);
								if(__eflags != 0) {
									E01190DF2(_t60, 0x11fa4a0);
									E0118FAFF(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E0119011A(__eflags,  *0x11d82e8, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E0119011A(__eflags,  *0x11d82e8, _t20);
								_push(_t60);
								L25:
								E0118FAFF();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E011900DB(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0x11d82e8; // 0x6
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E011844F3(_t39, _t43, _t49, _t53, _t60);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0x11d82e8; // 0x6
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E0119011A(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E0118FAA2(_t43, 1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E0119011A(__eflags,  *0x11d82e8, _t54);
											if(__eflags != 0) {
												E01190DF2(_t54, 0x11fa4a0);
												E0118FAFF(0);
												goto L45;
											} else {
												_t40 = 0;
												E0119011A(__eflags,  *0x11d82e8, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E0119011A(0,  *0x11d82e8, 0);
											_push(0);
											L41:
											E0118FAFF();
											goto L36;
										}
									}
								} else {
									_t54 = E011900DB(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0x11d82e8; // 0x6
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}

0x01190fc4
0x01190fc4
0x01190fcf
0x01190fd1
0x01190fd6
0x01190fd9
0x01190ff7
0x01190ffa
0x01190fff
0x01191001
0x00000000
0x01191003
0x0119100f
0x01191012
0x01191013
0x01191015
0x0119103a
0x0119103c
0x01191055
0x0119105c
0x01191061
0x00000000
0x0119103e
0x0119103e
0x01191047
0x0119104c
0x00000000
0x0119104c
0x01191017
0x01191017
0x01191017
0x01191020
0x01191025
0x01191026
0x01191026
0x0119102b
0x00000000
0x0119102b
0x01191015
0x01190fdb
0x01190fe1
0x01190fe5
0x01190ff2
0x00000000
0x01190fe7
0x01190fea
0x01191064
0x01191064
0x01190fec
0x01190fec
0x01190fec
0x01190fee
0x01190fee
0x01190fee
0x01190fea
0x01190fe5
0x01191067
0x0119106f
0x01191071
0x01191073
0x0119107b
0x01191080
0x01191081
0x01191086
0x01191087
0x0119108a
0x011910a4
0x011910a7
0x011910ac
0x011910ae
0x00000000
0x011910b0
0x011910bc
0x011910bf
0x011910c0
0x011910c2
0x011910e5
0x011910e7
0x011910fe
0x01191105
0x0119110a
0x00000000
0x011910e9
0x011910f0
0x011910f5
0x00000000
0x011910f5
0x011910c4
0x011910cb
0x011910d0
0x011910d1
0x011910d1
0x011910d6
0x00000000
0x011910d6
0x011910c2
0x0119108c
0x01191092
0x01191094
0x01191096
0x0119109f
0x00000000
0x01191098
0x01191098
0x0119109b
0x01191115
0x01191115
0x0119111a
0x0119111d
0x0119111e
0x0119111f
0x01191126
0x01191128
0x0119112d
0x01191130
0x0119114e
0x01191151
0x01191156
0x01191158
0x00000000
0x0119115a
0x01191166
0x0119116a
0x0119116c
0x01191191
0x01191193
0x011911ac
0x011911b3
0x00000000
0x01191195
0x01191195
0x0119119e
0x011911a3
0x00000000
0x011911a3
0x0119116e
0x0119116e
0x0119116e
0x01191177
0x0119117c
0x0119117d
0x0119117d
0x00000000
0x01191182
0x0119116c
0x01191132
0x01191138
0x0119113a
0x0119113c
0x01191149
0x00000000
0x0119113e
0x0119113e
0x01191141
0x011911bb
0x011911bb
0x01191143
0x01191143
0x01191143
0x01191143
0x01191145
0x01191145
0x01191145
0x01191141
0x0119113c
0x011911be
0x011911c6
0x011911c8
0x011911c8
0x011911cf
0x0119109d
0x0119110d
0x0119110d
0x0119110f
0x00000000
0x01191111
0x01191114
0x01191114
0x0119110f
0x0119109b
0x01191096
0x01191075
0x0119107a
0x0119107a

APIs

GetLastError.KERNEL32(?,?,?,0117EFA3,?,?,?,?,0117F06E,00000000), ref: 01190FC9
_free.LIBCMT ref: 01191026
_free.LIBCMT ref: 0119105C
SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,?,0117F06E,00000000), ref: 01191067

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 9dd537e658a86dbf661814d948c4ac359ed500bf1d6a48a1bd17ce23f084490c
Instruction ID: 979dc4cd004956deb94ed32e7f69a304ecfd703a37956ceab0e62eec7a61924b
Opcode Fuzzy Hash: 9dd537e658a86dbf661814d948c4ac359ed500bf1d6a48a1bd17ce23f084490c
Instruction Fuzzy Hash: B011C6323456077B9F2E36799C84D2B395EEBD47797690334F274861D1DF628C828225

Uniqueness

Uniqueness Score: -1.00%

Function 0119111B, Relevance: 6.1, APIs: 4, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0119111B(void* __ecx) {
				intOrPtr _t2;
				signed int _t3;
				signed int _t13;
				void* _t14;
				signed int _t18;
				long _t21;

				_t14 = __ecx;
				_t21 = GetLastError();
				_t2 =  *0x11d82e8; // 0x6
				_t24 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E0119011A(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t18 = E0118FAA2(_t14, 1, 0x364);
						__eflags = _t18;
						if(__eflags != 0) {
							__eflags = E0119011A(__eflags,  *0x11d82e8, _t18);
							if(__eflags != 0) {
								E01190DF2(_t18, 0x11fa4a0);
								E0118FAFF(0);
								goto L13;
							} else {
								_t13 = 0;
								E0119011A(__eflags,  *0x11d82e8, 0);
								_push(_t18);
								goto L9;
							}
						} else {
							_t13 = 0;
							__eflags = 0;
							E0119011A(0,  *0x11d82e8, 0);
							_push(0);
							L9:
							E0118FAFF();
							goto L4;
						}
					}
				} else {
					_t18 = E011900DB(_t24, _t2);
					if(_t18 == 0) {
						_t2 =  *0x11d82e8; // 0x6
						goto L6;
					} else {
						if(_t18 != 0xffffffff) {
							L13:
							_t13 = _t18;
						} else {
							L3:
							_t13 = 0;
							L4:
							_t18 = _t13;
						}
					}
				}
				SetLastError(_t21);
				asm("sbb edi, edi");
				return  ~_t18 & _t13;
			}

0x0119111b
0x01191126
0x01191128
0x0119112d
0x01191130
0x0119114e
0x01191151
0x01191156
0x01191158
0x00000000
0x0119115a
0x01191166
0x0119116a
0x0119116c
0x01191191
0x01191193
0x011911ac
0x011911b3
0x00000000
0x01191195
0x01191195
0x0119119e
0x011911a3
0x00000000
0x011911a3
0x0119116e
0x0119116e
0x0119116e
0x01191177
0x0119117c
0x0119117d
0x0119117d
0x00000000
0x01191182
0x0119116c
0x01191132
0x01191138
0x0119113c
0x01191149
0x00000000
0x0119113e
0x01191141
0x011911bb
0x011911bb
0x01191143
0x01191143
0x01191143
0x01191145
0x01191145
0x01191145
0x01191141
0x0119113c
0x011911be
0x011911c6
0x011911cf

APIs

GetLastError.KERNEL32(?,?,?,0118617B,01181C10), ref: 01191120
_free.LIBCMT ref: 0119117D
_free.LIBCMT ref: 011911B3
SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,?,0118617B,01181C10), ref: 011911BE

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: bddec86f089ea38ce50d6f64585435aa83dd2079562d1e55da5aa145d7ac1995
Instruction ID: dcbe2c2a261dc5f07068126bd5458b73ae4fc9b157b13da2657913062a23a3e3
Opcode Fuzzy Hash: bddec86f089ea38ce50d6f64585435aa83dd2079562d1e55da5aa145d7ac1995
Instruction Fuzzy Hash: DA112BB23416073ADF6E25799C84D2B295EEBD4B797650334F134871D1DF318CC28224

Uniqueness

Uniqueness Score: -1.00%

Function 011113E1, Relevance: 6.1, APIs: 4, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E011113E1(void* __ebx, signed short __ecx, signed short __edx, void* __edi, void* __esi, short _a4) {
				signed int _v8;
				struct _OSVERSIONINFOEXW _v292;
				signed int _t16;
				signed short _t29;
				signed short _t36;
				signed short _t38;
				intOrPtr* _t41;
				signed int _t42;

				_t36 = __edx;
				_t16 =  *0x11d8098; // 0xa9f5dfda
				_v8 = _t16 ^ _t42;
				_v292.dwOSVersionInfoSize = 0x11c;
				_v292.dwBuildNumber = 0;
				_t29 = __edx;
				_v292.dwPlatformId = 0;
				_t38 = __ecx;
				E0117B230(__ecx,  &(_v292.szCSDVersion), 0, 0x100);
				_v292.wSuiteMask = 0;
				_v292.wServicePackMinor = 0;
				_t41 = __imp__VerSetConditionMask;
				 *_t41(0, 0, 2, 3, 1, 3, 0x20, 3);
				 *_t41(0, _t36);
				 *_t41(0, _t36);
				_v292.dwMajorVersion = _t38 & 0x0000ffff;
				_v292.dwMinorVersion = _t29 & 0x0000ffff;
				_v292.wServicePackMajor = _a4;
				VerifyVersionInfoW( &_v292, 0x23, 0);
				return E0115E184(_v8 ^ _t42, _t36);
			}

0x011113e1
0x011113ea
0x011113f1
0x011113f9
0x0111140e
0x01111416
0x01111419
0x0111141f
0x01111422
0x0111142a
0x0111142f
0x01111441
0x01111447
0x0111144b
0x0111144f
0x01111455
0x01111465
0x01111472
0x01111476
0x0111148f

APIs

VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003), ref: 01111447
VerSetConditionMask.KERNEL32(00000000), ref: 0111144B
VerSetConditionMask.KERNEL32(00000000), ref: 0111144F
VerifyVersionInfoW.KERNEL32 ref: 01111476

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ConditionMask$InfoVerifyVersion
String ID:
API String ID: 2793162063-0
Opcode ID: eb981cf9d212f0ac2331d708f004d32754ce9d1aa7193b469db2bc6b21627385
Instruction ID: 2d72c4e6b02ae19e2b8f44379cc870445b4f14ea2ecc6fcc97ffa6a9735fd581
Opcode Fuzzy Hash: eb981cf9d212f0ac2331d708f004d32754ce9d1aa7193b469db2bc6b21627385
Instruction Fuzzy Hash: BA110070E41228BADB349B659C46BDBBABCEF49B50F00409AB508A6281D6B45A408BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0114AEBF, Relevance: 6.0, APIs: 4, Instructions: 44
threadCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0114AEBF(intOrPtr __eax, void* __ebx, void* __edx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				intOrPtr* _v24;
				intOrPtr _v32;
				signed int _t26;
				signed int _t28;
				int _t30;
				void* _t33;
				void* _t34;
				signed int _t39;
				signed int _t40;
				void* _t42;
				signed int _t43;
				void* _t44;

				_t44 = __esi;
				_t42 = __edi;
				_t41 = __edx;
				_t33 = __ebx;
				if( *0x11d8088 == 0) {
					__eflags = E0118482E();
					if(__eflags != 0) {
						E0118487C(_t34, __edx, __eflags);
						_t34 = 0x16;
					}
					__eflags =  *0x11d828c & 0x00000002;
					if(( *0x11d828c & 0x00000002) != 0) {
						_t30 = IsProcessorFeaturePresent(0x17);
						__eflags = _t30;
						if(_t30 != 0) {
							_t34 = 7;
							asm("int 0x29");
						}
						E0118270A(_t33, _t41, _t42, _t44, 3, 0x40000015, 1);
					}
					E011844A1(3);
					asm("int3");
					E0115F0B0(_t41, 0x11d54f0, 0xc);
					_t43 = _a4;
					__eflags = _t43;
					if(_t43 == 0) {
						ExitThread(GetLastError());
					}
					 *(E01190FC4(_t34, _t41) + 0x360) = _t43;
					__eflags = E01196DE8(_t34) - 2;
					if(__eflags == 0) {
						_t26 = E011903F5(__eflags, 1);
						asm("sbb al, al");
						_t28 =  ~_t26 + 1;
						__eflags = _t28;
						 *(_t43 + 0x10) = _t28;
					}
					_t9 =  &_v8;
					 *_t9 = _v8 & 0x00000000;
					__eflags =  *_t9;
					_t45 =  *_t43;
					 *0x11af384( *((intOrPtr*)(_t43 + 4)));
					E01184716(_t33, _t45, _t41, _t43, __eflags,  *((intOrPtr*)( *_t43))());
					_t36 = _v24;
					_t24 =  *((intOrPtr*)( *_v24));
					_v32 =  *((intOrPtr*)( *_v24));
					return E0118CFA8(_t36, __eflags, _t24, _t36);
				} else {
					__imp__EncodePointer(_a4);
					_t39 =  *0x11d8088; // 0xa
					_t40 = _t39 - 1;
					 *0x11d8088 = _t40;
					 *((intOrPtr*)(0x11f9644 + _t40 * 4)) = __eax;
					return __eax;
				}
			}

0x0114aebf
0x0114aebf
0x0114aebf
0x0114aebf
0x0114aec9
0x011844f8
0x011844fa
0x011844fe
0x01184503
0x01184503
0x01184504
0x0118450b
0x0118450f
0x01184515
0x01184517
0x0118451b
0x0118451c
0x0118451c
0x01184527
0x0118452c
0x01184531
0x01184536
0x0118453e
0x01184543
0x01184546
0x01184548
0x01184551
0x01184551
0x0118455c
0x01184567
0x0118456a
0x0118456e
0x01184575
0x01184577
0x01184577
0x01184579
0x01184579
0x0118457c
0x0118457c
0x0118457c
0x01184580
0x01184587
0x01184590
0x01184595
0x0118459a
0x0118459c
0x011845a8
0x0114aecf
0x0114aed2
0x0114aed8
0x0114aede
0x0114aedf
0x0114aee5
0x0114aeed
0x0114aeed

APIs

EncodePointer.KERNEL32(00000000,?,01146DE4,01146E2A,?,01146C41,00000000,00000000,00000000,00000004,01116317,00000001,00000004,00000000,00000000), ref: 0114AED2
IsProcessorFeaturePresent.KERNEL32(00000017,01191080,?,?,?,0117F06E,00000000), ref: 0118450F
GetLastError.KERNEL32(011D54F0,0000000C,00000003,01191080,?,?,?,0117F06E,00000000), ref: 0118454A
ExitThread.KERNEL32 ref: 01184551

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EncodeErrorExitFeatureLastPointerPresentProcessorThread
String ID:
API String ID: 2377284876-0
Opcode ID: dccd26f0c6e04487d674f41f0f39474281d0e618d246901e90e2776a75f73f9c
Instruction ID: 84a411c4e63afd88af79dfaaa68a4cb445c092995bd9481c4628e47e798ecbe9
Opcode Fuzzy Hash: dccd26f0c6e04487d674f41f0f39474281d0e618d246901e90e2776a75f73f9c
Instruction Fuzzy Hash: 0601F271241207AAEB2C3BA8F809B5E3F669B10719F044029F62C868C5DF7481C1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0111DA09, Relevance: 6.0, APIs: 4, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0111DA09(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t27;
				intOrPtr* _t28;
				void* _t37;
				void* _t43;
				void* _t50;
				void** _t51;
				signed int _t60;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;

				_t70 = __edx;
				_push(0xc);
				E0115ECB1(0x11a5f12, __ebx, __edi);
				_t50 =  *(_t79 + 8);
				E011469AA(_t79 - 0x18, 0);
				 *(_t79 - 4) =  *(_t79 - 4) & 0x00000000;
				_t72 =  *0x11fa5ec; // 0xef6cd8
				 *((intOrPtr*)(_t79 - 0x14)) = _t72;
				_t27 = E01115C4B(0x11f92a4, __esi);
				_t55 = _t50;
				_t28 = E01115CFE(_t50, _t27);
				_t77 = _t28;
				if(_t28 != 0) {
					L5:
					E01146A02(_t79 - 0x18);
					return E0115EC5B(_t77, _t50, _t72);
				} else {
					if(_t72 == 0) {
						_push(_t50);
						_push(_t79 - 0x14);
						__eflags = E01115F12(_t50, _t55, _t70, _t72, _t77, __eflags) - 0xffffffff;
						if(__eflags == 0) {
							E01115AD2();
							asm("int3");
							_push(0x38);
							E0115EC7D(0x11a6041, _t50, _t72);
							 *((intOrPtr*)(_t79 - 0x10)) = 0;
							_t51 =  *(_t79 + 8);
							__eflags = _t51;
							if(_t51 != 0) {
								__eflags =  *_t51;
								if(__eflags == 0) {
									_t78 = E0115E3DD(_t77, __eflags, 0x18);
									 *(_t79 + 8) = _t78;
									 *(_t79 - 4) = 0;
									_t60 = 6;
									_t74 = _t78;
									memset(_t78, 0, _t60 << 2);
									_t43 = E01115B2D(_t51, _t79 - 0x44, _t70, _t74 + _t60, __eflags, E01115CE6( *((intOrPtr*)(_t79 + 0xc))));
									 *(_t78 + 4) =  *(_t78 + 4) & 0x00000000;
									__eflags = 1;
									 *((intOrPtr*)(_t79 - 0x10)) = 1;
									_push(1);
									 *(_t79 - 4) = 2;
									_push(_t43);
									 *_t78 = 0x11b04a8;
									E0111DDB7(_t51, _t78, _t70, _t74 + _t60, 1);
									 *_t51 = _t78;
									E01115B9A(_t79 - 0x44);
								}
							}
							_t37 = 4;
							return E0115EC46(_t37);
						} else {
							_t77 =  *((intOrPtr*)(_t79 - 0x14));
							 *((intOrPtr*)(_t79 - 0x14)) = _t77;
							 *(_t79 - 4) = 1;
							E01146BDD(__eflags, _t77);
							 *((intOrPtr*)( *_t77 + 4))();
							 *0x11fa5ec = _t77;
							goto L5;
						}
					} else {
						_t77 = _t72;
						goto L5;
					}
				}
			}

0x0111da09
0x0111da09
0x0111da10
0x0111da15
0x0111da1d
0x0111da22
0x0111da2b
0x0111da31
0x0111da34
0x0111da3a
0x0111da3c
0x0111da41
0x0111da45
0x0111da7e
0x0111da81
0x0111da8d
0x0111da47
0x0111da49
0x0111da52
0x0111da53
0x0111da5b
0x0111da5e
0x0111da8e
0x0111da93
0x0111da94
0x0111da9b
0x0111daa2
0x0111daa5
0x0111daa8
0x0111daaa
0x0111daac
0x0111daae
0x0111dab7
0x0111daba
0x0111dabd
0x0111dac4
0x0111dac5
0x0111dac7
0x0111dad5
0x0111dada
0x0111dae0
0x0111dae1
0x0111dae4
0x0111dae5
0x0111daee
0x0111daef
0x0111daf5
0x0111dafd
0x0111daff
0x0111daff
0x0111daae
0x0111db06
0x0111db0c
0x0111da60
0x0111da60
0x0111da63
0x0111da67
0x0111da6b
0x0111da75
0x0111da78
0x00000000
0x0111da78
0x0111da4b
0x0111da4b
0x00000000
0x0111da4b
0x0111da49

APIs

__EH_prolog3_GS.LIBCMT ref: 0111DA10
std::_Lockit::_Lockit.LIBCPMT ref: 0111DA1D

Part of subcall function 01115C4B: std::_Lockit::_Lockit.LIBCPMT ref: 01115C67
Part of subcall function 01115C4B: std::_Lockit::~_Lockit.LIBCPMT ref: 01115C83

std::_Lockit::~_Lockit.LIBCPMT ref: 0111DA81

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3_
String ID:
API String ID: 2088892359-0
Opcode ID: c1ee1cfb688097c1924dde400a607ccb3d61ab21a15df692fc7682cd701672bc
Instruction ID: c2c310b2bfde552cfe15c78b980da72f614af0151dfd0a214309131ba2b6eaf9
Opcode Fuzzy Hash: c1ee1cfb688097c1924dde400a607ccb3d61ab21a15df692fc7682cd701672bc
Instruction Fuzzy Hash: 4FF0B4769042078BDF5CFBE8A584B6DB729AF9161CF204229DB10672C8EF34CE018791

Uniqueness

Uniqueness Score: -1.00%

Function 011A2132, Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011A2132(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0x11d8a90, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E011A211B();
					E011A20DD();
					_t13 = WriteConsoleW( *0x11d8a90, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x011a214f
0x011a2153
0x011a2160
0x011a2165
0x011a2180
0x011a2180
0x011a2186

APIs

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,00000000,?,0119F607,00000000,00000001,00000000,00000000,?,01192DD3,00000000,00000000,00000000), ref: 011A2149
GetLastError.KERNEL32(?,0119F607,00000000,00000001,00000000,00000000,?,01192DD3,00000000,00000000,00000000,00000000,00000000,?,01193327,?), ref: 011A2155

Part of subcall function 011A211B: CloseHandle.KERNEL32(FFFFFFFE,011A2165,?,0119F607,00000000,00000001,00000000,00000000,?,01192DD3,00000000,00000000,00000000,00000000,00000000), ref: 011A212B

___initconout.LIBCMT ref: 011A2165

Part of subcall function 011A20DD: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,011A210C,0119F5F4,00000000,?,01192DD3,00000000,00000000,00000000,00000000), ref: 011A20F0

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,?,0119F607,00000000,00000001,00000000,00000000,?,01192DD3,00000000,00000000,00000000,00000000), ref: 011A217A

Memory Dump Source

Source File: 00000000.00000002.642739656.0000000001111000.00000020.00020000.sdmp, Offset: 01110000, based on PE: true

Associated: 00000000.00000002.642736410.0000000001110000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642802037.00000000011AF000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.642825422.00000000011D8000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642829620.00000000011D9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.642846124.00000000011F9000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.642851203.00000000011FB000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 4d858202ab9f78865c33d32304deb604f16e4c89376aa8d9df3359095c65d2fd
Instruction ID: 3bc12e7d519d08df7d55db9ed54414f2db1a8325c12d46420fcbb050d414d352
Opcode Fuzzy Hash: 4d858202ab9f78865c33d32304deb604f16e4c89376aa8d9df3359095c65d2fd
Instruction Fuzzy Hash: 73F0153E10112ABBCF3B2FD5DD0898E3F67EB192A1B804024FA2985520C73299A09B91

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report nW47Os1nLL

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Cryptography:

Compliance:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: nW47Os1nLL.exe PID: 6872 Parent PID: 5960

General

File Activities

File Opened

File Created

File Written

File Attributes Queried

Other File Operations

Volume Information Queried

Function 011843DF, Relevance: 4.5, APIs: 3, Instructions: 20
COMMON

Function 01196E70, Relevance: .0, Instructions: 22
COMMON